Merge branch 'master' into master

CPL-markus · Jun 13, 2024 · 62aa48d · 62aa48d
2 parents 677a49b + 6dd46d1
commit 62aa48d
Show file tree

Hide file tree

Showing 89 changed files with 1,047 additions and 312 deletions.
diff --git a/README.md b/README.md
@@ -144,7 +144,7 @@ Then perform the following commands on the root folder:
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                 = bool<br>    autoscaling_profile     = string<br>    min_cpu_cores           = number<br>    max_cpu_cores           = number<br>    min_memory_gb           = number<br>    max_memory_gb           = number<br>    gpu_resources           = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair             = bool<br>    auto_upgrade            = bool<br>    disk_size               = optional(number)<br>    disk_type               = optional(string)<br>    image_type              = optional(string)<br>    strategy                = optional(string)<br>    max_surge               = optional(number)<br>    max_unavailable         = optional(number)<br>    node_pool_soak_duration = optional(string)<br>    batch_soak_duration     = optional(string)<br>    batch_percentage        = optional(number)<br>    batch_node_count        = optional(number)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = number<br>    max_cpu_cores               = number<br>    min_memory_gb               = number<br>    max_memory_gb               = number<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -168,6 +168,11 @@ resource "google_container_cluster" "primary" {
           }
         }
 
+        shielded_instance_config {
+          enable_secure_boot          = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+          enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+        }
+
         {% if beta_cluster %}
         min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
         {% endif %}

diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -244,39 +244,43 @@ variable "enable_resource_consumption_export" {
 {% if autopilot_cluster != true %}
 variable "cluster_autoscaling" {
   type = object({
-    enabled                 = bool
-    autoscaling_profile     = string
-    min_cpu_cores           = number
-    max_cpu_cores           = number
-    min_memory_gb           = number
-    max_memory_gb           = number
-    gpu_resources           = list(object({ resource_type = string, minimum = number, maximum = number }))
-    auto_repair             = bool
-    auto_upgrade            = bool
-    disk_size               = optional(number)
-    disk_type               = optional(string)
-    image_type              = optional(string)
-    strategy                = optional(string)
-    max_surge               = optional(number)
-    max_unavailable         = optional(number)
-    node_pool_soak_duration = optional(string)
-    batch_soak_duration     = optional(string)
-    batch_percentage        = optional(number)
-    batch_node_count        = optional(number)
+    enabled                     = bool
+    autoscaling_profile         = string
+    min_cpu_cores               = number
+    max_cpu_cores               = number
+    min_memory_gb               = number
+    max_memory_gb               = number
+    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))
+    auto_repair                 = bool
+    auto_upgrade                = bool
+    disk_size                   = optional(number)
+    disk_type                   = optional(string)
+    image_type                  = optional(string)
+    strategy                    = optional(string)
+    max_surge                   = optional(number)
+    max_unavailable             = optional(number)
+    node_pool_soak_duration     = optional(string)
+    batch_soak_duration         = optional(string)
+    batch_percentage            = optional(number)
+    batch_node_count            = optional(number)
+    enable_secure_boot          = optional(bool, false)
+    enable_integrity_monitoring = optional(bool, true)
   })
   default = {
-    enabled             = false
-    autoscaling_profile = "BALANCED"
-    max_cpu_cores       = 0
-    min_cpu_cores       = 0
-    max_memory_gb       = 0
-    min_memory_gb       = 0
-    gpu_resources       = []
-    auto_repair         = true
-    auto_upgrade        = true
-    disk_size           = 100
-    disk_type           = "pd-standard"
-    image_type          = "COS_CONTAINERD"
+    enabled                     = false
+    autoscaling_profile         = "BALANCED"
+    max_cpu_cores               = 0
+    min_cpu_cores               = 0
+    max_memory_gb               = 0
+    min_memory_gb               = 0
+    gpu_resources               = []
+    auto_repair                 = true
+    auto_upgrade                = true
+    disk_size                   = 100
+    disk_type                   = "pd-standard"
+    image_type                  = "COS_CONTAINERD"
+    enable_secure_boot          = false
+    enable_integrity_monitoring = true
   }
   description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)"
 }

diff --git a/cluster.tf b/cluster.tf
@@ -141,6 +141,11 @@ resource "google_container_cluster" "primary" {
           }
         }
 
+        shielded_instance_config {
+          enable_secure_boot          = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+          enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+        }
+
 
         image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")
       }

diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf
@@ -31,7 +31,7 @@ module "enabled_google_apis" {
 
 module "gke" {
   source             = "terraform-google-modules/kubernetes-engine/google"
-  version            = "~> 30.0"
+  version            = "~> 31.0"
   project_id         = module.enabled_google_apis.project_id
   name               = "sfl-acm-part1"
   region             = var.region

diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf
@@ -31,7 +31,7 @@ module "enabled_google_apis" {
 
 module "gke" {
   source             = "terraform-google-modules/kubernetes-engine/google"
-  version            = "~> 30.0"
+  version            = "~> 31.0"
   project_id         = module.enabled_google_apis.project_id
   name               = "sfl-acm-part2"
   region             = var.region

diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf
@@ -33,7 +33,7 @@ module "enabled_google_apis" {
 
 module "gke" {
   source             = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
-  version            = "~> 30.0"
+  version            = "~> 31.0"
   project_id         = module.enabled_google_apis.project_id
   name               = "sfl-acm-part3"
   region             = var.region
@@ -48,7 +48,7 @@ module "gke" {
 
 module "wi" {
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
-  version             = "~> 30.0"
+  version             = "~> 31.0"
   gcp_sa_name         = "cnrmsa"
   cluster_name        = module.gke.name
   name                = "cnrm-controller-manager"

diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 
 module "gke" {
   source  = "terraform-google-modules/kubernetes-engine/google"
-  version = "~> 30.0"
+  version = "~> 31.0"
 
   project_id = var.project_id
   name       = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" {
 
   spec {
     container {
-      image = "nginx:1.26.0"
+      image = "nginx:1.27.0"
       name  = "nginx-example"
     }
   }

diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 
 module "gke" {
   source  = "terraform-google-modules/kubernetes-engine/google"
-  version = "~> 30.0"
+  version = "~> 31.0"
 
   project_id               = var.project_id
   name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"

diff --git a/examples/island_cluster_anywhere_in_gcp_design/README.md b/examples/island_cluster_anywhere_in_gcp_design/README.md
@@ -0,0 +1,37 @@
+# GKE island cluster anywhere in GCP design
+
+This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters across different GCP organizations.
+
+## Deploy
+
+1. Create NCC hub.
+2. Update `ncc_hub_project_id`, `ncc_hub_name`, `network_name` and gke spokes in `terraform.tfvars`.
+3. Run `terraform apply`.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gke\_spokes | n/a | `any` | n/a | yes |
+| ingress\_ip\_addrs\_subnet\_cidr | Subnet to use for reserving internal ip addresses for the ILBs. | `string` | n/a | yes |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
+| ncc\_hub\_name | n/a | `string` | n/a | yes |
+| ncc\_hub\_project\_id | n/a | `string` | n/a | yes |
+| net\_attachment\_subnet\_cidr | Subnet for the router PSC interface network attachment in island network. | `string` | n/a | yes |
+| node\_locations | n/a | `list(string)` | n/a | yes |
+| primary\_net\_name | Primary VPC network name. | `string` | n/a | yes |
+| primary\_subnet | Subnet to use in primary network to deploy the router. | `string` | n/a | yes |
+| proxy\_subnet\_cidr | CIDR for the regional managed proxy subnet. | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| router\_machine\_type | n/a | `string` | n/a | yes |
+| secondary\_ranges | n/a | `map(string)` | n/a | yes |
+| subnet\_cidr | Primary subnet CIDR used by the cluster. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_ids | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/island_cluster_anywhere_in_gcp_design/main.tf b/examples/island_cluster_anywhere_in_gcp_design/main.tf
@@ -0,0 +1,93 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "rand" {
+  byte_length = 4
+}
+
+resource "google_service_account" "gke-sa" {
+  for_each = { for k, v in var.gke_spokes : k => v }
+
+  account_id = "gke-sa-${random_id.rand.hex}"
+  project    = each.value["project_id"]
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
+  version = "~> 31.0"
+
+  for_each = { for k, v in var.gke_spokes : k => v }
+
+  name                                 = each.value["cluster_name"]
+  project_id                           = each.value["project_id"]
+  region                               = var.region
+  release_channel                      = "RAPID"
+  zones                                = var.node_locations
+  network                              = module.net[each.key].network_name
+  subnetwork                           = "${each.value["cluster_name"]}-${var.region}-snet"
+  ip_range_pods                        = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+  ip_range_services                    = "${each.value["cluster_name"]}-${var.region}-snet-services"
+  enable_private_endpoint              = true
+  enable_private_nodes                 = true
+  datapath_provider                    = "ADVANCED_DATAPATH"
+  monitoring_enable_managed_prometheus = false
+  enable_shielded_nodes                = true
+  master_global_access_enabled         = false
+  master_ipv4_cidr_block               = var.secondary_ranges["master_cidr"]
+  master_authorized_networks           = var.master_authorized_networks
+  deletion_protection                  = false
+  remove_default_node_pool             = true
+  disable_default_snat                 = true
+  gateway_api_channel                  = "CHANNEL_STANDARD"
+
+  node_pools = [
+    {
+      name                      = "default"
+      machine_type              = "e2-highcpu-2"
+      min_count                 = 1
+      max_count                 = 100
+      local_ssd_count           = 0
+      spot                      = true
+      local_ssd_ephemeral_count = 0
+      disk_size_gb              = 100
+      disk_type                 = "pd-standard"
+      image_type                = "COS_CONTAINERD"
+      logging_variant           = "DEFAULT"
+      auto_repair               = true
+      auto_upgrade              = true
+      service_account           = google_service_account.gke-sa[each.key].email
+      initial_node_count        = 1
+      enable_secure_boot        = true
+    },
+  ]
+
+  node_pools_tags = {
+    all = ["gke-${random_id.rand.hex}"]
+  }
+
+  node_pools_oauth_scopes = {
+    all = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+  }
+
+  timeouts = {
+    create = "15m"
+    update = "15m"
+    delete = "15m"
+  }
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml b/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
@@ -0,0 +1,88 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whereami
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: whereami
+  template:
+    metadata:
+      labels:
+        app: whereami
+    spec:
+      containers:
+      - name: whereami
+        image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.19
+        ports:
+          - name: http
+            containerPort: 8080
+        resources:
+          requests:
+            cpu: "50m"
+            memory: 128Mi
+          limits:
+            cpu: "100m"
+            memory: 256Mi
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whereami
+spec:
+  type: ClusterIP
+  selector:
+    app: whereami
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+---
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: l7-ilb
+spec:
+  gatewayClassName: gke-l7-rilb
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+  addresses:
+  - type: NamedAddress
+    value: gke-spoke-1-l7-rilb-ip
+---
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: whereami
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: l7-ilb
+  rules:
+  - backendRefs:
+    - name: whereami
+      port: 80