Multipe-cluster example for multitenant-fleet example

2022-09-08 09:26:04 +02:00 · 2022-09-08 09:26:04 +02:00 · 15e45cb3b9
parent 3ffdd0dd43
commit 15e45cb3b9
2 changed files with 29 additions and 22 deletions
--- a/examples/gke-serverless/multitenant-fleet/README.md
+++ b/examples/gke-serverless/multitenant-fleet/README.md
@ -55,7 +55,7 @@ module "gke" {
    vpc_self_link   = "projects/my-host-project-id/global/networks/my-network"
  }

-authenticator_security_group = "gke-rbac-base@example.com"
+  authenticator_security_group = "gke-rbac-base@example.com"
  group_iam = {
    "gke-admin@example.com" = [
      "roles/container.admin"
@ -189,11 +189,14 @@ module "gke" {
 # tftest modules=1 resources=0
 ```

-## Multitenant configuration
+## Multiple clusters with GKE Fleet

+This example deploys two clusters and configures the several GKE Fleet features:

-## Fleet configuration
-
+- Enables [multi-cluster ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress) and sets the configuration cluster to be `cluster-eu1`.
+- Enables [Multi-cluster services](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-services) and gives assigns the [required roles](https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#authenticating) to its service accounts.
+- A `default` Config Management template is created with binary authorization, config sync enabled with a git repository, hierarchy controller, and policy controller.
+- The two clusters are configured to use the `default` Config Management template.

 ```hcl
 module "gke" {
@ -257,9 +260,18 @@ module "gke" {
    }
  }

+  fleet_features = {
+    appdevexperience             = false
+    configmanagement             = true
+    identityservice              = true
+    multiclusteringress          = "cluster-euw1"
+    multiclusterservicediscovery = true
+    servicemesh                  = true
+  }
+  fleet_workload_identity = true
  fleet_configmanagement_templates = {
    default = {
-      binauthz = false
+      binauthz = true
      config_sync = {
        git = {
          gcp_service_account_email = null
@ -268,31 +280,30 @@ module "gke" {
          secret_type               = "none"
          source_format             = "hierarchy"
          sync_branch               = "main"
-          sync_repo                 = "https://github.com/.../..."
+          sync_repo                 = "https://github.com/myorg/myrepo"
          sync_rev                  = null
          sync_wait_secs            = null
        }
        prevent_drift = true
        source_format = "hierarchy"
      }
-      hierarchy_controller = null
-      policy_controller    = null
+      hierarchy_controller = {
+        enable_hierarchical_resource_quota = true
+        enable_pod_tree_labels             = true
+      }
+      policy_controller    = {
+        audit_interval_seconds     = 30
+        exemptable_namespaces      = ["kube-system"]
+        log_denies_enabled         = true
+        referential_rules_enabled  = true
+        template_library_installed = true
+      }
      version              = "1.10.2"
    }
  }
-
  fleet_configmanagement_clusters = {
    default = ["cluster-euw1", "cluster-euw3"]
  }
-
-  fleet_features = {
-    appdevexperience             = false
-    configmanagement             = false
-    identityservice              = false
-    multiclusteringress          = "cluster-euw1"
-    multiclusterservicediscovery = true
-    servicemesh                  = false
-  }
 }

 # tftest modules=1 resources=0
--- a/examples/gke-serverless/multitenant-fleet/variables.tf
+++ b/examples/gke-serverless/multitenant-fleet/variables.tf
@ -14,10 +14,6 @@
 * limitations under the License.
 */

-# we deal with one env here
-# 1 project, m clusters
-# cloud dns for gke?
-
 variable "authenticator_security_group" {
  description = "Optional group used for Groups for GKE."
  type        = string