Merge pull request #2 from terraform-google-modules/master

update

.kitchen.yml

@@ -85,6 +85,7 @@ suites:
           backend: local
           controls:
             - gcloud
+            - acm
         - name: gcp
           backend: gcp
           controls:

CHANGELOG.md

@@ -11,6 +11,9 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
 
 * Support for Shielded Nodes beta feature via `enabled_shielded_nodes` variable. [#300]
+* Support for setting node_locations on node pools. [#303]
+* Fix for specifying  `node_count` on node pools when autoscaling is disabled. [#311]
+* Added submodule for installing Anthos Config Management. [#268]
 
 ## [v5.1.1] - 2019-10-25
 
@@ -225,6 +228,10 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
+[#268]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/268
+[#311]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/311
+[#303]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/303
+[#300]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/300
 [#286]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/286
 [#285]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/285
 [#284]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/284

autogen/README.md

@@ -55,6 +55,9 @@ module "gke" {
     {
       name               = "default-node-pool"
       machine_type       = "n1-standard-2"
+      {% if beta_cluster %}
+      node_locations     = "us-central1-b,us-central1-c"
+      {% endif %}
       min_count          = 1
       max_count          = 100
       disk_size_gb       = 100

autogen/cluster.tf

@@ -310,22 +310,28 @@ resource "google_container_node_pool" "pools" {
   {% endif %}
   project  = var.project_id
   location = local.location
+  {% if beta_cluster %}
+  // use node_locations if provided, defaults to cluster level node_locations if not specified
+  node_locations = lookup(var.node_pools[count.index], "node_locations", "") != "" ? split(",", var.node_pools[count.index]["node_locations"]) : null
+  {% endif %}
   cluster  = google_container_cluster.primary.name
   version = lookup(var.node_pools[count.index], "auto_upgrade", false) ? "" : lookup(
     var.node_pools[count.index],
     "version",
     local.node_version,
   )
-  initial_node_count = lookup(
+
+  initial_node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? lookup(
     var.node_pools[count.index],
     "initial_node_count",
-    lookup(var.node_pools[count.index], "min_count", 1),
-  )
+    lookup(var.node_pools[count.index], "min_count", 1)
+  ) : null
+
   {% if beta_cluster %}
   max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null)
   {% endif %}
 
-  node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+  node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "node_count", 1)
 
   dynamic "autoscaling" {
     for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []

autogen/main.tf

@@ -92,7 +92,7 @@ locals {
   cluster_output_zones          = local.cluster_output_regional_zones
 
 {% if private_cluster %}
-  cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.endpoint
+  cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint
 {% else %}
   cluster_output_endpoint = google_container_cluster.primary.endpoint
 {% endif %}

build/int.cloudbuild.yaml

@@ -14,6 +14,9 @@
 
 timeout: 12600s
 steps:
+- id: download acm
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && download_acm']
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
@@ -306,6 +309,6 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.4'
 options:
   machineType: 'N1_HIGHCPU_8'

build/lint.cloudbuild.yaml

@@ -24,4 +24,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.4'

cluster.tf

@@ -137,13 +137,15 @@ resource "google_container_node_pool" "pools" {
     "version",
     local.node_version,
   )
-  initial_node_count = lookup(
+
+  initial_node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? lookup(
     var.node_pools[count.index],
     "initial_node_count",
-    lookup(var.node_pools[count.index], "min_count", 1),
-  )
+    lookup(var.node_pools[count.index], "min_count", 1)
+  ) : null
+
 
-  node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1)
+  node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "node_count", 1)
 
   dynamic "autoscaling" {
     for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : []

examples/node_pool/main.tf

@@ -27,7 +27,6 @@ module "gke" {
   source                            = "../../modules/beta-public-cluster/"
   project_id                        = var.project_id
   name                              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  regional                          = false
   region                            = var.region
   zones                             = var.zones
   network                           = var.network
@@ -59,12 +58,24 @@ module "gke" {
       auto_repair       = false
       service_account   = var.compute_engine_service_account
     },
+    {
+      name            = "pool-03"
+      node_locations  = "${var.region}-b,${var.region}-c"
+      autoscaling     = false
+      node_count      = 2
+      machine_type    = "n1-standard-2"
+      disk_type       = "pd-standard"
+      image_type      = "COS"
+      auto_upgrade    = true
+      service_account = var.compute_engine_service_account
+    },
   ]
 
   node_pools_oauth_scopes = {
     all     = []
     pool-01 = []
     pool-02 = []
+    pool-03 = []
   }
 
   node_pools_metadata = {
@@ -73,6 +84,7 @@ module "gke" {
       shutdown-script = file("${path.module}/data/shutdown-script.sh")
     }
     pool-02 = {}
+    pool-03 = {}
   }
 
   node_pools_labels = {
@@ -83,6 +95,7 @@ module "gke" {
       pool-01-example = true
     }
     pool-02 = {}
+    pool-03 = {}
   }
 
   node_pools_taints = {
@@ -101,6 +114,7 @@ module "gke" {
       },
     ]
     pool-02 = []
+    pool-03 = []
   }
 
   node_pools_tags = {
@@ -111,6 +125,7 @@ module "gke" {
       "pool-01-example",
     ]
     pool-02 = []
+    pool-03 = []
   }
 }
 

examples/simple_zonal/README.md → examples/simple_zonal_with_acm/README.md

@@ -1,16 +1,22 @@
 # Simple Zonal Cluster
 
-This example illustrates how to create a simple cluster.
+This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/).
+
+It incorporates the standard cluster module and the [ACM install module](../../modules/acm).
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| acm\_policy\_dir | Subfolder containing configs in ACM Git repo | string | `"foo-corp"` | no |
+| acm\_sync\_branch | Anthos config management Git branch | string | `"1.0.0"` | no |
+| acm\_sync\_repo | Anthos config management Git repo | string | `"[email protected]:GoogleCloudPlatform/csp-config-management.git"` | no |
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |
+| operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
@@ -20,6 +26,7 @@ This example illustrates how to create a simple cluster.
 
 | Name | Description |
 |------|-------------|
+| acm\_git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
 | ca\_certificate |  |
 | client\_token |  |
 | cluster\_name | Cluster name |

examples/simple_zonal_with_acm/acm.tf

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "acm" {
+  source           = "../../modules/acm"
+  project_id       = var.project_id
+  location         = module.gke.location
+  cluster_name     = module.gke.name
+  sync_repo        = var.acm_sync_repo
+  sync_branch      = var.acm_sync_branch
+  policy_dir       = var.acm_policy_dir
+  cluster_endpoint = module.gke.endpoint
+  operator_path    = var.operator_path
+}

examples/simple_zonal/outputs.tf → examples/simple_zonal_with_acm/outputs.tf

@@ -33,3 +33,8 @@ output "service_account" {
   value       = module.gke.service_account
 }
 
+output "acm_git_creds_public" {
+  description = "Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository."
+  value       = module.acm.git_creds_public
+}
+

examples/simple_zonal/variables.tf → examples/simple_zonal_with_acm/variables.tf

@@ -48,3 +48,26 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
 
+variable "acm_sync_repo" {
+  description = "Anthos config management Git repo"
+  type        = string
+  default     = "[email protected]:GoogleCloudPlatform/csp-config-management.git"
+}
+
+variable "acm_sync_branch" {
+  description = "Anthos config management Git branch"
+  type        = string
+  default     = "1.0.0"
+}
+
+variable "acm_policy_dir" {
+  description = "Subfolder containing configs in ACM Git repo"
+  type        = string
+  default     = "foo-corp"
+}
+
+variable "operator_path" {
+  description = "Path to the operator yaml config. If unset, will download from GCS releases."
+  type        = string
+  default     = null
+}

modules/acm/.gitignore

@@ -0,0 +1,3 @@
+# This fill will be always downloaded by terraform local-exec command from gc bucket
+config-management-operator.yaml
+/terraform.tfvars

modules/acm/README.md

@@ -0,0 +1,65 @@
+# Terraform Kubernetes Engine ACM Submodule
+
+This module installs [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/) (ACM) in a Kubernetes cluster.
+
+Specifically, this module automates the following steps for [installing ACM](https://cloud.google.com/anthos-config-management/docs/how-to/installing):
+1. Installing the ACM Operator on your cluster.
+2. Generating an SSH key for accessing Git and providing it to the Operator
+3. Configuring the Operator to connect to your ACM repository
+
+## Usage
+
+There is a [full example](../../examples/simple_zonal_with_acm) provided. Simple usage is as follows:
+
+```tf
+module "acm" {
+  source           = "terraform-google-modules/kubernetes-engine/google//modules/acm"
+
+  project_id       = "my-project-id"
+  cluster_name     = "my-cluster-name"
+  location         = module.gke.location
+  cluster_endpoint = module.gke.endpoint
+
+  sync_repo        = "[email protected]:GoogleCloudPlatform/csp-config-management.git"
+  sync_branch      = "1.0.0"
+  policy_dir       = "foo-corp"
+}
+```
+
+To deploy this config:
+1. Run `terraform apply`
+2. Inspect the `git_creds_public` [output](#outputs) to retrieve the public key used for accessing Git. Whitelist this key for access to your Git repo. Instructions for some popular Git hosting providers are included for convenience:
+
+  * [Cloud Souce Repositories](https://cloud.google.com/source-repositories/docs/authentication#ssh)
+  * [Bitbucket](https://confluence.atlassian.com/bitbucket/set-up-an-ssh-key-728138079.html)
+  * [GitHub](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/)
+  * [Gitlab](https://docs.gitlab.com/ee/ssh/)
+
+## Whitelisting
+Note that installing Anthos Config Management [requires](https://cloud.google.com/anthos-config-management/docs/how-to/installing#local_environment) an active Anthos license.
+By default, this module will attempt to download the ACM operator from Google directly—meaning your Terraform service account needs to be whitelisted for ACM access. If this is an issue, you can predownload the operator yourself then set the `operator_path` variable to point to the file location.
+
+ <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_endpoint | Kubernetes cluster endpoint. | string | n/a | yes |
+| cluster\_name | The unique name to identify the cluster in ACM. | string | n/a | yes |
+| create\_ssh\_key | Controls whether a key will be generated for Git authentication | bool | `"true"` | no |
+| enable\_policy\_controller | Whether to enable the ACM Policy Controller on the cluster | bool | `"true"` | no |
+| install\_template\_library | Whether to install the default Policy Controller template library | bool | `"true"` | no |
+| location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
+| operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
+| policy\_dir | Subfolder containing configs in ACM Git repo | string | n/a | yes |
+| project\_id | The project in which the resource belongs. | string | n/a | yes |
+| sync\_branch | ACM repo Git branch | string | `"master"` | no |
+| sync\_repo | ACM Git repo address | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
+
+ <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->