From 91174ce05365eafebe4814e09b6e117f4c7348fe Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Fri, 26 Jan 2024 20:16:03 +0200
Subject: [PATCH] feat: Make confidential_nodes GA (#1815)
Signed-off-by: drfaust92
---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 3 +--
 autogen/main/main.tf.tmpl | 2 +-
 autogen/main/variables.tf.tmpl | 2 +-
 cluster.tf | 7 +++++++
 main.tf | 1 +
 modules/beta-autopilot-private-cluster/cluster.tf | 1 +
 modules/beta-autopilot-private-cluster/main.tf | 2 +-
 modules/beta-autopilot-public-cluster/cluster.tf | 1 +
 modules/beta-autopilot-public-cluster/main.tf | 2 +-
 modules/beta-private-cluster-update-variant/cluster.tf | 1 +
 modules/beta-private-cluster-update-variant/main.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 1 +
 modules/beta-private-cluster/main.tf | 2 +-
 modules/beta-public-cluster-update-variant/cluster.tf | 1 +
 modules/beta-public-cluster-update-variant/main.tf | 2 +-
 modules/beta-public-cluster/cluster.tf | 1 +
 modules/beta-public-cluster/main.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/private-cluster-update-variant/main.tf | 1 +
 modules/private-cluster-update-variant/variables.tf | 5 +++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 7 +++++++
 modules/private-cluster/main.tf | 1 +
 modules/private-cluster/variables.tf | 5 +++++
 variables.tf | 5 +++++
 27 files changed, 57 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 6bba665485..e6a8945f55 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 08b6264ae9..e04d86406d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -70,14 +70,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } -{% if beta_cluster %} + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { enabled = confidential_nodes.value.enabled } } -{% endif %} subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index d5c4bf784d..2b75d8e5ca 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
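Review bot: In the `autogen/main/cluster.tf.tmpl` hunk the `confidential_nodes` block is driven by `for_each = local.confidential_node_config`, so it is emitted only when the flag is true; with `enable_confidential_nodes = false` the attribute is simply absent from config, and if the provider treats it as computed when absent (worth confirming against the provider schema), a cluster whose confidential-nodes setting was changed outside Terraform will produce no plan diff, which weakens the flag as an enforced control. If drift detection is wanted the block could be made static, `confidential_nodes { enabled = var.enable_confidential_nodes }`, but that should first be checked against existing GA clusters for an unintended forced replacement, since the attribute is likely replace-on-change. Dropping the `{% if beta_cluster %}` guard is itself fine now that the block is GA. The enclosing `resource "google_container_cluster" "primary"` starts and ends outside the hunk.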
@@ -219,6 +219,7 @@ locals { cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates @@ -234,7 +235,6 @@ locals { {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 0f7f66474e..7445f9d476 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -544,12 +544,12 @@ variable "shadow_firewall_rules_log_config" { } } -{% if beta_cluster %} variable "enable_confidential_nodes" { type = bool description = "An optional flag to enable confidential node config." default = false } +{% if beta_cluster %} variable "workload_vulnerability_mode" { description = "(beta) Vulnerability mode." diff --git a/cluster.tf b/cluster.tf index c8c6465d24..2228fe8bbf 100644 --- a/cluster.tf +++ b/cluster.tf @@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/main.tf b/main.tf index 8ad332d19d..89889acbf1 100644 --- a/main.tf +++ b/main.tf 
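Review bot: In the `autogen/main/variables.tf.tmpl` hunk the description `An optional flag to enable confidential node config.` is now shown to GA users (and copied verbatim into the README rows) but says nothing about what the setting requires or what changing it does. Confidential GKE Nodes encrypt node VM memory with AMD SEV and only run on Confidential-VM-capable machine types such as the N2D family, and as far as I recall the cluster-level `confidential_nodes` block is replace-on-change in the provider, so flipping it on an existing cluster recreates the cluster — both are things an operator should see before setting it, in the style of the `disable_legacy_metadata_endpoints` description. Suggested: `description = "Enable Confidential GKE Nodes (AMD SEV memory encryption) for the cluster. Requires Confidential-VM-capable machine types (e.g. N2D) on all node pools; changing this on an existing cluster forces recreation."`. Separately, the generated `variables.tf` hunks add exactly five lines with no blank among them and land directly before `variable "security_posture_mode" {`, which suggests the relocated `{% if beta_cluster %}` tag swallows the separating blank line in the GA output; adding a blank line before the tag would keep the generated file consistent with its neighbours.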
@@ -162,6 +162,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 539b173783..00c767d99a 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -56,6 +56,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index b5ce225a9c..a7e90a1f5f 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -121,13 +121,13 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features 
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 2c9bf25fc0..bb7f73ae6b 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -56,6 +56,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 8b204a0404..0199ec231b 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -120,13 +120,13 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 2e4d762f4d..434bfedbb7 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 3fea94230a..b7f8f664ed 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -181,6 +181,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -191,7 +192,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index f2975f2683..1c8e68452c 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 3fea94230a..b7f8f664ed 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -181,6 +181,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -191,7 +192,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 5c28b74514..a79bf757d0 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 9264dab4b1..ee6ec17917 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -180,6 +180,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -190,7 +191,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3c462677bb..57f7d04c18 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 9264dab4b1..ee6ec17917 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -180,6 +180,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] 
@@ -190,7 +191,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 21737fcee0..646278d5ca 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -184,6 +184,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index ce5ba2801e..2c97d719c6 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 386f42b3c0..98283ce979 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -163,6 +163,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c8484137a4..483f3f3f48 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -513,6 +513,11 @@ variable "shadow_firewall_rules_log_config" { } } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index f6625e314e..f6f4851284 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -162,6 +162,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 6172828642..b410c17958 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 386f42b3c0..98283ce979 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -163,6 +163,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c8484137a4..483f3f3f48 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -513,6 +513,11 @@ variable "shadow_firewall_rules_log_config" { } } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." diff --git a/variables.tf b/variables.tf index a3d70374a9..ea04722045 100644 --- a/variables.tf +++ b/variables.tf 
@@ -483,6 +483,11 @@ variable "shadow_firewall_rules_log_config" { } } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."