From 325ee8e99a09fa96ff6b6fe88a8836c57dfde227 Mon Sep 17 00:00:00 2001 From: Bharath KKB Date: Thu, 10 Mar 2022 12:13:16 -0600 Subject: [PATCH] chore: cleanup unused autopilot vars (#1170) * chore: cleanup unused autopilot vars * address comments --- autogen/main/main.tf.tmpl | 10 +- autogen/main/outputs.tf.tmpl | 14 +- autogen/main/variables.tf.tmpl | 343 +++++++++--------- .../beta-autopilot-private-cluster/README.md | 24 -- .../beta-autopilot-private-cluster/main.tf | 30 -- .../beta-autopilot-private-cluster/outputs.tf | 10 +- .../variables.tf | 168 --------- .../beta-autopilot-public-cluster/README.md | 24 -- modules/beta-autopilot-public-cluster/main.tf | 30 -- .../beta-autopilot-public-cluster/outputs.tf | 10 +- .../variables.tf | 168 --------- .../main.tf | 4 +- .../outputs.tf | 10 +- .../variables.tf | 301 ++++++++------- modules/beta-private-cluster/main.tf | 4 +- modules/beta-private-cluster/outputs.tf | 10 +- modules/beta-private-cluster/variables.tf | 301 ++++++++------- .../main.tf | 4 +- .../outputs.tf | 10 +- .../variables.tf | 297 ++++++++------- modules/beta-public-cluster/main.tf | 4 +- modules/beta-public-cluster/outputs.tf | 10 +- modules/beta-public-cluster/variables.tf | 297 ++++++++------- .../variables.tf | 149 ++++---- modules/private-cluster/variables.tf | 149 ++++---- variables.tf | 149 ++++---- 26 files changed, 1034 insertions(+), 1496 deletions(-) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index ab24310091..5afd74e756 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -56,6 +56,7 @@ locals { release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] + {% if autopilot_cluster != true %} autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{ resource_type = "cpu" minimum = var.cluster_autoscaling.min_cpu_cores 
@@ -65,6 +66,7 @@ locals { minimum = var.cluster_autoscaling.min_memory_gb maximum = var.cluster_autoscaling.max_memory_gb }], var.cluster_autoscaling.gpu_resources) : [] + {% endif %} custom_kube_dns_config = length(keys(var.stub_domains)) > 0 @@ -92,7 +94,7 @@ locals { provider = null }] {% endif %} -{% if beta_cluster %} +{% if beta_cluster and autopilot_cluster != true %} cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} @@ -104,21 +106,22 @@ locals { local.cluster_cloudrun_config_load_balancer_config ) ] : [] - + cluster_cloudrun_enabled = var.cloudrun cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - {% endif %} cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] + {% if autopilot_cluster != true %} // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) }] + {% endif %} cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations @@ -192,7 +195,6 @@ locals { {% if beta_cluster %} # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled - cluster_cloudrun_enabled = var.cloudrun cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 951c48ae8b..bb3b09f1ce 100644 --- a/autogen/main/outputs.tf.tmpl 
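Review bot: In the `@@ -104,21 +106,22 @@` hunk, `cluster_cloudrun_enabled = var.cloudrun` is inserted in place of the blank line that separated the cloudrun config from `cluster_gce_pd_csi_config`, so those two locals now sit back-to-back while the rest of the `locals` block separates entries with blank lines. Keeping a blank line after `cluster_cloudrun_enabled = var.cloudrun` would match the surrounding style. The move out of the `# BETA features` group into the `{% if beta_cluster and autopilot_cluster != true %}` block is consistent with the constant `false` the autopilot output now emits; the enclosing `locals` block continues outside the hunk.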
+++ b/autogen/main/outputs.tf.tmpl @@ -162,14 +162,18 @@ output "peering_name" { {% endif %} {% if beta_cluster %} -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "cloudrun_enabled" { description = "Whether CloudRun enabled" + {% if autopilot_cluster != true %} value = local.cluster_cloudrun_enabled + {% else %} + value = false + {% endif %} +} + +output "istio_enabled" { + description = "Whether Istio is enabled" + value = local.cluster_istio_enabled } output "dns_cache_enabled" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 17b3e273ca..c1bb121768 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -96,18 +96,6 @@ variable "http_load_balancing" { default = true } -variable "network_policy" { - type = bool - description = "Enable network policy addon" - default = false -} - -variable "network_policy_provider" { - type = string - description = "The network policy provider." - default = "CALICO" -} - variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." 
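Review bot: The autopilot branch of `cloudrun_enabled` now emits a constant `false`, but the description `"Whether CloudRun enabled"` still reads as if the value were computed, so a reader of the generated autopilot module cannot tell that Cloud Run is simply not configurable there and the output is kept for interface compatibility. A template comment on the constant branch, e.g. `{# Cloud Run is not configurable on Autopilot; output kept so the module interface stays stable #}` above `value = false`, or a description that says so, would make the intent explicit. The reordering of `istio_enabled` after `cloudrun_enabled` is cosmetic and does not change either output.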
@@ -150,32 +138,6 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } -{% if autopilot_cluster != true %} -variable "initial_node_count" { - type = number - description = "The number of nodes to create in this cluster's default node pool." - default = 0 -} - -variable "remove_default_node_pool" { - type = bool - description = "Remove default node pool while setting up the cluster" - default = false -} - -variable "filestore_csi_driver" { - type = bool - description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" - default = false -} -{% endif %} - -variable "disable_legacy_metadata_endpoints" { - type = bool - description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = true -} - {% if autopilot_cluster != true %} variable "node_pools" { type = list(map(string)) @@ -241,15 +203,8 @@ variable "enable_resource_consumption_export" { description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export." default = true } -{% if beta_cluster %} - -variable "enable_kubernetes_alpha" { - type = bool - description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." - default = false -} -{% endif %} +{% if autopilot_cluster != true %} variable "cluster_autoscaling" { type = object({ enabled = bool 
@@ -276,7 +231,6 @@ variable "cluster_autoscaling" { description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } -{% if autopilot_cluster != true %} variable "node_pools_taints" { type = map(list(object({ key = string, value = string, effect = string }))) description = "Map of lists containing node taints by node-pool name" @@ -361,28 +315,12 @@ variable "logging_service" { default = "logging.googleapis.com/kubernetes" } -{% if beta_cluster %} -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} - -{% endif %} variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } -{% if beta_cluster %} -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - -{% endif %} variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." 
@@ -430,12 +368,6 @@ variable "skip_provisioners" { description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality." default = false } - -variable "default_max_pods_per_node" { - type = number - description = "The maximum number of pods to schedule per node" - default = 110 -} {% if private_cluster %} variable "deploy_using_private_endpoint" { @@ -473,18 +405,6 @@ variable "master_global_access_enabled" { {% endif %} {% if beta_cluster %} - -variable "istio" { - description = "(Beta) Enable Istio addon" - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." 
@@ -494,68 +414,6 @@ variable "dns_cache" { default = false {% endif %} } - -variable "gce_pd_csi_driver" { - type = bool - description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." - {% if autopilot_cluster == true %} - default = true - {% else %} - default = false - {% endif %} -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - -variable "config_connector" { - type = bool - description = "(Beta) Whether ConfigConnector is enabled for this cluster." - default = false -} - -variable "cloudrun" { - description = "(Beta) Enable CloudRun addon" - default = false -} - -variable "cloudrun_load_balancer_type" { - description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" -} - -variable "enable_pod_security_policy" { - type = bool - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - default = false -} - -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - -variable "sandbox_enabled" { - type = bool - description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." - default = false -} - -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - -variable "enable_identity_service" { - type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." - default = false -} {% endif %} variable "authenticator_security_group" { 
@@ -564,27 +422,6 @@ variable "authenticator_security_group" { default = null } -variable "node_metadata" { - description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA" - type = string - - validation { - condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) - error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." - } -} - -variable "database_encryption" { - description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." - type = list(object({ state = string, key_name = string })) - - default = [{ - state = "DECRYPTED" - key_name = "" - }] -} - variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string @@ -597,18 +434,6 @@ variable "release_channel" { default = null } -variable "enable_shielded_nodes" { - type = bool - description = "Enable Shielded Nodes features on all nodes in this cluster" - default = true -} - -variable "enable_binary_authorization" { - type = bool - description = "Enable BinAuthZ Admission controller" - default = false -} - variable "add_cluster_firewall_rules" { type = bool description = "Create additional firewall rules" 
@@ -684,3 +509,169 @@ variable "enable_tpu" { default = false } {% endif %} +{% if autopilot_cluster != true %} +variable "network_policy" { + type = bool + description = "Enable network policy addon" + default = false +} + +variable "network_policy_provider" { + type = string + description = "The network policy provider." + default = "CALICO" +} + +variable "initial_node_count" { + type = number + description = "The number of nodes to create in this cluster's default node pool." + default = 0 +} + +variable "remove_default_node_pool" { + type = bool + description = "Remove default node pool while setting up the cluster" + default = false +} + +variable "filestore_csi_driver" { + type = bool + description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" + default = false +} + +variable "disable_legacy_metadata_endpoints" { + type = bool + description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." + default = true +} + +variable "default_max_pods_per_node" { + type = number + description = "The maximum number of pods to schedule per node" + default = 110 +} + +variable "database_encryption" { + description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." 
+ type = list(object({ state = string, key_name = string })) + + default = [{ + state = "DECRYPTED" + key_name = "" + }] +} + +variable "enable_shielded_nodes" { + type = bool + description = "Enable Shielded Nodes features on all nodes in this cluster" + default = true +} + +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "node_metadata" { + description = "Specifies how node metadata is exposed to the workload running on the node" + default = "GKE_METADATA" + type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } +} +{% endif %} +{% if beta_cluster and autopilot_cluster != true %} + +variable "enable_kubernetes_alpha" { + type = bool + description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." + default = false +} + +variable "logging_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] +} + +variable "monitoring_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + default = [] +} + +variable "istio" { + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" +} + +variable "kalm_config" { + type = bool + description = "(Beta) Whether KALM is enabled for this cluster." 
+ default = false +} + +variable "config_connector" { + type = bool + description = "(Beta) Whether ConfigConnector is enabled for this cluster." + default = false +} + +variable "cloudrun" { + description = "(Beta) Enable CloudRun addon" + default = false +} + +variable "cloudrun_load_balancer_type" { + description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + default = "" +} + +variable "enable_pod_security_policy" { + type = bool + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + default = false +} + + +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." + default = false +} + +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + +variable "gce_pd_csi_driver" { + type = bool + description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." + default = false +} +{% endif %} diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 9f39b2f6c0..477ca75f08 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
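Review bot: The `node_metadata` validation moved into the new `{% if autopilot_cluster != true %}` block still has a `condition` that accepts five values (`GKE_METADATA`, `GCE_METADATA`, `UNSPECIFIED`, `GKE_METADATA_SERVER`, `EXPOSE`) while its `error_message` names only three, so a user who passes a rejected value is shown an incomplete list; suggest `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, or the legacy values GKE_METADATA_SERVER and EXPOSE."`. There is also a doubled blank line before `variable "enable_l4_ilb_subsetting"` that none of the other variables in the block have. Since every variable placed under the new guard disappears from the generated autopilot modules' inputs, a consumer that currently passes e.g. `enable_binary_authorization` or `database_encryption` to those modules will get an unexpected-argument error on upgrade; the commit is labelled a chore, so a release note listing the removed inputs would help users of the autopilot modules.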
@@ -72,40 +72,25 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | -| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | -| config\_connector | (Beta) Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | -| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. 
| `bool` | `false` | no | -| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | -| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | 
@@ -117,11 +102,7 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | -| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | 
@@ -130,14 +111,10 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | (Beta) Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | -| network\_policy | Enable network policy addon | `bool` | `false` | no | -| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. 
| `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | @@ -146,7 +123,6 @@ Then perform the following commands on the root folder: | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 90dfa0b5c1..779c6eb03c 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -47,15 +47,6 @@ locals { release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] - autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{ - resource_type = "cpu" - minimum = var.cluster_autoscaling.min_cpu_cores - maximum = var.cluster_autoscaling.max_cpu_cores - }, { - resource_type = "memory" - minimum = var.cluster_autoscaling.min_memory_gb - maximum = var.cluster_autoscaling.max_memory_gb - }], var.cluster_autoscaling.gpu_resources) : [] custom_kube_dns_config = length(keys(var.stub_domains)) > 0 @@ -70,31 +61,11 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { - load_balancer_type = var.cloudrun_load_balancer_type - } : {} - cluster_cloudrun_config = var.cloudrun ? [ - merge( - { - disabled = false - }, - local.cluster_cloudrun_config_load_balancer_config - ) - ] : [] - - cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 - old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } - - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) - }] cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations 
@@ -151,7 +122,6 @@ locals {
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
- cluster_cloudrun_enabled = var.cloudrun
 cluster_dns_cache_enabled = var.dns_cache
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index 1e0b1769c9..6cdab1a5ce 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -133,16 +133,16 @@ output "peering_name" {
 value = local.cluster_peering_name
 }
 
+output "cloudrun_enabled" {
+ description = "Whether CloudRun enabled"
+ value = false
+}
+
 output "istio_enabled" {
 description = "Whether Istio is enabled"
 value = local.cluster_istio_enabled
 }
 
-output "cloudrun_enabled" {
- description = "Whether CloudRun enabled"
- value = local.cluster_cloudrun_enabled
-}
-
 output "dns_cache_enabled" {
 description = "Whether DNS Cache enabled"
 value = local.cluster_dns_cache_enabled
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 0faa8f3f83..b6fb9443b7 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
 
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
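Review bot: The new `output "cloudrun_enabled"` in modules/beta-autopilot-private-cluster/outputs.tf returns a literal `false` with nothing explaining why the value is constant, so a reader cannot tell whether it reflects the cluster's state or is a compatibility shim now that the `cloudrun` variable is removed from the Autopilot modules. Add a comment above the output, e.g. `# Constant: the Cloud Run addon is not configurable through this Autopilot module; the output is kept so the output set matches the non-autopilot modules.` Consumers that gate anything on this output should note it is no longer derived from any cluster attribute, so it stays `false` even if the addon were enabled outside Terraform. The same applies to the identical hunk in modules/beta-autopilot-public-cluster/outputs.tf, and if these module files are produced from the autogen templates the comment belongs in the template rather than here.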
@@ -149,13 +137,6 @@ variable "ip_range_services" { } -variable "disable_legacy_metadata_endpoints" { - type = bool - description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = true -} - - variable "resource_usage_export_dataset_id" { type = string description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export." @@ -174,34 +155,6 @@ variable "enable_resource_consumption_export" { default = true } -variable "enable_kubernetes_alpha" { - type = bool - description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." - default = false -} - -variable "cluster_autoscaling" { - type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - }) - default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - } - description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" -} - variable "stub_domains" { type = map(list(string)) 
@@ -251,24 +204,12 @@ variable "logging_service" { default = "logging.googleapis.com/kubernetes" } -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} - variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." @@ -317,12 +258,6 @@ variable "skip_provisioners" { default = false } -variable "default_max_pods_per_node" { - type = number - description = "The maximum number of pods to schedule per node" - default = 110 -} - variable "deploy_using_private_endpoint" { type = bool description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." 
@@ -354,109 +289,18 @@ variable "master_global_access_enabled" { default = true } - -variable "istio" { - description = "(Beta) Enable Istio addon" - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." default = true } -variable "gce_pd_csi_driver" { - type = bool - description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." - default = true -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - -variable "config_connector" { - type = bool - description = "(Beta) Whether ConfigConnector is enabled for this cluster." - default = false -} - -variable "cloudrun" { - description = "(Beta) Enable CloudRun addon" - default = false -} - -variable "cloudrun_load_balancer_type" { - description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" -} - -variable "enable_pod_security_policy" { - type = bool - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - default = false -} - -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - -variable "sandbox_enabled" { - type = bool - description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." - default = false -} - -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. 
This makes same node pod to pod traffic visible for VPC network" - default = false -} - -variable "enable_identity_service" { - type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." - default = false -} - variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" default = null } -variable "node_metadata" { - description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA" - type = string - - validation { - condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) - error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." - } -} - -variable "database_encryption" { - description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." - type = list(object({ state = string, key_name = string })) - - default = [{ - state = "DECRYPTED" - key_name = "" - }] -} - variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string 
@@ -469,18 +313,6 @@ variable "release_channel" { default = null } -variable "enable_shielded_nodes" { - type = bool - description = "Enable Shielded Nodes features on all nodes in this cluster" - default = true -} - -variable "enable_binary_authorization" { - type = bool - description = "Enable BinAuthZ Admission controller" - default = false -} - variable "add_cluster_firewall_rules" { type = bool description = "Create additional firewall rules" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 92cd7f6342..0f186d676e 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -66,37 +66,22 @@ Then perform the following commands on the root folder: | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | -| cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no | | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no | | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no | -| config\_connector | (Beta) Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no | | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no | | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | -| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | -| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. 
| `bool` | `false` | no | -| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | 
@@ -108,25 +93,17 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | -| istio | (Beta) Enable Istio addon | `bool` | `false` | no | -| istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | -| kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. 
| `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | -| network\_policy | Enable network policy addon | `bool` | `false` | no | -| network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | @@ -135,7 +112,6 @@ Then perform the following commands on the root folder: | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | `string` | `null` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 7ca2e091f0..cae98fa3c5 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -47,15 +47,6 @@ locals { release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] - autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{ - resource_type = "cpu" - minimum = var.cluster_autoscaling.min_cpu_cores - maximum = var.cluster_autoscaling.max_cpu_cores - }, { - resource_type = "memory" - minimum = var.cluster_autoscaling.min_memory_gb - maximum = var.cluster_autoscaling.max_memory_gb - }], var.cluster_autoscaling.gpu_resources) : [] custom_kube_dns_config = length(keys(var.stub_domains)) > 0 @@ -70,31 +61,11 @@ locals { cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} - cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { - load_balancer_type = var.cloudrun_load_balancer_type - } : {} - cluster_cloudrun_config = var.cloudrun ? [ - merge( - { - disabled = false - }, - local.cluster_cloudrun_config_load_balancer_config - ) - ] : [] - - cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - // legacy mappings https://github.com/hashicorp/terraform-provider-google/pull/10238 - old_node_metadata_config_mapping = { GKE_METADATA_SERVER = "GKE_METADATA", GCE_METADATA = "EXPOSE" } - - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ - mode = lookup(local.old_node_metadata_config_mapping, var.node_metadata, var.node_metadata) - }] cluster_output_name = google_container_cluster.primary.name cluster_output_regional_zones = google_container_cluster.primary.node_locations 
@@ -150,7 +121,6 @@ locals {
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
- cluster_cloudrun_enabled = var.cloudrun
 cluster_dns_cache_enabled = var.dns_cache
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf
index 749dce191f..3d0d040736 100644
--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -123,16 +123,16 @@ output "identity_namespace" {
 ]
 }
 
+output "cloudrun_enabled" {
+ description = "Whether CloudRun enabled"
+ value = false
+}
+
 output "istio_enabled" {
 description = "Whether Istio is enabled"
 value = local.cluster_istio_enabled
 }
 
-output "cloudrun_enabled" {
- description = "Whether CloudRun enabled"
- value = local.cluster_cloudrun_enabled
-}
-
 output "dns_cache_enabled" {
 description = "Whether DNS Cache enabled"
 value = local.cluster_dns_cache_enabled
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 6a4f02e804..92045a5060 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
 
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
@@ -149,13 +137,6 @@ variable "ip_range_services" { } -variable "disable_legacy_metadata_endpoints" { - type = bool - description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = true -} - - variable "resource_usage_export_dataset_id" { type = string description = "The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export." @@ -174,34 +155,6 @@ variable "enable_resource_consumption_export" { default = true } -variable "enable_kubernetes_alpha" { - type = bool - description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." - default = false -} - -variable "cluster_autoscaling" { - type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - }) - default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - } - description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" -} - variable "stub_domains" { type = map(list(string)) 
@@ -251,24 +204,12 @@ variable "logging_service" { default = "logging.googleapis.com/kubernetes" } -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} - variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." 
@@ -317,115 +258,18 @@ variable "skip_provisioners" { default = false } -variable "default_max_pods_per_node" { - type = number - description = "The maximum number of pods to schedule per node" - default = 110 -} - - -variable "istio" { - description = "(Beta) Enable Istio addon" - default = false -} - -variable "istio_auth" { - type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" -} - variable "dns_cache" { type = bool description = "(Beta) The status of the NodeLocal DNSCache addon." default = true } -variable "gce_pd_csi_driver" { - type = bool - description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." - default = true -} - -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." - default = false -} - -variable "config_connector" { - type = bool - description = "(Beta) Whether ConfigConnector is enabled for this cluster." - default = false -} - -variable "cloudrun" { - description = "(Beta) Enable CloudRun addon" - default = false -} - -variable "cloudrun_load_balancer_type" { - description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" -} - -variable "enable_pod_security_policy" { - type = bool - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - default = false -} - -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - -variable "sandbox_enabled" { - type = bool - description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." 
- default = false -} - -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - -variable "enable_identity_service" { - type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." - default = false -} - variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" default = null } -variable "node_metadata" { - description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA" - type = string - - validation { - condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) - error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." - } -} - -variable "database_encryption" { - description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." - type = list(object({ state = string, key_name = string })) - - default = [{ - state = "DECRYPTED" - key_name = "" - }] -} - variable "identity_namespace" { description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" type = string 
@@ -438,18 +282,6 @@ variable "release_channel" { default = null } -variable "enable_shielded_nodes" { - type = bool - description = "Enable Shielded Nodes features on all nodes in this cluster" - default = true -} - -variable "enable_binary_authorization" { - type = bool - description = "Enable BinAuthZ Admission controller" - default = false -} - variable "add_cluster_firewall_rules" { type = bool description = "Create additional firewall rules" diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 37618874cd..acdae6152a 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -91,10 +91,9 @@ locals { local.cluster_cloudrun_config_load_balancer_config ) ] : [] - + cluster_cloudrun_enabled = var.cloudrun cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] @@ -166,7 +165,6 @@ locals { }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_cloudrun_enabled = var.cloudrun cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 27f413723e..4377e2ee3e 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf 
@@ -151,16 +151,16 @@ output "peering_name" {
 value = local.cluster_peering_name
 }
-output "istio_enabled" {
- description = "Whether Istio is enabled"
- value = local.cluster_istio_enabled
-}
-
 output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = local.cluster_cloudrun_enabled
 }
+output "istio_enabled" {
+ description = "Whether Istio is enabled"
+ value = local.cluster_istio_enabled
+}
+
 output "dns_cache_enabled" {
 description = "Whether DNS Cache enabled"
 value = local.cluster_dns_cache_enabled
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 06c316f332..b0deff1945 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
@@ -148,30 +136,6 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }
-variable "initial_node_count" {
- type = number
- description = "The number of nodes to create in this cluster's default node pool."
- default = 0
-}
-
-variable "remove_default_node_pool" {
- type = bool
- description = "Remove default node pool while setting up the cluster"
- default = false
-}
-
-variable "filestore_csi_driver" {
- type = bool
- description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
- default = false
-}
-
-variable "disable_legacy_metadata_endpoints" {
- type = bool
- description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = true
-}
-
 variable "node_pools" {
 type = list(map(string))
 description = "List of maps containing node pools"
@@ -234,12 +198,6 @@ variable "enable_resource_consumption_export" {
 default = true
 }
-variable "enable_kubernetes_alpha" {
- type = bool
- description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days."
- default = false
-}
-
 variable "cluster_autoscaling" {
 type = object({
 enabled = bool
@@ -343,24 +301,12 @@ variable "logging_service" {
 default = "logging.googleapis.com/kubernetes"
 }
-variable "logging_enabled_components" {
- type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
- default = []
-}
-
 variable "monitoring_service" {
 type = string
 description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
 default = "monitoring.googleapis.com/kubernetes"
 }
-variable "monitoring_enabled_components" {
- type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
- default = []
-}
-
 variable "create_service_account" {
 type = bool
 description = "Defines if service account specified to run nodes should be created."
@@ -409,12 +355,6 @@ variable "skip_provisioners" {
 default = false
 }
-variable "default_max_pods_per_node" {
- type = number
- description = "The maximum number of pods to schedule per node"
- default = 110
-}
-
 variable "deploy_using_private_endpoint" {
 type = bool
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
@@ -446,97 +386,141 @@ variable "master_global_access_enabled" {
 default = true
 }
-
-variable "istio" {
- description = "(Beta) Enable Istio addon"
+variable "dns_cache" {
+ type = bool
+ description = "(Beta) The status of the NodeLocal DNSCache addon."
 default = false
 }
-variable "istio_auth" {
+variable "authenticator_security_group" {
 type = string
- description = "(Beta) The authentication type between services in Istio."
- default = "AUTH_MUTUAL_TLS"
+ description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+ default = null
 }
-variable "dns_cache" {
- type = bool
- description = "(Beta) The status of the NodeLocal DNSCache addon."
- default = false
+variable "identity_namespace" {
+ description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
+ type = string
+ default = "enabled"
 }
-variable "gce_pd_csi_driver" {
+variable "release_channel" {
+ type = string
+ description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
+ default = null
+}
+
+variable "add_cluster_firewall_rules" {
 type = bool
- description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ description = "Create additional firewall rules"
 default = false
 }
-variable "kalm_config" {
+variable "add_master_webhook_firewall_rules" {
 type = bool
- description = "(Beta) Whether KALM is enabled for this cluster."
+ description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
 default = false
 }
-variable "config_connector" {
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
+ default = ["8443", "9443", "15017"]
+}
+
+variable "gcloud_upgrade" {
 type = bool
- description = "(Beta) Whether ConfigConnector is enabled for this cluster."
+ description = "Whether to upgrade gcloud at runtime"
 default = false
 }
-variable "cloudrun" {
- description = "(Beta) Enable CloudRun addon"
+variable "add_shadow_firewall_rules" {
+ type = bool
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
-variable "cloudrun_load_balancer_type" {
- description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
- default = ""
+variable "shadow_firewall_rules_priority" {
+ type = number
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
+ default = 999
 }
-variable "enable_pod_security_policy" {
+variable "enable_confidential_nodes" {
 type = bool
- description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+ description = "An optional flag to enable confidential node config."
 default = false
 }
-variable "enable_l4_ilb_subsetting" {
+variable "disable_default_snat" {
 type = bool
- description = "Enable L4 ILB Subsetting on the cluster"
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
-variable "sandbox_enabled" {
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
+
+variable "notification_config_topic" {
+ type = string
+ description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
+ default = ""
+}
+
+variable "enable_tpu" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
+ description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
 default = false
 }
-
-variable "enable_intranode_visibility" {
+variable "network_policy" {
 type = bool
- description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ description = "Enable network policy addon"
 default = false
 }
-variable "enable_identity_service" {
+variable "network_policy_provider" {
+ type = string
+ description = "The network policy provider."
+ default = "CALICO"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "remove_default_node_pool" {
 type = bool
- description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+ description = "Remove default node pool while setting up the cluster"
 default = false
 }
-variable "authenticator_security_group" {
- type = string
- description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
- default = null
+variable "filestore_csi_driver" {
+ type = bool
+ description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
+ default = false
 }
-variable "node_metadata" {
- description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA"
- type = string
+variable "disable_legacy_metadata_endpoints" {
+ type = bool
+ description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
+ default = true
+}
- validation {
- condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
- }
+variable "default_max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods to schedule per node"
+ default = 110
 }
 variable "database_encryption" {
@@ -549,18 +533,6 @@ variable "database_encryption" {
 }]
 }
-variable "identity_namespace" {
- description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
- type = string
- default = "enabled"
-}
-
-variable "release_channel" {
- type = string
- description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
- default = null
-}
-
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
@@ -573,74 +545,101 @@ variable "enable_binary_authorization" {
 default = false
 }
-variable "add_cluster_firewall_rules" {
- type = bool
- description = "Create additional firewall rules"
- default = false
+variable "node_metadata" {
+ description = "Specifies how node metadata is exposed to the workload running on the node"
+ default = "GKE_METADATA"
+ type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
 }
-variable "add_master_webhook_firewall_rules" {
+variable "enable_kubernetes_alpha" {
 type = bool
- description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
+ description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days."
 default = false
 }
-variable "firewall_priority" {
- type = number
- description = "Priority rule for firewall rules"
- default = 1000
+variable "logging_enabled_components" {
+ type = list(string)
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ default = []
 }
-variable "firewall_inbound_ports" {
+variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
- default = ["8443", "9443", "15017"]
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
+ default = []
 }
-variable "gcloud_upgrade" {
+variable "istio" {
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
+variable "kalm_config" {
 type = bool
- description = "Whether to upgrade gcloud at runtime"
+ description = "(Beta) Whether KALM is enabled for this cluster."
 default = false
 }
-variable "add_shadow_firewall_rules" {
+variable "config_connector" {
 type = bool
- description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
+ description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
-variable "shadow_firewall_rules_priority" {
- type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
- default = 999
+variable "cloudrun" {
+ description = "(Beta) Enable CloudRun addon"
+ default = false
 }
-variable "enable_confidential_nodes" {
+variable "cloudrun_load_balancer_type" {
+ description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
+ default = ""
+}
+
+variable "enable_pod_security_policy" {
 type = bool
- description = "An optional flag to enable confidential node config."
+ description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
 default = false
 }
-variable "disable_default_snat" {
+
+variable "enable_l4_ilb_subsetting" {
 type = bool
- description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ description = "Enable L4 ILB Subsetting on the cluster"
 default = false
 }
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
+variable "sandbox_enabled" {
+ type = bool
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
+ default = false
 }
-variable "notification_config_topic" {
- type = string
- description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
- default = ""
+variable "enable_intranode_visibility" {
+ type = bool
+ description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ default = false
 }
-variable "enable_tpu" {
+variable "enable_identity_service" {
 type = bool
- description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
+ description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+ default = false
+}
+
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = false
 }
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 37618874cd..acdae6152a 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
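Review bot: The `validation` block now added to `node_metadata` (the `+ validation {` lines at the top of this hunk) accepts five values in `condition` — `GKE_METADATA`, `GCE_METADATA`, `UNSPECIFIED`, `GKE_METADATA_SERVER`, `EXPOSE` — but its `error_message` names only three, so a caller who trips the check is told a narrower set than is actually allowed; change it to `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."`. On the same new side, `istio`, `cloudrun` and `cloudrun_load_balancer_type` are declared without a `type`, unlike every neighbouring variable; adding `type = bool` / `type = string` would keep the file consistent and let Terraform reject wrong-typed input early. This file appears to be generated from `autogen/main/variables.tf.tmpl` (the same hunk recurs in modules/beta-private-cluster/variables.tf), so the fix belongs in the template rather than here.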
@@ -91,10 +91,9 @@ locals {
 local.cluster_cloudrun_config_load_balancer_config
 )
 ] : []
-
+ cluster_cloudrun_enabled = var.cloudrun
 cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }]
-
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }]
@@ -166,7 +165,6 @@ locals {
 }]
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
- cluster_cloudrun_enabled = var.cloudrun
 cluster_dns_cache_enabled = var.dns_cache
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index 27f413723e..4377e2ee3e 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -151,16 +151,16 @@ output "peering_name" {
 value = local.cluster_peering_name
 }
-output "istio_enabled" {
- description = "Whether Istio is enabled"
- value = local.cluster_istio_enabled
-}
-
 output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = local.cluster_cloudrun_enabled
 }
+output "istio_enabled" {
+ description = "Whether Istio is enabled"
+ value = local.cluster_istio_enabled
+}
+
 output "dns_cache_enabled" {
 description = "Whether DNS Cache enabled"
 value = local.cluster_dns_cache_enabled
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 06c316f332..b0deff1945 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
@@ -148,30 +136,6 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }
-variable "initial_node_count" {
- type = number
- description = "The number of nodes to create in this cluster's default node pool."
- default = 0
-}
-
-variable "remove_default_node_pool" {
- type = bool
- description = "Remove default node pool while setting up the cluster"
- default = false
-}
-
-variable "filestore_csi_driver" {
- type = bool
- description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
- default = false
-}
-
-variable "disable_legacy_metadata_endpoints" {
- type = bool
- description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = true
-}
-
 variable "node_pools" {
 type = list(map(string))
 description = "List of maps containing node pools"
@@ -234,12 +198,6 @@ variable "enable_resource_consumption_export" {
 default = true
 }
-variable "enable_kubernetes_alpha" {
- type = bool
- description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days."
- default = false
-}
-
 variable "cluster_autoscaling" {
 type = object({
 enabled = bool
@@ -343,24 +301,12 @@ variable "logging_service" {
 default = "logging.googleapis.com/kubernetes"
 }
-variable "logging_enabled_components" {
- type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
- default = []
-}
-
 variable "monitoring_service" {
 type = string
 description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
 default = "monitoring.googleapis.com/kubernetes"
 }
-variable "monitoring_enabled_components" {
- type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
- default = []
-}
-
 variable "create_service_account" {
 type = bool
 description = "Defines if service account specified to run nodes should be created."
@@ -409,12 +355,6 @@ variable "skip_provisioners" {
 default = false
 }
-variable "default_max_pods_per_node" {
- type = number
- description = "The maximum number of pods to schedule per node"
- default = 110
-}
-
 variable "deploy_using_private_endpoint" {
 type = bool
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
@@ -446,97 +386,141 @@ variable "master_global_access_enabled" {
 default = true
 }
-
-variable "istio" {
- description = "(Beta) Enable Istio addon"
+variable "dns_cache" {
+ type = bool
+ description = "(Beta) The status of the NodeLocal DNSCache addon."
 default = false
 }
-variable "istio_auth" {
+variable "authenticator_security_group" {
 type = string
- description = "(Beta) The authentication type between services in Istio."
- default = "AUTH_MUTUAL_TLS"
+ description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+ default = null
 }
-variable "dns_cache" {
- type = bool
- description = "(Beta) The status of the NodeLocal DNSCache addon."
- default = false
+variable "identity_namespace" {
+ description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
+ type = string
+ default = "enabled"
 }
-variable "gce_pd_csi_driver" {
+variable "release_channel" {
+ type = string
+ description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
+ default = null
+}
+
+variable "add_cluster_firewall_rules" {
 type = bool
- description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
+ description = "Create additional firewall rules"
 default = false
 }
-variable "kalm_config" {
+variable "add_master_webhook_firewall_rules" {
 type = bool
- description = "(Beta) Whether KALM is enabled for this cluster."
+ description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
 default = false
 }
-variable "config_connector" {
+variable "firewall_priority" {
+ type = number
+ description = "Priority rule for firewall rules"
+ default = 1000
+}
+
+variable "firewall_inbound_ports" {
+ type = list(string)
+ description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
+ default = ["8443", "9443", "15017"]
+}
+
+variable "gcloud_upgrade" {
 type = bool
- description = "(Beta) Whether ConfigConnector is enabled for this cluster."
+ description = "Whether to upgrade gcloud at runtime"
 default = false
 }
-variable "cloudrun" {
- description = "(Beta) Enable CloudRun addon"
+variable "add_shadow_firewall_rules" {
+ type = bool
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
-variable "cloudrun_load_balancer_type" {
- description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
- default = ""
+variable "shadow_firewall_rules_priority" {
+ type = number
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
+ default = 999
 }
-variable "enable_pod_security_policy" {
+variable "enable_confidential_nodes" {
 type = bool
- description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+ description = "An optional flag to enable confidential node config."
 default = false
 }
-variable "enable_l4_ilb_subsetting" {
+variable "disable_default_snat" {
 type = bool
- description = "Enable L4 ILB Subsetting on the cluster"
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
-variable "sandbox_enabled" {
+variable "impersonate_service_account" {
+ type = string
+ description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
+ default = ""
+}
+
+variable "notification_config_topic" {
+ type = string
+ description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
+ default = ""
+}
+
+variable "enable_tpu" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
+ description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
 default = false
 }
-
-variable "enable_intranode_visibility" {
+variable "network_policy" {
 type = bool
- description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ description = "Enable network policy addon"
 default = false
 }
-variable "enable_identity_service" {
+variable "network_policy_provider" {
+ type = string
+ description = "The network policy provider."
+ default = "CALICO"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "remove_default_node_pool" {
 type = bool
- description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+ description = "Remove default node pool while setting up the cluster"
 default = false
 }
-variable "authenticator_security_group" {
- type = string
- description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
- default = null
+variable "filestore_csi_driver" {
+ type = bool
+ description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
+ default = false
 }
-variable "node_metadata" {
- description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA"
- type = string
+variable "disable_legacy_metadata_endpoints" {
+ type = bool
+ description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
+ default = true
+}
- validation {
- condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
- }
+variable "default_max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods to schedule per node"
+ default = 110
 }
 variable "database_encryption" {
@@ -549,18 +533,6 @@ variable "database_encryption" {
 }]
 }
-variable "identity_namespace" {
- description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
- type = string
- default = "enabled"
-}
-
-variable "release_channel" {
- type = string
- description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
- default = null
-}
-
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
@@ -573,74 +545,101 @@ variable "enable_binary_authorization" {
 default = false
 }
-variable "add_cluster_firewall_rules" {
- type = bool
- description = "Create additional firewall rules"
- default = false
+variable "node_metadata" {
+ description = "Specifies how node metadata is exposed to the workload running on the node"
+ default = "GKE_METADATA"
+ type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
 }
-variable "add_master_webhook_firewall_rules" {
+variable "enable_kubernetes_alpha" {
 type = bool
- description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`"
+ description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days."
 default = false
 }
-variable "firewall_priority" {
- type = number
- description = "Priority rule for firewall rules"
- default = 1000
+variable "logging_enabled_components" {
+ type = list(string)
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ default = []
 }
-variable "firewall_inbound_ports" {
+variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied."
- default = ["8443", "9443", "15017"]
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
+ default = []
 }
-variable "gcloud_upgrade" {
+variable "istio" {
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
+variable "kalm_config" {
 type = bool
- description = "Whether to upgrade gcloud at runtime"
+ description = "(Beta) Whether KALM is enabled for this cluster."
 default = false
 }
-variable "add_shadow_firewall_rules" {
+variable "config_connector" {
 type = bool
- description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
+ description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
-variable "shadow_firewall_rules_priority" {
- type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
- default = 999
+variable "cloudrun" {
+ description = "(Beta) Enable CloudRun addon"
+ default = false
 }
-variable "enable_confidential_nodes" {
+variable "cloudrun_load_balancer_type" {
+ description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
+ default = ""
+}
+
+variable "enable_pod_security_policy" {
 type = bool
- description = "An optional flag to enable confidential node config."
+ description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
 default = false
 }
-variable "disable_default_snat" {
+
+variable "enable_l4_ilb_subsetting" {
 type = bool
- description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ description = "Enable L4 ILB Subsetting on the cluster"
 default = false
 }
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
+variable "sandbox_enabled" {
+ type = bool
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
+ default = false
 }
-variable "notification_config_topic" {
- type = string
- description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
- default = ""
+variable "enable_intranode_visibility" {
+ type = bool
+ description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ default = false
 }
-variable "enable_tpu" {
+variable "enable_identity_service" {
 type = bool
- description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
+ description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+ default = false
+}
+
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = false
 }
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index 55af249c10..0f9683068f 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -91,10 +91,9 @@ locals { local.cluster_cloudrun_config_load_balancer_config ) ] : [] - + cluster_cloudrun_enabled = var.cloudrun cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] @@ -165,7 +164,6 @@ locals { }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_cloudrun_enabled = var.cloudrun cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 289ccb0aea..1fbf1d6aba 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -141,16 +141,16 @@ output "identity_namespace" { ] } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled } +output "istio_enabled" { + description = "Whether Istio is enabled" + value = local.cluster_istio_enabled +} + output "dns_cache_enabled" { description = "Whether DNS Cache enabled" value = local.cluster_dns_cache_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 7ca71309bf..cfbd3e080b 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -96,18 +96,6 @@ variable "http_load_balancing" { default = true } -variable "network_policy" { - type = bool - description = "Enable network policy addon" - default = false -} - -variable "network_policy_provider" { - type = string - description = "The network policy provider." - default = "CALICO" -} - variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." @@ -148,30 +136,6 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } -variable "initial_node_count" { - type = number - description = "The number of nodes to create in this cluster's default node pool." - default = 0 -} - -variable "remove_default_node_pool" { - type = bool - description = "Remove default node pool while setting up the cluster" - default = false -} - -variable "filestore_csi_driver" { - type = bool - description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" - default = false -} - -variable "disable_legacy_metadata_endpoints" { - type = bool - description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = true -} - variable "node_pools" { type = list(map(string)) description = "List of maps containing node pools" @@ -234,12 +198,6 @@ variable "enable_resource_consumption_export" { default = true } -variable "enable_kubernetes_alpha" { - type = bool - description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." - default = false -} - variable "cluster_autoscaling" { type = object({ enabled = bool 
@@ -343,24 +301,12 @@ variable "logging_service" { default = "logging.googleapis.com/kubernetes" } -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} - variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." 
@@ -409,103 +355,141 @@ variable "skip_provisioners" { default = false } -variable "default_max_pods_per_node" { - type = number - description = "The maximum number of pods to schedule per node" - default = 110 +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} -variable "istio" { - description = "(Beta) Enable Istio addon" - default = false +variable "identity_namespace" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" + type = string + default = "enabled" } -variable "istio_auth" { +variable "release_channel" { type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" + description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`." + default = null } -variable "dns_cache" { +variable "add_cluster_firewall_rules" { type = bool - description = "(Beta) The status of the NodeLocal DNSCache addon." + description = "Create additional firewall rules" default = false } -variable "gce_pd_csi_driver" { +variable "add_master_webhook_firewall_rules" { type = bool - description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." + description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" default = false } -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." 
- default = false +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 } -variable "config_connector" { +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." + default = ["8443", "9443", "15017"] +} + +variable "gcloud_upgrade" { type = bool - description = "(Beta) Whether ConfigConnector is enabled for this cluster." + description = "Whether to upgrade gcloud at runtime" default = false } -variable "cloudrun" { - description = "(Beta) Enable CloudRun addon" +variable "add_shadow_firewall_rules" { + type = bool + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } -variable "cloudrun_load_balancer_type" { - description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" +variable "shadow_firewall_rules_priority" { + type = number + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." + default = 999 } -variable "enable_pod_security_policy" { +variable "enable_confidential_nodes" { type = bool - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + description = "An optional flag to enable confidential node config." 
default = false } -variable "enable_l4_ilb_subsetting" { +variable "disable_default_snat" { type = bool - description = "Enable L4 ILB Subsetting on the cluster" + description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } -variable "sandbox_enabled" { +variable "impersonate_service_account" { + type = string + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} + +variable "notification_config_topic" { + type = string + description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." + default = "" +} + +variable "enable_tpu" { type = bool - description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } - -variable "enable_intranode_visibility" { +variable "network_policy" { type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + description = "Enable network policy addon" default = false } -variable "enable_identity_service" { +variable "network_policy_provider" { + type = string + description = "The network policy provider." + default = "CALICO" +} + +variable "initial_node_count" { + type = number + description = "The number of nodes to create in this cluster's default node pool." + default = 0 +} + +variable "remove_default_node_pool" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." 
+ description = "Remove default node pool while setting up the cluster" default = false } -variable "authenticator_security_group" { - type = string - description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = null +variable "filestore_csi_driver" { + type = bool + description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" + default = false } -variable "node_metadata" { - description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA" - type = string +variable "disable_legacy_metadata_endpoints" { + type = bool + description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." + default = true +} - validation { - condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) - error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." - } +variable "default_max_pods_per_node" { + type = number + description = "The maximum number of pods to schedule per node" + default = 110 } variable "database_encryption" { @@ -518,18 +502,6 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" - type = string - default = "enabled" -} - -variable "release_channel" { - type = string - description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`." - default = null -} - variable "enable_shielded_nodes" { type = bool description = "Enable Shielded Nodes features on all nodes in this cluster" 
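Review bot: `release_channel` as re-declared in this hunk documents "Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`" but carries no `validation` block, unlike `node_metadata` elsewhere in this file, so a misspelled channel is only rejected by the provider at apply time; a validation with `condition = var.release_channel == null || contains(["UNSPECIFIED", "RAPID", "REGULAR", "STABLE"], var.release_channel)` would catch it at plan time. The same description says the variable "Defaults to `UNSPECIFIED`" while the declaration has `default = null`, and the template locals build the `release_channel` block only when the value is non-null, so the wording should say that no channel block is set unless a value is supplied. The hunk at the same position in modules/beta-public-cluster/variables.tf is identical and has the same gaps. If these module files are produced from autogen/main/variables.tf.tmpl, as the diffstat suggests, the change belongs in the template rather than in the generated copies.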
@@ -542,74 +514,101 @@ variable "enable_binary_authorization" { default = false } -variable "add_cluster_firewall_rules" { - type = bool - description = "Create additional firewall rules" - default = false +variable "node_metadata" { + description = "Specifies how node metadata is exposed to the workload running on the node" + default = "GKE_METADATA" + type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } -variable "add_master_webhook_firewall_rules" { +variable "enable_kubernetes_alpha" { type = bool - description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" + description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." default = false } -variable "firewall_priority" { - type = number - description = "Priority rule for firewall rules" - default = 1000 +variable "logging_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] } -variable "firewall_inbound_ports" { +variable "monitoring_enabled_components" { type = list(string) - description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." - default = ["8443", "9443", "15017"] + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." 
+ default = [] } -variable "gcloud_upgrade" { +variable "istio" { + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" +} + +variable "kalm_config" { type = bool - description = "Whether to upgrade gcloud at runtime" + description = "(Beta) Whether KALM is enabled for this cluster." default = false } -variable "add_shadow_firewall_rules" { +variable "config_connector" { type = bool - description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." + description = "(Beta) Whether ConfigConnector is enabled for this cluster." default = false } -variable "shadow_firewall_rules_priority" { - type = number - description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." - default = 999 +variable "cloudrun" { + description = "(Beta) Enable CloudRun addon" + default = false } -variable "enable_confidential_nodes" { +variable "cloudrun_load_balancer_type" { + description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." + default = "" +} + +variable "enable_pod_security_policy" { type = bool - description = "An optional flag to enable confidential node config." + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." 
default = false } -variable "disable_default_snat" { + +variable "enable_l4_ilb_subsetting" { type = bool - description = "Whether to disable the default SNAT to support the private use of public IP addresses" + description = "Enable L4 ILB Subsetting on the cluster" default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." + default = false } -variable "notification_config_topic" { - type = string - description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." - default = "" +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false } -variable "enable_tpu" { +variable "enable_identity_service" { type = bool - description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + +variable "gce_pd_csi_driver" { + type = bool + description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." default = false } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 55af249c10..0f9683068f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
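Review bot: `istio`, `cloudrun` and `cloudrun_load_balancer_type` are re-declared in this hunk without a `type` argument (`variable "istio" { description = "(Beta) Enable Istio addon" default = false }`), while every neighbouring variable pins one; an untyped input accepts any value and only fails where `var.cloudrun` is evaluated as a boolean in the locals, so `type = bool` for the first two and `type = string` for the load balancer type would move that failure to input validation. The `node_metadata` validation earlier in the same hunk accepts `GKE_METADATA_SERVER` and `EXPOSE` but its message names only three values; `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA, UNSPECIFIED, GKE_METADATA_SERVER or EXPOSE."` would match the condition. The identical hunk in modules/beta-public-cluster/variables.tf has the same two issues. If these modules are generated from autogen/main/variables.tf.tmpl, as the diffstat suggests, the fix belongs in the template.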
@@ -91,10 +91,9 @@ locals { local.cluster_cloudrun_config_load_balancer_config ) ] : [] - + cluster_cloudrun_enabled = var.cloudrun cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] @@ -165,7 +164,6 @@ locals { }] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_cloudrun_enabled = var.cloudrun cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 289ccb0aea..1fbf1d6aba 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -141,16 +141,16 @@ output "identity_namespace" { ] } -output "istio_enabled" { - description = "Whether Istio is enabled" - value = local.cluster_istio_enabled -} - output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled } +output "istio_enabled" { + description = "Whether Istio is enabled" + value = local.cluster_istio_enabled +} + output "dns_cache_enabled" { description = "Whether DNS Cache enabled" value = local.cluster_dns_cache_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 7ca71309bf..cfbd3e080b 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -96,18 +96,6 @@ variable "http_load_balancing" { default = true } -variable "network_policy" { - type = bool - description = "Enable network policy addon" - default = false -} - -variable "network_policy_provider" { - type = string - description = "The network policy provider." - default = "CALICO" -} - variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." @@ -148,30 +136,6 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } -variable "initial_node_count" { - type = number - description = "The number of nodes to create in this cluster's default node pool." - default = 0 -} - -variable "remove_default_node_pool" { - type = bool - description = "Remove default node pool while setting up the cluster" - default = false -} - -variable "filestore_csi_driver" { - type = bool - description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" - default = false -} - -variable "disable_legacy_metadata_endpoints" { - type = bool - description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = true -} - variable "node_pools" { type = list(map(string)) description = "List of maps containing node pools" @@ -234,12 +198,6 @@ variable "enable_resource_consumption_export" { default = true } -variable "enable_kubernetes_alpha" { - type = bool - description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." - default = false -} - variable "cluster_autoscaling" { type = object({ enabled = bool 
@@ -343,24 +301,12 @@ variable "logging_service" { default = "logging.googleapis.com/kubernetes" } -variable "logging_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." - default = [] -} - variable "monitoring_service" { type = string description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none" default = "monitoring.googleapis.com/kubernetes" } -variable "monitoring_enabled_components" { - type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." - default = [] -} - variable "create_service_account" { type = bool description = "Defines if service account specified to run nodes should be created." 
@@ -409,103 +355,141 @@ variable "skip_provisioners" { default = false } -variable "default_max_pods_per_node" { - type = number - description = "The maximum number of pods to schedule per node" - default = 110 +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} -variable "istio" { - description = "(Beta) Enable Istio addon" - default = false +variable "identity_namespace" { + description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" + type = string + default = "enabled" } -variable "istio_auth" { +variable "release_channel" { type = string - description = "(Beta) The authentication type between services in Istio." - default = "AUTH_MUTUAL_TLS" + description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`." + default = null } -variable "dns_cache" { +variable "add_cluster_firewall_rules" { type = bool - description = "(Beta) The status of the NodeLocal DNSCache addon." + description = "Create additional firewall rules" default = false } -variable "gce_pd_csi_driver" { +variable "add_master_webhook_firewall_rules" { type = bool - description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver." + description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" default = false } -variable "kalm_config" { - type = bool - description = "(Beta) Whether KALM is enabled for this cluster." 
- default = false +variable "firewall_priority" { + type = number + description = "Priority rule for firewall rules" + default = 1000 } -variable "config_connector" { +variable "firewall_inbound_ports" { + type = list(string) + description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." + default = ["8443", "9443", "15017"] +} + +variable "gcloud_upgrade" { type = bool - description = "(Beta) Whether ConfigConnector is enabled for this cluster." + description = "Whether to upgrade gcloud at runtime" default = false } -variable "cloudrun" { - description = "(Beta) Enable CloudRun addon" +variable "add_shadow_firewall_rules" { + type = bool + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } -variable "cloudrun_load_balancer_type" { - description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer." - default = "" +variable "shadow_firewall_rules_priority" { + type = number + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." + default = 999 } -variable "enable_pod_security_policy" { +variable "enable_confidential_nodes" { type = bool - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + description = "An optional flag to enable confidential node config." 
default = false } -variable "enable_l4_ilb_subsetting" { +variable "disable_default_snat" { type = bool - description = "Enable L4 ILB Subsetting on the cluster" + description = "Whether to disable the default SNAT to support the private use of public IP addresses" default = false } -variable "sandbox_enabled" { +variable "impersonate_service_account" { + type = string + description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." + default = "" +} + +variable "notification_config_topic" { + type = string + description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." + default = "" +} + +variable "enable_tpu" { type = bool - description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } - -variable "enable_intranode_visibility" { +variable "network_policy" { type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + description = "Enable network policy addon" default = false } -variable "enable_identity_service" { +variable "network_policy_provider" { + type = string + description = "The network policy provider." + default = "CALICO" +} + +variable "initial_node_count" { + type = number + description = "The number of nodes to create in this cluster's default node pool." + default = 0 +} + +variable "remove_default_node_pool" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." 
+ description = "Remove default node pool while setting up the cluster" default = false } -variable "authenticator_security_group" { - type = string - description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = null +variable "filestore_csi_driver" { + type = bool + description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes" + default = false } -variable "node_metadata" { - description = "Specifies how node metadata is exposed to the workload running on the node" - default = "GKE_METADATA" - type = string +variable "disable_legacy_metadata_endpoints" { + type = bool + description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." + default = true +} - validation { - condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) - error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." - } +variable "default_max_pods_per_node" { + type = number + description = "The maximum number of pods to schedule per node" + default = 110 } variable "database_encryption" { @@ -518,18 +502,6 @@ variable "database_encryption" { }] } -variable "identity_namespace" { - description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)" - type = string - default = "enabled" -} - -variable "release_channel" { - type = string - description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`." - default = null -} - variable "enable_shielded_nodes" { type = bool description = "Enable Shielded Nodes features on all nodes in this cluster" 
@@ -542,74 +514,101 @@ variable "enable_binary_authorization" { default = false } -variable "add_cluster_firewall_rules" { - type = bool - description = "Create additional firewall rules" - default = false +variable "node_metadata" { + description = "Specifies how node metadata is exposed to the workload running on the node" + default = "GKE_METADATA" + type = string + + validation { + condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata) + error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED." + } } -variable "add_master_webhook_firewall_rules" { +variable "enable_kubernetes_alpha" { type = bool - description = "Create master_webhook firewall rules for ports defined in `firewall_inbound_ports`" + description = "Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days." default = false } -variable "firewall_priority" { - type = number - description = "Priority rule for firewall rules" - default = 1000 +variable "logging_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] } -variable "firewall_inbound_ports" { +variable "monitoring_enabled_components" { type = list(string) - description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." - default = ["8443", "9443", "15017"] + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." 
+ default = []
 }
-variable "gcloud_upgrade" {
+variable "istio" {
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
+variable "kalm_config" {
 type = bool
- description = "Whether to upgrade gcloud at runtime"
+ description = "(Beta) Whether KALM is enabled for this cluster."
 default = false
 }
-variable "add_shadow_firewall_rules" {
+variable "config_connector" {
 type = bool
- description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
+ description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
-variable "shadow_firewall_rules_priority" {
- type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
- default = 999
+variable "cloudrun" {
+ description = "(Beta) Enable CloudRun addon"
+ default = false
 }
-variable "enable_confidential_nodes" {
+variable "cloudrun_load_balancer_type" {
+ description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
+ default = ""
+}
+
+variable "enable_pod_security_policy" {
 type = bool
- description = "An optional flag to enable confidential node config."
+ description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
 default = false
 }
-variable "disable_default_snat" {
+
+variable "enable_l4_ilb_subsetting" {
 type = bool
- description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ description = "Enable L4 ILB Subsetting on the cluster"
 default = false
 }
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
+variable "sandbox_enabled" {
+ type = bool
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
+ default = false
 }
-variable "notification_config_topic" {
- type = string
- description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
- default = ""
+variable "enable_intranode_visibility" {
+ type = bool
+ description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
+ default = false
 }
-variable "enable_tpu" {
+variable "enable_identity_service" {
 type = bool
- description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
+ description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+ default = false
+}
+
+variable "gce_pd_csi_driver" {
+ type = bool
+ description = "(Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
 default = false
 }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index e0138ec154..82f9bc4a9b 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
@@ -137,30 +125,6 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }
-variable "initial_node_count" {
- type = number
- description = "The number of nodes to create in this cluster's default node pool."
- default = 0
-}
-
-variable "remove_default_node_pool" {
- type = bool
- description = "Remove default node pool while setting up the cluster"
- default = false
-}
-
-variable "filestore_csi_driver" {
- type = bool
- description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
- default = false
-}
-
-variable "disable_legacy_metadata_endpoints" {
- type = bool
- description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = true
-}
-
 variable "node_pools" {
 type = list(map(string))
 description = "List of maps containing node pools"
@@ -361,12 +325,6 @@ variable "skip_provisioners" {
 default = false
 }
-variable "default_max_pods_per_node" {
- type = number
- description = "The maximum number of pods to schedule per node"
- default = 110
-}
-
 variable "deploy_using_private_endpoint" {
 type = bool
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
@@ -397,27 +355,6 @@ variable "authenticator_security_group" {
 default = null
 }
-variable "node_metadata" {
- description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA"
- type = string
-
- validation {
- condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
- }
-}
-
-variable "database_encryption" {
- description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
- type = list(object({ state = string, key_name = string }))
-
- default = [{
- state = "DECRYPTED"
- key_name = ""
- }]
-}
-
 variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
@@ -430,18 +367,6 @@ variable "release_channel" {
 default = null
 }
-variable "enable_shielded_nodes" {
- type = bool
- description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = true
-}
-
-variable "enable_binary_authorization" {
- type = bool
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
@@ -491,3 +416,77 @@ variable "impersonate_service_account" {
 default = ""
 }
+variable "network_policy" {
+ type = bool
+ description = "Enable network policy addon"
+ default = false
+}
+
+variable "network_policy_provider" {
+ type = string
+ description = "The network policy provider."
+ default = "CALICO"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "remove_default_node_pool" {
+ type = bool
+ description = "Remove default node pool while setting up the cluster"
+ default = false
+}
+
+variable "filestore_csi_driver" {
+ type = bool
+ description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
+ default = false
+}
+
+variable "disable_legacy_metadata_endpoints" {
+ type = bool
+ description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
+ default = true
+}
+
+variable "default_max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods to schedule per node"
+ default = 110
+}
+
+variable "database_encryption" {
+ description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+ type = list(object({ state = string, key_name = string }))
+
+ default = [{
+ state = "DECRYPTED"
+ key_name = ""
+ }]
+}
+
+variable "enable_shielded_nodes" {
+ type = bool
+ description = "Enable Shielded Nodes features on all nodes in this cluster"
+ default = true
+}
+
+variable "enable_binary_authorization" {
+ type = bool
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
+variable "node_metadata" {
+ description = "Specifies how node metadata is exposed to the workload running on the node"
+ default = "GKE_METADATA"
+ type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
+}
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index e0138ec154..82f9bc4a9b 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
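Review bot: The `database_encryption` variable re-added in this hunk accepts `state = "ENCRYPTED"` with an empty `key_name`, and nothing in the variable rejects that combination at plan time; the only `validation` block in the hunk is the one on `node_metadata`. Judging by the deletion hunk earlier in this file the block is moved rather than new, so the gap is pre-existing, but since the commit is already reshuffling these inputs a validation that fails fast is cheap to add and keeps a misconfigured secrets-encryption setting from reaching the cluster resource. The check below uses a list comprehension rather than `alltrue` so it does not presume a newer Terraform minimum than the existing `validation` block already requires; it also rejects unknown `state` values, which the description lists but nothing enforces.
```hcl
variable "database_encryption" {
  # … unchanged: description, type, default …

  validation {
    condition     = length([for e in var.database_encryption : e if !contains(["ENCRYPTED", "DECRYPTED"], e.state) || (e.state == "ENCRYPTED" && e.key_name == "")]) == 0
    error_message = "Each database_encryption entry must have state ENCRYPTED or DECRYPTED, and a CloudKMS key_name is required when state is ENCRYPTED."
  }
}
```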
@@ -137,30 +125,6 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }
-variable "initial_node_count" {
- type = number
- description = "The number of nodes to create in this cluster's default node pool."
- default = 0
-}
-
-variable "remove_default_node_pool" {
- type = bool
- description = "Remove default node pool while setting up the cluster"
- default = false
-}
-
-variable "filestore_csi_driver" {
- type = bool
- description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
- default = false
-}
-
-variable "disable_legacy_metadata_endpoints" {
- type = bool
- description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = true
-}
-
 variable "node_pools" {
 type = list(map(string))
 description = "List of maps containing node pools"
@@ -361,12 +325,6 @@ variable "skip_provisioners" {
 default = false
 }
-variable "default_max_pods_per_node" {
- type = number
- description = "The maximum number of pods to schedule per node"
- default = 110
-}
-
 variable "deploy_using_private_endpoint" {
 type = bool
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
@@ -397,27 +355,6 @@ variable "authenticator_security_group" {
 default = null
 }
-variable "node_metadata" {
- description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA"
- type = string
-
- validation {
- condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
- }
-}
-
-variable "database_encryption" {
- description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
- type = list(object({ state = string, key_name = string }))
-
- default = [{
- state = "DECRYPTED"
- key_name = ""
- }]
-}
-
 variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
@@ -430,18 +367,6 @@ variable "release_channel" {
 default = null
 }
-variable "enable_shielded_nodes" {
- type = bool
- description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = true
-}
-
-variable "enable_binary_authorization" {
- type = bool
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
@@ -491,3 +416,77 @@ variable "impersonate_service_account" {
 default = ""
 }
+variable "network_policy" {
+ type = bool
+ description = "Enable network policy addon"
+ default = false
+}
+
+variable "network_policy_provider" {
+ type = string
+ description = "The network policy provider."
+ default = "CALICO"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "remove_default_node_pool" {
+ type = bool
+ description = "Remove default node pool while setting up the cluster"
+ default = false
+}
+
+variable "filestore_csi_driver" {
+ type = bool
+ description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
+ default = false
+}
+
+variable "disable_legacy_metadata_endpoints" {
+ type = bool
+ description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
+ default = true
+}
+
+variable "default_max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods to schedule per node"
+ default = 110
+}
+
+variable "database_encryption" {
+ description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+ type = list(object({ state = string, key_name = string }))
+
+ default = [{
+ state = "DECRYPTED"
+ key_name = ""
+ }]
+}
+
+variable "enable_shielded_nodes" {
+ type = bool
+ description = "Enable Shielded Nodes features on all nodes in this cluster"
+ default = true
+}
+
+variable "enable_binary_authorization" {
+ type = bool
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
+variable "node_metadata" {
+ description = "Specifies how node metadata is exposed to the workload running on the node"
+ default = "GKE_METADATA"
+ type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
+}
diff --git a/variables.tf b/variables.tf
index ce76d52bfc..f1b02095c2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -96,18 +96,6 @@ variable "http_load_balancing" {
 default = true
 }
-variable "network_policy" {
- type = bool
- description = "Enable network policy addon"
- default = false
-}
-
-variable "network_policy_provider" {
- type = string
- description = "The network policy provider."
- default = "CALICO"
-}
-
 variable "datapath_provider" {
 type = string
 description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
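Review bot: The `error_message` of the `node_metadata` validation at the end of this hunk names three accepted values, while the `condition` directly above it accepts five (`GKE_METADATA_SERVER` and `EXPOSE` in addition), so a user who trips the check is told a narrower set than the variable actually enforces. The block is moved rather than new, judging by the deletion hunk earlier in this file, but the message is worth aligning while it is being touched: `error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED (legacy values GKE_METADATA_SERVER and EXPOSE are also accepted)."` The `description` would also benefit from saying what the choice means for workloads — presumably `GCE_METADATA`/`EXPOSE` make the node's GCE metadata server reachable from pods, which is the setting a security review wants called out — but that semantics should be confirmed against the provider docs before it is written down.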
@@ -137,30 +125,6 @@ variable "ip_range_services" {
 description = "The _name_ of the secondary subnet range to use for services"
 }
-variable "initial_node_count" {
- type = number
- description = "The number of nodes to create in this cluster's default node pool."
- default = 0
-}
-
-variable "remove_default_node_pool" {
- type = bool
- description = "Remove default node pool while setting up the cluster"
- default = false
-}
-
-variable "filestore_csi_driver" {
- type = bool
- description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
- default = false
-}
-
-variable "disable_legacy_metadata_endpoints" {
- type = bool
- description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = true
-}
-
 variable "node_pools" {
 type = list(map(string))
 description = "List of maps containing node pools"
@@ -361,39 +325,12 @@ variable "skip_provisioners" {
 default = false
 }
-variable "default_max_pods_per_node" {
- type = number
- description = "The maximum number of pods to schedule per node"
- default = 110
-}
-
 variable "authenticator_security_group" {
 type = string
 description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
 default = null
 }
-variable "node_metadata" {
- description = "Specifies how node metadata is exposed to the workload running on the node"
- default = "GKE_METADATA"
- type = string
-
- validation {
- condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
- error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
- }
-}
-
-variable "database_encryption" {
- description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
- type = list(object({ state = string, key_name = string }))
-
- default = [{
- state = "DECRYPTED"
- key_name = ""
- }]
-}
-
 variable "identity_namespace" {
 description = "The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`)"
 type = string
@@ -406,18 +343,6 @@ variable "release_channel" {
 default = null
 }
-variable "enable_shielded_nodes" {
- type = bool
- description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = true
-}
-
-variable "enable_binary_authorization" {
- type = bool
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
@@ -467,3 +392,77 @@ variable "impersonate_service_account" {
 default = ""
 }
+variable "network_policy" {
+ type = bool
+ description = "Enable network policy addon"
+ default = false
+}
+
+variable "network_policy_provider" {
+ type = string
+ description = "The network policy provider."
+ default = "CALICO"
+}
+
+variable "initial_node_count" {
+ type = number
+ description = "The number of nodes to create in this cluster's default node pool."
+ default = 0
+}
+
+variable "remove_default_node_pool" {
+ type = bool
+ description = "Remove default node pool while setting up the cluster"
+ default = false
+}
+
+variable "filestore_csi_driver" {
+ type = bool
+ description = "The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes"
+ default = false
+}
+
+variable "disable_legacy_metadata_endpoints" {
+ type = bool
+ description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
+ default = true
+}
+
+variable "default_max_pods_per_node" {
+ type = number
+ description = "The maximum number of pods to schedule per node"
+ default = 110
+}
+
+variable "database_encryption" {
+ description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+ type = list(object({ state = string, key_name = string }))
+
+ default = [{
+ state = "DECRYPTED"
+ key_name = ""
+ }]
+}
+
+variable "enable_shielded_nodes" {
+ type = bool
+ description = "Enable Shielded Nodes features on all nodes in this cluster"
+ default = true
+}
+
+variable "enable_binary_authorization" {
+ type = bool
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
+variable "node_metadata" {
+ description = "Specifies how node metadata is exposed to the workload running on the node"
+ default = "GKE_METADATA"
+ type = string
+
+ validation {
+ condition = contains(["GKE_METADATA", "GCE_METADATA", "UNSPECIFIED", "GKE_METADATA_SERVER", "EXPOSE"], var.node_metadata)
+ error_message = "The node_metadata value must be one of GKE_METADATA, GCE_METADATA or UNSPECIFIED."
+ }
+}
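Review bot: The `description` of `database_encryption` in this hunk does not say what its default does: the default entry is `state = "DECRYPTED"` with an empty `key_name`, which leaves application-layer encryption of Kubernetes secrets off unless the caller opts in, yet the text only lists the valid values and the object shape. Since this is the root module's public input, appending one sentence makes the secure option discoverable from the generated inputs table, e.g. `The default (state = \"DECRYPTED\") leaves application-layer secrets encryption disabled; set state = \"ENCRYPTED\" and a CloudKMS key_name to enable it.` at the end of the existing description string. The variable appears to be moved from earlier in the file rather than new, judging by the deletion hunk above, so this is a documentation nit rather than something the commit introduces.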