All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Extending the adopted spec, each change should have a link to its corresponding pull request appended.
33.1.0 (2024-10-09)
- add a flag to allow access through Google Cloud public IP addresses (#2078) (2f412bb)
- added confidential-nodes flag for node-pools (#2110) (b2a597b)
- enable L4 ILB subsetting support for safer clusters (#2105) (0733908)
- acm: correct membership location (#2128) (7cf9894)
- acm: use membership registration location (#2123) (caa194f)
- allow changing
enable_identity_service
value in place (#2132) (9c2191e) - allow null
enable_gcfs
setting in defined nodepools (#2111) (700a01d) - autopilot: narrow version exclusion (#2112) (620bf32)
- ignore control plane network when private endpoint subnet is set (#2122) (a4b130d)
33.0.4 (2024-09-18)
33.0.3 (2024-09-13)
33.0.2 (2024-09-13)
33.0.1 (2024-09-11)
33.0.0 (2024-09-11)
- beta-autopilot: enable gcfs by default (#2066)
- TPG>=5.41: add config_sync.enabled (#2074)
- update relay_mode to enable_relay (#2067)
- private_cluster: enable private nodes by default (#2064)
- deps: Update Terraform terraform-google-modules/project-factory/google to v16 (#2057)
- beta-autopilot: enable gcfs by default (#2066) (a083437)
- deps: Update Terraform Google Provider to v6 (major) (#2063) (8b7e342)
- private_cluster: enable private nodes by default (#2064) (e11787c)
- support reservation affinity (#2010) (7cc0626)
- avoid TPGv5.44.0 with Autopilot (#2076) (f54d2e1)
- deps: Update Terraform terraform-google-modules/project-factory/google to v16 (#2057) (8e53122)
- Node Pool enable_gcfs true:false (#1976) (419078d)
- TPG>=5.41: add config_sync.enabled (#2074) (4939c6f)
- update relay_mode to enable_relay (#2067) (dafdd72)
32.0.4 (2024-08-26)
32.0.3 (2024-08-22)
32.0.2 (2024-08-21)
32.0.1 (2024-08-20)
- fleet_app_operator_permissions: enable multi use per project (#2045) (a83100d)
- fleet_app_operator_permissions: optional groups and users (#2044) (a5a67e5)
- gcfs AP diff and general cleanup (#2043) (ec42a18)
- remove duplicte enable_secure_boot (#2040) (d469973)
32.0.0 (2024-08-10)
- TPG>=5.40.0: Add support for RayOperator Addon (#2032)
- TPG>=5.33: add secret manager add-on config to beta modules (#1977)
- Add additional functionality for autopilot clusters (#1985) (3b0bbe8)
- add notification event filter (#1996) (9ff1b5e)
- add optional private_endpoint_subnetwork variable in private submodules (#2009) (7a2e9b8)
- add support for
logging_variant
in Autopilot clusters (#1962) (08028a8) - add support for additive_vpc_scope_dns_domain (#1998) (b54b7ba)
- add support for confidential storage + docs fixes (#2003) (270a5c7)
- allow default node pools metadata key-value pairs to be disabled (#2005) (318f38f)
- anthos modules remote fleet project (#1995) (674f772)
- bump
enable_intranode_visibility
to GA (#1956) (4274b0e) - bump identity_service_config to ga (#1997) (9d6a400)
- bump kubelet config to ga + minor doc fixes (#1994) (6bd1bc1)
- cluster.tf: add support for setting cgroup mode (#2001) (3fc4db4)
- enable binauthz for autopilot (#2030) (3ebf04a)
- extend enable_secret_manager_addon to beta-autopilot clusters (#2017) (7f31e96)
- Fleet app operator permissions (#1986) (e0fd03a)
- support enable_nested_virtualization (#2012) (e298e74)
- support workload_identity_config on autopilot (#2011) (b4f2e14)
- TPG>=5.33: add secret manager add-on config to beta modules (#1977) (5c58d89)
- TPG>=5.40.0: Add support for RayOperator Addon (#2032) (c046af1)
- add missing gpu node pool param docs (#2023) (ac76d4d)
- empty addons_config handling (#1978) (9ae8b38)
- enable_confidential_storage fix (#2018) (12cfe5e)
- skip service account
random_string
when not needed (#2024) (be88d19)
31.1.0 (2024-06-26)
- Add enable_cilium_clusterwide_network_policy support (#1972) (72cf873)
- Add enable_l4_ilb_subsetting for autopilot clusters (#1969) (c48dc6e)
- add pod_pids_limit for kubelet_config in all modules, example and autogen (#1922) (eec38a2)
- Adding extra permissions to the cluster's default service account (#1943) (4fab404)
- Set boot_disk_kms_key cluster wide and for cluster_autoscaling (#1959) (654868e)
- avoid
auto_provisioning_defaults
drift (#1806) (0005ab9) - firewall rules for autopilot clusters are ineffective. add cluster_network_tag to autopilot cluster network_tags if firewalls are toggled on (#1817) (e7b20cd)
- Fix the value of output "identity_service_enabled" in beta modules (#1982) (a6210fc)
31.0.0 (2024-05-28)
- TPG>=5.25.0: bump for #1948 (#1955)
- TPG>=5.21: add queued_provisioning (#1950)
- TPG>=5.25.0: Add support for StatefulHA Addon (#1948)
- deps: Update Terraform terraform-google-modules/project-factory/google to v15 (#1936)
- Add local_ssd_ephemeral_count to default configuration (#1944) (04ebd0c)
- add missing dns_cache output in non beta (#1864) (3d5cc9f)
- Add option image_type in cluster_autoscaling block (#1905) (2272164)
- Add secondary_boot_disks to node_pool configuration. (#1946) (11bae67)
- add security posture VULNERABILITY_ENTERPRISE (#1947) (c48c8ab)
- add support for gpu_sharing_config on nodepool (#1874) (b57387c)
- Add threads_per_core setting for node config in node pools (#1942) (e573ced)
- Add upgrade_settings for NAP created node pools (#1908) (c87bb41)
- TPG>=5.21: add queued_provisioning (#1950) (c87333b)
- TPG>=5.25.0: Add support for StatefulHA Addon (#1948) (acbb453)
- add gpu_driver_version to recreate list + docs (#1913) (12cf40f)
- deps: Update Terraform terraform-google-modules/project-factory/google to v15 (#1936) (d01e5bc)
- docs: remove beta from docs from non beta arguments (#1957) (3de63b3)
- dynamic block ephemeral_storage_local_ssd_config (#1951) (26eb7c0)
- local nvme ssd count (#1937) (dbd90e3)
- TPG>=5.25.0: bump for #1948 (#1955) (b12c2e7)
30.3.0 (2024-05-09)
- add enable_l4_ilb_subsetting for GA TPG (#1924) (da0476a)
- adds local_nvme_ssd_block_config to beta-public-cluster (#1912) (f7c2ed9)
- network tags for autoprovisioned node pools (#1920) (f864e8a)
- safer-clusters: add components selection for monitoring (#1851) (15b472f)
30.2.0 (2024-03-08)
30.1.0 (2024-02-26)
- add direct fleet registration option (#1878) (6b267bd)
- add optional membership_location to fleet-membership (#1860) (163de39)
30.0.0 (2024-01-31)
- TPG>=5.9: cluster autoscaling profile is GA (#1839)
- Update least privilege default service account (#1844)
- TPG>=5.6: use hub membership location for output (#1824)
- Revert create least privilege default service account (#1757) (#1827)
- TF>=1.1: Configure ASM management mode (#1702)
- add advanced datapath observability config option (#1776) (90e9bdf)
- Add support for configuring allow_net_admin in autopilot clusters (#1768) (493149d)
- add support for pod_range in private cluster (#1803) (9c62f1f)
- dual stack (IPV4_IPV6) support (#1818) (d6cb390)
- Make confidential_nodes GA (#1815) (322a5ee)
- promote tpu to ga (#1856) (ba78819)
- TF>=1.1: Configure ASM management mode (#1702) (a9de2d7)
- TPG>=5.6: use hub membership location for output (#1824) (13e79af)
- TPG>=5.9: cluster autoscaling profile is GA (#1839) (495623e)
- Update least privilege default service account (#1844) (c63aa4f)
- workload-identity: Allow passing Google Service Account display_name and description (#1834) (b387621)
- Add project ID to the fleet feature membership for ASM (#1832) (1835f80)
- alpha option for cluster creation (#1796) (67b67f3)
- CI: extend wait time for ACM (#1861) (3d840c0)
- Do not ignore "mesh_id" label on "google_container_cluster" resource (#1836) (95641a6)
- Revert create least privilege default service account (#1757) (#1827) (0d7f638)
29.0.0 (2023-11-02)
- TPGv5: update to TPG v5 (#1761)
- align keepers with ForceNew: true fields (#1698)
- Create least privilege default service account (#1757)
- acm: remove direct kubectl commands (#1751)
- TPG>=4.81.0: add fqdn policies (#1729)
- enabling vulnerability and audit modes for workloads (#1749)
- support for enabling image streaming at cluster level (#1696)
- make promethus configurable (#1715)
- Add support for additional pod secondary ranges at the cluster level (#1738)
- acm: remove direct kubectl commands (#1751) (4c27a6a)
- add security posture (#1750) (5d959a6)
- Add support for additional pod secondary ranges at the cluster level (#1738) (cebc213)
- add support for gpu_driver_installation_config on nodepool (#1767) (f43a241)
- align keepers with ForceNew: true fields (#1698) (3181f6c)
- Create least privilege default service account (#1757) (350faa7)
- enabling vulnerability and audit modes for workloads (#1749) (7bfd6fe)
- make promethus configurable (#1715) (ae26016)
- support for enabling image streaming at cluster level (#1696) (dbb57a2)
- TPG>=4.81.0: add fqdn policies (#1729) (2beb720)
- acm: Allow to enable config_sync or policy_controller standalone (#1752) (abdba8c)
- lint updates for dev-tools v1.16 (#1742) (e09ff11)
- TPGv5: update to TPG v5 (#1761) (455a93c)
28.0.0 (2023-09-20)
- support gcs fuse addon (#1722)
- Add support for disk_size and disk_type for cluster_autoscaling. (#1693)
- add project and location output to fleet-membership (#1740) (825bda6)
- Add support for disk_size and disk_type for cluster_autoscaling. (#1693) (fd233e5)
- Add support for Logging Variant to enable max throughput option (#1616) (acd2d41)
- mesh_certificates support (#1712) (8913ef2)
- promote config_connector_config to ga (#1559) (ae63848)
- support configuring ACM git service account email (#1685) (426f06f)
- support gcs fuse addon (#1722) (2f5a276)
27.0.0 (2023-06-29)
- TPG>=4.32.0: Support enabling Policy Controller mutations (#1665)
- Add protect_config beta feature (#1617) (d252579)
- cluster.tf: add support to set initial release channel version (#1625) (e522073)
- TPG>=4.32.0: Support enabling Policy Controller mutations (#1665) (1173518)
- extend acm wait when policy bundles are present (#1657) (e51804e)
- set max firewall name to 36 (#1645) (29d9259)
- update policy-essentials hash 59f4695 using ref (#1659) (2fe1715)
26.1.1 (2023-05-22)
26.1.0 (2023-05-16)
- allow ACM module to work w/o metrics sa (#1634) (83a8be2)
- avoid TPG 4.65.0 and 4.65.1 (#1637) (ea3e374)
26.0.0 (2023-05-10)
- set release_channel and auto_upgrade, drop meshtelemetry (#1618)
- kubernetes ~> 2.13: Remove 1.23 restriction on workload identity module (#1595)
- acm: prevent conflicts in IAM binding (#1576)
- add blue/green upgrade strategy settings (#1551) (db51271)
- add enable_private_nodes options to node_pool network_config (#1604) (48d7590)
- allow setting network tags on autopilot clusters (#1572) (23e9c96)
- Workload Identity module, to bind roles in various projects for the service account created (#1574) (53f0f58)
- acm: prevent conflicts in IAM binding (#1576) (a7cfe92)
- Autopilot vertical pod autoscaling (#1564) (6853c61)
- fixes for tflint and dev-tools 1.10 (#1598) (d012313)
- kubernetes ~> 2.13: Remove 1.23 restriction on workload identity module (#1595) (b23bc86)
- node_metadata mapping for GCE_METADATA (#1542) (#1543) (b03ea84)
- nodepool autoscaling vars avail in GKE 1.24.1 result in conflicts. Preserve default behavior (#1562) (98e8dc3)
- PSP removed in GKE >= 1.25.0 (#1622) (530f16b)
- set release_channel and auto_upgrade, drop meshtelemetry (#1618) (3c8dd3a)
- use provided service_account_name if available (#1610) (a42ed88)
25.0.0 (2023-02-03)
- Promote node sysctl config to GA (#1536)
- enable auto repair and upgrade with cluster autoscaling (#1530)
- support for gateway api for safer cluster variants (#1523)
- promote gke_backup_agent_config to ga (#1513)
- enable private nodes with specified pod ip range (#1514)
- Promote managed_prometheus to GA (#1505)
- support for gateway api (#1510)
- Add option to pass
resource_labels
to NP (#1508) - promote gce_pd_csi_driver to GA (#1509)
- Set the provided SA when creating autopilot clusters (#1495)
- add all pod_ranges to cluster firewall rules and add missing shadow rules (#1480) (bcd5e03)
- Add option to pass
resource_labels
to NP (#1508) (e7566c5) - add support for policy bundles and metrics SA (#1529) (0f63eab)
- promote gce_pd_csi_driver to GA (#1509) (ac062f8)
- promote gke_backup_agent_config to ga (#1513) (966135f)
- Promote managed_prometheus to GA (#1505) (9c77c6c)
- Promote node sysctl config to GA (#1536) (754f4e3)
- Set the provided SA when creating autopilot clusters (#1495) (d122a55)
- support for gateway api (#1510) (4181276)
- support for gateway api for safer cluster variants (#1523) (912da8c)
- auth module avoid TPG v4.49.0 (#1535) (95c5c11)
- auth module avoid TPG v4.50.0 (#1541) (c3e08ea)
- avoid TGP v4.49.0 for asm (#1537) (5d3d54e)
- enable auto repair and upgrade with cluster autoscaling (#1530) (d59542c)
- enable private nodes with specified pod ip range (#1514) (8190439)
- remove datapath provider from Autopilot modules (#1556) (ea012f5)
- support custom service account for autopilot (#1550) (52e25ab)
- Update variable validation description (#1518) (d985879)
24.1.0 (2022-12-14)
24.0.0 (2022-11-21)
- cost_management_config is out of beta now (#1470)
- update variant - recreate node pools on max_pods_per_node or pod_range change (#1464)
- expose global master access in GA modules (#1421)
- min tpb bump for location_policy
- min TPG bump for location_policy (#1453)
- add service_external_ips option (#1441)
- Adding Support for Cost Allocation Feature in Beta (#1413)
- add boot_disk_kms_key variable for node pools to GA modules (#1371)
- add boot_disk_kms_key variable for node pools to GA modules (#1371) (d9a44c6)
- add location_policy and fix permadiff (#1452) (aecccf0)
- add nodepool autoscaling vars avail in GKE 1.24.1 (#1415) (f57f3ce)
- add service_external_ips option (#1441) (e9de006)
- Add support for https_proxy parameter for the config_sync.git block (#1457) (43bbd3c)
- Adding Support for Cost Allocation Feature in Beta (#1413) (ba3dcd0)
- cost_management_config is out of beta now (#1470) (10ea608)
- expose global master access in GA modules (#1421) (4278f2c)
- Make creation of istio-system namespace optional (#1439) (335c62a)
- update variant - recreate node pools on max_pods_per_node or pod_range change (#1464) (b006593)
- location-policy permadrifting #1445 (aecccf0)
- min tpb bump for location_policy (0ddd297)
- min TPG bump for location_policy (#1453) (0ddd297)
23.3.0 (2022-10-28)
- move vpa out of beta (df16cda)
- Exposing VPA to GA module (#1404) (df16cda)
- incorrect
node_pools
variable type (#1424) (faaee19) - Truncating hub membership ID when greater than 63 character (#1429) (0c5660d)
- use dynamic block for accelerators, updates for CI (#1428) (0304a20)
23.2.0 (2022-09-27)
- add support for provisioning windows node pools (92d7c67)
- Allow configuring cluster_autoscaling for safer cluster variants (#1407) (a661eea)
23.1.0 (2022-09-08)
- add enable_referential_rules variable (#1394) (1fd7184)
- adds placement policy argument to the beta modules (#1385) (c0f5881)
- Allow enabling GKE backup agent for safer cluster variants (#1367) (5fb077d)
- cloud dns support for safer clusters (#1384) (4e817be)
- enable PoCo referential_rules for ACM (#1373) (b9287de)
23.0.0 (2022-08-22)
- Increased minimum Google Provider version to 4.29 (#1353)
- The new binary_authorization (#1332) may result in the first apply after upgrading taking additional time
- add module_depends_on to workload-identity (#1341) (a6dce1a)
- promote notification config & dns to ga (#1327) (47b5ff6)
- add depends_on to asm module google_container_cluster data resource (#1365) (9140c60)
- change asm module depends_on method (#1354) (300eb1f)
- new binary_authorization (#1332) requires TPG 4.29 (#1353) (4f0d19e)
22.1.0 (2022-08-02)
- add
gke_backup_agent_config
arg (#1316) (cff4428) - add module_depends_on for asm sub module (#1323) (4d526f9)
- add var and output for ACM version (#1322) (35b2bf5)
- cloud-dns support (#1317) (4bf0011)
- expose disable_default_snat in GA modules (#1336) (a8ea7c7)
- promote
max_pods_per_node
,max_surge
, andmax_unavailable
fields to ga (#1318) (ed64058)
- resolve deprecation warning for binary authorization (#1332) (f8a5cca), closes #1331
- support explicit k8s version with unspecified release channel (#1335) (dc1de85)
22.0.0 (2022-07-11)
- Minimum Google/Google Beta provider versions increased to v4.25.0.
- promote Spot VM to GA (#1294)
- support maintenance_exclusion (#1273)
- Allow enabling managed Prometheus in beta cluster submodules (#1307) (71e7067)
- expose use_existing_context variable in WI module (#1295) (d802e49)
- promote Spot VM to GA (#1294) (274da2f)
- support gVNIC (#1296) (5d6eac1)
- support maintenance_exclusion (#1273) (425bf93)
- Support managed Prometheus for safer cluster variants (#1311) (55faaf5)
- WorkloadIdenity allow to use k8s sa from the different project (#1275) (4f5dded)
- Create new node pool when shielded_instance_config changes (#1237) (a2272f0)
- support managed prometheus for autopilot (#1310) (568c824)
21.2.0 (2022-06-22)
- Add keeper for
enable_secure_boot
nodepool option for update variant. (#1277) (a8b6f20) - Add maintenance variables for safer cluster (#1282) (19f59c4)
- expose timeouts (6011c80)
- Recurring maintenance window to GA (#1262) (4bba52f)
21.1.0 (2022-05-24)
- convert gcfs_config to dynamic block to prevent node pool recreation (81686e7)
- trim trailing dash from gcp SA name (#1243) (aee12e7)
21.0.0 (2022-05-12)
- update kube-dns configMap using kubernetes_config_map_v1_data (#1214)
- Add
filestore_csi_driver
option for safer cluster variants (#1176) (40ef1a1) - Add app.kubernetes.io/created-by label to CPR in ASM module (#1190) (bbd9b77)
- Add keeper for
enable_gcfs
node pool option for update variants (#1218) (f431756), closes #1217 - Add support for image streaming/GCFS (#1174) (3a94528)
- Add support for internal endpoint with ASM module (#1219) (8e87308)
- Switch to native Terraform resources for hub registration and ACM (#947) (9359961)
- update kube-dns configMap using kubernetes_config_map_v1_data (#1214) (8547935)
- add output "service_account" to simple_zonal (9e92318)
- add provider_meta for google-beta to ASM submodule (#1186) (9f06ef4)
- Add required kubernetes provider to ASM module (#1221) (77d08e0)
- Apply applicable ASM_OPTS in config_map (#1183) (79d604a)
- ASM module required TF 0.14+ (#1209) (55a1e15)
- make GKE module cluster_name computed attribute (#1189) (7a09acd)
- misspellings in comments and min_cpu_platform (#1207) (7553a2b)
- Remove unnecessary auth files. (#1231) (aa47e23)
- removed unused variable ip_source_ranges_ssh from example safer_cluster_iap_bastion (#1199) (5197f22)
- set initial_node_count with remove_default_node_pool (#1228) (151c8c4)
- set only one of log/mon config or service (#1240) (2316e77)
- Use fleet_id instead of project_id for hub operations (#1238) (a9a69ed)
- various fix to address CI issues (#1248) (9e92318)
20.0.0 (2022-03-10)
- Added gcp_filestore_csi_driver_config to addons config (#1166)
- Rewrote ASM module, see the upgrade guide for details (#1140)
- Minimum provider version increased to 4.10.
- add gcp_filestore_csi_driver_config to addons config (#1166) (a68fe69)
- Add Identity Service config to beta modules (#1142) (6a99347)
- GKE autopilot support (#1148) (d5ceafb)
- Rewrite ASM module (#1140) (0d9c44e)
- Add missing type attributes to variables (#1117) (6436339)
- ASM module rewrite improvements (#1165) (2867162)
- release 20.0.0 (7976d17)
19.0.0 (2022-01-31)
- Change default node image from COS to COS_CONTAINERD (#1122)
- Add spot vm support to beta clusters (#1131)
- update TPG version constraints to 4.0 (#1129)
- TPU firewall rule split into a separate resource
- Add spot vm support to beta clusters (#1131) (ae0d953)
- Allow datapath_provider in GA main module (#1084) (3b5ddb9)
- Change default node image from COS to COS_CONTAINERD (#1122) (e6b9282)
- update TPG version constraints to 4.0 (#1129) (d494b0f)
- Allow users to specify network tags for the default node pool (#1123) (b8b8547)
- Create separate firewall rule for egress to TPUs (#1126) (99cfd98)
- Removed dependency to obsolete template_file by upgrading to templatefile (#1119) (14a0536)
18.0.0 (2021-12-16)
- safer-cluster modules now use ADVANCED_DATAPATH by default. Set
datapath_provider
toDATAPATH_PROVIDER_UNSPECIFIED
to continue using Dataplane v1. - Minimum beta provider version increased to v3.87.0.
- Added monitoring_enabled_components and logging_enabled_components variables to beta clusters (#1028) (9278265)
- Make auto_provisioning_defaults a non-beta feature and set
min_cpu_platform
for auto-provisioned node pools (#1077) (5603718) - Use ADVANCED_DATAPATH (aka. Dataplane V2) for safer-cluster modules (#1085) (41a0c83)
17.3.0 (2021-11-23)
17.2.0 (2021-11-12)
- Add beta support for confidential_nodes (#1040) (e105bb5)
- Added support for specifying min_cpu_platform in node config - … (#1057) (23b5243)
- Document grant_registry_access for Artifact Registry (#1044) (d3ca023)
- pass REVISION_NAME to downstream install script (#1048) (dd410d7)
- set image_type, machine_type, and sandboxing on default node pool to comply with validation policies (#1038) (8e92f6e)
17.1.0 (2021-10-27)
- add missing required_providers on workload identity module (#1035) (04f7502)
- adds metadata to the default node pool (#1018) (660ddc9)
17.0.0 (2021-09-28)
- Minimum beta provider version increased to v3.79.0.
- Add support for gVisor per node pool (#1001) (850c418)
- Add support for setting additional
pod_range
to beta node pools (#984) (9d1274f) - Promote authenticator_security_group to GA modules (#989) (6042fd6)
- Delete bundle.hcl (#981) (b910639)
- Use provided gcp_given_name for workload identity (#1003) (d72e595), closes #1002
- WI GCP SA output (#1009) (b431aa5)
16.1.0 (2021-08-14)
- Use provided k8s service account name when setting up workload identity (#972) (e00286f)
- WI conditionally invoke data source if using external GSA (#974) (b208d5c)
16.0.1 (2021-07-23)
16.0.0 (2021-07-23)
- add gpu node autoscaling support (#807) (#944)
- add gpu node autoscaling support (#807) (#944) (e53a949)
- ASM CA option without providing CA_CERT maps and adding revision_name flag (#952) (64b782c)
- Enables an existing GSA to be used when setting up Workload Identity (#955) (712fc54)
15.0.2 (2021-07-02)
- nap default image in test (#946) (b12fdb6)
- update ASM mode var description (#910) (a9be73c)
- updated GCP APIs in ASM module (#937) (0c5f363)
15.0.1 (2021-06-14)
15.0.0 (2021-06-08)
- Updated ASM terraform module for 1.8 and 1.9 (#895)
- K8s provider upgrade (#892)
- Add multi-repo support for Config Sync (#872)
- Add support for
enable_l4_ilb_subsetting
flag (#896) - For beta modules, support for google-beta provider versions older than v3.63 has been removed.
- Add multi-repo support for Config Sync (#872) (23da103)
- Add support for
enable_l4_ilb_subsetting
flag (#896) (7531f90) - Add use local_ssd_ephemeral_count attribute in node_pool config on beta clusters (#902) (9335262)
- K8s provider upgrade (#892) (9172b3e)
- Updated ASM terraform module for 1.8 and 1.9 (#895) (e2ba8d2)
- Add ability to impersonate service accounts in kubectl for all submodules (#903) (fc43485)
- asm destroy (#922) (f3ddbf5)
- Asm overlay path (#921) (5d3dc52)
- docs: Describe
ADVANCED_DATAPATH
in more detail (#907) (c32c5d1) - Ensure the ASM module's destroy command removes all ASM components (#918) (00c2b71)
- switch ASM API and IAM flags to use native resources (#914) (ff71123)
14.3.0 (2021-05-05)
- Introduce add_master_webhook_firewall_rules flag to add webhooks (#882) (8a5dcb8)
- workload-identity: add entire GSA in output (#887) (734ce5d)
- Add cluster ID to outputs (#886) (fc34eb6)
- Remove data google_client_config from all modules as it is no longer used within modules (#875) (687dc71)
- Remove unused local kubectl wrapper scripts (#876) (110adb6)
14.2.0 (2021-04-16)
14.1.0 (2021-04-01)
14.0.1 (2021-03-12)
14.0.0 (2021-03-09)
- Added support for multi-project GKE Hub registration (#840)
- The
network_policy
variable now defaults tofalse
. - Replaced
registry_project_id
withregistry_project_ids
list. - Add support for asm v1.8 to the asm module (#824)
- Add dataplane-v2 provisioning support (#753) (d1fbef4)
- Add new property to explicitly return GKE private_endpoint for auth module (#841) (1b99c07)
- Add support for asm v1.8 to the asm module (#824) (923eff4)
- Added support for multi-project GKE Hub registration (#840) (6dc1eb1)
- Require actively enabling network policy (#809) (3354205)
- Fix attribution for safer cluster modules (#830) (bb7c3ce)
- Remove deprecated variable "registry_project_id" (#832) (83eae98)
13.1.0 (2021-02-16)
- Add support for creating "shadow" firewall rules for logging purposes (#741) (259dbfb)
- Add support for multiple registry projects (#815) (5562cd6)
- Add support for TPUs on beta clusters (#810) (fff0078)
13.0.0 (2021-01-29)
- Minimum Terraform core version increased to 0.13.
- dynamic operator yaml (#693)
- Using in-cluster features now requires additional provider configuration. See the upgrade guide for details.
- Add maintenance exclusions support (#781) (0abbf41)
- Add nodepool taints to keepers for update-variant (#717) (372a11c)
- add support for Linux node config (#782) (98826e6)
- Add Terraform 0.13 constraint and module attribution (#792) (32db990)
- Add the option to disable Kubernetes SA annotation in workload-identity. (#787) (4e4ce02)
- dynamic operator yaml (#693) (b1cce30)
- Hub registration using kubeconfig and labels support (#785) (6a29e62)
- remove wait for cluster script (#801) (356ed6d)
- Set auto-provisioned node pools to use configured service account (#639) (4a61f76)
- Support for ACM for non GKE clusters (#786) (aa551d5)
- Move provider version constraint to required_providers block (#774) (825f287)
- Remove provider config from module to be TF 0.13 compatible (#777) (81b0a94)
12.4.0 (2021-10-18)
12.3.0 (2020-12-09)
- Add instance_group_urls output (#618) (5623d51)
- Enable vertical autoscaling in GA modules (#758) (2e4f36a)
12.2.0 (2020-12-04)
- Add option for CPU manager policy (#749) (721f846)
- added notification_config block to beta submodules (#752) (4a85321)
- Enable ACM feature on hub (#722) (c199dae)
- Grant roles/artifactregistry.reader to created service account when grant_registry_access is true (#748) (166fb24)
- Make bash scripts more portable by referencing
/usr/bin/env
(#756) (24d6af6) - Remove max Terraform version constraint, allowing 0.14 compatibility (#757) (eb95de9)
12.1.0 (2020-11-10)
- Add cluster_telemetry var to beta submodules (#728) (e8291f0)
- Add support for Cloud Run load balancer configuration (#740) (685a2db)
- Support service account impersonation for wait-for-cluster script (#729) (75a56f1)
- fallback to name if location is not set (#736) (63d7f5e)
- multiple cluster wait-for-cluster.sh (#734) (6682911)
- Updating the Binary Authorization submodule to allow Terraform 0.13 (#726) (df98cf9)
12.0.0 (2020-10-16)
- This is a backwards-incompatible release. See the upgrade guide for details.
- GKE Hub functionality has been removed from ASM module(#665). Users can leverage Hub module for this functionality.
- Removed the gcloud_skip_download variable and defaulted to never downloading gcloud. (#712) (f84e838)
- ACM - Wait for gatekeeper & Hub: expose module_depends_on (#689) (26ea28d)
- add node_pool_taints to all the modules (#705) (68e8eec)
- allow passing roles to created Workload Identity service account (#708) (e761dce)
- Expose service account variable on ASM submodule (#658) (182dded)
- hub make decode work with -d or --decode (#671) (0b5bd3d)
- Hub submodule - add option to use existing service account to register clusters. (#678) (9f84cec)
- Promote previously beta features to GA modules (#709) (2cb4fae), closes #708
- ACM: fix bug when not using
ssh
secret type for ACM submodule (#679) (716867c) - make wait-for-cluster more robust (#676) (dffb047)
- Correct WI module source in docs (#701) (f31b1f4)
- Enable auto-upgrade in beta clusters with a release channel (#682) (21f95db)
- Fix broken link in README.md (#691) (6f0e749)
- Fix skip_provisioners enabled flag for wait_for_cluster (#669) (e293a43)
- remove hub from asm module (#670) (6f419c3)
- set project number for ASM install (#692) (c5d1e4d)
- Shorten GSA account_id if necessary (#666) (0225458)
11.1.0 (2020-09-04)
- Add variable disable_default_snat (#625) (19a9e9c)
- Update fields for ACM and Config Sync to bring them to feature parity (#635) (7fc3b48)
11.0.0 (2020-08-10)
- In-cluster resources have been updated to use the kubectl wrapper module. See the upgrade guide for details.
- Add support for enabling master_global_access, which is turned on by default. (#601) (8a9f904)
- Allow user to customize ASM install with different directories and versions (#620) (d542c5c)
- Update modules to use new kubectl module (#602) (794da61)
10.0.0 (2020-07-10)
See the upgrade guide for details.
- The default machine type has been changed to
e2-medium
. If you want the old default, you should specify it explicitly:machine_type = "n1-standard-2"
. - Pod security policy enablement has been changed to use a simple boolean flag (
var. enable_pod_security_policy
)
- add configconnector to safer variant (#581) (4b3f609)
- Added variable for service dependency in binary_authorization sub module (#584) (e3e5458)
- Changed default node pool machine type to e2-medium (#597) (1de41ef)
- Compatibility for new asm release with 299.0.0 (#589) (a5213c4)
- Explicitly specify VPC-native clusters for beta modules. (#598) (d9f7782)
- Simplified pod security policy interface. (6069ece)
- Typo in autogen/safer-cluster/README.md (#596) (ebdf57d)
9.4.0 (2020-06-25)
- Add ASM install submodule (#538) (6ff27f9)
- Add bool option for automount_service_account_token (#571) (002cfb1)
- Add firewall support safer-cluster modules (#570) (7ce3c49)
- Enhance WI module usability with existing KSA (#557) (cf3273d)
- Restore gcloud wait_for_cluster (#568) (0bcf3ca)
- Use gcloud module for scripts, closes #401 (#404) (65172de)
9.3.0 (2020-06-11)
- Add Beta Public Module Update Variant (#546) (d9f1ea8)
- Add ConfigConnector configuration option (beta) (#547) (672adf9)
9.2.0 (2020-05-27)
- Add submodule for creating a binary authentication attestor (#530) (cc30fbb)
- Add support for KALM config (#528) (6bf1178)
9.1.0 (2020-05-15)
- Add boot disk kms key variable (#516) (9195f0f)
- Expose gce_pd_csi_driver for Safer Cluster modules #503 (#514) (d4e7dc6)
9.0.0 (2020-05-07)
See the upgrade guide for details.
- Beta clusters have changed the default to use the GKE_METADATA_SERVER, to use the old option set
node_metadata = "SECURE"
. - Minimum provider change increased to 3.19.
- The ACM module has been refactored and resources will be recreated. This will show up in Terraform plans but is a safe no-op for Kubernetes.
- For the safer cluster module, you must now specify
release_channel
instead ofkubernetes_version
.
- [safer-cluster] Replace "kubernetes_version" with "release_channel" (#487) (5791ac1)
- Add an
auth
submodule outputting akubeconfig
(#469) (a5ace36) - Add config sync module (#493) (c090d5b)
- Add fully configurable resource usage export block in GA and upgrade GCP provider (#491) (54eca6b)
- Add GCE PD CSI Driver beta support (#497) (d96afa7)
- Add support for setting firewall rules (#470) (16bdd6e)
- Enable GKE_METADATA_SERVER as default node_metadata for beta-clusters (#490) (#512) (8e14762)
- Expose the grant_registry_access variable in safer-cluster (#509) (0961613)
8.1.0 (2020-04-10)
- Add peering_name output for private clusters and increase minimum provider version to 3.14 (#484) (ff6b5cc)
- Add support for enabling Nodelocal dns cache (var.dns_cache) (#477) (de8e1d5)
8.0.0 (2020-04-07)
v8.0.0 is a backwards-incompatible release. Please see the upgrading guide.
- Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set
identity_namespace = null
- Beta clusters now have shielded nodes enabled by default. To disable, set
enable_shielded_nodes = false
.
- Add support for setting var.istio_auth (#462) (fff4272)
- Added support for specifying autoscaling_profile in var.cluster_autoscaling (#456) (1ac2c5c)
- Enable WI and shielded nodes by default in beta clusters (#441) (704962b)
- Rollout default_max_pods_per_node setting to GA modules (#439) (36ddbbb)
- Correct bug in passing var.zones for safer cluster modules (#474) (7660b51)
- Fix CI for Workload Identity (#460) (025f8b7)
- Remove unused variable
service_account
in safer-cluster to avoid confusion (#448) (a30e7cd) - update and pin kubernetes provider to >= 1.11.1 (#453) (418d9b3)
- Use gcloud module for ACM submodule, will force reinstall of ACM (#442) (9737190), closes #454
7.3.0 (2020-02-19)
7.2.0 (2020-02-11)
- Add master_ipv4_cidr_block output for private clusters (#427) (2cc64c8)
- Allow workload identity submodule to update existing k8s SA. (#430) (51fba38)
7.1.0 (2020-02-07)
- Change for_each splat syntax on update variants, closes #414 (#415) (a20425f)
- If release_channel is active, set min_master_version to null (#412) (4c7b399)
- Prevents "Invalid index" when creating private cluster (#422) (cc53d1c), closes #419
- Stop warning about deprecated external references from destroy provisioners. (#420) (c8fde26)
7.0.0 (2020-01-29)
- Minimum beta provider version increased to 3.1 to allow surge upgrades.
- Beta clusters now have surge upgrades turned on by default. This behavior can be tuned using the max_surge and max_unavailable inputs.
- Moves node pool state location to allow using for_each on them, see the upgrade guide for details.
- Add a service activation module (#146) (658ea51)
- Enable Surge Upgrades by specifying max_surge and max_unavailable (Beta) (#394) (e4abe78)
- Move to using for_each for node pools (#257) (7d0c9aa)
- Change pod_security_policy_config type to list(object()) (#408) (a99352a)
- Removed dependency on jq from wait-for-cluster.sh script (#402) (d2a5e28)
v6.2.0 - 2019-12-27
- Breaking: Changed default logging and monitoring providers to new Stackdriver versions. #384
- Updated to support Google Provider version 3.x #381
v6.1.1 - 2019-12-04
- Fix endpoint output for private clusters where
private_nodes=false
. #365
v6.1.0 - 2019-12-03
- Support for using a pre-existing Service Account with the ACM submodule. #346
- Compute region output for zonal clusters. #362
v6.0.1 - 2019-12-02
- The required Google provider constraint has been relaxed to
~> 2.18
(>= 2.18, <3.0). #359
v6.0.0 - 2019-11-28
v6.0.0 is a backwards-incompatible release. Please see the upgrading guide.
- Support for Shielded Nodes beta feature via
enabled_shielded_nodes
variable. #300 - Support for setting node_locations on node pools. #303
- Fix for specifying
node_count
on node pools when autoscaling is disabled. #311 - Added submodule for installing Anthos Config Management. #268
- Support for
local_ssd_count
in node pool configuration. #339 - Wait for cluster to be ready before returning endpoint. #340
safer-cluster
submodule. #315simple_regional_with_networking
example. #195release_channel
variable for beta submodules. #271- The
node_locations
attribute to thenode_pools
object for beta submodules. #290 private_zonal_with_networking
example. #308regional_private_node_pool_oauth_scopes
example. #321- The
cluster_autoscaling
variable for beta submodules. #93 - The
master_authorized_networks
variable. #354
- The
node_pool_labels
,node_pool_tags
, andnode_pool_taints
variables have defaults and can be overridden within thenode_pools
object. #3 upstream_nameservers
variable is typed as a list of strings. #350- The
network_policy
variable defaults totrue
. #138
- Breaking: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. #337
- Breaking: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. #261
- Breaking: Removed the
master_authorized_networks_config
variable. #354
identity_namespace
output depends on thegoogle_container_cluster.primary
resource. #301- Idempotency of the beta submodules. #326
v5.1.1 - 2019-10-25
- Fixed bug with setting up sandboxing on nodes. #286
v5.1.0 - 2019-10-24
- Added ability to skip local-exec provisioners. #258
- Added private and beta private variants which allow node pools to be created before being destroyed. #256
- Add a parameter
registry_project_id
to allow connecting to registries in other projects. #273
- Made
region
variable optional for zonal clusters. #247 - Made default metadata, labels, and tags optional. #282
v5.0.0 - 2019-09-25
v5.0.0 is a backwards-incompatible release. Please see the upgrading guide.
The v5.0.0 module requires using the 2.12 version of the Google provider.
- Breaking: Enabled metadata-concealment by default #248
- All beta functionality removed from non-beta clusters, moved
node_pool_taints
to beta modules #228
- Added support for resource usage export config #238
- Added
sandbox_enabled
variable to use GKE Sandbox #241 - Added
grant_registry_access
variable to grant Container Registry access to created SA #236 - Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features #216
- Support for Workload Identity beta feature #234
- Support for Google Groups based RBAC beta feature #217
- Support for disabling node pool autoscaling by setting
autoscaling
tofalse
within the node pool variable. #250
- Fixed issue with passing a dynamically created Service Account to the module. #27
v4.1.0 2019-07-24
- Support for GCE cluster resource_labels. #210
endpoint
output depends on cluster and node pool resources to avoid a race condition. #214
v4.0.0 2019-07-12
- Supported version of Terraform is 0.12. #177
v3.0.0 - 2019-07-08
v3.0.0 is a breaking release. Refer to the Upgrading to v3.0 guide for details.
- Add configuration flag for enable BinAuthZ Admission controller #160 #188
- Add configuration flag for
pod_security_policy_config
#163 #188 - Support for a guest accelerator in node pool configuration. #197
- Support to scale the default node cluster. #149
- Support for configuring the network policy provider. #159
- Support for database encryption. #165
- Submodules for public and private clusters with beta features. #124 #188 #203
- Support for configuring cluster IPv4 CIDRs. #193
- Support for configuring IP Masquerade. #187
- Support for v2.9 of the Google providers. #198
- Support for upstreamNameservers. #207
- Dropped support for versions of the Google provider earlier than v2.9; these versions multiple incompatibilities with the module. #198
v2.1.0 - 2019-05-30
- Support for v2.6 and v2.7 of the Google providers. #152
deploy_using_private_endpoint
variable onprivate-cluster
submodule. #136
- The dependency on jq has been documented in the README. #151
v2.0.1 - 2019-05-01
- Explicitly pinned supported version of Terraform Google provider to 2.3. #148
v2.0.0 - 2019-04-12
v2.0.0 is a breaking release. Refer to the Upgrading to v2.0 guide for details.
- Add
basic_auth_username
set to""
by default. #40 - Add
basic_auth_password
set to""
by default. #40 - Add
issue_client_certificate
set tofalse
by default. #40 - Add
node_pool_oauth_scopes
which enables overriding the default node pool OAuth scopes. #94
- The
service_account
variable defaults to"create"
which causes a cluster-specific service account to be created. - Disabled Basic Authentication by default. #40
v1.0.1 - 2019-04-04
- Note about using Terraform with private clusters. #121
- Optimized dependency between node pools and primary cluster. #77
- Removed
credentials_path
variables from examples. #89
- Fix empty zone list. #132
v1.0.0 - 2019-03-25
Version 1.0.0 of this module introduces a breaking change: adding the disable-legacy-endpoints
metadata field to all node pools. This metadata is required by GKE and determines whether the /0.1/
and /v1beta1/
paths are available in the nodes' metadata server. If your applications do not require access to the node's metadata server, you can leave the default value of true
provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to false
to allow your applications access to the above metadata server paths.
In either case, upgrading to module version v1.0.0
will trigger a recreation of all node pools in the cluster.
- Allow creation of service accounts. #80
- Add support for private clusters via submodule. #69
- Add
remove_default_node_pool
set tofalse
by default. Fixes #15. #55 - Allow arbitrary key-value pairs to be set on node pool metadata. #52
- Add
initial_node_count
parameter to node_pool block. #60 - Added
disable_legacy_metadata_endpoints
parameter. [#114]
- Set
horizontal_pod_autoscaling
totrue
by default. Fixes #42. #54 - Update simple-zonal example GKE version to supported version. #49
- Drop explicit version from simple_zonal example. #74
- Remove explicit versions from test cases and examples. #62
- Set up submodule structure for public and private clusters. #61
- Update the google and google-beta providers to v2.2 #106
- Zonal clusters can now accept a single zone. Fixes #43. #50
- Fix link to "configure a service account" #73
- Fix issue with regional cluster roll outs causing version skews #108
- Fix permanent metadata skew due to disable-legacy-endpoints keys [#114]
v0.4.0 - 2018-12-19
- Updated default version to
1.10.6
. #31
region
argument on google_compute_subnetwork caused errors. #22- Added check to wait for GKE cluster to be
READY
before completing. #46
v0.3.0 - 2018-10-10
- Updated network/subnetwork lookup to use data source. #16
- Make zone configuration optional when creating a regional cluster. #19
v0.2.0 - 2018-09-26
- Support for configuring master authorized networks. #10
- Support specifying monitoring and logging services. #9
- Initial release of module.