From cd3a04fed390d14caec39c34f840c4efa05cbe2c Mon Sep 17 00:00:00 2001
From: Laura Seidler
Date: Sun, 23 Jul 2023 17:23:18 +0200
Subject: [PATCH] feat!: support for enabling image streaming at cluster level
Could previously be set manually via console/`gcloud` - if this was enabled, `enable_gcfs` must be set to `true` with this update, otherwise image streaming will be disabled.
Fixes #1360
---
autogen/main/cluster.tf.tmpl | 10 ++++++++++
autogen/main/variables.tf.tmpl | 6 ++++++
autogen/safer-cluster/main.tf.tmpl | 2 ++
autogen/safer-cluster/variables.tf.tmpl | 6 ++++++
modules/beta-private-cluster-update-variant/README.md | 1 +
modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++++++
.../beta-private-cluster-update-variant/variables.tf | 6 ++++++
modules/beta-private-cluster/README.md | 1 +
modules/beta-private-cluster/cluster.tf | 8 ++++++++
modules/beta-private-cluster/variables.tf | 6 ++++++
modules/beta-public-cluster-update-variant/README.md | 1 +
modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++
.../beta-public-cluster-update-variant/variables.tf | 6 ++++++
modules/beta-public-cluster/README.md | 1 +
modules/beta-public-cluster/cluster.tf | 8 ++++++++
modules/beta-public-cluster/variables.tf | 6 ++++++
modules/safer-cluster-update-variant/README.md | 1 +
modules/safer-cluster-update-variant/main.tf | 2 ++
modules/safer-cluster-update-variant/variables.tf | 6 ++++++
modules/safer-cluster/README.md | 1 +
modules/safer-cluster/main.tf | 2 ++
modules/safer-cluster/variables.tf | 6 ++++++
22 files changed, 102 insertions(+)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 58ab5a57cb..ed102decd6 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -519,6 +519,16 @@ resource "google_container_cluster" "primary" {
 topic = var.notification_config_topic
 }
 }
+ {% if beta_cluster and autopilot_cluster != true %}
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
+ {% endif %}
 }
 {% if autopilot_cluster != true %}
 /******************************************
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d0d140b656..6567b050e4 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -777,5 +777,11 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
 {% endif %}
 {% endif %}
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 7459598fb6..0c92ee6078 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -195,4 +195,6 @@ module "gke" {
 notification_config_topic = var.notification_config_topic
 timeouts = var.timeouts
+
+ enable_gcfs = var.enable_gcfs
 }
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 66afc7d3cd..b5c7fcb495 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index c782d85e1e..b71dd4536e 100644
--- a/modules/beta-private-cluster-update-variant/README.md
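Review bot: The `node_pool_defaults` block added to cluster.tf.tmpl always emits `gcfs_config { enabled = var.enable_gcfs }`, so with the `false` default the next apply turns image streaming off on any existing cluster where it had been enabled through the console or `gcloud`; the commit message says so, but nothing at the point of change does, and the same unconditional block lands in the generated modules/beta-private-cluster*/cluster.tf and modules/beta-public-cluster*/cluster.tf. A comment above the block would make that visible to whoever next touches it, e.g. `# Always set explicitly: false disables image streaming that was enabled outside Terraform.` If preserving out-of-band enablement is preferred over a breaking change, emitting the block only when `var.enable_gcfs` is true (a `dynamic "node_pool_defaults"` block) is the alternative, but whether the provider then leaves the server-side value alone depends on the attribute being optional and computed in the provider schema and should be confirmed before relying on it. The enclosing `google_container_cluster` resource starts outside the hunk.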
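Review bot: The description `Enable image streaming on cluster level.` hides that the `false` default is not a no-op: per the commit message, image streaming enabled via console or `gcloud` is disabled on apply unless `enable_gcfs = true`, and this string is what is copied into each module README's inputs table. Suggested wording: `description = "Enable image streaming (GCFS) at cluster level. The default of false disables image streaming that was previously enabled outside of Terraform."` The identical variable is added in autogen/safer-cluster/variables.tf.tmpl in the neighbouring hunk and in the generated variables.tf of every beta and safer module in the hunks that follow, so the change belongs in the two templates with the modules regenerated.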
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -186,6 +186,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 519c54d8f2..4621207fbe 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -445,6 +445,14 @@ resource "google_container_cluster" "primary" {
 topic = var.notification_config_topic
 }
 }
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
 }
 /******************************************
 Create Container Cluster node pools
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 11bd398c68..72664f56b8 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -736,3 +736,9 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index f707b3f289..3ffc84394d 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -164,6 +164,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index b53205c4d8..db8514c456 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -445,6 +445,14 @@ resource "google_container_cluster" "primary" {
 topic = var.notification_config_topic
 }
 }
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
 }
 /******************************************
 Create Container Cluster node pools
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 11bd398c68..72664f56b8 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -736,3 +736,9 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 233b62570d..2b6eba790c 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -179,6 +179,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index c086223b59..28f5e5acd4 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -426,6 +426,14 @@ resource "google_container_cluster" "primary" {
 topic = var.notification_config_topic
 }
 }
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
 }
 /******************************************
 Create Container Cluster node pools
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 5e033e3eb3..b87d882699 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -706,3 +706,9 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index be5efc9a01..03828f019b 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -157,6 +157,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index ed021f26be..362d8cae0c 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -426,6 +426,14 @@ resource "google_container_cluster" "primary" {
 topic = var.notification_config_topic
 }
 }
+
+ node_pool_defaults {
+ node_config_defaults {
+ gcfs_config {
+ enabled = var.enable_gcfs
+ }
+ }
+ }
 }
 /******************************************
 Create Container Cluster node pools
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 5e033e3eb3..b87d882699 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -706,3 +706,9 @@ variable "enable_identity_service" {
 description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
 default = false
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 21eff2cba8..189b14880d 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 9bd0429ca2..2531ee2c6e 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -191,4 +191,6 @@ module "gke" {
 notification_config_topic = var.notification_config_topic
 timeouts = var.timeouts
+
+ enable_gcfs = var.enable_gcfs
 }
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 7a2f1a69d9..4248b6019b 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 21eff2cba8..189b14880d 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index b87a2f1d8c..3239f2b183 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -191,4 +191,6 @@ module "gke" {
 notification_config_topic = var.notification_config_topic
 timeouts = var.timeouts
+
+ enable_gcfs = var.enable_gcfs
 }
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 7a2f1a69d9..4248b6019b 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_gcfs" {
+ type = bool
+ description = "Enable image streaming on cluster level."
+ default = false
+}