unfinished gke hub IAM
This commit is contained in:
parent
366f28a519
commit
133fd07823
|
@ -14,41 +14,31 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# TODO: service account
|
||||
# https://cloud.google.com/kubernetes-engine/docs/how-to/msc-setup-with-shared-vpc-networks#shared-service-project-iam
|
||||
# TODO: add roles/multiclusterservicediscovery.serviceAgent and
|
||||
# roles/compute.networkViewer to IAM condition for GKE stage SA
|
||||
|
||||
locals {
|
||||
fleet_enabled = (
|
||||
var.fleet_features != null || var.fleet_workload_identity
|
||||
)
|
||||
# TODO: add condition
|
||||
fleet_mcs_enabled = false
|
||||
}
|
||||
|
||||
module "gke-hub" {
|
||||
source = "../../../../modules/gke-hub"
|
||||
count = local.fleet_enabled ? 1 : 0
|
||||
project_id = module.gke-project-0.project_id
|
||||
member_clusters = {
|
||||
clusters = {
|
||||
for cluster_id in keys(var.clusters) :
|
||||
cluster_id => module.gke-cluster[cluster_id].id
|
||||
}
|
||||
member_features = {
|
||||
configmanagement = {
|
||||
binauthz = false
|
||||
config_sync = {
|
||||
gcp_service_account_email = null
|
||||
https_proxy = null
|
||||
policy_dir = "fast/stages/03-gke/config"
|
||||
secret_type = "none"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "fast-dev-gke-marzi"
|
||||
sync_repo = "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric"
|
||||
sync_rev = null
|
||||
}
|
||||
hierarchy_controller = null
|
||||
policy_controller = {
|
||||
exemptable_namespaces = [
|
||||
"asm-system",
|
||||
"config-management-system",
|
||||
"config-management-monitoring",
|
||||
"gatekeeper-system",
|
||||
"kube-system",
|
||||
"cos-auditd"
|
||||
]
|
||||
log_denies_enabled = true
|
||||
referential_rules_enabled = false
|
||||
template_library_installed = true
|
||||
}
|
||||
version = "1.10.2"
|
||||
}
|
||||
}
|
||||
features = var.fleet_features
|
||||
configmanagement_templates = var.fleet_configmanagement_templates
|
||||
configmanagement_clusters = var.fleet_configmanagement_clusters
|
||||
workload_identity_clusters = (
|
||||
var.fleet_workload_identity ? keys(var.clusters) : []
|
||||
)
|
||||
}
|
||||
|
|
|
@ -44,14 +44,18 @@ module "gke-project-0" {
|
|||
shared_vpc_service_config = {
|
||||
attach = true
|
||||
host_project = var.host_project_ids.dev-spoke-0
|
||||
service_identity_iam = {
|
||||
service_identity_iam = merge({
|
||||
"roles/compute.networkUser" = [
|
||||
"cloudservices", "container-engine"
|
||||
]
|
||||
"roles/container.hostServiceAgentUser" = [
|
||||
"container-engine"
|
||||
]
|
||||
}
|
||||
},
|
||||
!local.fleet_mcs_enabled ? {} : {
|
||||
"roles/multiclusterservicediscovery.serviceAgent" = ["gke-mcs"]
|
||||
"roles/compute.networkViewer" = ["gke-mcs-importer"]
|
||||
})
|
||||
}
|
||||
# specify project-level org policies here if you need them
|
||||
# policy_boolean = {
|
||||
|
|
|
@ -103,6 +103,69 @@ variable "dns_domain" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "fleet_configmanagement_clusters" {
|
||||
description = "Config management features enabled on specific sets of member clusters, in config name => [cluster name] format."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
|
||||
variable "fleet_configmanagement_templates" {
|
||||
description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format."
|
||||
type = map(object({
|
||||
binauthz = bool
|
||||
config_sync = object({
|
||||
git = object({
|
||||
gcp_service_account_email = string
|
||||
https_proxy = string
|
||||
policy_dir = string
|
||||
secret_type = string
|
||||
sync_branch = string
|
||||
sync_repo = string
|
||||
sync_rev = string
|
||||
sync_wait_secs = number
|
||||
})
|
||||
prevent_drift = string
|
||||
source_format = string
|
||||
})
|
||||
hierarchy_controller = object({
|
||||
enable_hierarchical_resource_quota = bool
|
||||
enable_pod_tree_labels = bool
|
||||
})
|
||||
policy_controller = object({
|
||||
audit_interval_seconds = number
|
||||
exemptable_namespaces = list(string)
|
||||
log_denies_enabled = bool
|
||||
referential_rules_enabled = bool
|
||||
template_library_installed = bool
|
||||
})
|
||||
version = string
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "fleet_features" {
|
||||
description = "Enable and configue fleet features. Set to null to disable GKE Hub if fleet workload identity is not used."
|
||||
type = object({
|
||||
appdevexperience = bool
|
||||
configmanagement = bool
|
||||
identityservice = bool
|
||||
multiclusteringress = string
|
||||
multiclusterservicediscovery = bool
|
||||
servicemesh = bool
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "fleet_workload_identity" {
|
||||
description = "Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true."
|
||||
type = bool
|
||||
default = true
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "folder_ids" {
|
||||
# tfdoc:variable:source 01-resman
|
||||
description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created."
|
||||
|
@ -111,6 +174,13 @@ variable "folder_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "group_iam" {
|
||||
description = "Project-level IAM bindings for groups. Use group emails as keys, list of roles as values."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "host_project_ids" {
|
||||
# tfdoc:variable:source 02-networking
|
||||
description = "Host project for the shared VPC."
|
||||
|
@ -119,13 +189,6 @@ variable "host_project_ids" {
|
|||
})
|
||||
}
|
||||
|
||||
variable "group_iam" {
|
||||
description = "Project-level IAM bindings for groups. Use group emails as keys, list of roles as values."
|
||||
type = map(list(string))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "labels" {
|
||||
description = "Project-level labels."
|
||||
type = map(string)
|
||||
|
|
|
@ -40,7 +40,9 @@ locals {
|
|||
fleet = "service-%s@gcp-sa-gkehub"
|
||||
gae-flex = "service-%s@gae-api-prod"
|
||||
# TODO: deprecate gcf
|
||||
gcf = "service-%s@gcf-admin-robot"
|
||||
gcf = "service-%s@gcf-admin-robot"
|
||||
# TODO: jit?
|
||||
gke-mcs = "service-%s@gcp-sa-mcsd"
|
||||
monitoring-notifications = "service-%s@gcp-sa-monitoring-notification"
|
||||
pubsub = "service-%s@gcp-sa-pubsub"
|
||||
secretmanager = "service-%s@gcp-sa-secretmanager"
|
||||
|
@ -55,10 +57,15 @@ locals {
|
|||
service_account_cloud_services = (
|
||||
"${local.project.number}@cloudservices.gserviceaccount.com"
|
||||
)
|
||||
service_accounts_robots = {
|
||||
for k, v in local._service_accounts_robot_services :
|
||||
k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
|
||||
}
|
||||
service_accounts_robots = merge(
|
||||
{
|
||||
for k, v in local._service_accounts_robot_services :
|
||||
k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
|
||||
},
|
||||
{
|
||||
gke-mcs-importer = "${local.project.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
|
||||
}
|
||||
)
|
||||
service_accounts_jit_services = [
|
||||
"cloudasset.googleapis.com",
|
||||
"gkehub.googleapis.com",
|
||||
|
|
Loading…
Reference in New Issue