Merge branch 'terraform-google-modules:master' into enable_blue_green_upgrade_strategy
ProgEsteves authored Mar 31, 2023
2 parents 1d8d7f2 + d012313 commit e02f566
Showing 83 changed files with 228 additions and 372 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
@@ -21,7 +21,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v7
- uses: actions/stale@v8
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days'
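Review bot: `actions/stale@v8` is still a mutable major-version tag, so this job (which runs with `secrets.GITHUB_TOKEN`) executes whatever commit the `v8` tag points at on the day it fires; bumping from `v7` to `v8` is fine, but pin the action to a full commit SHA and keep the version as a trailing comment (`uses: actions/stale@<sha> # v8`) so the workflow's dependency cannot change underneath you.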
3 changes: 1 addition & 2 deletions Makefile
@@ -18,8 +18,7 @@
# Make will use bash instead of sh
SHELL := /usr/bin/env bash

# Pin to 1.3.9 per https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/issues/1208
DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.8
DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10
DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
REGISTRY_URL := gcr.io/cloud-foundation-cicd
DOCKER_BIN ?= docker
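Review bot: the comment directly above the bumped line still says `# Pin to 1.3.9 per https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/issues/1208` while the value changes from `1.8` to `1.10`; update the comment to say why `1.10` is the chosen tag, or drop it, so the next reader does not assume the linked issue still constrains the version.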
1 change: 0 additions & 1 deletion README.md
@@ -207,7 +207,6 @@ Then perform the following commands on the root folder:
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
| shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. | <pre>object({<br> metadata = string<br> })</pre> | <pre>{<br> "metadata": "INCLUDE_ALL_METADATA"<br>}</pre> | no |
| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
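Review bot: dropping the `skip_provisioners` row removes a documented module input, which is a breaking change for every caller that sets it; since this table mirrors the module's variables, confirm the same row is gone from the README of every rendered variant (only this root README and `examples/simple_regional/README.md` are shown updated) and call the removal out in the release notes rather than leaving it implicit in a merge commit.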
6 changes: 3 additions & 3 deletions autogen/main/cluster.tf.tmpl
@@ -135,12 +135,12 @@ resource "google_container_cluster" "primary" {
content {
service_account = local.service_account
oauth_scopes = local.node_pools_oauth_scopes["all"]

management {
auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade",true)
}

{% if beta_cluster %}
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
{% endif %}
@@ -309,7 +309,7 @@ resource "google_container_cluster" "primary" {
{% endif %}
}
{% if autopilot_cluster != true %}

datapath_provider = var.datapath_provider
{% endif %}

31 changes: 17 additions & 14 deletions autogen/main/main.tf.tmpl
@@ -68,7 +68,7 @@ locals {
resource_type = "memory"
minimum = var.cluster_autoscaling.min_memory_gb
maximum = var.cluster_autoscaling.max_memory_gb
}], var.cluster_autoscaling.gpu_resources) : []
}], var.cluster_autoscaling.gpu_resources) : []
{% endif %}


@@ -77,12 +77,14 @@ locals {
network_project_id = var.network_project_id != "" ? var.network_project_id : var.project_id
zone_count = length(var.zones)
cluster_type = var.regional ? "regional" : "zonal"
{% if autopilot_cluster != true %}
// auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.
{% if beta_cluster %}
// When a release channel is used, node auto-upgrade are enabled and cannot be disabled.
default_auto_upgrade = var.regional || var.release_channel != null ? true : false
{% else %}
default_auto_upgrade = var.regional ? true : false
{% endif %}
{% endif %}

cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null
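Review bot: `default_auto_upgrade` is now only defined when `autopilot_cluster != true`, so every reference to `local.default_auto_upgrade` in the templates has to sit under the same guard or the rendered Autopilot modules fail on an undeclared local; please confirm that in the node-pool template, which is not among the visible hunks. While touching this block, `var.regional ? true : false` can simply be `var.regional`, and the comment `auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master` reads badly enough that it is worth rewording in the same change.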
@@ -133,14 +135,12 @@ locals {
}]
{% endif %}

cluster_output_name = google_container_cluster.primary.name
cluster_output_regional_zones = google_container_cluster.primary.node_locations
cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : []
cluster_output_zones = local.cluster_output_regional_zones

{% if private_cluster %}
cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint
cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config.0.peering_name : null
cluster_endpoint = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
cluster_peering_name = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
{% else %}
cluster_endpoint = google_container_cluster.primary.endpoint
@@ -152,17 +152,18 @@ locals {
cluster_output_min_master_version = google_container_cluster.primary.min_master_version
cluster_output_logging_service = google_container_cluster.primary.logging_service
cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service
cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config.0.network_policy_config.0.disabled
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config.0.http_load_balancing.0.disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config.0.horizontal_pod_autoscaling.0.disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
{% if autopilot_cluster != true %}
cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled
{% endif %}
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false

{% if beta_cluster %}
# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config.0.istio_config != null && length(google_container_cluster.primary.addons_config.0.istio_config) == 1 ? google_container_cluster.primary.addons_config.0.istio_config.0.disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false

# /BETA features
{% endif %}
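Review bot: the migration from the legacy `.0.` attribute syntax to `[0]` is incomplete in this hunk: the unchanged `cluster_output_identity_service_enabled` line still reads `identity_service_config.0.enabled`, so the file now mixes both styles; convert it in the same change. Separately, `cluster_output_network_policy_enabled` is undefined when `autopilot_cluster` is true after this guard, so any output or local that reads it needs the same `{% if autopilot_cluster != true %}` guard. Also note that the `_enabled` locals for network policy, HTTP load balancing and HPA actually carry the `.disabled` flag from `addons_config`; that inversion predates this commit, but a comment (or a `!`) here would stop it spreading.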
@@ -176,11 +177,11 @@ locals {
[for np in google_container_node_pool.pools : np.name], [""],
[for np in google_container_node_pool.windows_pools : np.name], [""]
)

cluster_output_node_pools_versions = merge(
{ for np in google_container_node_pool.pools : np.name => np.version },
{ for np in google_container_node_pool.windows_pools : np.name => np.version },
)
)
{% endif %}

cluster_master_auth_list_layer1 = local.cluster_output_master_auth
@@ -221,7 +222,9 @@ locals {
# BETA features
cluster_istio_enabled = ! local.cluster_output_istio_disabled
cluster_dns_cache_enabled = var.dns_cache
{% if autopilot_cluster != true %}
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
{% endif %}
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
16 changes: 9 additions & 7 deletions autogen/main/variables.tf.tmpl
@@ -102,12 +102,14 @@ variable "service_external_ips" {
default = false
}

{% if autopilot_cluster != true %}
variable "datapath_provider" {
type = string
description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
default = "DATAPATH_PROVIDER_UNSPECIFIED"
}

{% endif %}
variable "maintenance_start_time" {
type = string
description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"
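Review bot: wrapping `variable "datapath_provider"` in `{% if autopilot_cluster != true %}` removes the input from the Autopilot-rendered modules, which breaks any caller that sets it (the `examples/simple_autopilot_private_non_default_sa` example has to drop `datapath_provider = "ADVANCED_DATAPATH"` in this same commit); flag it as a breaking change, and state in the module docs that the datapath provider is not configurable on the Autopilot variants so users do not go looking for the missing input.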
@@ -335,14 +337,15 @@ variable "configure_ip_masq" {
default = false
}

{% if beta_cluster %}
{% if beta_cluster and autopilot_cluster != true%}
variable "cluster_telemetry_type" {
type = string
description = "Available options include ENABLED, DISABLED, and SYSTEM_ONLY"
default = null
}

{% endif %}
{% if autopilot_cluster != true%}
variable "logging_service" {
type = string
description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
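Review bot: the two new Jinja tags `{% if beta_cluster and autopilot_cluster != true%}` and `{% if autopilot_cluster != true%}` are missing the space before `%}` that every other tag in this file uses (`{% if autopilot_cluster != true %}` a few lines up); the renderer accepts both, but keep the spacing consistent so a grep for the canonical form finds all the Autopilot guards.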
@@ -355,6 +358,7 @@ variable "monitoring_service" {
default = "monitoring.googleapis.com/kubernetes"
}

{% endif %}
variable "create_service_account" {
type = bool
description = "Defines if service account specified to run nodes should be created."
@@ -397,11 +401,6 @@ variable "cluster_resource_labels" {
default = {}
}

variable "skip_provisioners" {
type = bool
description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
default = false
}
{% if private_cluster %}

variable "deploy_using_private_endpoint" {
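Review bot: `variable "skip_provisioners"` is deleted here without a visible change to the `local-exec` provisioners it gated; its own description says it disables the provisioners behind `stub_domains` and `upstream_nameservers`, so either those provisioners are removed elsewhere in the 83 changed files (in which case the behaviour of those two inputs changed and their docs need updating) or they remain and now always run. The DNS resources are not among the hunks shown, so please say in the commit message which it is and where `var.skip_provisioners` stopped being referenced, otherwise the rendered modules will not validate.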
@@ -697,6 +696,7 @@ variable "enable_kubernetes_alpha" {

variable "istio" {
description = "(Beta) Enable Istio addon"
type = bool
default = false
}

@@ -720,12 +720,14 @@ variable "config_connector" {

variable "cloudrun" {
description = "(Beta) Enable CloudRun addon"
type = bool
default = false
}

variable "cloudrun_load_balancer_type" {
description = "(Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer."
default = ""
type = string
default = ""
}
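Review bot: the new `type = bool` and `type = string` lines are placed after `description` for `istio`, `cloudrun` and `cloudrun_load_balancer_type`, whereas the existing variables in this file put `type` first (`datapath_provider`, `cluster_telemetry_type`, `logging_service`); adding the types is the right fix, just keep the attribute order consistent. Worth a changelog line too: a previously untyped variable accepted any value, so a caller passing something that is not coercible to `bool` or `string` now gets a plan-time type error.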

variable "enable_pod_security_policy" {
12 changes: 12 additions & 0 deletions autogen/main/versions.tf.tmpl
@@ -22,6 +22,10 @@ terraform {

{% if beta_cluster %}
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.51.0, < 5.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.51.0, < 5.0"
@@ -30,6 +34,10 @@ terraform {
source = "hashicorp/kubernetes"
version = "~> 2.10"
}
random = {
source = "hashicorp/random"
version = ">= 2.1"
}
}
provider_meta "google-beta" {
module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v25.0.0"
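Review bot: the new `random` requirement is open-ended (`>= 2.1`) while `google` and `google-beta` are bounded (`>= 4.51.0, < 5.0`) and `kubernetes` uses `~> 2.10`; add an upper bound so a future major release of `hashicorp/random` cannot break consumers on `terraform init`. Nothing in the visible hunks declares a `random_*` resource, so also state in the commit message which template introduces it; as it stands this is a provider pin that every consumer downloads with no visible use, and the same block is duplicated in the non-beta `required_providers` below.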
@@ -44,6 +52,10 @@ terraform {
source = "hashicorp/kubernetes"
version = "~> 2.10"
}
random = {
source = "hashicorp/random"
version = ">= 2.1"
}
}
provider_meta "google" {
module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v25.0.0"
3 changes: 1 addition & 2 deletions autogen/safer-cluster/main.tf.tmpl
@@ -26,6 +26,7 @@ module "gke" {
{% endif %}
project_id = var.project_id
name = var.name
description = var.description
regional = var.regional
region = var.region
zones = var.zones
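Review bot: `description = var.description` is passed through to `module "gke"`, but the `autogen/safer-cluster/variables.tf.tmpl` hunks in this commit only add types and delete variables; make sure `variable "description"` is declared in the safer-cluster template and listed in its README, otherwise the rendered safer-cluster modules fail validation on an undeclared variable.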
@@ -188,8 +189,6 @@ module "gke" {

enable_shielded_nodes = var.enable_shielded_nodes

skip_provisioners = var.skip_provisioners

gce_pd_csi_driver = var.gce_pd_csi_driver
filestore_csi_driver = var.filestore_csi_driver

21 changes: 3 additions & 18 deletions autogen/safer-cluster/variables.tf.tmpl
@@ -306,6 +306,7 @@ variable "master_ipv4_cidr_block" {

variable "istio" {
description = "(Beta) Enable Istio addon"
type = bool
default = false
}

@@ -341,6 +342,7 @@ variable "cluster_dns_domain" {

variable "default_max_pods_per_node" {
description = "The maximum number of pods to schedule per node"
type = number
default = 110
}

@@ -355,6 +357,7 @@ variable "database_encryption" {

variable "cloudrun" {
description = "(Beta) Enable CloudRun addon"
type = bool
default = false
}

@@ -364,18 +367,6 @@ variable "resource_usage_export_dataset_id" {
default = ""
}

variable "enable_network_egress_export" {
type = bool
description = "Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic."
default = false
}

variable "enable_resource_consumption_export" {
type = bool
description = "Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export."
default = true
}

variable "enable_cost_allocation" {
type = bool
description = "Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery"
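Review bot: `enable_network_egress_export` and `enable_resource_consumption_export` are deleted from the safer-cluster inputs while `resource_usage_export_dataset_id` stays, so resource usage export is now only half-configurable through this wrapper and its behaviour falls back to whatever the underlying module defaults to; confirm `autogen/safer-cluster/main.tf.tmpl` no longer passes either variable to `module "gke"` (the only safer-cluster main.tf changes shown are the `description` pass-through and the `skip_provisioners` removal) and document both deletions as breaking, since callers that set them get an unknown-argument error.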
@@ -424,12 +415,6 @@ variable "enable_private_endpoint" {
default = true
}

variable "skip_provisioners" {
type = bool
description = "Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality."
default = false
}

variable "enable_pod_security_policy" {
type = bool
description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
2 changes: 1 addition & 1 deletion build/int.cloudbuild.yaml
@@ -511,6 +511,6 @@ tags:
- 'integration'
substitutions:
_DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8'
_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
options:
machineType: 'N1_HIGHCPU_8'
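Review bot: `_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'` keeps pulling `cft/developer-tools` from `gcr.io/cloud-foundation-cicd` by a mutable tag, so the integration and lint builds can change under the same committed value; pin to the image digest (`cft/developer-tools@sha256:...`) and keep the tag in a comment. The value does now match the `1.10` set in the Makefile, so the three pins are at least consistent.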
2 changes: 1 addition & 1 deletion build/lint.cloudbuild.yaml
@@ -22,7 +22,7 @@ tags:
- 'lint'
substitutions:
_DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8'
_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'
options:
machineType: 'N1_HIGHCPU_8'
env:
1 change: 0 additions & 1 deletion examples/simple_autopilot_private_non_default_sa/main.tf
@@ -48,7 +48,6 @@ module "gke" {
enable_private_endpoint = true
enable_private_nodes = true
master_ipv4_cidr_block = "172.16.0.0/28"
datapath_provider = "ADVANCED_DATAPATH"

master_authorized_networks = [
{
1 change: 0 additions & 1 deletion examples/simple_regional/README.md
@@ -15,7 +15,6 @@ This example illustrates how to create a simple cluster.
| network | The VPC network to host the cluster in | `any` | n/a | yes |
| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
| region | The region to host the cluster in | `any` | n/a | yes |
| skip\_provisioners | Flag to skip local-exec provisioners | `bool` | `false` | no |
| subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes |

## Outputs
1 change: 0 additions & 1 deletion examples/simple_regional/main.tf
@@ -40,5 +40,4 @@ module "gke" {
service_account = var.compute_engine_service_account
enable_cost_allocation = true
enable_binary_authorization = var.enable_binary_authorization
skip_provisioners = var.skip_provisioners
}
6 changes: 0 additions & 6 deletions examples/simple_regional/variables.tf
@@ -47,12 +47,6 @@ variable "compute_engine_service_account" {
description = "Service account to associate to the nodes in the cluster"
}

variable "skip_provisioners" {
type = bool
description = "Flag to skip local-exec provisioners"
default = false
}

variable "enable_binary_authorization" {
description = "Enable BinAuthZ Admission controller"
default = false
1 change: 0 additions & 1 deletion examples/simple_regional_beta/README.md
@@ -10,7 +10,6 @@ This example illustrates how to create a simple cluster with beta features.
| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
| datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
6 changes: 0 additions & 6 deletions examples/simple_regional_beta/variables.tf
@@ -113,9 +113,3 @@ variable "regional" {
description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)"
default = true
}

variable "datapath_provider" {
type = string
description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
default = "DATAPATH_PROVIDER_UNSPECIFIED"
}
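Review bot: `variable "datapath_provider"` is removed from this example's `variables.tf` and README, but `examples/simple_regional_beta/main.tf` is not among the visible hunks; if it still passes `datapath_provider = var.datapath_provider` to the module, `terraform validate` fails on the undeclared variable. This example is a beta regional cluster, not Autopilot, so the module input itself remains available and the example just falls back to the `DATAPATH_PROVIDER_UNSPECIFIED` default; say so in the commit message, since at first glance it looks like the Autopilot removal was applied to the wrong example.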