Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Extending the adopted spec, each change should have a link to its corresponding pull request appended.

17.3.0 (2021-11-23)

Features

Bug Fixes

17.2.0 (2021-11-12)

Features

  • Add beta support for confidential_nodes (#1040) (e105bb5)
  • Added support for specifying min_cpu_platform in node config - … (#1057) (23b5243)

Bug Fixes

  • Document grant_registry_access for Artifact Registry (#1044) (d3ca023)
  • pass REVISION_NAME to downstream install script (#1048) (dd410d7)
  • set image_type, machine_type, and sandboxing on default node pool to comply with validation policies (#1038) (8e92f6e)

17.1.0 (2021-10-27)

Features

  • Add support for CPU quota configs for node pools (#1032) (80252f3)

Bug Fixes

  • add missing required_providers on workload identity module (#1035) (04f7502)
  • adds metadata to the default node pool (#1018) (660ddc9)

17.0.0 (2021-09-28)

⚠ BREAKING CHANGES

  • Minimum beta provider version increased to v3.79.0.

Features

  • Add support for gVisor per node pool (#1001) (850c418)
  • Add support for setting additional pod_range to beta node pools (#984) (9d1274f)
  • Promote authenticator_security_group to GA modules (#989) (6042fd6)

Bug Fixes

16.1.0 (2021-08-14)

Features

  • add enable_namespace_creation flag for ASM module (#968) (8764b76)

Bug Fixes

  • Use provided k8s service account name when setting up workload identity (#972) (e00286f)
  • WI conditionally invoke data source if using external GSA (#974) (b208d5c)

16.0.1 (2021-07-23)

Bug Fixes

  • restore Workload Identity GSA resource name (#960) (8dbda1a)

16.0.0 (2021-07-23)

⚠ BREAKING CHANGES

  • add gpu node autoscaling support (#807) (#944)

Features

  • add gpu node autoscaling support (#807) (#944) (e53a949)
  • ASM CA option without providing CA_CERT maps and adding revision_name flag (#952) (64b782c)
  • Enables an existing GSA to be used when setting up Workload Identity (#955) (712fc54)

15.0.2 (2021-07-02)

Bug Fixes

15.0.1 (2021-06-14)

Bug Fixes

15.0.0 (2021-06-08)

⚠ BREAKING CHANGES

  • Updated ASM terraform module for 1.8 and 1.9 (#895)
  • K8s provider upgrade (#892)
  • Add multi-repo support for Config Sync (#872)
  • Add support for enable_l4_ilb_subsetting flag (#896)
  • For beta modules, support for google-beta provider versions older than v3.63 has been removed.

Features

  • Add multi-repo support for Config Sync (#872) (23da103)
  • Add support for enable_l4_ilb_subsetting flag (#896) (7531f90)
  • Add use local_ssd_ephemeral_count attribute in node_pool config on beta clusters (#902) (9335262)
  • K8s provider upgrade (#892) (9172b3e)
  • Updated ASM terraform module for 1.8 and 1.9 (#895) (e2ba8d2)

Bug Fixes

  • Add ability to impersonate service accounts in kubectl for all submodules (#903) (fc43485)
  • asm destroy (#922) (f3ddbf5)
  • Asm overlay path (#921) (5d3dc52)
  • docs: Describe ADVANCED_DATAPATH in more detail (#907) (c32c5d1)
  • Ensure the ASM module's destroy command removes all ASM components (#918) (00c2b71)
  • switch ASM API and IAM flags to use native resources (#914) (ff71123)

14.3.0 (2021-05-05)

Features

  • Introduce add_master_webhook_firewall_rules flag to add webhooks (#882) (8a5dcb8)
  • workload-identity: add entire GSA in output (#887) (734ce5d)

Bug Fixes

  • Add cluster ID to outputs (#886) (fc34eb6)
  • Remove data google_client_config from all modules as it is no longer used within modules (#875) (687dc71)
  • Remove unused local kubectl wrapper scripts (#876) (110adb6)

14.2.0 (2021-04-16)

Features

  • Add managed ctrl plane option to ASM module (#864) (7034f68)

Bug Fixes

  • Correct ConfigManagement hierarchyController definition (#861) (062bd5e)

14.1.0 (2021-04-01)

Features

  • Default to using cos_containerd image for GKE Sandbox clusters (#854) (1a2c26e)

14.0.1 (2021-03-12)

Bug Fixes

14.0.0 (2021-03-09)

⚠ BREAKING CHANGES

  • Added support for multi-project GKE Hub registration (#840)
  • The network_policy variable now defaults to false.
  • Replaced registry_project_id with registry_project_ids list.
  • Add support for asm v1.8 to the asm module (#824)

Features

  • Add dataplane-v2 provisioning support (#753) (d1fbef4)
  • Add new property to explicitly return GKE private_endpoint for auth module (#841) (1b99c07)
  • Add support for asm v1.8 to the asm module (#824) (923eff4)
  • Added support for multi-project GKE Hub registration (#840) (6dc1eb1)
  • Require actively enabling network policy (#809) (3354205)

Bug Fixes

  • Fix attribution for safer cluster modules (#830) (bb7c3ce)
  • Remove deprecated variable "registry_project_id" (#832) (83eae98)

13.1.0 (2021-02-16)

Features

  • Add support for creating "shadow" firewall rules for logging purposes (#741) (259dbfb)
  • Add support for multiple registry projects (#815) (5562cd6)
  • Add support for TPUs on beta clusters (#810) (fff0078)

Bug Fixes

  • Allow creating zonal clusters when region is not set. (#806) (f32dea7)

13.0.0 (2021-01-29)

⚠ BREAKING CHANGES

  • Minimum Terraform core version increased to 0.13.
  • dynamic operator yaml (#693)
  • Using in-cluster features now requires additional provider configuration. See the upgrade guide for details.

Features

  • Add maintenance exclusions support (#781) (0abbf41)
  • Add nodepool taints to keepers for update-variant (#717) (372a11c)
  • add support for Linux node config (#782) (98826e6)
  • Add Terraform 0.13 constraint and module attribution (#792) (32db990)
  • Add the option to disable Kubernetes SA annotation in workload-identity. (#787) (4e4ce02)
  • dynamic operator yaml (#693) (b1cce30)
  • Hub registration using kubeconfig and labels support (#785) (6a29e62)
  • remove wait for cluster script (#801) (356ed6d)
  • Set auto-provisioned node pools to use configured service account (#639) (4a61f76)
  • Support for ACM for non GKE clusters (#786) (aa551d5)

Bug Fixes

  • Move provider version constraint to required_providers block (#774) (825f287)
  • Remove provider config from module to be TF 0.13 compatible (#777) (81b0a94)

12.4.0 (2021-10-18)

Features

12.3.0 (2020-12-09)

Features

12.2.0 (2020-12-04)

Features

  • Add option for CPU manager policy (#749) (721f846)
  • added notification_config block to beta submodules (#752) (4a85321)
  • Enable ACM feature on hub (#722) (c199dae)
  • Grant roles/artifactregistry.reader to created service account when grant_registry_access is true (#748) (166fb24)

Bug Fixes

  • Make bash scripts more portable by referencing /usr/bin/env (#756) (24d6af6)
  • Remove max Terraform version constraint, allowing 0.14 compatibility (#757) (eb95de9)

12.1.0 (2020-11-10)

Features

  • Add cluster_telemetry var to beta submodules (#728) (e8291f0)
  • Add support for Cloud Run load balancer configuration (#740) (685a2db)
  • Support service account impersonation for wait-for-cluster script (#729) (75a56f1)

Bug Fixes

  • fallback to name if location is not set (#736) (63d7f5e)
  • multiple cluster wait-for-cluster.sh (#734) (6682911)
  • Updating the Binary Authorization submodule to allow Terraform 0.13 (#726) (df98cf9)

12.0.0 (2020-10-16)

⚠ BREAKING CHANGES

  • This is a backwards-incompatible release. See the upgrade guide for details.
  • GKE Hub functionality has been removed from ASM module (#665). Users can leverage Hub module for this functionality.
  • Removed the gcloud_skip_download variable and defaulted to never downloading gcloud. (#712) (f84e838)

Features

  • ACM - Wait for gatekeeper & Hub: expose module_depends_on (#689) (26ea28d)
  • add node_pool_taints to all the modules (#705) (68e8eec)
  • allow passing roles to created Workload Identity service account (#708) (e761dce)
  • Expose service account variable on ASM submodule (#658) (182dded)
  • hub make decode work with -d or --decode (#671) (0b5bd3d)
  • Hub submodule - add option to use existing service account to register clusters. (#678) (9f84cec)
  • Promote previously beta features to GA modules (#709) (2cb4fae), closes #708
  • ACM: fix bug when not using ssh secret type for ACM submodule (#679) (716867c)
  • make wait-for-cluster more robust (#676) (dffb047)

Bug Fixes

  • Correct WI module source in docs (#701) (f31b1f4)
  • Enable auto-upgrade in beta clusters with a release channel (#682) (21f95db)
  • Fix broken link in README.md (#691) (6f0e749)
  • Fix skip_provisioners enabled flag for wait_for_cluster (#669) (e293a43)
  • remove hub from asm module (#670) (6f419c3)
  • set project number for ASM install (#692) (c5d1e4d)
  • Shorten GSA account_id if necessary (#666) (0225458)

11.1.0 (2020-09-04)

Features

  • Add variable disable_default_snat (#625) (19a9e9c)
  • Update fields for ACM and Config Sync to bring them to feature parity (#635) (7fc3b48)

11.0.0 (2020-08-10)

⚠ BREAKING CHANGES

Features

  • Add support for enabling master_global_access, which is turned on by default. (#601) (8a9f904)
  • Allow user to customize ASM install with different directories and versions (#620) (d542c5c)
  • Update modules to use new kubectl module (#602) (794da61)

Bug Fixes

10.0.0 (2020-07-10)

⚠ BREAKING CHANGES

See the upgrade guide for details.

  • The default machine type has been changed to e2-medium. If you want the old default, you should specify it explicitly: machine_type = "n1-standard-2".
  • Pod security policy enablement has been changed to use a simple boolean flag (var.enable_pod_security_policy)

Features

  • add configconnector to safer variant (#581) (4b3f609)
  • Added variable for service dependency in binary_authorization sub module (#584) (e3e5458)
  • Changed default node pool machine type to e2-medium (#597) (1de41ef)

Bug Fixes

  • Compatibility for new asm release with 299.0.0 (#589) (a5213c4)
  • Explicitly specify VPC-native clusters for beta modules. (#598) (d9f7782)
  • Simplified pod security policy interface. (6069ece)
  • Typo in autogen/safer-cluster/README.md (#596) (ebdf57d)

9.4.0 (2020-06-25)

Features

  • Add ASM install submodule (#538) (6ff27f9)
  • Add bool option for automount_service_account_token (#571) (002cfb1)
  • Add firewall support safer-cluster modules (#570) (7ce3c49)

Bug Fixes

9.3.0 (2020-06-11)

Features

  • Add Beta Public Module Update Variant (#546) (d9f1ea8)
  • Add ConfigConnector configuration option (beta) (#547) (672adf9)

Bug Fixes

9.2.0 (2020-05-27)

Features

  • Add submodule for creating a binary authentication attestor (#530) (cc30fbb)
  • Add support for KALM config (#528) (6bf1178)

Bug Fixes

  • Add additional guardrails for disabled workload identity. (#542) (43c4349)

9.1.0 (2020-05-15)

Features

Bug Fixes

  • Update auth module to handle empty clusters (#521) (dd2afca)

9.0.0 (2020-05-07)

⚠ BREAKING CHANGES

See the upgrade guide for details.

  • Beta clusters now default to using the GKE_METADATA_SERVER. To use the old option, set node_metadata = "SECURE".
  • Minimum provider version increased to 3.19.
  • The ACM module has been refactored and resources will be recreated. This will show up in Terraform plans but is a safe no-op for Kubernetes.
  • For the safer cluster module, you must now specify release_channel instead of kubernetes_version.

Features

  • [safer-cluster] Replace "kubernetes_version" with "release_channel" (#487) (5791ac1)
  • Add an auth submodule outputting a kubeconfig (#469) (a5ace36)
  • Add config sync module (#493) (c090d5b)
  • Add fully configurable resource usage export block in GA and upgrade GCP provider (#491) (54eca6b)
  • Add GCE PD CSI Driver beta support (#497) (d96afa7)
  • Add support for setting firewall rules (#470) (16bdd6e)
  • Enable GKE_METADATA_SERVER as default node_metadata for beta-clusters (#490) (#512) (8e14762)
  • Expose the grant_registry_access variable in safer-cluster (#509) (0961613)

Bug Fixes

  • Correct identity namespace output for beta clusters (#500) (c783659), closes #489

8.1.0 (2020-04-10)

Features

  • Add peering_name output for private clusters and increase minimum provider version to 3.14 (#484) (ff6b5cc)
  • Add support for enabling Nodelocal dns cache (var.dns_cache) (#477) (de8e1d5)

Bug Fixes

  • Add stackdriver.resourceMetadata.writer role for SA to prevent monitoring errors (#485) (07de70b)

8.0.0 (2020-04-07)

v8.0.0 is a backwards-incompatible release. Please see the upgrading guide.

⚠ BREAKING CHANGES

  • Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set identity_namespace = null
  • Beta clusters now have shielded nodes enabled by default. To disable, set enable_shielded_nodes = false.

Features

  • Add support for setting var.istio_auth (#462) (fff4272)
  • Added support for specifying autoscaling_profile in var.cluster_autoscaling (#456) (1ac2c5c)
  • Enable WI and shielded nodes by default in beta clusters (#441) (704962b)
  • Rollout default_max_pods_per_node setting to GA modules (#439) (36ddbbb)

Bug Fixes

  • Correct bug in passing var.zones for safer cluster modules (#474) (7660b51)
  • Fix CI for Workload Identity (#460) (025f8b7)
  • Remove unused variable service_account in safer-cluster to avoid confusion (#448) (a30e7cd)
  • update and pin kubernetes provider to >= 1.11.1 (#453) (418d9b3)
  • Use gcloud module for ACM submodule, will force reinstall of ACM (#442) (9737190), closes #454

7.3.0 (2020-02-19)

Features

  • Add enable_kubernetes_alpha flag for beta clusters (#437) (f6f7370)

Bug Fixes

  • Rolled back to basic path routing for networks (#434) (8571f61)

7.2.0 (2020-02-11)

Features

  • Add master_ipv4_cidr_block output for private clusters (#427) (2cc64c8)
  • Allow workload identity submodule to update existing k8s SA. (#430) (51fba38)

Bug Fixes

7.1.0 (2020-02-07)

Features

Bug Fixes

  • Change for_each splat syntax on update variants, closes #414 (#415) (a20425f)
  • If release_channel is active, set min_master_version to null (#412) (4c7b399)
  • Prevents "Invalid index" when creating private cluster (#422) (cc53d1c), closes #419
  • Stop warning about deprecated external references from destroy provisioners. (#420) (c8fde26)

7.0.0 (2020-01-29)

⚠ BREAKING CHANGES

  • Minimum beta provider version increased to 3.1 to allow surge upgrades.
  • Beta clusters now have surge upgrades turned on by default. This behavior can be tuned using the max_surge and max_unavailable inputs.
  • Moves node pool state location to allow using for_each on them, see the upgrade guide for details.

Features

  • Add a service activation module (#146) (658ea51)
  • Enable Surge Upgrades by specifying max_surge and max_unavailable (Beta) (#394) (e4abe78)
  • Move to using for_each for node pools (#257) (7d0c9aa)

Bug Fixes

  • Change pod_security_policy_config type to list(object()) (#408) (a99352a)
  • Removed dependency on jq from wait-for-cluster.sh script (#402) (d2a5e28)

v6.2.0 - 2019-12-27

Fixed

  • Breaking: Changed default logging and monitoring providers to new Stackdriver versions. #384

Changed

  • Updated to support Google Provider version 3.x #381

v6.1.1 - 2019-12-04

Fixed

  • Fix endpoint output for private clusters where private_nodes=false. #365

v6.1.0 - 2019-12-03

Added

  • Support for using a pre-existing Service Account with the ACM submodule. #346

Fixed

  • Compute region output for zonal clusters. #362

v6.0.1 - 2019-12-02

Fixed

  • The required Google provider constraint has been relaxed to ~> 2.18 (>= 2.18, <3.0). #359

v6.0.0 - 2019-11-28

v6.0.0 is a backwards-incompatible release. Please see the upgrading guide.

Added

  • Support for Shielded Nodes beta feature via enabled_shielded_nodes variable. #300
  • Support for setting node_locations on node pools. #303
  • Fix for specifying node_count on node pools when autoscaling is disabled. #311
  • Added submodule for installing Anthos Config Management. #268
  • Support for local_ssd_count in node pool configuration. #339
  • Wait for cluster to be ready before returning endpoint. #340
  • safer-cluster submodule. #315
  • simple_regional_with_networking example. #195
  • release_channel variable for beta submodules. #271
  • The node_locations attribute to the node_pools object for beta submodules. #290
  • private_zonal_with_networking example. #308
  • regional_private_node_pool_oauth_scopes example. #321
  • The cluster_autoscaling variable for beta submodules. #93
  • The master_authorized_networks variable. #354

Changed

  • The node_pool_labels, node_pool_tags, and node_pool_taints variables have defaults and can be overridden within the node_pools object. #3
  • upstream_nameservers variable is typed as a list of strings. #350
  • The network_policy variable defaults to true. #138

Removed

  • Breaking: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. #337
  • Breaking: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. #261
  • Breaking: Removed the master_authorized_networks_config variable. #354

Fixed

  • identity_namespace output depends on the google_container_cluster.primary resource. #301
  • Idempotency of the beta submodules. #326

v5.1.1 - 2019-10-25

Fixed

  • Fixed bug with setting up sandboxing on nodes. #286

v5.1.0 - 2019-10-24

Added

  • Added ability to skip local-exec provisioners. #258
  • Added private and beta private variants which allow node pools to be created before being destroyed. #256
  • Add a parameter registry_project_id to allow connecting to registries in other projects. #273

Changed

  • Made region variable optional for zonal clusters. #247
  • Made default metadata, labels, and tags optional. #282

Fixed

  • Authenticate gcloud in wait-for-cluster.sh using value of GOOGLE_APPLICATION_CREDENTIALS. #284 #285

v5.0.0 - 2019-09-25

v5.0.0 is a backwards-incompatible release. Please see the upgrading guide.

The v5.0.0 module requires using the 2.12 version of the Google provider.

Changed

  • Breaking: Enabled metadata-concealment by default #248
  • All beta functionality removed from non-beta clusters, moved node_pool_taints to beta modules #228

Added

  • Added support for resource usage export config #238
  • Added sandbox_enabled variable to use GKE Sandbox #241
  • Added grant_registry_access variable to grant Container Registry access to created SA #236
  • Support for Intranode Visibility (IV) and Vertical Pod Autoscaling (VPA) beta features #216
  • Support for Workload Identity beta feature #234
  • Support for Google Groups based RBAC beta feature #217
  • Support for disabling node pool autoscaling by setting autoscaling to false within the node pool variable. #250

Fixed

  • Fixed issue with passing a dynamically created Service Account to the module. #27

v4.1.0 - 2019-07-24

Added

  • Support for GCE cluster resource_labels. #210

Changed

  • endpoint output depends on cluster and node pool resources to avoid a race condition. #214

v4.0.0 - 2019-07-12

Changed

  • Supported version of Terraform is 0.12. #177

v3.0.0 - 2019-07-08

v3.0.0 is a breaking release. Refer to the Upgrading to v3.0 guide for details.

Added

  • Add configuration flag for enabling BinAuthZ Admission controller #160 #188
  • Add configuration flag for pod_security_policy_config #163 #188
  • Support for a guest accelerator in node pool configuration. #197
  • Support to scale the default node cluster. #149
  • Support for configuring the network policy provider. #159
  • Support for database encryption. #165
  • Submodules for public and private clusters with beta features. #124 #188 #203
  • Support for configuring cluster IPv4 CIDRs. #193
  • Support for configuring IP Masquerade. #187
  • Support for v2.9 of the Google providers. #198
  • Support for upstreamNameservers. #207

Fixed

  • Dropped support for versions of the Google provider earlier than v2.9; these versions have multiple incompatibilities with the module. #198

v2.1.0 - 2019-05-30

Added

  • Support for v2.6 and v2.7 of the Google providers. #152
  • deploy_using_private_endpoint variable on private-cluster submodule. #136

Fixed

  • The dependency on jq has been documented in the README. #151

v2.0.1 - 2019-05-01

Fixed

  • Explicitly pinned supported version of Terraform Google provider to 2.3. #148

v2.0.0 - 2019-04-12

v2.0.0 is a breaking release. Refer to the Upgrading to v2.0 guide for details.

Added

  • Add basic_auth_username set to "" by default. #40
  • Add basic_auth_password set to "" by default. #40
  • Add issue_client_certificate set to false by default. #40
  • Add node_pool_oauth_scopes which enables overriding the default node pool OAuth scopes. #94

Changed

  • The service_account variable defaults to "create" which causes a cluster-specific service account to be created.
  • Disabled Basic Authentication by default. #40

v1.0.1 - 2019-04-04

Added

  • Note about using Terraform with private clusters. #121

Changed

  • Optimized dependency between node pools and primary cluster. #77
  • Removed credentials_path variables from examples. #89

Fixed

  • Fix empty zone list. #132

v1.0.0 - 2019-03-25

Version 1.0.0 of this module introduces a breaking change: adding the disable-legacy-endpoints metadata field to all node pools. This metadata is required by GKE and determines whether the /0.1/ and /v1beta1/ paths are available in the nodes' metadata server. If your applications do not require access to the node's metadata server, you can leave the default value of true provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to false to allow your applications access to the above metadata server paths.

In either case, upgrading to module version v1.0.0 will trigger a recreation of all node pools in the cluster.

Added

  • Allow creation of service accounts. #80
  • Add support for private clusters via submodule. #69
  • Add remove_default_node_pool set to false by default. Fixes #15. #55
  • Allow arbitrary key-value pairs to be set on node pool metadata. #52
  • Add initial_node_count parameter to node_pool block. #60
  • Added disable_legacy_metadata_endpoints parameter. #114

Changed

  • Set horizontal_pod_autoscaling to true by default. Fixes #42. #54
  • Update simple-zonal example GKE version to supported version. #49
  • Drop explicit version from simple_zonal example. #74
  • Remove explicit versions from test cases and examples. #62
  • Set up submodule structure for public and private clusters. #61
  • Update the google and google-beta providers to v2.2 #106

Fixed

  • Zonal clusters can now accept a single zone. Fixes #43. #50
  • Fix link to "configure a service account" #73
  • Fix issue with regional cluster roll outs causing version skews #108
  • Fix permanent metadata skew due to disable-legacy-endpoints keys #114

v0.4.0 - 2018-12-19

Added

  • Added support for testing with kitchen-terraform. #33
  • Added support for preemptible nodes. #38

Changed

  • Updated default version to 1.10.6. #31

Fixed

  • region argument on google_compute_subnetwork caused errors. #22
  • Added check to wait for GKE cluster to be READY before completing. #46

v0.3.0 - 2018-10-10

Changed

  • Updated network/subnetwork lookup to use data source. #16
  • Make zone configuration optional when creating a regional cluster. #19

v0.2.0 - 2018-09-26

Added

  • Support for configuring master authorized networks. #10
  • Support specifying monitoring and logging services. #9

v0.1.0 - 2018-09-12

Added

  • Initial release of module.