2022-02-28 03:40:48 -08:00
# GKE hub module
This module allows simplified creation and management of a GKE Hub object and its features for a given set of clusters. The given list of clusters will be registered inside the Hub and all the configured features will be activated.
To use this module you must ensure the following APIs are enabled in the target project:
2022-07-05 00:07:50 -07:00
2022-10-12 03:59:36 -07:00
- `gkehub.googleapis.com`
- `gkeconnect.googleapis.com`
- `anthosconfigmanagement.googleapis.com`
- `multiclusteringress.googleapis.com`
- `multiclusterservicediscovery.googleapis.com`
- `mesh.googleapis.com`
2022-02-28 03:40:48 -08:00
## Full GKE Hub example
```hcl
module "project" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/project"
2022-02-28 03:40:48 -08:00
billing_account = var.billing_account_id
name = "gkehub-test"
parent = "folders/12345"
services = [
2022-07-05 00:07:50 -07:00
"anthosconfigmanagement.googleapis.com",
2022-02-28 03:40:48 -08:00
"container.googleapis.com",
"gkeconnect.googleapis.com",
2022-07-05 00:07:50 -07:00
"gkehub.googleapis.com",
2022-02-28 03:40:48 -08:00
"multiclusteringress.googleapis.com",
"multiclusterservicediscovery.googleapis.com",
2022-07-15 02:56:13 -07:00
"mesh.googleapis.com"
2022-02-28 03:40:48 -08:00
]
}
module "vpc" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/net-vpc"
2022-02-28 03:40:48 -08:00
project_id = module.project.project_id
name = "network"
subnets = [{
ip_cidr_range = "10.0.0.0/24"
name = "cluster-1"
region = "europe-west1"
secondary_ip_range = {
pods = "10.1.0.0/16"
services = "10.2.0.0/24"
}
}]
}
2022-07-28 23:39:25 -07:00
module "cluster_1" {
2023-04-21 05:08:13 -07:00
source = "./fabric/modules/gke-cluster-standard"
2022-10-10 00:38:21 -07:00
project_id = module.project.project_id
name = "cluster-1"
location = "europe-west1"
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"]
2022-10-12 03:59:36 -07:00
master_authorized_ranges = {
fc1918_10_8 = "10.0.0.0/8"
}
2022-12-16 03:53:56 -08:00
master_ipv4_cidr_block = "192.168.0.0/28"
2022-10-10 00:38:21 -07:00
}
enable_features = {
dataplane_v2 = true
workload_identity = true
}
2022-02-28 03:40:48 -08:00
private_cluster_config = {
enable_private_endpoint = true
master_global_access = false
}
}
module "hub" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/gke-hub"
2022-02-28 03:40:48 -08:00
project_id = module.project.project_id
2022-07-28 23:39:25 -07:00
clusters = {
cluster-1 = module.cluster_1.id
2022-02-28 03:40:48 -08:00
}
2022-07-28 23:39:25 -07:00
features = {
appdevexperience = false
configmanagement = true
identityservice = false
multiclusteringress = null
servicemesh = false
multiclusterservicediscovery = false
2022-02-28 03:40:48 -08:00
}
2022-07-28 23:39:25 -07:00
configmanagement_templates = {
default = {
binauthz = false
2022-02-28 03:40:48 -08:00
config_sync = {
2022-07-28 23:39:25 -07:00
git = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "configsync"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "main"
sync_repo = "https://github.com/danielmarzini/configsync-platform-example"
sync_rev = null
sync_wait_secs = null
}
prevent_drift = false
source_format = "hierarchy"
}
hierarchy_controller = {
enable_hierarchical_resource_quota = true
enable_pod_tree_labels = true
}
policy_controller = {
audit_interval_seconds = 120
exemptable_namespaces = []
log_denies_enabled = true
referential_rules_enabled = true
template_library_installed = true
2022-02-28 03:40:48 -08:00
}
2022-07-28 23:39:25 -07:00
version = "v1"
2022-02-28 03:40:48 -08:00
}
}
2022-07-28 23:39:25 -07:00
configmanagement_clusters = {
2022-12-16 03:53:56 -08:00
"default" = ["cluster-1"]
2022-07-28 23:39:25 -07:00
}
}
2023-01-29 04:42:06 -08:00
# tftest modules=4 resources=16
2022-07-28 23:39:25 -07:00
```
## Multi-cluster mesh on GKE
```hcl
module "project" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/project"
2022-07-28 23:39:25 -07:00
billing_account = "123-456-789"
name = "gkehub-test"
parent = "folders/12345"
services = [
"anthos.googleapis.com",
"container.googleapis.com",
"gkehub.googleapis.com",
"gkeconnect.googleapis.com",
"mesh.googleapis.com",
"meshconfig.googleapis.com",
"meshca.googleapis.com"
]
}
2023-02-09 02:54:47 -08:00
resource "google_project_iam_member" "gkehub_fix" {
member = "serviceAccount:${module.project.service_accounts.robots.fleet}"
project = module.project.project_id
role = "roles/gkehub.serviceAgent"
}
2022-07-28 23:39:25 -07:00
module "vpc" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/net-vpc"
2022-07-28 23:39:25 -07:00
project_id = module.project.project_id
name = "vpc"
mtu = 1500
subnets = [
{
ip_cidr_range = "10.0.1.0/24"
name = "subnet-cluster-1"
region = "europe-west1"
2023-02-09 02:54:47 -08:00
secondary_ip_ranges = {
2022-07-28 23:39:25 -07:00
pods = "10.1.0.0/16"
services = "10.2.0.0/24"
}
},
{
ip_cidr_range = "10.0.2.0/24"
name = "subnet-cluster-2"
region = "europe-west4"
2023-02-09 02:54:47 -08:00
secondary_ip_ranges = {
2022-07-28 23:39:25 -07:00
pods = "10.3.0.0/16"
services = "10.4.0.0/24"
}
},
{
2023-02-09 02:54:47 -08:00
ip_cidr_range = "10.0.0.0/28"
name = "subnet-mgmt"
region = "europe-west1"
secondary_ip_ranges = null
2022-07-28 23:39:25 -07:00
}
]
}
module "firewall" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/net-vpc-firewall"
2022-07-28 23:39:25 -07:00
project_id = module.project.project_id
network = module.vpc.name
2022-11-04 05:56:07 -07:00
ingress_rules = {
2022-07-28 23:39:25 -07:00
allow-mesh = {
2022-11-04 05:56:07 -07:00
description = "Allow mesh"
priority = 900
source_ranges = ["10.1.0.0/16", "10.3.0.0/16"]
targets = ["cluster-1-node", "cluster-2-node"]
},
2022-07-28 23:39:25 -07:00
"allow-cluster-1-istio" = {
2022-11-04 05:56:07 -07:00
description = "Allow istio sidecar injection, istioctl version and istioctl ps"
source_ranges = ["192.168.1.0/28"]
targets = ["cluster-1-node"]
rules = [
{ protocol = "tcp", ports = [8080, 15014, 15017] }
]
2022-07-28 23:39:25 -07:00
},
"allow-cluster-2-istio" = {
2022-11-04 05:56:07 -07:00
description = "Allow istio sidecar injection, istioctl version and istioctl ps"
source_ranges = ["192.168.2.0/28"]
targets = ["cluster-2-node"]
rules = [
{ protocol = "tcp", ports = [8080, 15014, 15017] }
]
2022-02-28 03:40:48 -08:00
}
}
}
2022-07-28 23:39:25 -07:00
module "cluster_1" {
2023-04-21 05:08:13 -07:00
source = "./fabric/modules/gke-cluster-standard"
2022-10-10 00:38:21 -07:00
project_id = module.project.project_id
name = "cluster-1"
location = "europe-west1"
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.3.0.0/16"
}
2022-12-16 03:53:56 -08:00
master_ipv4_cidr_block = "192.168.1.0/28"
2022-10-10 00:38:21 -07:00
}
2022-07-28 23:39:25 -07:00
private_cluster_config = {
enable_private_endpoint = false
master_global_access = true
}
2023-02-09 02:54:47 -08:00
2022-10-10 00:38:21 -07:00
release_channel = "REGULAR"
2022-07-28 23:39:25 -07:00
labels = {
mesh_id = "proj-${module.project.number}"
}
2023-02-09 02:54:47 -08:00
enable_features = {
workload_identity = true
dataplane_v2 = true
}
2022-02-28 03:40:48 -08:00
}
2022-07-28 23:39:25 -07:00
module "cluster_1_nodepool" {
2022-10-12 03:59:36 -07:00
source = "./fabric/modules/gke-nodepool"
project_id = module.project.project_id
cluster_name = module.cluster_1.name
2023-02-09 02:54:47 -08:00
cluster_id = module.cluster_1.id
2022-10-12 03:59:36 -07:00
location = "europe-west1"
2023-02-09 02:54:47 -08:00
name = "cluster-1-nodepool"
2022-10-12 03:59:36 -07:00
node_count = { initial = 1 }
2022-10-27 08:12:04 -07:00
service_account = { create = true }
2022-10-12 03:59:36 -07:00
tags = ["cluster-1-node"]
2022-07-28 23:39:25 -07:00
}
module "cluster_2" {
2023-04-21 05:08:13 -07:00
source = "./fabric/modules/gke-cluster-standard"
2022-12-16 03:53:56 -08:00
project_id = module.project.project_id
name = "cluster-2"
location = "europe-west4"
2022-10-10 00:38:21 -07:00
vpc_config = {
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
master_authorized_ranges = {
mgmt = "10.0.0.0/28"
pods-cluster-1 = "10.3.0.0/16"
}
2022-12-16 03:53:56 -08:00
master_ipv4_cidr_block = "192.168.2.0/28"
2022-10-10 00:38:21 -07:00
}
2022-07-28 23:39:25 -07:00
private_cluster_config = {
enable_private_endpoint = false
master_global_access = true
}
2022-10-10 00:38:21 -07:00
release_channel = "REGULAR"
2022-07-28 23:39:25 -07:00
labels = {
mesh_id = "proj-${module.project.number}"
}
2023-02-09 02:54:47 -08:00
enable_features = {
workload_identity = true
dataplane_v2 = true
}
2022-07-28 23:39:25 -07:00
}
module "cluster_2_nodepool" {
2022-12-16 03:53:56 -08:00
source = "./fabric/modules/gke-nodepool"
project_id = module.project.project_id
cluster_name = module.cluster_2.name
2023-02-09 02:54:47 -08:00
cluster_id = module.cluster_2.id
2022-12-16 03:53:56 -08:00
location = "europe-west4"
2023-02-09 02:54:47 -08:00
name = "cluster-2-nodepool"
2022-10-12 03:59:36 -07:00
node_count = { initial = 1 }
2022-10-27 08:12:04 -07:00
service_account = { create = true }
2022-10-12 03:59:36 -07:00
tags = ["cluster-2-node"]
2022-07-28 23:39:25 -07:00
}
module "hub" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/gke-hub"
2022-07-28 23:39:25 -07:00
project_id = module.project.project_id
2023-02-09 02:54:47 -08:00
depends_on = [google_project_iam_member.gkehub_fix]
2022-12-16 03:53:56 -08:00
clusters = {
2022-07-28 23:39:25 -07:00
cluster-1 = module.cluster_1.id
cluster-2 = module.cluster_2.id
}
features = {
appdevexperience = false
configmanagement = false
identityservice = false
multiclusteringress = null
servicemesh = true
multiclusterservicediscovery = false
}
workload_identity_clusters = [
"cluster-1",
"cluster-2"
]
}
2022-10-12 03:59:36 -07:00
2023-02-24 10:14:43 -08:00
# tftest modules=8 resources=32
2022-02-28 03:40:48 -08:00
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
2022-07-28 23:39:25 -07:00
| [project_id ](variables.tf#L87 ) | GKE hub project ID. | < code > string</ code > | ✓ | |
| [clusters ](variables.tf#L17 ) | Clusters members of this GKE Hub in name => id format. | < code > map( string) </ code > | | < code > {} </ code > |
| [configmanagement_clusters ](variables.tf#L24 ) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [configmanagement_templates ](variables.tf#L31 ) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | < code title = "map(object({ binauthz = bool config_sync = object({ git = object({ gcp_service_account_email = string https_proxy = string policy_dir = string secret_type = string sync_branch = string sync_repo = string sync_rev = string sync_wait_secs = number }) prevent_drift = string source_format = string }) hierarchy_controller = object({ enable_hierarchical_resource_quota = bool enable_pod_tree_labels = bool }) policy_controller = object({ audit_interval_seconds = number exemptable_namespaces = list(string) log_denies_enabled = bool referential_rules_enabled = bool template_library_installed = bool }) version = string }))" > map( object({…})) </ code > | | < code > {} </ code > |
2023-01-29 02:02:47 -08:00
| [features ](variables.tf#L66 ) | Enable and configue fleet features. | < code title = "object({ appdevexperience = optional(bool, false) configmanagement = optional(bool, false) identityservice = optional(bool, false) multiclusteringress = optional(string, null) multiclusterservicediscovery = optional(bool, false) servicemesh = optional(bool, false) })" > object({…}) </ code > | | < code title = "{ appdevexperience = false configmanagement = false identityservice = false multiclusteringress = null servicemesh = false multiclusterservicediscovery = false }" > {…} </ code > |
2022-07-28 23:39:25 -07:00
| [workload_identity_clusters ](variables.tf#L92 ) | Clusters that will use Fleet Workload Identity. | < code > list( string) </ code > | | < code > [] </ code > |
2022-02-28 03:40:48 -08:00
## Outputs
| name | description | sensitive |
|---|---|:---:|
2022-11-24 09:56:01 -08:00
| [cluster_ids ](outputs.tf#L17 ) | Ids of all the clusters created. | |
2022-02-28 03:40:48 -08:00
<!-- END TFDOC -->
