PLT-1330 CMEK, SA & CIDRs (#36)

Author: iamjanr

CHANGELOG.md

@@ -2,16 +2,23 @@
 
 ## 1.6.1-0.3.0 (upcoming)
 
-* [PLT-327] After creating a GKE cluster, it takes ~20 minutes for its status to be READY
-* [PLT-911] Disable external endpoint
+* [PLT-1330] CMEK - Service accounts & Secondary CIDR ranges adaption to R4.7
 
 ## Previous development
 
+## 1.6.1-0.2.1 (2024-12-05)
+
+* [PLT-1313] Support Secondary CIDR ranges
+* [PLT-1246] CMEK Support
+
 ## 1.6.1-0.2.0 (2024-10-11)
 
+* [PLT-965] Disable managed Monitoring and Logging
 * [PLT-806] Add GKE Private cluster support
 * [PLT-563] Fix autoscaling issues
 * [PLT-326] First approach to manage taints addition, update and deletion on GKE
+* [PLT-327] After creating a GKE cluster, it takes ~20 minutes for its status to be READY
+* [PLT-911] Disable external endpoint
 
 ### Branched to branch-1.6.1-0.1 (2024-08-22)
 

cloud/scope/managedmachinepool.go

@@ -218,6 +218,9 @@ func ConvertToSdkNodePool(nodePool infrav1exp.GCPManagedMachinePool, machinePool
 	if nodePool.Spec.LinuxNodeConfig != nil {
 		sdkNodePool.Config.LinuxNodeConfig = infrav1exp.ConvertToSdkLinuxNodeConfig(nodePool.Spec.LinuxNodeConfig)
 	}
+	if nodePool.Spec.BootDiskKmsKey != "" {
+		sdkNodePool.Config.BootDiskKmsKey = nodePool.Spec.BootDiskKmsKey
+	}
 	if nodePool.Spec.Management != nil {
 		sdkNodePool.Management = &containerpb.NodeManagement{
 			AutoRepair:  nodePool.Spec.Management.AutoRepair,
@@ -241,6 +244,9 @@ func ConvertToSdkNodePool(nodePool infrav1exp.GCPManagedMachinePool, machinePool
 	if nodePool.Spec.DiskSizeGB != nil {
 		sdkNodePool.Config.DiskSizeGb = int32(*nodePool.Spec.DiskSizeGB)
 	}
+	if nodePool.Spec.BootDiskKmsKey != "" {
+		sdkNodePool.Config.BootDiskKmsKey = nodePool.Spec.BootDiskKmsKey
+	}
 	if len(nodePool.Spec.NodeNetwork.Tags) != 0 {
 		sdkNodePool.Config.Tags = nodePool.Spec.NodeNetwork.Tags
 	}

cloud/services/container/clusters/reconcile.go

@@ -300,6 +300,15 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 		}
 	}
 
+	// Add IPAllocationPolicy for CIDR support
+	if s.scope.GCPManagedControlPlane.Spec.ClusterIpv4Cidr != nil {
+		cluster.ClusterIpv4Cidr = *s.scope.GCPManagedControlPlane.Spec.ClusterIpv4Cidr
+	}
+
+	if s.scope.GCPManagedControlPlane.Spec.IPAllocationPolicy != nil {
+		cluster.IpAllocationPolicy = infrav1exp.ConvertToSdkIPAllocationPolicy(s.scope.GCPManagedControlPlane.Spec.IPAllocationPolicy)
+	}
+
 	// If the cluster is autopilot, we don't need to specify node pools.
 	if !s.scope.IsAutopilotCluster() {
 		cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name)

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml

@@ -62,6 +62,14 @@ spec:
           spec:
             description: GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane.
             properties:
+              clusterIpv4Cidr:
+                description: |-
+                  ClusterIpv4Cidr is the IP address range of the container pods in the GKE cluster, in
+                  [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
+                  notation (e.g. `10.96.0.0/14`).
+                  If not specified then one will be automatically chosen.
+                  If this field is specified then IPAllocationPolicy.ClusterIpv4CidrBlock should be left blank.
+                type: string
               clusterName:
                 description: |-
                   ClusterName allows you to specify the name of the GKE cluster.
@@ -118,6 +126,42 @@ spec:
                 - host
                 - port
                 type: object
+              ipAllocationPolicy:
+                description: |-
+                  IPAllocationPolicy represents configuration options for GKE cluster IP allocation.
+                  If not specified then GKE default values will be used.
+                properties:
+                  clusterIpv4CidrBlock:
+                    description: |-
+                      ClusterIpv4CidrBlock represents the IP address range for the GKE cluster pod IPs. If this field is set, then
+                      GCPManagedControlPlaneSpec.ClusterIpv4Cidr must be left blank.
+                      This field is only applicable when use_ip_aliases is set to true.
+                      If not specified the range will be chosen with the default size.
+                    type: string
+                  clusterSecondaryRangeName:
+                    description: |-
+                      ClusterSecondaryRangeName represents the name of the secondary range to be used for the GKE cluster CIDR block.
+                      The range will be used for pod IP addresses and must be an existing secondary range associated with the cluster subnetwork.
+                      This field is only applicable when use_ip_aliases is set to true.
+                    type: string
+                  servicesIpv4CidrBlock:
+                    description: |-
+                      ServicesIpv4CidrBlock represents the IP address range for services IPs in the GKE cluster.
+                      This field is only applicable when use_ip_aliases is set to true.
+                      If not specified the range will be chosen with the default size.
+                    type: string
+                  servicesSecondaryRangeName:
+                    description: |-
+                      ServicesSecondaryRangeName represents the name of the secondary range to be used for the services CIDR block.
+                      The range will be used for service ClusterIPs and must be an existing secondary range associated with the cluster subnetwork.
+                      This field is only applicable when use_ip_aliases is set to true.
+                    type: string
+                  useIPAliases:
+                    description: |-
+                      UseIPAliases represents whether alias IPs will be used for pod IPs in the cluster.
+                      If unspecified will default to false.
+                    type: boolean
+                type: object
               location:
                 description: |-
                   Location represents the location (region or zone) in which the GKE cluster

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedmachinepools.yaml

@@ -58,6 +58,10 @@ spec:
                   AdditionalLabels is an optional set of tags to add to GCP resources managed by the GCP provider, in addition to the
                   ones added by default.
                 type: object
+              bootDiskKmsKey:
+                description: BootDiskKmsKey is the name of the key used to encrypt
+                  the boot disk.
+                type: string
               diskSizeGB:
                 description: |-
                   DiskSizeGB is size of the disk attached to each node,

exp/api/v1beta1/gcpmanagedcontrolplane_types.go

@@ -89,6 +89,17 @@ type GCPManagedControlPlaneSpec struct {
 	// Location represents the location (region or zone) in which the GKE cluster
 	// will be created.
 	Location string `json:"location"`
+	// ClusterIpv4Cidr is the IP address range of the container pods in the GKE cluster, in
+	// [CIDR](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
+	// notation (e.g. `10.96.0.0/14`).
+	// If not specified then one will be automatically chosen.
+	// If this field is specified then IPAllocationPolicy.ClusterIpv4CidrBlock should be left blank.
+	// +optional
+	ClusterIpv4Cidr *string `json:"clusterIpv4Cidr,omitempty"`
+	// IPAllocationPolicy represents configuration options for GKE cluster IP allocation.
+	// If not specified then GKE default values will be used.
+	// +optional
+	IPAllocationPolicy *IPAllocationPolicy `json:"ipAllocationPolicy,omitempty"`
 	// EnableAutopilot indicates whether to enable autopilot for this GKE cluster.
 	// +optional
 	EnableAutopilot bool `json:"enableAutopilot"`
@@ -173,6 +184,35 @@ const (
 	Stable ReleaseChannel = "stable"
 )
 
+// IPAllocationPolicy represents configuration options for GKE cluster IP allocation.
+type IPAllocationPolicy struct {
+	// UseIPAliases represents whether alias IPs will be used for pod IPs in the cluster.
+	// If unspecified will default to false.
+	// +optional
+	UseIPAliases *bool `json:"useIPAliases,omitempty"`
+	// ClusterSecondaryRangeName represents the name of the secondary range to be used for the GKE cluster CIDR block.
+	// The range will be used for pod IP addresses and must be an existing secondary range associated with the cluster subnetwork.
+	// This field is only applicable when use_ip_aliases is set to true.
+	// +optional
+	ClusterSecondaryRangeName *string `json:"clusterSecondaryRangeName,omitempty"`
+	// ServicesSecondaryRangeName represents the name of the secondary range to be used for the services CIDR block.
+	// The range will be used for service ClusterIPs and must be an existing secondary range associated with the cluster subnetwork.
+	// This field is only applicable when use_ip_aliases is set to true.
+	// +optional
+	ServicesSecondaryRangeName *string `json:"servicesSecondaryRangeName,omitempty"`
+	// ClusterIpv4CidrBlock represents the IP address range for the GKE cluster pod IPs. If this field is set, then
+	// GCPManagedControlPlaneSpec.ClusterIpv4Cidr must be left blank.
+	// This field is only applicable when use_ip_aliases is set to true.
+	// If not specified the range will be chosen with the default size.
+	// +optional
+	ClusterIpv4CidrBlock *string `json:"clusterIpv4CidrBlock,omitempty"`
+	// ServicesIpv4CidrBlock represents the IP address range for services IPs in the GKE cluster.
+	// This field is only applicable when use_ip_aliases is set to true.
+	// If not specified the range will be chosen with the default size.
+	// +optional
+	ServicesIpv4CidrBlock *string `json:"servicesIpv4CidrBlock,omitempty"`
+}
+
 // MasterAuthorizedNetworksConfig contains configuration options for the master authorized networks feature.
 // Enabled master authorized networks will disallow all external traffic to access
 // Kubernetes master through HTTPS except traffic from the given CIDR blocks,

exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go

@@ -24,6 +24,7 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/pointer"
 
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -123,6 +124,15 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio
 		)
 	}
 
+	// Add IPAllocationPolicy for CIDR support (PLT-1246)
+
+	if !cmp.Equal(r.Spec.ClusterIpv4Cidr, old.Spec.ClusterIpv4Cidr) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "ClusterIpv4Cidr"),
+				pointer.StringDeref(r.Spec.ClusterIpv4Cidr, ""), "field is immutable"),
+		)
+	}
+
 	if !cmp.Equal(r.Spec.EnableAutopilot, old.Spec.EnableAutopilot) {
 		allErrs = append(allErrs,
 			field.Invalid(field.NewPath("spec", "EnableAutopilot"),
@@ -167,3 +177,54 @@ func generateGKEName(resourceName, namespace string, maxLength int) (string, err
 
 	return fmt.Sprintf("%s%s", resourcePrefix, hashedName), nil
 }
+
+// Add IPAllocationPolicy for CIDR support (PLT-1246)
+
+func validateIPAllocationPolicy(spec GCPManagedControlPlaneSpec) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if spec.IPAllocationPolicy == nil {
+		return allErrs
+	}
+
+	path := field.NewPath("spec", "IPAllocationPolicy")
+
+	isUseIPAliases := pointer.BoolDeref(spec.IPAllocationPolicy.UseIPAliases, false)
+	if spec.IPAllocationPolicy.ClusterSecondaryRangeName != nil && !isUseIPAliases {
+		allErrs = append(allErrs,
+			field.Invalid(path.Child("ClusterSecondaryRangeName"),
+				spec.IPAllocationPolicy.ClusterSecondaryRangeName,
+				"field cannot be set unless UseIPAliases is set to true"),
+		)
+	}
+	if spec.IPAllocationPolicy.ServicesSecondaryRangeName != nil && !isUseIPAliases {
+		allErrs = append(allErrs,
+			field.Invalid(path.Child("ServicesSecondaryRangeName"),
+				spec.IPAllocationPolicy.ServicesSecondaryRangeName,
+				"field cannot be set unless UseIPAliases is set to true"),
+		)
+	}
+	if spec.IPAllocationPolicy.ServicesIpv4CidrBlock != nil && !isUseIPAliases {
+		allErrs = append(allErrs,
+			field.Invalid(path.Child("ServicesIpv4CidrBlock"),
+				spec.IPAllocationPolicy.ServicesIpv4CidrBlock,
+				"field cannot be set unless UseIPAliases is set to true"),
+		)
+	}
+	if spec.IPAllocationPolicy.ClusterIpv4CidrBlock != nil && !isUseIPAliases {
+		allErrs = append(allErrs,
+			field.Invalid(path.Child("ClusterIpv4CidrBlock"),
+				spec.IPAllocationPolicy.ClusterIpv4CidrBlock,
+				"field cannot be set unless UseIPAliases is set to true"),
+		)
+	}
+	if spec.IPAllocationPolicy.ClusterIpv4CidrBlock != nil && spec.ClusterIpv4Cidr != nil {
+		allErrs = append(allErrs,
+			field.Invalid(path.Child("ClusterIpv4CidrBlock"),
+				spec.IPAllocationPolicy.ClusterIpv4CidrBlock,
+				"only one of spec.ClusterIpv4Cidr and spec.IPAllocationPolicy.ClusterIpv4CidrBlock can be set"),
+		)
+	}
+
+	return allErrs
+}

exp/api/v1beta1/gcpmanagedmachinepool_types.go

@@ -114,6 +114,8 @@ type GCPManagedMachinePoolSpec struct {
 	// machine pool
 	// +optional
 	ProviderIDList []string `json:"providerIDList,omitempty"`
+	// BootDiskKmsKey is the name of the key used to encrypt the boot disk.
+	BootDiskKmsKey string `json:"bootDiskKmsKey,omitempty"`
 }
 
 // NodeNetworkConfig encapsulates node network configurations.

exp/api/v1beta1/types.go

@@ -20,6 +20,7 @@ import (
 	"strings"
 
 	"cloud.google.com/go/container/apiv1/containerpb"
+	"k8s.io/utils/pointer"
 )
 
 // TaintEffect is the effect for a Kubernetes taint.
@@ -144,3 +145,20 @@ func ConvertToSdkLinuxNodeConfig(linuxNodeConfig *LinuxNodeConfig) *containerpb.
 	}
 	return &sdkLinuxNodeConfig
 }
+
+// Add IPAllocationPolicy for CIDR support (PLT-1246)
+
+// ConvertToSdkIPAllocationPolicy converts the CAPG IPAllocationPolicy to a containerpb IPAllocationPolicy.
+func ConvertToSdkIPAllocationPolicy(policy *IPAllocationPolicy) *containerpb.IPAllocationPolicy {
+	if policy == nil {
+		return nil
+	}
+
+	return &containerpb.IPAllocationPolicy{
+		UseIpAliases:               pointer.BoolDeref(policy.UseIPAliases, false),
+		ClusterSecondaryRangeName:  pointer.StringDeref(policy.ClusterSecondaryRangeName, ""),
+		ServicesSecondaryRangeName: pointer.StringDeref(policy.ServicesSecondaryRangeName, ""),
+		ClusterIpv4CidrBlock:       pointer.StringDeref(policy.ClusterIpv4CidrBlock, ""),
+		ServicesIpv4CidrBlock:      pointer.StringDeref(policy.ServicesIpv4CidrBlock, ""),
+	}
+}