From 6d5d1c3764086a44a3c408efb603a772d1f4ccdd Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Thu, 14 Apr 2022 11:04:00 -0700 Subject: [PATCH] feat!: update kube-dns configMap using kubernetes_config_map_v1_data (#1214) * feat!: kube-dns using kubernetes_config_map_v1_data * fix: node_pool test with node auto-provisioning --- README.md | 2 - autogen/main/dns.tf.tmpl | 56 ++++--------------- autogen/main/variables.tf.tmpl | 12 ---- autogen/main/versions.tf.tmpl | 4 +- dns.tf | 54 ++++-------------- docs/upgrading_to_v21.0.md | 16 ++++++ .../beta-autopilot-private-cluster/README.md | 2 - modules/beta-autopilot-private-cluster/dns.tf | 53 ++++-------------- .../variables.tf | 12 ---- .../versions.tf | 2 +- .../beta-autopilot-public-cluster/README.md | 2 - modules/beta-autopilot-public-cluster/dns.tf | 53 ++++-------------- .../variables.tf | 12 ---- .../beta-autopilot-public-cluster/versions.tf | 2 +- .../README.md | 2 - .../dns.tf | 54 ++++-------------- .../variables.tf | 12 ---- .../versions.tf | 2 +- modules/beta-private-cluster/README.md | 2 - modules/beta-private-cluster/dns.tf | 54 ++++-------------- modules/beta-private-cluster/variables.tf | 12 ---- modules/beta-private-cluster/versions.tf | 2 +- .../README.md | 2 - .../beta-public-cluster-update-variant/dns.tf | 54 ++++-------------- .../variables.tf | 12 ---- .../versions.tf | 2 +- modules/beta-public-cluster/README.md | 2 - modules/beta-public-cluster/dns.tf | 54 ++++-------------- modules/beta-public-cluster/variables.tf | 12 ---- modules/beta-public-cluster/versions.tf | 2 +- .../private-cluster-update-variant/README.md | 2 - modules/private-cluster-update-variant/dns.tf | 54 ++++-------------- .../variables.tf | 12 ---- .../versions.tf | 2 +- modules/private-cluster/README.md | 2 - modules/private-cluster/dns.tf | 54 ++++-------------- modules/private-cluster/variables.tf | 12 ---- modules/private-cluster/versions.tf | 2 +- test/integration/node_pool/controls/gcloud.rb | 2 +- .../stub_domains/controls/kubectl.rb | 4 +- .../stub_domains_private/controls/kubectl.rb | 4 
+- .../controls/kubectl.rb | 4 +- .../upstream_nameservers/controls/kubectl.rb | 4 +- variables.tf | 12 ---- versions.tf | 2 +- 45 files changed, 146 insertions(+), 588 deletions(-) create mode 100644 docs/upgrading_to_v21.0.md diff --git a/README.md b/README.md index cbafbe9a75..be33562ca1 100644 --- a/README.md +++ b/README.md @@ -148,12 +148,10 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index 00297d6876..b9db91ca2e 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -17,43 +17,15 @@ {{ autogeneration_note }} /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - {% if autopilot_cluster != true %} - [for pool in google_container_node_pool.pools : pool.name] - {% endif %} - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -62,8 +34,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, {% if autopilot_cluster != true %} google_container_node_pool.pools, 
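Review bot: Switching the resource type to `kubernetes_config_map_v1_data` while keeping the name `kube-dns` (and the two sibling names in the hunks below) leaves `kubernetes_config_map.kube-dns[0]` in existing state with no graph edge to the new resource, so on an un-migrated upgrade Terraform destroys the old resource — deleting the live kube-system/kube-dns ConfigMap — in no guaranteed order relative to the new resource's patch. A `moved` block cannot express a type change, so all three `count`-indexed `kubernetes_config_map.*[0]` addresses must be removed from state first; the upgrade guide added in this commit names only `module.gke.kubernetes_config_map.kube-dns`. The new resource also depends on the ConfigMap already existing, which the replaced delete-then-create flow did not, and the header comment should say so: `# kube-dns is created by GKE; this resource only takes ownership of the stubDomains/upstreamNameservers keys and, as I read the provider, fails if the ConfigMap is absent`. The resource body continues past the end of this hunk.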
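Review bot: `force = true` makes every apply take field ownership of `stubDomains` away from whatever manager last wrote it, so an out-of-band edit to the kube-dns stub domains — an operator hotfix or an attempt to redirect cluster name resolution — is silently reverted instead of surfacing as a server-side-apply conflict. That is a defensible choice for a setting that steers cluster-wide DNS, but nothing in the hunk records the intent; a why-comment would: `# force: take ownership of these keys from any prior field manager so manual edits are reverted rather than reported as conflicts`. The `depends_on` still orders this after the cluster and node pools, which is what the patch needs. The enclosing resource starts before this hunk.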
@@ -71,17 +44,12 @@ EOF
 ]
 }
 
-resource "kubernetes_config_map" "kube-dns-upstream-namservers" {
+resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" {
   count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0
 
   metadata {
-    name = "kube-dns"
-
+    name = "kube-dns"
     namespace = "kube-system"
-
-    labels = {
-      maintained_by = "terraform"
-    }
   }
 
   data = {
@@ -90,8 +58,9 @@ ${jsonencode(var.upstream_nameservers)}
 EOF
   }
 
+  force = true
+
   depends_on = [
-    module.gcloud_delete_default_kube_dns_configmap.wait,
     google_container_cluster.primary,
     {% if autopilot_cluster != true %}
     google_container_node_pool.pools,
@@ -99,16 +68,12 @@ EOF
 ]
 }
 
-resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" {
+resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" {
   count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0
 
   metadata {
     name = "kube-dns"
     namespace = "kube-system"
-
-    labels = {
-      maintained_by = "terraform"
-    }
   }
 
   data = {
@@ -121,8 +86,9 @@ ${jsonencode(var.stub_domains)}
 EOF
   }
 
+  force = true
+
   depends_on = [
-    module.gcloud_delete_default_kube_dns_configmap.wait,
     google_container_cluster.primary,
     {% if autopilot_cluster != true %}
     google_container_node_pool.pools,
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index c1bb121768..399b1db09b 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -458,12 +458,6 @@ variable "firewall_inbound_ports" {
   default = ["8443", "9443", "15017"]
 }
 
-variable "gcloud_upgrade" {
-  type = bool
-  description = "Whether to upgrade gcloud at runtime"
-  default = false
-}
-
 variable "add_shadow_firewall_rules" {
   type = bool
   description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
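Review bot: The misspelled resource name `kube-dns-upstream-namservers` is carried onto the new `kubernetes_config_map_v1_data` type even though the type change already forces every consumer to drop the address from state and re-apply, so this is the one cheap moment to rename it to `kube-dns-upstream-nameservers` and list the corrected addresses in the upgrade guide. The three mutually exclusive blocks also repeat the same `metadata`, `force` and `depends_on`; a single resource with `count = (local.custom_kube_dns_config || local.upstream_nameservers_config) ? 1 : 0` and a `data` map built with `merge()` from the two locals would leave one state address to document, which could be a follow-up. The resource's `data` block lies outside this hunk.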
@@ -490,12 +484,6 @@ variable "disable_default_snat" {
 }
 {% endif %}
 
-variable "impersonate_service_account" {
-  type = string
-  description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
-  default = ""
-}
-
 {% if beta_cluster %}
 variable "notification_config_topic" {
   type = string
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 7a4d7ccb3a..478869dc30 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -28,7 +28,7 @@ terraform {
   }
   kubernetes = {
     source = "hashicorp/kubernetes"
-    version = "~> 2.0"
+    version = "~> 2.10"
   }
 }
 provider_meta "google-beta" {
@@ -42,7 +42,7 @@ terraform {
   }
   kubernetes = {
     source = "hashicorp/kubernetes"
-    version = "~> 2.0"
+    version = "~> 2.10"
   }
 }
 provider_meta "google" {
diff --git a/dns.tf b/dns.tf
index 1a4c059a30..bf0d05b723 100644
--- a/dns.tf
+++ b/dns.tf
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/docs/upgrading_to_v21.0.md b/docs/upgrading_to_v21.0.md new file mode 100644 index 0000000000..199bc067f6 --- /dev/null +++ b/docs/upgrading_to_v21.0.md 
@@ -0,0 +1,16 @@
+# Upgrading to v21.0
+
+The v21.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### Terraform Kubernetes Engine Module
+
+The [Terraform Kubernetes Engine Module](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine) has been rewritten to use the 'kubernetes_config_map_v1_data' resouce added to the Terraform Kubernetes provider version 2.10.
+
+1. Run `terraform state rm module.gke.kubernetes_config_map.kube-dns`
+2. Update the module version to v21.0
+4. Run `terraform apply`
+
+### Kubernetes Provider upgrade
+The Terraform Kubernetes Engine module now requires version 2.10 or higher of
+the Kubernetes Provider.
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 477ca75f08..b529daa285 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -91,12 +91,10 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
diff --git a/modules/beta-autopilot-private-cluster/dns.tf b/modules/beta-autopilot-private-cluster/dns.tf
index 07f05d1327..d9c4d7518f 100644
--- a/modules/beta-autopilot-private-cluster/dns.tf
+++ b/modules/beta-autopilot-private-cluster/dns.tf
@@ -17,40 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -59,23 +34,19 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -84,22 +55,19 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -112,8 +80,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index b6fb9443b7..c59bd0576a 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -337,12 +337,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -367,12 +361,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." 
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 9f174e0110..432f7dfc56 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
   }
   kubernetes = {
     source = "hashicorp/kubernetes"
-    version = "~> 2.0"
+    version = "~> 2.10"
   }
 }
 provider_meta "google-beta" {
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 0f186d676e..dea8aa7655 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -82,12 +82,10 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
diff --git a/modules/beta-autopilot-public-cluster/dns.tf b/modules/beta-autopilot-public-cluster/dns.tf
index 07f05d1327..d9c4d7518f 100644
--- a/modules/beta-autopilot-public-cluster/dns.tf
+++ b/modules/beta-autopilot-public-cluster/dns.tf
@@ -17,40 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -59,23 +34,19 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -84,22 +55,19 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -112,8 +80,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 92045a5060..dbeb0e9d30 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -306,12 +306,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -336,12 +330,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." 
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 0b21724474..30805b2d9f 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
   }
   kubernetes = {
     source = "hashicorp/kubernetes"
-    version = "~> 2.0"
+    version = "~> 2.10"
   }
 }
 provider_meta "google-beta" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 58552c3206..1982618734 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -198,12 +198,10 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 1a4c059a30..bf0d05b723 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index b0deff1945..a36617596a 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -434,12 +434,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -464,12 +458,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 46a2039bde..43d651161b 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 12fceb7438..7adb7a2713 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -176,12 +176,10 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index 1a4c059a30..bf0d05b723 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index b0deff1945..a36617596a 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -434,12 +434,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -464,12 +458,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 5e4229cead..d00560dffe 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d0475292cb..5fb6447227 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -189,12 +189,10 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf index 1a4c059a30..bf0d05b723 100644 --- a/modules/beta-public-cluster-update-variant/dns.tf +++ b/modules/beta-public-cluster-update-variant/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index cfbd3e080b..7ed1614d3c 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -403,12 +403,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -433,12 +427,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index a89a6116f0..8ef24c453b 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 3fd495ceeb..91766a636c 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -167,12 +167,10 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index 1a4c059a30..bf0d05b723 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index cfbd3e080b..7ed1614d3c 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -403,12 +403,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." 
@@ -433,12 +427,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 82fb95dd8c..a88675cd80 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index f82124de2c..e10051ca13 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -179,12 +179,10 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index 1a4c059a30..bf0d05b723 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 82f9bc4a9b..17a02fb465 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -391,12 +391,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -410,12 +404,6 @@ variable "shadow_firewall_rules_priority" { } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 4733793cd2..66b6540fbb 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google" { diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 35af609e56..879e3f65b4 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -157,12 +157,10 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index 1a4c059a30..bf0d05b723 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 82f9bc4a9b..17a02fb465 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -391,12 +391,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." 
@@ -410,12 +404,6 @@ variable "shadow_firewall_rules_priority" {
 }
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
-}
-
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 088a05ec11..10a89c4915 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google" {
diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb
index 5ed27d7919..1b2a6e24de 100644
--- a/test/integration/node_pool/controls/gcloud.rb
+++ b/test/integration/node_pool/controls/gcloud.rb
@@ -60,7 +60,7 @@ end
 describe "node pools" do
- let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } }
+ let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'] =~ %r{^nap-.*} } }
 it "has 3" do
 expect(node_pools.count).to eq 3
diff --git a/test/integration/stub_domains/controls/kubectl.rb b/test/integration/stub_domains/controls/kubectl.rb
index 1e53883a2d..861bedb9d7 100644
--- a/test/integration/stub_domains/controls/kubectl.rb
+++ b/test/integration/stub_domains/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do
 let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") }
- it "is created by Terraform" do
- expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform"
+ it "is managed by Terraform" do
+ expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform"
 end
 it "reflects the stub_domains configuration" do
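Review bot: In the new `let(:node_pools)` the filter `p['name'] =~ %r{^nap-.*}` uses a line-start anchor and a redundant `.*`, and allocates a MatchData only to be used as a boolean; `start_with?` says the same thing directly and is the form RuboCop's performance cops recommend, i.e. `let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'].start_with?("nap-") } }`. The `describe "node pools"` block continues past the hunk.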
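Review bot: `managedFields[0].manager` in the new `it "is managed by Terraform"` assertion ties the test to the position of Terraform's entry in `metadata.managedFields`, which is an ordering the API server chooses and not something the test controls; as soon as any other applier (a second field manager, a kubectl edit, a GKE component) touches the ConfigMap the test can fail even though Terraform still owns its keys. Asserting membership checks the commit's intent just as well and does not depend on ordering: `expect(kubedns_configmap.metadata.managedFields.map(&:manager)).to include "Terraform"`. The same indexed assertion is repeated in the `stub_domains_private`, `stub_domains_upstream_nameservers` and `upstream_nameservers` kubectl.rb hunks, and the enclosing `describe "kube-dns"` block continues past the hunk.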
diff --git a/test/integration/stub_domains_private/controls/kubectl.rb b/test/integration/stub_domains_private/controls/kubectl.rb
index 17502685d8..1c819c209e 100644
--- a/test/integration/stub_domains_private/controls/kubectl.rb
+++ b/test/integration/stub_domains_private/controls/kubectl.rb
@@ -42,8 +42,8 @@ describe "kube-dns" do
 let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") }
- it "is created by Terraform" do
- expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform"
+ it "is managed by Terraform" do
+ expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform"
 end
 it "reflects the stub_domains configuration" do
diff --git a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb b/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
index 8e8dfe086c..548140fc39 100644
--- a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
+++ b/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do
 let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") }
- it "is created by Terraform" do
- expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform"
+ it "is managed by Terraform" do
+ expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform"
 end
 it "reflects the stub_domains configuration" do
diff --git a/test/integration/upstream_nameservers/controls/kubectl.rb b/test/integration/upstream_nameservers/controls/kubectl.rb
index 21ec09c326..788c9f11d0 100644
--- a/test/integration/upstream_nameservers/controls/kubectl.rb
+++ b/test/integration/upstream_nameservers/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do
 let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") }
- it "is created by Terraform" do
- expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform"
+ it "is managed by Terraform" do
+ expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform"
 end
 it "reflects the upstream_nameservers configuration" do
diff --git a/variables.tf b/variables.tf
index f1b02095c2..9e2be9dd5e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -367,12 +367,6 @@ variable "firewall_inbound_ports" {
 default = ["8443", "9443", "15017"]
 }
-variable "gcloud_upgrade" {
- type = bool
- description = "Whether to upgrade gcloud at runtime"
- default = false
-}
-
 variable "add_shadow_firewall_rules" {
 type = bool
 description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
@@ -386,12 +380,6 @@ variable "shadow_firewall_rules_priority" {
 }
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
-}
-
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
diff --git a/versions.tf b/versions.tf
index dc54c64875..2a8dbe62e5 100644
--- a/versions.tf
+++ b/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google" {