From 8cf4d788b446cb9ef5bfaa5499da45dd38be717a Mon Sep 17 00:00:00 2001
From: anoxape <2760053+anoxape@users.noreply.github.com>
Date: Mon, 20 Jun 2022 00:23:19 -0700
Subject: [PATCH] feat: support gVNIC
---
 README.md | 2 ++
 autogen/main/README.md | 2 ++
 autogen/main/cluster.tf.tmpl | 7 +++++++
 autogen/main/versions.tf.tmpl | 4 ++--
 cluster.tf | 7 +++++++
 modules/beta-autopilot-private-cluster/versions.tf | 2 +-
 modules/beta-autopilot-public-cluster/versions.tf | 2 +-
 modules/beta-private-cluster-update-variant/README.md | 2 ++
 modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/README.md | 2 ++
 modules/beta-private-cluster/cluster.tf | 7 +++++++
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/README.md | 2 ++
 modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/README.md | 2 ++
 modules/beta-public-cluster/cluster.tf | 7 +++++++
 modules/beta-public-cluster/versions.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 2 ++
 modules/private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/README.md | 2 ++
 modules/private-cluster/cluster.tf | 7 +++++++
 modules/private-cluster/versions.tf | 2 +-
 versions.tf | 2 +-
 26 files changed, 83 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 0f338e2863..7b45f16f37 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -238,6 +239,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index a41e0b6006..1a83b319d7 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -109,6 +109,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -196,6 +197,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 92c42822e7..be36028cbd 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -296,6 +296,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 861e63e1de..db7e4d1de8 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
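Review bot: The new `gvnic` block inside `resource "google_container_cluster" "primary"` in autogen/main/cluster.tf.tmpl reads only `var.node_pools[0]`, and the diffstat shows a single 7-line hunk per cluster.tf, so the `google_container_node_pool` resources — where a per-pool `enable_gvnic` from the README's node_pools table would actually take effect — appear not to get a matching block; if that is the case, the option is silently ignored for every pool except the cluster's initial node config, and a matching `dynamic "gvnic"` keyed on `each.value` (or the pool-local equivalent those resources already use for `enable_gcfs`) should be added alongside it. The same applies to the generated copies in cluster.tf, modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-private-cluster/cluster.tf, modules/beta-public-cluster-update-variant/cluster.tf, modules/beta-public-cluster/cluster.tf, modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf. The README caveat that gVNIC needs a Container-Optimized OS image is not enforced or mentioned in the code; a comment on the block such as `# gVNIC needs a Container-Optimized OS image_type (see README node_pools table)` would keep that constraint next to the setting. The enclosing resource body starts and ends outside the hunk.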
@@ -24,7 +24,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
@@ -38,7 +38,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/cluster.tf b/cluster.tf
index 61518b6da6..b250e47e9f 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -174,6 +174,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 733df3c769..c9290b6491 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 085712ebb7..84bf3e9737 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 48a12f031b..963e87ebd1 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -92,6 +92,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -312,6 +313,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index ba4480c444..fd8badd07b 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -259,6 +259,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 18109ec90c..389ec38bfd 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index a3ce1ece4d..7bf4f3776b 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -70,6 +70,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -290,6 +291,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 31448a1df0..60efd3c1e4 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -259,6 +259,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 96a98ff01c..672b72bf01 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 30c05a0a00..e1291f0f82 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -86,6 +86,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -299,6 +300,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 8058338a49..5e7f89c9f1 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -259,6 +259,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index c0d8fb8f09..395caa7710 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 352db89885..dcfb16ef1b 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -64,6 +64,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -277,6 +278,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 46450cbf46..319a2b2ba1 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -259,6 +259,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 07dbfaf413..cdcbf818c2 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index c9e0c619b7..4cfddc6652 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -87,6 +87,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -272,6 +273,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 588a200b63..dff886cd16 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -174,6 +174,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index ea81af9ba9..9f21c4f870 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 7d30994a2d..351169eb59 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -65,6 +65,7 @@ module "gke" {
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
 enable_gcfs = false
+ enable_gvnic = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -250,6 +251,7 @@ The node_pools variable takes the following parameters:
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
 | enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
+| enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 6a222bc9bf..ecda00b5d0 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -174,6 +174,13 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "gvnic" {
+ for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : []
+ content {
+ enabled = gvnic.value
+ }
+ }
+
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 tags = concat(
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 5ee9f41bc5..716985c48b 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/versions.tf b/versions.tf
index 09132e746d..1ec0eb1850 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.10.0, < 5.0"
+ version = ">= 4.14.0, < 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"