From de4c4866447e43d8fee9679f9f7c684863644f36 Mon Sep 17 00:00:00 2001 From: anoxape <2760053+anoxape@users.noreply.github.com> Date: Wed, 29 Jun 2022 21:43:14 -0700 Subject: [PATCH] feat: support gVNIC (#1296) Co-authored-by: Bharath KKB --- README.md | 2 ++ autogen/main/README.md | 2 ++ autogen/main/cluster.tf.tmpl | 14 ++++++++++++++ cluster.tf | 13 +++++++++++++ .../beta-private-cluster-update-variant/README.md | 2 ++ .../beta-private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 13 +++++++++++++ .../beta-public-cluster-update-variant/README.md | 2 ++ .../beta-public-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 13 +++++++++++++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 13 +++++++++++++ 16 files changed, 124 insertions(+) diff --git a/README.md b/README.md index 0911237b24..522564c06e 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -239,6 +240,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 5169793c14..6fde2af604 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -109,6 +109,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -196,6 +197,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 49e9c5ac66..2c40828480 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -311,6 +311,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( @@ -447,6 +454,7 @@ locals { "spot", "service_account", "enable_gcfs", + "enable_gvnic", "enable_secure_boot", ] } 
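Review bot: Adding `enable_gvnic` to the locals list at `@@ -447` (beside `enable_gcfs` and `enable_secure_boot`) means that in the update-variant modules, where that list appears to feed the node-pool keeper hash, flipping the flag recreates the pool, and if `node_config.gvnic` is a ForceNew argument in the provider (as I believe it is) the same replacement happens in the non-variant modules too; nothing in the patch tells the operator this. I would extend the README row to `| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. Changing this value recreates the node pool. | false | Optional |`. The module also does not check that `image_type` is a COS variant when `enable_gvnic` is true, so a mismatch only surfaces when nodes fail to boot; a `validation` is awkward on `list(map(string))`, but a one-line comment on the new block, `# requires a COS image_type (GVE driver); not validated here`, would at least warn the next maintainer. The `google_container_cluster` resource and the `locals` block both extend outside the hunk.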
@@ -598,6 +606,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/cluster.tf b/cluster.tf index 8565e41a9e..6de632f8a9 100644 --- a/cluster.tf +++ b/cluster.tf @@ -181,6 +181,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( @@ -307,6 +314,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index b75726f7a7..fbaaeb9e0f 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -92,6 +92,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
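Review bot: The new `dynamic "gvnic"` block only ever emits `enabled = true` — when `enable_gvnic` is false or unset the block is omitted entirely, so a pool switched from `true` back to `false` never sends `gvnic { enabled = false }` to the API, and whether the provider then disables gVNIC or treats the absent block as "leave as is" is not visible here and should be confirmed before the documented default of `false` is relied on. If an explicit toggle is intended, `for_each = [lookup(each.value, "enable_gvnic", false)]` with `enabled = tobool(gvnic.value)` would always send the value, at the cost of a plan diff on existing pools; if omit-when-false is deliberate (it mirrors `gcfs_config` just above), a comment such as `# block is only emitted when enabled; an absent block leaves the provider default rather than forcing gVNIC off` would keep the next reader from assuming false is enforced. The identical hunks in `cluster.tf` and `modules/*/cluster.tf` look generated from this template, so the fix belongs here followed by a regenerate rather than hand edits. The enclosing `google_container_node_pool` resource continues outside the hunk.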
@@ -313,6 +314,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 65d0f2530f..ac589a7faf 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -274,6 +274,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( @@ -394,6 +401,7 @@ locals { "spot", "service_account", "enable_gcfs", + "enable_gvnic", "enable_secure_boot", ] } 
@@ -531,6 +539,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index a55d71e273..af7801ef69 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -70,6 +70,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -291,6 +292,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index b3e1c8db5c..ad630ef7c5 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -274,6 +274,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( 
@@ -443,6 +450,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 2810e838a3..39c87f0ec6 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -86,6 +86,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -300,6 +301,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 0f7d3b7cd6..8fb29d2f5b 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -274,6 +274,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( @@ -375,6 +382,7 @@ locals { "spot", "service_account", "enable_gcfs", + "enable_gvnic", "enable_secure_boot", ] } 
@@ -512,6 +520,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 6e7ad6c702..1cec3ada38 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -64,6 +64,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -278,6 +279,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 32d22347de..012ce31570 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -274,6 +274,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( 
@@ -424,6 +431,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 9add63fa06..cdc59dbd55 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -88,6 +88,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -273,6 +274,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 6e65239e11..a52836d8b5 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -181,6 +181,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( @@ -281,6 +288,7 @@ locals { "spot", "service_account", "enable_gcfs", + "enable_gvnic", "enable_secure_boot", ] } 
@@ -408,6 +416,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 286d9a0b09..e7251e2710 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -66,6 +66,7 @@ module "gke" { disk_type = "pd-standard" image_type = "COS_CONTAINERD" enable_gcfs = false + enable_gvnic = false auto_repair = true auto_upgrade = true service_account = "project-service-account@.iam.gserviceaccount.com" 
@@ -251,6 +252,7 @@ The node_pools variable takes the following parameters: | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional | +| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 91e16f98e3..aaedfaf344 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -181,6 +181,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } + service_account = lookup(var.node_pools[0], "service_account", local.service_account) tags = concat( 
@@ -320,6 +327,12 @@ resource "google_container_node_pool" "pools" { enabled = gcfs_config.value } } + dynamic "gvnic" { + for_each = lookup(each.value, "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},