Squashing relevant changes from fast-dev-gke-marzi

Co-authored-by: Daniel Marzini <dmarzi@google.com>
This commit is contained in:
Julio Castillo 2022-04-03 22:32:52 +02:00
parent d28dfc40b0
commit 110d94067d
25 changed files with 729 additions and 35 deletions


@ -0,0 +1,3 @@
The cluster/ directory contains configs that apply to entire clusters, rather than to namespaces. By default, any config in the cluster/ directory applies to every cluster enrolled in Config Sync. You can limit which clusters a config can affect by using a ClusterSelector.
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#cluster


@ -0,0 +1,28 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dev-namespace-viewer
rules:
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
resources:
- "pods"
- "pods/log"
- "events"
- "deployments"
- "replicasets"
verbs: ["get", "watch", "list"]
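Review bot: The rule under `resources:` grants `pods/log` together with the object reads, so every subject bound to `dev-namespace-viewer` can read the stdout of every container in the bound namespace; that is a defensible viewer permission, but application logs routinely carry more than the objects do, so it deserves a comment such as `# pods/log exposes container output; bind this role only to readers trusted with application logs`. The `extensions` entry in `apiGroups` no longer serves deployments or replicasets on current Kubernetes releases, so it is dead weight beside `apps` and can be dropped. The rendered page drops indentation, so whether `resources:` and `verbs:` sit inside the single rule item cannot be verified here.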


@ -0,0 +1,43 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-geo
annotations:
configsync.gke.io/cluster-name-selector: gke-1
spec:
enforcementAction: dryrun
match:
excludedNamespaces:
- "kube-system"
- "kube-public"
- "kube-node-lease"
- "resource-group-system"
- "config-management-monitoring"
- "config-management-system"
- "cos-auditd"
- "gatekeeper-system"
- "kube-node-lease"
- "cnrm-system"
- "gke-mcs"
- "configconnector-operator-system"
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels:
- key: "geo"
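Review bot: `kube-node-lease` is listed twice in `excludedNamespaces` (once near the top of the list and again right after `gatekeeper-system`); Gatekeeper tolerates the duplicate, but it should be removed so the list reads as the set it is meant to be. `enforcementAction: dryrun` means this constraint only records violations in its status and never rejects a Namespace that lacks the `geo` label, and the `configsync.gke.io/cluster-name-selector: gke-1` annotation confines it to one cluster; both look deliberate and should say so, e.g. `# dryrun: audit-only until every namespace carries geo; scoped to gke-1 via cluster-name-selector`. Note that `team-a`, added in this same commit, has no `geo` label and will show up as the first violation.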


@ -0,0 +1,47 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high-priority-system
value: 1000000
globalDefault: false
description: "This priority class will cause other pods to be preempted."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high-priority
value: 1000
globalDefault: false
description: "This priority class will cause other pods to be preempted."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: mid-priority
value: 100
globalDefault: false
# preemptionPolicy: Never
description: "This priority class will cause other pods to be preempted."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: low-priority
value: 10
globalDefault: true
# preemptionPolicy: Never
description: "This priority class will cause other pods to be preempted."
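Review bot: The same `description` string is pasted onto all four classes, so `mid-priority` and `low-priority` claim they "will cause other pods to be preempted" although they are the classes most likely to be preempted; each class should describe its own role, e.g. on `low-priority`: `description: "Default class for tenant workloads; preemptible by any higher class."`. `low-priority` is also the only class with `globalDefault: true`, which silently assigns value 10 to every pod that sets no `priorityClassName`, and the API server accepts only one global default — worth a comment on that line. The two commented-out `# preemptionPolicy: Never` lines leave the reader guessing whether non-preempting behaviour was tried and rejected; either enable it or remove the comments.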


@ -0,0 +1,7 @@
The namespaces/ directory contains configs for namespaces and namespace-scoped objects.
The structure within namespaces/ is the mechanism that drives namespace inheritance. You can limit which namespaces can inherit a config, by using a NamespaceSelector.
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#namespaces


@ -0,0 +1,54 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ConfigMap
apiVersion: v1
metadata:
name: fluentd-gcp-config-cos-auditd
namespace: cos-auditd
annotations:
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
data:
google-fluentd.conf: |-
<source>
@type systemd
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
pos_file /var/log/gcp-journald-audit.pos
read_from_head true
tag linux-auditd
</source>
# Do not collect fluentd's own logs to avoid infinite loops.
<match fluent.**>
@type null
</match>
<match **>
@type google_cloud
enable_monitoring false
split_logs_by_tag false
detect_subservice false
buffer_type file
buffer_path /var/log/fluentd-buffers/system.audit.buffer
buffer_queue_full_action block
buffer_chunk_limit 512k
buffer_queue_limit 2
flush_interval 5s
max_retry_wait 30
disable_retry_limit
num_threads 2
use_grpc true
</match>


@ -0,0 +1,128 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cos-auditd-logging
namespace: cos-auditd
annotations:
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
spec:
selector:
matchLabels:
name: cos-auditd-logging
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
name: cos-auditd-logging
spec:
hostNetwork: true
hostPID: true
nodeSelector:
cloud.google.com/gke-os-distribution: cos
volumes:
- hostPath:
path: /
name: host
- hostPath:
path: /var/log
name: varlog
- hostPath:
path: /usr/lib64
name: libsystemddir
- configMap:
defaultMode: 420
name: fluentd-gcp-config-cos-auditd
name: config-volume
initContainers:
- name: cos-auditd-setup
image: ubuntu
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
resources:
requests:
memory: "10Mi"
cpu: "10m"
priorityClassName: high-priority-system
containers:
- name: fluentd-gcp-cos-auditd
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- |
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
exit 1;
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
rm -rf /var/log/fluentd-buffers;
exit 1;
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
exit 1;
fi;
failureThreshold: 3
initialDelaySeconds: 600
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: "1"
memory: 500Mi
requests:
cpu: 100m
memory: 200Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/log
name: varlog
- mountPath: /host/lib
name: libsystemddir
readOnly: true
- mountPath: /etc/google-fluentd/google-fluentd.conf
subPath: google-fluentd.conf
name: config-volume
dnsPolicy: Default
restartPolicy: Always
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node.alpha.kubernetes.io/ismaster
- effect: NoExecute
operator: Exists
- effect: NoSchedule
key: sandbox.gke.io/runtime
operator: Equal
value: gvisor
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
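Review bot: The liveness script on the `LIVENESS_THRESHOLD_SECONDS=` line assigns `STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}`, reading the wrong variable: LIVENESS_THRESHOLD_SECONDS was just set to 300 on the same line, so the stuck threshold is always 300 and the 900 fallback is dead; it should read `STUCK_THRESHOLD_SECONDS=${STUCK_THRESHOLD_SECONDS:-900};`. The `cos-auditd-setup` init container runs `privileged: true` with the node root mounted at `/host` and chroots into it, yet its image is the bare `ubuntu` tag, which resolves to whatever the registry serves at pull time; a container with that level of node access should be pinned by digest (`image: ubuntu@sha256:<DIGEST-PLACEHOLDER>`, a labelled placeholder) or replaced by a maintained image. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is the deprecated predecessor of `priorityClassName`, which is already set to `high-priority-system`, so the annotation can be dropped. The `operator: Exists` toleration with `effect: NoExecute` tolerates every NoExecute taint, which is presumably intended for a node-logging agent but deserves a comment saying so.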


@ -0,0 +1,19 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: cos-auditd


@ -0,0 +1,34 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# LimitRange Reference: https://kubernetes.io/docs/concepts/policy/limit-range/
apiVersion: v1
kind: LimitRange
metadata:
name: default-limits
spec:
limits:
- type: Container
default:
cpu: "1"
memory: 512Mi
defaultRequest:
memory: 256Mi
cpu: "0.5"
max:
cpu: "2"
memory: 1Gi
- type: PersistentVolumeClaim
max:
storage: 2Gi
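Review bot: The `Container` limits set a `default` cpu of `"1"` against a `defaultRequest` of `"0.5"` and declare no `min`; read together with the team-a `mem-cpu-store` quota added in this commit (`requests.cpu: "1"`, `limits.cpu: "2"`), only two containers that omit their own resources fit before the quota refuses further pods. If that is the intended tenant sizing it should be written down on the `limits:` block, e.g. `# defaults apply to any container that omits resources; sized so two default containers fit the team quotas`; if not, the defaults and the quotas need tuning together. Which namespaces inherit this LimitRange cannot be seen here, since the rendered page drops the file path.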


@ -0,0 +1,22 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# apiVersion: networking.k8s.io/v1
# kind: NetworkPolicy
# metadata:
# name: default-deny-egress
# spec:
# podSelector: {}
# policyTypes:
# - Egress
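Review bot: Every line after the license header is commented out, so the `default-deny-egress` policy is shipped as inert text rather than applied, and nothing in the file says why; a one-line header such as `# Disabled: enabling this without an egress allow for kube-dns (TCP/UDP 53) breaks name resolution in every namespace that inherits it` would tell the next maintainer what has to accompany it before it is switched on. If the policy is meant to stay off, removing the file is cleaner than carrying YAML that reads like an active control to anyone auditing the tree. Note also that the cluster module in this commit sets `network_policy_config = false` while enabling Dataplane V2, which is where policy enforcement is expected to come from; that dependency belongs in the same comment.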


@ -0,0 +1,18 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: team-a
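Review bot: `team-a` carries no `geo` label, while the `ns-must-have-geo` K8sRequiredLabels constraint added in this commit requires one on every Namespace outside its exclusion list and the sibling `team-b` manifest already sets `geo: "europe-west1"`; in dryrun the constraint will report team-a as a violation, and any later move to `deny` would block this manifest. Add the label under `metadata:` (`labels:` / `geo: "<REGION-PLACEHOLDER>"`, a labelled placeholder for the team's region) or leave a comment explaining why team-a is meant to stay unlabelled.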


@ -0,0 +1,30 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This Namespace is configured with RepoSync
# Doc ref: https://cloud.google.com/anthos-config-management/docs/how-to/namespace-repositories#namespace-root
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
name: repo-sync
namespace: team-a
spec:
sourceFormat: unstructured
git:
repo: "https://github.com/danielmarzini/configsync-application-example"
branch: main
revision: HEAD
dir: "configsync/team-a"
auth: none
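Review bot: `spec.git` pulls team-a's namespace config from a personal GitHub repository over `auth: none` at `branch: main` / `revision: HEAD`, and the `syncs-repo` RoleBinding in this commit gives `ns-reconciler-team-a` the `edit` ClusterRole in team-a, so whoever can push to that repository can apply anything `edit` permits in the namespace without any review in this tree. For anything beyond a throwaway demo the repository should sit under the organisation's control and `revision` should pin a commit or tag rather than track `HEAD`, with the tracking choice called out in place (`# revision: HEAD follows the branch tip; pin a SHA outside of demos`). `revision: HEAD` is also the default and is redundant next to `branch: main`.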


@ -0,0 +1,35 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/
kind: ResourceQuota
apiVersion: v1
metadata:
namespace: team-a
name: pvc
spec:
hard:
persistentvolumeclaims: "3"
---
apiVersion: v1
kind: ResourceQuota
metadata:
namespace: team-a
name: mem-cpu-store
spec:
hard:
requests.cpu: "1"
requests.memory: 1Gi
limits.cpu: "2"
limits.memory: 2Gi


@ -0,0 +1,28 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: namespace-viewer
roleRef:
kind: ClusterRole
name: dev-namespace-viewer
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: team-a@marzi.gcp-pso-italy.net
apiGroup: rbac.authorization.k8s.io
namespace: team-a
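Review bot: The subject `team-a@marzi.gcp-pso-italy.net` is a Google Group from a developer's test domain hard-coded into a shared stage, so every consumer of this stage either inherits a binding to a group they do not control or edits the manifest by hand; the group should be derived from the stage inputs (the same place `authenticator_security_group` is now wired) or at least be marked `# replace with the tenant's Groups-for-GKE group`. Group subjects only resolve when Groups for GKE is enabled and the group is nested under the security group passed as `authenticator_security_group`, which this commit uncomments in the cluster module; a comment stating that dependency would spare the next reader a debugging session. Because the rendering drops indentation, it is not clear whether the trailing `namespace: team-a` belongs to `metadata` or to the Group subject; on a Group subject the field is ignored, and if `metadata` has no namespace the binding relies on its directory placement in the hierarchical repo.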


@ -0,0 +1,28 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ROOT_REPO/namespaces/NAMESPACE/sync-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: syncs-repo
namespace: team-a
subjects:
- kind: ServiceAccount
name: ns-reconciler-team-a
namespace: config-management-system
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
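Review bot: `roleRef` hands the `ns-reconciler-team-a` ServiceAccount the built-in `edit` ClusterRole, which beyond workloads and services includes read/write on Secrets and the `pods/exec` and `pods/portforward` subresources, so the synced repository can obtain the credentials of any ServiceAccount in team-a; given that the RepoSync for this namespace reads a personal public repository without authentication, a purpose-built Role listing only the kinds the team repo is expected to sync would confine the blast radius. At minimum the decision should be recorded next to `name: edit` (`# edit includes Secrets and pods/exec; narrow to the team's resource kinds once known`). The `ROOT_REPO/namespaces/NAMESPACE/sync-rolebinding.yaml` comment is the only record of where this file lives and must be kept in step if the directory moves.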


@ -0,0 +1,44 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: team-b
name: whereami
spec:
replicas: 1
selector:
matchLabels:
app: whereami
template:
metadata:
labels:
app: whereami
version: v1
spec:
containers:
- name: whereami
image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.7
resources:
limits:
cpu: "0.5"
memory: 128Mi
requests:
cpu: "0.5"
memory: 128Mi
ports:
- name: http
containerPort: 8080
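Review bot: The `whereami` container declares no `securityContext` at pod or container level, so it runs as the image's default user, may gain privileges through setuid binaries and keeps the runtime's default capability set; for the stage's reference tenant workload a hardened context is the pattern others will copy. The block below drops capabilities, forbids privilege escalation and requests a non-root user — whether `whereami:v1.2.7` actually runs as non-root cannot be seen here and must be checked, otherwise `runAsNonRoot` will keep the pod from starting. There is also no readiness probe on the `http` port, so the pod is reported Ready before the process listens.
```yaml
      containers:
      - name: whereami
        # … unchanged: image, resources, ports …
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true   # confirm the image's USER; add runAsUser if it is unset
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
```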


@ -0,0 +1,20 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: team-b
labels:
geo: "europe-west1"


@ -0,0 +1,23 @@
# Copyright 2022 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# For the mono-repo mode, declaring a Repo resource under system/ directory is required.
# For the multi-repo mode, declaring a Repo resource under system/ directory is optional.
apiVersion: configmanagement.gke.io/v1
kind: Repo
metadata:
name: repo
spec:
version: 1.0.0


@ -63,6 +63,9 @@ everything else is in RBAC (second part of this stage)
## Addresses for ILBs
### Private Cluster
WARNING: do not use run this stage with GKE-HUB and private clusters enabled from a machine outside the clusters network
## Filestore
- later


@ -43,6 +43,7 @@ module "gke-cluster" {
horizontal_pod_autoscaling = true
config_connector_config = true
kalm_config = false
gcp_filestore_csi_driver_config = false
# enable only if enable_dataplane_v2 is changed to false below
network_policy_config = false
istio_config = {
@ -51,7 +52,7 @@ module "gke-cluster" {
}
}
# change these here for all clusters if absolutely needed
# authenticator_security_group = var.authenticator_security_group
authenticator_security_group = var.authenticator_security_group
enable_dataplane_v2 = true
enable_l4_ilb_subsetting = false
enable_intranode_visibility = true
@ -59,7 +60,7 @@ module "gke-cluster" {
workload_identity = true
private_cluster_config = {
enable_private_nodes = true
enable_private_endpoint = true
enable_private_endpoint = false
master_ipv4_cidr_block = each.value.net.master_range
master_global_access = true
}
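Review bot: `enable_private_endpoint` flips from `true` to `false` inside `private_cluster_config`, which gives every cluster this stage creates a publicly routable control-plane endpoint; the README change in this commit explains the motivation (running the stage from outside the cluster network), but the hardening loss is not mentioned anywhere in the code. Whether master authorized networks restrict that public endpoint is outside this hunk and should be confirmed; in any case the flag belongs in `var.cluster_defaults` with the other per-cluster settings rather than as a hard-coded value, with a comment such as `# public endpoint is internet-reachable; restrict it with master authorized networks`. The same hard-coding applies to `gcp_filestore_csi_driver_config = false`, which ignores the `gcp_filestore_csi_driver_config` attribute this commit adds to the `cluster_defaults` and `clusters` variables. The enclosing `module "gke-cluster"` block starts and ends outside these hunks.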


@ -0,0 +1,59 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "gke-hub" {
source = "../../../../modules/gke-hub"
project_id = module.gke-project-0.project_id
features = {
configmanagement = true
mc_ingress = true
mc_servicediscovery = true
}
member_clusters = {
for cluster_id in keys(var.clusters) :
cluster_id => module.gke-cluster[cluster_id].id
}
member_features = {
configmanagement = {
binauthz = false
config_sync = {
gcp_service_account_email = null
https_proxy = null
policy_dir = "fast/stages/03-gke-multitenant/config"
secret_type = "none"
source_format = "hierarchy"
sync_branch = "fast-dev-gke-marzi"
sync_repo = "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric"
sync_rev = null
}
hierarchy_controller = null
policy_controller = {
exemptable_namespaces = [
"asm-system",
"config-management-system",
"config-management-monitoring",
"gatekeeper-system",
"kube-system",
"cos-auditd"
]
log_denies_enabled = true
referential_rules_enabled = false
template_library_installed = true
}
version = "1.10.2"
}
}
}
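Review bot: `sync_branch = "fast-dev-gke-marzi"` points Config Sync at the very feature branch this commit squashes, so once that branch is merged or deleted every enrolled cluster's root sync will fail to fetch; the branch and `sync_rev = null` (tracking the tip) should come from stage variables with a pinned default. `policy_dir = "fast/stages/03-gke-multitenant/config"` makes the clusters apply whatever lands in this repository's own tree on that branch with `secret_type = "none"`, which is fine for a public upstream but deserves a comment stating it. A one-line note on `policy_controller` saying that `ns-must-have-geo` is the only constraint this commit adds and that it runs in dryrun would connect this file to the config directory; the `cos-auditd` entry in `exemptable_namespaces` correctly matches the constraint's exclusion list.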


@ -35,7 +35,9 @@ module "gke-project-0" {
"gkehub.googleapis.com",
"stackdriver.googleapis.com",
"container.googleapis.com",
# "trafficdirector.googleapis.com"
"multiclusterservicediscovery.googleapis.com",
"multiclusteringress.googleapis.com",
"trafficdirector.googleapis.com"
]
# add here any other service ids and keys for robot accounts which are needed
# service_encryption_key_ids = {
@ -66,6 +68,9 @@ module "gke-project-0" {
# values = ["projects/fl01-prod-iac-core-0"]
# }
# }
iam = {
"roles/container.clusterViewer" = var.cluster_viewer_users
}
}
module "gke-dataset-resource-usage" {


@ -18,11 +18,11 @@
# 1 project, m clusters
# cloud dns for gke?
# variable "authenticator_security_group" {
# description = "Optional group used for Groups for GKE."
# type = string
# default = null
# }
variable "authenticator_security_group" {
description = "Optional group used for Groups for GKE."
type = string
default = null
}
variable "billing_account" {
# tfdoc:variable:source 00-bootstrap
@ -44,6 +44,7 @@ variable "cluster_defaults" {
pod_security_policy = bool
release_channel = string
vertical_pod_autoscaling = bool
gcp_filestore_csi_driver_config = bool
})
default = {
# TODO: review defaults
@ -59,6 +60,7 @@ variable "cluster_defaults" {
pod_security_policy = false
release_channel = "STABLE"
vertical_pod_autoscaling = false
gcp_filestore_csi_driver_config = false
}
}
@ -90,10 +92,17 @@ variable "clusters" {
pod_security_policy = bool
release_channel = string
vertical_pod_autoscaling = bool
gcp_filestore_csi_driver_config = bool
})
}))
}
variable "cluster_viewer_users" {
description = "list of users to be granted as container.clusterViewer"
type = list(any)
default = []
}
variable "dns_domain" {
description = "Domain name used for clusters, prefix by each cluster name. Leave null to disable Cloud DNS for GKE."
type = string
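Review bot: `cluster_viewer_users` is typed `list(any)` with a description that does not say what the entries look like; its values become members of `roles/container.clusterViewer` in the project module's `iam` map, which as far as can be seen takes IAM member strings with a `user:`/`group:` prefix, so `type = list(string)` plus `description = "IAM principals (e.g. user:name@example.com) granted roles/container.clusterViewer on the GKE project."` would catch mistakes at plan time. The `gcp_filestore_csi_driver_config = bool` attribute added to both `cluster_defaults` and `clusters` is never read: the gke-cluster module call in this commit hard-codes `gcp_filestore_csi_driver_config = false`, so either wire the variable through or drop the attribute (raised here once; it applies equally to that hunk). The uncommented `authenticator_security_group` variable could say in its description that the value must be the `gke-security-groups@<domain>` group that Groups for GKE requires, since a generic "Optional group" gives no hint of that naming constraint.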


@ -40,7 +40,7 @@ resource "google_gke_hub_feature" "configmanagement" {
resource "google_gke_hub_feature" "mci" {
provider = google-beta
for_each = var.features.mc_ingress ? var.member_clusters : {}
for_each = var.features.mc_ingress ? try(var.member_clusters[0], {}) : {}
project = var.project_id
name = "multiclusteringress"
location = "global"
@ -67,6 +67,12 @@ resource "google_gke_hub_feature_membership" "feature_member" {
feature = google_gke_hub_feature.configmanagement["1"].name
membership = google_gke_hub_membership.membership[each.key].membership_id
depends_on = [
google_gke_hub_feature.configmanagement,
google_gke_hub_feature.mci,
google_gke_hub_feature.mcs,
]
dynamic "configmanagement" {
for_each = (
try(var.member_features.configmanagement, null) != null
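Review bot: The new `for_each` on `google_gke_hub_feature.mci`, `try(var.member_clusters[0], {})`, does not produce a usable map: `member_clusters` is built elsewhere in this commit as a map keyed by cluster id, so index `0` has no matching key and `try` silently falls back to `{}`, leaving the feature uncreated even when `mc_ingress` is true; and if a caller did pass a `0` key, the value would be a single membership id string, which `for_each` rejects. Since the feature is project-wide, the resource should use the same one-element map the `configmanagement` resource is indexed by (`["1"]` on the `feature =` line), e.g. `for_each = var.features.mc_ingress ? { 1 = true } : {}` if that is how `configmanagement` builds its key — its definition is outside this hunk and should be checked. The added `depends_on` also names `google_gke_hub_feature.mcs`, which is not visible here and presumably exists further up the file.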


@ -84,7 +84,7 @@ resource "google_container_node_pool" "nodepool" {
location = var.location
name = var.name
initial_node_count = var.initial_node_count
initial_node_count = var.node_count == null ? var.initial_node_count : null // (dmarzi) TOFIX
max_pods_per_node = var.max_pods_per_node
node_count = var.autoscaling_config == null ? var.node_count : null
node_locations = var.node_locations
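Review bot: `initial_node_count = var.node_count == null ? var.initial_node_count : null // (dmarzi) TOFIX` ships with a personal TOFIX marker and a `//` comment, while the surrounding Terraform uses `#`; the marker says the expression is known to be unfinished but not what is wrong with it. If the intent is that `initial_node_count` only applies when `node_count` is not managing the size (the `node_count` line two below makes the mirror-image decision, but keys it off `var.autoscaling_config`), the two conditions should be derived from the same input and the reason written down, e.g. `# initial_node_count and node_count must not both be set -- TODO confirm against the provider docs`; otherwise replace TOFIX with a tracked issue reference. The enclosing `resource "google_container_node_pool" "nodepool"` block starts and ends outside the hunk.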