From d1fbef4c9a88f8bf6d1f7e3e8cb9e87811a8a8b0 Mon Sep 17 00:00:00 2001 From: Ryan Atkins <7253933+ryan-atkins@users.noreply.github.com> Date: Fri, 5 Mar 2021 09:58:59 -0800 Subject: [PATCH] feat: Add dataplane-v2 provisioning support (#753) * add datapath_provider var for beta clusters * incorporate datapath_provider option * update tests for datapath_provider beta cluster * example README var updates * remove network_policy var usage * finish docs updates Co-authored-by: ryan-atkins <> --- autogen/main/cluster.tf.tmpl | 3 +++ autogen/main/variables.tf.tmpl | 7 +++++++ examples/simple_regional_beta/README.md | 1 + examples/simple_regional_beta/main.tf | 3 +++ examples/simple_regional_beta/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 1 + modules/beta-private-cluster-update-variant/variables.tf | 5 +++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 1 + modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 1 + modules/beta-public-cluster-update-variant/variables.tf | 5 +++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 1 + modules/beta-public-cluster/variables.tf | 5 +++++ test/fixtures/beta_cluster/main.tf | 3 +++ test/integration/beta_cluster/controls/gcloud.rb | 6 ++++++ 19 files changed, 57 insertions(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index a9674146289..d6c3fe4c4ed 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -189,6 +189,9 @@ resource "google_container_cluster" "primary" { } {% endif %} } + {% if beta_cluster %} + datapath_provider = var.datapath_provider + {% endif %} {% if beta_cluster %} networking_mode = "VPC_NATIVE" 
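Review bot: The new `datapath_provider = var.datapath_provider` line is emitted with no relation to the network-policy settings the module evidently still exposes (variables.tf.tmpl in this same patch carries `network_policy_provider` defaulting to `CALICO`), yet a cluster created with `ADVANCED_DATAPATH` and the Calico addon enabled is, as far as I recall, rejected by the GKE API at apply time, because Dataplane V2 ships its own built-in NetworkPolicy enforcement and cannot be combined with the addon. At minimum the line deserves a comment such as `# ADVANCED_DATAPATH (Dataplane V2) enforces NetworkPolicy natively; the network_policy addon must stay disabled with it`, and ideally the addon block should be guarded on `var.datapath_provider != "ADVANCED_DATAPATH"`. I also believe the provider treats `datapath_provider` as create-time only, so changing it on an existing cluster forces replacement — worth stating next to the line (`# changing this after creation replaces the cluster`), with the ForceNew behaviour confirmed against the provider schema. The `google_container_cluster` resource starts before and continues past this hunk, so the `network_policy` block it interacts with is not visible here.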
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index bd75e20a877..6051162161c 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -107,6 +107,13 @@ variable "network_policy_provider" {
 description = "The network policy provider."
 default = "CALICO"
 }
+{% if beta_cluster %}
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
+{% endif %}
 variable "maintenance_start_time" {
 type = string
diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md
index d849d2bfffa..5b49a79de21 100644
--- a/examples/simple_regional_beta/README.md
+++ b/examples/simple_regional_beta/README.md
@@ -11,6 +11,7 @@ This example illustrates how to create a simple cluster with beta features.
 | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
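Review bot: The new `datapath_provider` variable accepts any string, so a typo such as `ADVANCED_DATA_PATH` is only caught by the API on apply, after the rest of the plan has been evaluated; a `validation` block rejects it at plan time (this assumes the module already requires Terraform 0.13+, which I cannot confirm from the hunk). The description also names no accepted values, so a caller has to consult the provider docs to learn that `ADVANCED_DATAPATH` is the value that turns on Dataplane V2 and its built-in NetworkPolicy enforcement, and it is silent on the create-time-only nature of the field that I believe the provider enforces (please verify against the provider schema before keeping that sentence). Proposed rewrite of the variable body, with the surrounding `{% if beta_cluster %}` guard unchanged:
```hcl
variable "datapath_provider" {
  type        = string
  description = "The desired datapath provider for this cluster. One of DATAPATH_PROVIDER_UNSPECIFIED (server default, currently the IPTables-based kube-proxy implementation), LEGACY_DATAPATH, or ADVANCED_DATAPATH (GKE Dataplane V2, eBPF-based, with built-in NetworkPolicy enforcement; do not also enable the network_policy addon). Changing this on an existing cluster forces replacement."
  default     = "DATAPATH_PROVIDER_UNSPECIFIED"

  validation {
    condition     = contains(["DATAPATH_PROVIDER_UNSPECIFIED", "LEGACY_DATAPATH", "ADVANCED_DATAPATH"], var.datapath_provider)
    error_message = "Value of datapath_provider must be one of DATAPATH_PROVIDER_UNSPECIFIED, LEGACY_DATAPATH or ADVANCED_DATAPATH."
  }
}
```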
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
+| datapath\_provider | The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index 7dbb3bdc228..e79e7275e48 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -60,4 +60,7 @@ module "gke" {
 # Disable workload identity
 identity_namespace = null
 node_metadata = "UNSPECIFIED"
+
+ # Enable Dataplane Setup
+ datapath_provider = "ADVANCED_DATAPATH"
 }
diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf
index cdedce33d2b..8af6ea5afd7 100644
--- a/examples/simple_regional_beta/variables.tf
+++ b/examples/simple_regional_beta/variables.tf
@@ -123,3 +123,9 @@ variable "regional" {
 description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
 default = true
 }
+
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 17f5c204d7b..79844c9b730 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
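Review bot: `datapath_provider = "ADVANCED_DATAPATH"` is hard-coded in the `module "gke"` call even though the same commit adds a `datapath_provider` input to this example's variables.tf (the next hunk on this line, default `DATAPATH_PROVIDER_UNSPECIFIED`), so that input is dead: `terraform apply -var datapath_provider=LEGACY_DATAPATH` would still build a Dataplane V2 cluster without any warning. Either pass it through with `datapath_provider = var.datapath_provider` and set `ADVANCED_DATAPATH` in the example's tfvars/README, or drop the variable. The comment `# Enable Dataplane Setup` is also vaguer than it needs to be; `# Enable GKE Dataplane V2 (eBPF datapath with built-in NetworkPolicy enforcement; immutable after creation)` tells a reader what is actually being switched on, with the immutability claim checked against the provider docs. The `module "gke"` block starts before this hunk, so I cannot see whether it also passes `network_policy`, which must not be enabled together with Dataplane V2.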
@@ -170,6 +170,7 @@ Then perform the following commands on the root folder:
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
+| datapath\_provider | The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 79a44c42a4b..f8e6ce526e6 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -172,6 +172,7 @@ resource "google_container_cluster" "primary" {
 enabled = var.config_connector
 }
 }
+ datapath_provider = var.datapath_provider
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index e1045edf1ec..e1bfe60f449 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -107,6 +107,11 @@ variable "network_policy_provider" {
 description = "The network policy provider."
 default = "CALICO"
 }
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
 variable "maintenance_start_time" {
 type = string
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 275a613c01a..60c929e0ec3 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -148,6 +148,7 @@ Then perform the following commands on the root folder:
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
+| datapath\_provider | The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index c42081da3e2..5681faa2f89 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -172,6 +172,7 @@ resource "google_container_cluster" "primary" {
 enabled = var.config_connector
 }
 }
+ datapath_provider = var.datapath_provider
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index e1045edf1ec..e1bfe60f449 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -107,6 +107,11 @@ variable "network_policy_provider" {
 description = "The network policy provider."
 default = "CALICO"
 }
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
 variable "maintenance_start_time" {
 type = string
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 89d237c6202..4466e33c265 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -164,6 +164,7 @@ Then perform the following commands on the root folder:
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
+| datapath\_provider | The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index cb5db2783e1..5bef8c1481d 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -172,6 +172,7 @@ resource "google_container_cluster" "primary" {
 enabled = var.config_connector
 }
 }
+ datapath_provider = var.datapath_provider
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 347359ab7a8..df550dce427 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -107,6 +107,11 @@ variable "network_policy_provider" {
 description = "The network policy provider."
 default = "CALICO"
 }
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
 variable "maintenance_start_time" {
 type = string
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index ff180acd04d..5a6fcc3a43b 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -142,6 +142,7 @@ Then perform the following commands on the root folder:
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
+| datapath\_provider | The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index da7ab37e127..1ead5fcc135 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -172,6 +172,7 @@ resource "google_container_cluster" "primary" {
 enabled = var.config_connector
 }
 }
+ datapath_provider = var.datapath_provider
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 347359ab7a8..df550dce427 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -107,6 +107,11 @@ variable "network_policy_provider" {
 description = "The network policy provider."
 default = "CALICO"
 }
+variable "datapath_provider" {
+ type = string
+ description = "The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation."
+ default = "DATAPATH_PROVIDER_UNSPECIFIED"
+}
 variable "maintenance_start_time" {
 type = string
diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf
index bd1a91b3548..33832103d21 100644
--- a/test/fixtures/beta_cluster/main.tf
+++ b/test/fixtures/beta_cluster/main.tf
@@ -61,6 +61,9 @@ module "this" {
 enable_binary_authorization = true
 enable_pod_security_policy = true
+
+ // Dataplane-V2 Feature
+ datapath_provider = "ADVANCED_DATAPATH"
 }
 data "google_client_config" "default" {
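Review bot: The fixture's new lines use a `//` comment (`// Dataplane-V2 Feature`) where the example added in the same commit uses `#`; `terraform fmt` leaves both forms alone, so the inconsistency will persist unless fixed by hand — prefer `# Enable GKE Dataplane V2 so the gcloud integration control can assert networkConfig.datapathProvider`. More importantly, this fixture now combines `ADVANCED_DATAPATH` with whatever `network_policy` value the `module "this"` block already carries (the block starts before this hunk, so I cannot see it); if it is `true`, the API will, as far as I know, reject the cluster because Dataplane V2 replaces the Calico addon with built-in NetworkPolicy enforcement, so an explicit `network_policy = false` next to the new line would make the constraint visible and keep the fixture self-explaining.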
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 8653bc8d8a8..6cba10bac1e 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -73,6 +73,12 @@
 )
 end
+ it "has the expected datapathProvider config" do
+ expect(data['networkConfig']).to include(
+ "datapathProvider" => "ADVANCED_DATAPATH"
+ )
+ end
+
 it "has the expected binaryAuthorization config" do
 expect(data['binaryAuthorization']).to eq({
 "enabled" => true,
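Review bot: The new control pins only the positive flag, `"datapathProvider" => "ADVANCED_DATAPATH"`; since Dataplane V2 supersedes the Calico addon with built-in NetworkPolicy enforcement, a later regression that re-enables the addon alongside it (or a module change that silently drops the datapath setting when network policy is on) would not be caught by this expectation alone. A companion assertion on the addon state, for example `expect(data['networkPolicy']).to be_nil` or `expect(data['networkPolicy']).to include("enabled" => false)`, would make the fixture's intended security posture explicit — the exact key and shape should be confirmed against a real `gcloud container clusters describe --format=json` output before choosing between those two forms. The `describe`/`control` block enclosing these examples starts before and ends after this hunk.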