Merge branch 'master' into maunope/network-dashboards-updates
commit
17ee413a7e
@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### BLUEPRINTS
|
||||
|
||||
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
|
||||
- [[#818](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/818)] Example wordpress ([skalolazka](https://github.com/skalolazka)) <!-- 2022-10-07 14:24:38+00:00 -->
|
||||
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
|
||||
- [[#854](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/854)] Added an example of a Nginx reverse proxy cluster using RMIGs ([rosmo](https://github.com/rosmo)) <!-- 2022-10-04 13:49:44+00:00 -->
|
||||
|
@ -27,6 +28,8 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### FAST
|
||||
|
||||
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
|
||||
- [[#867](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/867)] FAST: Replace NVAs in 02-networking-nva with COS-based VMs ([sruffilli](https://github.com/sruffilli)) <!-- 2022-10-10 07:16:29+00:00 -->
|
||||
- [[#865](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/865)] Enable FAST 00-cicd provider test ([ludoo](https://github.com/ludoo)) <!-- 2022-10-07 11:20:57+00:00 -->
|
||||
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
|
||||
- [[#858](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/858)] Default gcp-support to gcp-devops ([juliocc](https://github.com/juliocc)) <!-- 2022-10-06 12:58:26+00:00 -->
|
||||
|
@ -38,6 +41,8 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### MODULES
|
||||
|
||||
- [[#868](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/868)] **incompatible change:** Refactor GKE module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-10 07:38:21+00:00 -->
|
||||
- [[#866](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/866)] Update ipprefix_by_netmask.sh in nva module ([sruffilli](https://github.com/sruffilli)) <!-- 2022-10-09 15:26:54+00:00 -->
|
||||
- [[#860](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/860)] **incompatible change:** Refactor compute-vm for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-10-07 08:53:53+00:00 -->
|
||||
- [[#861](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/861)] Leverage new shared VPC project config defaults across the repo ([juliocc](https://github.com/juliocc)) <!-- 2022-10-07 07:50:43+00:00 -->
|
||||
- [[#859](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/859)] Make project shared VPC fields optional ([juliocc](https://github.com/juliocc)) <!-- 2022-10-06 14:18:01+00:00 -->
|
||||
|
|
|
@ -83,21 +83,19 @@ module "nat" {
|
|||
}
|
||||
|
||||
module "cluster" {
|
||||
source = "../../../modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "${local.prefix}cluster"
|
||||
location = var.zone
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
source = "../../../modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "${local.prefix}cluster"
|
||||
location = var.zone
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = false
|
||||
master_ipv4_cidr_block = var.master_cidr_block
|
||||
master_global_access = false
|
||||
}
|
||||
workload_identity = true
|
||||
}
|
||||
|
||||
module "cluster_nodepool" {
|
||||
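Review bot: On the new side this cluster keeps a public control-plane endpoint (`enable_private_endpoint = false`) while the new `vpc_config` block passes no `master_authorized_ranges`, and the README hunk in this same commit shows that `master_authorized_ranges` is now an optional field of `vpc_config` instead of a top-level variable that defaulted to `{}`. Unless the refactored module turns on master authorized networks with an empty list when the field is null (not visible here), the API server of this example is reachable from any IP with only IAM and TLS in front of it. If the public endpoint is intended for the example, I would add a `master_authorized_ranges` map inside `vpc_config` limited to the ranges that actually need API access, and otherwise set `enable_private_endpoint = true` as the other blueprints touched by this commit do. The `enable_private_nodes = true` and `workload_identity = true` lines cannot be assigned a side from this rendering; the -21/+19 counts suggest they are the removed lines, which matches the README's new `private_cluster_config` type having no `enable_private_nodes` attribute.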
|
|
|
@ -133,30 +133,27 @@ module "mgmt_server" {
|
|||
}
|
||||
|
||||
module "clusters" {
|
||||
for_each = var.clusters_config
|
||||
source = "../../../modules/gke-cluster"
|
||||
project_id = module.fleet_project.project_id
|
||||
name = each.key
|
||||
location = var.region
|
||||
network = module.svpc.self_link
|
||||
subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
for_each = var.clusters_config
|
||||
source = "../../../modules/gke-cluster"
|
||||
project_id = module.fleet_project.project_id
|
||||
name = each.key
|
||||
location = var.region
|
||||
vpc_config = {
|
||||
network = module.svpc.self_link
|
||||
subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
|
||||
master_authorized_ranges = merge({
|
||||
mgmt : var.mgmt_subnet_cidr_block
|
||||
},
|
||||
{ for key, config in var.clusters_config :
|
||||
"pods-${key}" => config.pods_cidr_block if key != each.key
|
||||
})
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = each.value.master_cidr_block
|
||||
master_global_access = true
|
||||
}
|
||||
master_authorized_ranges = merge({
|
||||
mgmt : var.mgmt_subnet_cidr_block
|
||||
},
|
||||
{ for key, config in var.clusters_config :
|
||||
"pods-${key}" => config.pods_cidr_block if key != each.key
|
||||
})
|
||||
enable_autopilot = false
|
||||
release_channel = "REGULAR"
|
||||
workload_identity = true
|
||||
release_channel = "REGULAR"
|
||||
labels = {
|
||||
mesh_id = "proj-${module.fleet_project.number}"
|
||||
}
|
||||
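Review bot: The `master_authorized_ranges` map built inside the new `vpc_config` authorizes the whole pod CIDR of every other cluster (`"pods-${key}" => config.pods_cidr_block if key != each.key`) to reach this cluster's control plane, and nothing on the new side says why; any workload scheduled in a peer cluster can then talk to this API server, so the intent deserves a comment above the `merge(` line, e.g. `# peer clusters' pod ranges are authorized so workloads there can reach this control plane (multi-cluster mesh); narrow this if only specific components need it`. I am inferring the mesh purpose from the `mesh_id` label, so adjust the wording if the reason is different. The `module "clusters"` block continues past the end of the hunk.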
|
|
|
@ -24,93 +24,69 @@ locals {
|
|||
}
|
||||
|
||||
module "gke-cluster" {
|
||||
source = "../../../modules/gke-cluster"
|
||||
for_each = local.clusters
|
||||
name = each.key
|
||||
project_id = module.gke-project-0.project_id
|
||||
description = each.value.description
|
||||
location = each.value.location
|
||||
network = var.vpc_config.vpc_self_link
|
||||
subnetwork = each.value.net.subnet
|
||||
secondary_range_pods = each.value.net.pods
|
||||
secondary_range_services = each.value.net.services
|
||||
labels = each.value.labels
|
||||
addons = {
|
||||
cloudrun_config = each.value.overrides.cloudrun_config
|
||||
dns_cache_config = true
|
||||
http_load_balancing = true
|
||||
gce_persistent_disk_csi_driver_config = true
|
||||
horizontal_pod_autoscaling = true
|
||||
config_connector_config = true
|
||||
kalm_config = false
|
||||
gcp_filestore_csi_driver_config = each.value.overrides.gcp_filestore_csi_driver_config
|
||||
gke_backup_agent_config = false
|
||||
# enable only if enable_dataplane_v2 is changed to false below
|
||||
network_policy_config = false
|
||||
istio_config = {
|
||||
enabled = false
|
||||
tls = false
|
||||
source = "../../../modules/gke-cluster"
|
||||
for_each = local.clusters
|
||||
name = each.key
|
||||
project_id = module.gke-project-0.project_id
|
||||
description = each.value.description
|
||||
location = each.value.location
|
||||
vpc_config = {
|
||||
network = var.vpc_config.vpc_self_link
|
||||
subnetwork = each.value.net.subnet
|
||||
secondary_range_names = {
|
||||
pods = each.value.net.pods
|
||||
services = each.value.net.services
|
||||
}
|
||||
master_authorized_ranges = each.value.overrides.master_authorized_ranges
|
||||
}
|
||||
labels = each.value.labels
|
||||
enable_addons = {
|
||||
cloudrun = each.value.overrides.cloudrun_config
|
||||
config_connector = true
|
||||
dns_cache = true
|
||||
gce_persistent_disk_csi_driver = true
|
||||
gcp_filestore_csi_driver = each.value.overrides.gcp_filestore_csi_driver_config
|
||||
gke_backup_agent = false
|
||||
horizontal_pod_autoscaling = true
|
||||
http_load_balancing = true
|
||||
}
|
||||
enable_features = {
|
||||
cloud_dns = var.dns_domain == null ? null : {
|
||||
cluster_dns = "CLOUD_DNS"
|
||||
cluster_dns_scope = "VPC_SCOPE"
|
||||
cluster_dns_domain = "${each.key}.${var.dns_domain}"
|
||||
}
|
||||
database_encryption = (
|
||||
each.value.overrides.database_encryption_key == null
|
||||
? null
|
||||
: {
|
||||
state = "ENCRYPTED"
|
||||
key_name = each.value.overrides.database_encryption_key
|
||||
}
|
||||
)
|
||||
dataplane_v2 = true
|
||||
groups_for_rbac = var.authenticator_security_group
|
||||
intranode_visibility = true
|
||||
pod_security_policy = each.value.overrides.pod_security_policy
|
||||
resource_usage_export = {
|
||||
dataset = module.gke-dataset-resource-usage.dataset_id
|
||||
}
|
||||
shielded_nodes = true
|
||||
vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
|
||||
workload_identity = true
|
||||
}
|
||||
# change these here for all clusters if absolutely needed
|
||||
authenticator_security_group = var.authenticator_security_group
|
||||
enable_dataplane_v2 = true
|
||||
enable_l4_ilb_subsetting = false
|
||||
enable_intranode_visibility = true
|
||||
enable_shielded_nodes = true
|
||||
workload_identity = true
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = false
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = each.value.net.master_range
|
||||
master_global_access = true
|
||||
}
|
||||
dns_config = each.value.dns_domain == null ? null : {
|
||||
cluster_dns = "CLOUD_DNS"
|
||||
cluster_dns_scope = "VPC_SCOPE"
|
||||
cluster_dns_domain = "${each.key}.${var.dns_domain}"
|
||||
peering_config = var.peering_config == null ? null : {
|
||||
export_routes = var.peering_config.export_routes
|
||||
import_routes = var.peering_config.import_routes
|
||||
project_id = var.vpc_config.host_project_id
|
||||
}
|
||||
}
|
||||
logging_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
|
||||
monitoring_config = ["SYSTEM_COMPONENTS", "WORKLOADS"]
|
||||
|
||||
peering_config = var.peering_config == null ? null : {
|
||||
export_routes = var.peering_config.export_routes
|
||||
import_routes = var.peering_config.import_routes
|
||||
project_id = var.vpc_config.host_project_id
|
||||
}
|
||||
resource_usage_export_config = {
|
||||
enabled = true
|
||||
dataset = module.gke-dataset-resource-usage.dataset_id
|
||||
}
|
||||
# TODO: the attributes below are "primed" from project-level defaults
|
||||
# in locals, merge defaults with cluster-level stuff
|
||||
# TODO(jccb): change fabric module
|
||||
database_encryption = (
|
||||
each.value.overrides.database_encryption_key == null
|
||||
? {
|
||||
enabled = false
|
||||
state = null
|
||||
key_name = null
|
||||
}
|
||||
: {
|
||||
enabled = true
|
||||
state = "ENCRYPTED"
|
||||
key_name = each.value.overrides.database_encryption_key
|
||||
}
|
||||
)
|
||||
default_max_pods_per_node = each.value.overrides.max_pods_per_node
|
||||
master_authorized_ranges = each.value.overrides.master_authorized_ranges
|
||||
pod_security_policy = each.value.overrides.pod_security_policy
|
||||
release_channel = each.value.overrides.release_channel
|
||||
vertical_pod_autoscaling = each.value.overrides.vertical_pod_autoscaling
|
||||
# dynamic "cluster_autoscaling" {
|
||||
# for_each = each.value.cluster_autoscaling == null ? {} : { 1 = 1 }
|
||||
# content {
|
||||
# enabled = true
|
||||
# cpu_min = each.value.cluster_autoscaling.cpu_min
|
||||
# cpu_max = each.value.cluster_autoscaling.cpu_max
|
||||
# memory_min = each.value.cluster_autoscaling.memory_min
|
||||
# memory_max = each.value.cluster_autoscaling.memory_max
|
||||
# }
|
||||
# }
|
||||
max_pods_per_node = each.value.overrides.max_pods_per_node
|
||||
release_channel = each.value.overrides.release_channel
|
||||
}
|
||||
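Review bot: The `cloud_dns` object on the new side (`cluster_dns = "CLOUD_DNS"`, `cluster_dns_scope = "VPC_SCOPE"`, `cluster_dns_domain = "${each.key}.${var.dns_domain}"`) uses the attribute names of the old top-level `dns_config` variable, but the refactored module's `enable_features.cloud_dns` type, as documented in the README hunk of this same commit, is `object({ provider, scope, domain })`; when `var.dns_domain` is set Terraform will reject `enable_features` with an unexpected-attribute error, and with it unset the `null` branch hides the mismatch. I would write `cloud_dns = var.dns_domain == null ? null : { provider = "CLOUD_DNS", scope = "VPC_SCOPE", domain = "${each.key}.${var.dns_domain}" }` so the names match the documented type. The other `enable_features` entries (`database_encryption`, `groups_for_rbac`, `resource_usage_export`, `pod_security_policy`) do line up with the README. If the commented-out `dynamic "cluster_autoscaling"` block at the bottom of the module is still on the new side, it is dead text now that the module takes a `cluster_autoscaling` input, and should be dropped or turned into a real argument.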
|
|
|
@ -237,31 +237,29 @@ module "service-account-gce" {
|
|||
################################################################################
|
||||
|
||||
module "cluster-1" {
|
||||
source = "../../../modules/gke-cluster"
|
||||
name = "${local.prefix}cluster-1"
|
||||
project_id = module.project.project_id
|
||||
location = "${var.region}-b"
|
||||
network = module.vpc-spoke-2.self_link
|
||||
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
default_max_pods_per_node = 32
|
||||
source = "../../../modules/gke-cluster"
|
||||
name = "${local.prefix}cluster-1"
|
||||
project_id = module.project.project_id
|
||||
location = "${var.region}-b"
|
||||
vpc_config = {
|
||||
network = module.vpc-spoke-2.self_link
|
||||
subnetwork = module.vpc-spoke-2.subnet_self_links["${var.region}/${local.prefix}spoke-2-1"]
|
||||
master_authorized_ranges = {
|
||||
for name, range in var.ip_ranges : name => range
|
||||
}
|
||||
}
|
||||
max_pods_per_node = 32
|
||||
labels = {
|
||||
environment = "test"
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
for name, range in var.ip_ranges : name => range
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = var.private_service_ranges.spoke-2-cluster-1
|
||||
master_global_access = true
|
||||
}
|
||||
peering_config = {
|
||||
export_routes = true
|
||||
import_routes = false
|
||||
project_id = null
|
||||
peering_config = {
|
||||
export_routes = true
|
||||
import_routes = false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
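Review bot: `master_authorized_ranges = { for name, range in var.ip_ranges : name => range }` inside the new `vpc_config` is an identity copy of the map; `master_authorized_ranges = var.ip_ranges` says the same thing in one line and makes it obvious that every hub and spoke range in `var.ip_ranges` is being granted access to the control plane. Because that is a broad grant, a short comment stating why the whole map is authorized would help, e.g. `# all hub/spoke ranges may reach the control plane; presumably the master peering's exported routes make the reply path work -- confirm`. The `enable_private_nodes = true` line cannot be assigned a side from this rendering; the README in this commit shows the new `private_cluster_config` type has no such attribute, so I assume it is the removed line.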
|
|
|
@ -196,28 +196,27 @@ module "vm-bastion" {
|
|||
################################################################################
|
||||
|
||||
module "cluster-1" {
|
||||
source = "../../../modules/gke-cluster"
|
||||
count = var.cluster_create ? 1 : 0
|
||||
name = "cluster-1"
|
||||
project_id = module.project-svc-gke.project_id
|
||||
location = "${var.region}-b"
|
||||
network = module.vpc-shared.self_link
|
||||
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
default_max_pods_per_node = 32
|
||||
labels = {
|
||||
environment = "test"
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
internal-vms = var.ip_ranges.gce
|
||||
source = "../../../modules/gke-cluster"
|
||||
count = var.cluster_create ? 1 : 0
|
||||
name = "cluster-1"
|
||||
project_id = module.project-svc-gke.project_id
|
||||
location = "${var.region}-b"
|
||||
vpc_config = {
|
||||
network = module.vpc-shared.self_link
|
||||
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
|
||||
master_authorized_ranges = {
|
||||
internal-vms = var.ip_ranges.gce
|
||||
}
|
||||
}
|
||||
max_pods_per_node = 32
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = var.private_service_ranges.cluster-1
|
||||
master_global_access = true
|
||||
}
|
||||
labels = {
|
||||
environment = "test"
|
||||
}
|
||||
}
|
||||
|
||||
module "cluster-1-nodepool-1" {
|
||||
|
|
|
@ -8,20 +8,23 @@ This module allows simplified creation and management of GKE clusters and should
|
|||
|
||||
```hcl
|
||||
module "cluster-1" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
default_max_pods_per_node = 32
|
||||
master_authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_names = {
|
||||
pods = "pods"
|
||||
services = "services"
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
}
|
||||
}
|
||||
max_pods_per_node = 32
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = "192.168.0.0/28"
|
||||
master_global_access = false
|
||||
|
@ -37,25 +40,30 @@ module "cluster-1" {
|
|||
|
||||
```hcl
|
||||
module "cluster-1" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
default_max_pods_per_node = 32
|
||||
enable_dataplane_v2 = true
|
||||
master_authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = "myproject"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
secondary_range_names = {
|
||||
pods = "pods"
|
||||
services = "services"
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
internal-vms = "10.0.0.0/8"
|
||||
}
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = "192.168.0.0/28"
|
||||
master_global_access = false
|
||||
}
|
||||
enable_features = {
|
||||
dataplane_v2 = true
|
||||
workload_identity = true
|
||||
}
|
||||
labels = {
|
||||
environment = "dev"
|
||||
}
|
||||
|
@ -68,44 +76,24 @@ module "cluster-1" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [location](variables.tf#L161) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L228) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L233) | Name or self link of the VPC used for the cluster. Use the self link for Shared VPC. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L277) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [secondary_range_pods](variables.tf#L300) | Subnet secondary range name used for pods. | <code>string</code> | ✓ | |
|
||||
| [secondary_range_services](variables.tf#L305) | Subnet secondary range name used for services. | <code>string</code> | ✓ | |
|
||||
| [subnetwork](variables.tf#L310) | VPC subnetwork name or self link. | <code>string</code> | ✓ | |
|
||||
| [addons](variables.tf#L17) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool gcp_filestore_csi_driver_config = bool config_connector_config = bool kalm_config = bool gke_backup_agent_config = bool })">object({…})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false gcp_filestore_csi_driver_config = false config_connector_config = false kalm_config = false gke_backup_agent_config = false }">{…}</code> |
|
||||
| [authenticator_security_group](variables.tf#L53) | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code>string</code> | | <code>null</code> |
|
||||
| [cluster_autoscaling](variables.tf#L59) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({…})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">{…}</code> |
|
||||
| [database_encryption](variables.tf#L77) | Enable and configure GKE application-layer secrets encryption. | <code title="object({ enabled = bool state = string key_name = string })">object({…})</code> | | <code title="{ enabled = false state = "DECRYPTED" key_name = null }">{…}</code> |
|
||||
| [default_max_pods_per_node](variables.tf#L91) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [description](variables.tf#L97) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [dns_config](variables.tf#L103) | Configuration for Using Cloud DNS for GKE. | <code title="object({ cluster_dns = string cluster_dns_scope = string cluster_dns_domain = string })">object({…})</code> | | <code>null</code> |
|
||||
| [enable_autopilot](variables.tf#L113) | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node). | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_binary_authorization](variables.tf#L119) | Enable Google Binary Authorization. | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_dataplane_v2](variables.tf#L125) | Enable Dataplane V2 on the cluster, will disable network_policy addons config. | <code>bool</code> | | <code>false</code> |
|
||||
| [enable_intranode_visibility](variables.tf#L131) | Enable intra-node visibility to make same node pod to pod traffic visible. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_l4_ilb_subsetting](variables.tf#L137) | Enable L4ILB Subsetting. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_shielded_nodes](variables.tf#L143) | Enable Shielded Nodes features on all nodes in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| [enable_tpu](variables.tf#L149) | Enable Cloud TPU resources in this cluster. | <code>bool</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L155) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L166) | Logging configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| [logging_service](variables.tf#L172) | Logging service (disable with an empty string). | <code>string</code> | | <code>"logging.googleapis.com/kubernetes"</code> |
|
||||
| [maintenance_config](variables.tf#L178) | Maintenance window configuration. | <code title="object({ daily_maintenance_window = object({ start_time = string }) recurring_window = object({ start_time = string end_time = string recurrence = string }) maintenance_exclusion = list(object({ exclusion_name = string start_time = string end_time = string })) })">object({…})</code> | | <code title="{ daily_maintenance_window = { start_time = "03:00" } recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [master_authorized_ranges](variables.tf#L204) | External Ip address ranges that can access the Kubernetes cluster master through HTTPS. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [min_master_version](variables.tf#L210) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L216) | Monitoring configuration (enabled components). | <code>list(string)</code> | | <code>null</code> |
|
||||
| [monitoring_service](variables.tf#L222) | Monitoring service (disable with an empty string). | <code>string</code> | | <code>"monitoring.googleapis.com/kubernetes"</code> |
|
||||
| [node_locations](variables.tf#L238) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [notification_config](variables.tf#L244) | GKE Cluster upgrade notifications via PubSub. | <code>bool</code> | | <code>false</code> |
|
||||
| [peering_config](variables.tf#L250) | Configure peering with the master VPC for private clusters. | <code title="object({ export_routes = bool import_routes = bool project_id = string })">object({…})</code> | | <code>null</code> |
|
||||
| [pod_security_policy](variables.tf#L260) | Enable the PodSecurityPolicy feature. | <code>bool</code> | | <code>null</code> |
|
||||
| [private_cluster_config](variables.tf#L266) | Enable and configure private cluster, private nodes must be true if used. | <code title="object({ enable_private_nodes = bool enable_private_endpoint = bool master_ipv4_cidr_block = string master_global_access = bool })">object({…})</code> | | <code>null</code> |
|
||||
| [release_channel](variables.tf#L282) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
| [resource_usage_export_config](variables.tf#L288) | Configure the ResourceUsageExportConfig feature. | <code title="object({ enabled = bool dataset = string })">object({…})</code> | | <code title="{ enabled = null dataset = null }">{…}</code> |
|
||||
| [vertical_pod_autoscaling](variables.tf#L315) | Enable the Vertical Pod Autoscaling feature. | <code>bool</code> | | <code>null</code> |
|
||||
| [workload_identity](variables.tf#L321) | Enable the Workload Identity feature. | <code>bool</code> | | <code>true</code> |
|
||||
| [location](variables.tf#L118) | Cluster zone or region. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L170) | Cluster name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L197) | Cluster project id. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L208) | VPC-level configuration. | <code title="object({ network = string subnetwork = string secondary_range_blocks = optional(object({ pods = string services = string }), ) secondary_range_names = optional(object({ pods = string services = string }), { pods = "pods", services = "services" }) master_authorized_ranges = optional(map(string)) })">object({…})</code> | ✓ | |
|
||||
| [cluster_autoscaling](variables.tf#L17) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) })) cpu_limits = optional(object({ min = number max = number })) mem_limits = optional(object({ min = number max = number })) })">object({…})</code> | | <code>null</code> |
|
||||
| [description](variables.tf#L38) | Cluster description. | <code>string</code> | | <code>null</code> |
|
||||
| [enable_addons](variables.tf#L44) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, false) gce_persistent_disk_csi_driver = optional(bool, false) gcp_filestore_csi_driver = optional(bool, false) gke_backup_agent = optional(bool, false) horizontal_pod_autoscaling = optional(bool, false) http_load_balancing = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) })">object({…})</code> | | <code title="{ horizontal_pod_autoscaling = true http_load_balancing = true }">{…}</code> |
|
||||
| [enable_features](variables.tf#L68) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ autopilot = optional(bool, false) binary_authorization = optional(bool, false) cloud_dns = optional(object({ provider = optional(string) scope = optional(string) domain = optional(string) })) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, false) groups_for_rbac = optional(string) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) pod_security_policy = optional(bool, false) resource_usage_export = optional(object({ dataset = optional(string) enable_network_egress_metering = optional(bool, false) enable_resource_consumption_metering = optional(bool, false) })) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, false) })">object({…})</code> | | <code title="{ workload_identity = true resource_usage_export = null }">{…}</code> |
|
||||
| [issue_client_certificate](variables.tf#L106) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
|
||||
| [labels](variables.tf#L112) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [logging_config](variables.tf#L123) | Logging configuration. | <code>list(string)</code> | | <code>["SYSTEM_COMPONENTS"]</code> |
|
||||
| [maintenance_config](variables.tf#L129) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
|
||||
| [max_pods_per_node](variables.tf#L152) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
|
||||
| [min_master_version](variables.tf#L158) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
|
||||
| [monitoring_config](variables.tf#L164) | Monitoring components. | <code>list(string)</code> | | <code>["SYSTEM_COMPONENTS"]</code> |
|
||||
| [node_locations](variables.tf#L175) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [private_cluster_config](variables.tf#L182) | Private cluster configuration. | <code title="object({ enable_private_endpoint = optional(bool) master_ipv4_cidr_block = optional(string) master_global_access = optional(bool) peering_config = optional(object({ export_routes = optional(bool) import_routes = optional(bool) project_id = optional(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [release_channel](variables.tf#L202) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -14,159 +14,216 @@
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
# The Google provider is unable to validate certain configurations of
|
||||
# private_cluster_config when enable_private_nodes is false (provider docs)
|
||||
is_private = try(var.private_cluster_config.enable_private_nodes, false)
|
||||
peering = try(
|
||||
google_container_cluster.cluster.private_cluster_config.0.peering_name,
|
||||
null
|
||||
)
|
||||
peering_project_id = (
|
||||
try(var.peering_config.project_id, null) == null
|
||||
? var.project_id
|
||||
: var.peering_config.project_id
|
||||
)
|
||||
}
|
||||
|
||||
resource "google_container_cluster" "cluster" {
|
||||
provider = google-beta
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
description = var.description
|
||||
location = var.location
|
||||
node_locations = length(var.node_locations) == 0 ? null : var.node_locations
|
||||
min_master_version = var.min_master_version
|
||||
network = var.network
|
||||
subnetwork = var.subnetwork
|
||||
logging_service = var.monitoring_config != null ? null : var.logging_config == null ? var.logging_service : null
|
||||
monitoring_service = var.monitoring_config == null ? var.monitoring_service : null
|
||||
resource_labels = var.labels
|
||||
default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
|
||||
enable_intranode_visibility = var.enable_intranode_visibility
|
||||
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
|
||||
enable_shielded_nodes = var.enable_shielded_nodes
|
||||
enable_tpu = var.enable_tpu
|
||||
initial_node_count = 1
|
||||
remove_default_node_pool = var.enable_autopilot ? null : true
|
||||
datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
|
||||
enable_autopilot = var.enable_autopilot == true ? true : null
|
||||
provider = google-beta
|
||||
project = var.project_id
|
||||
name = var.name
|
||||
description = var.description
|
||||
location = var.location
|
||||
node_locations = (
|
||||
length(var.node_locations) == 0 ? null : var.node_locations
|
||||
)
|
||||
min_master_version = var.min_master_version
|
||||
network = var.vpc_config.network
|
||||
subnetwork = var.vpc_config.subnetwork
|
||||
resource_labels = var.labels
|
||||
default_max_pods_per_node = (
|
||||
var.enable_features.autopilot ? null : var.max_pods_per_node
|
||||
)
|
||||
enable_intranode_visibility = (
|
||||
var.enable_features.autopilot ? null : var.enable_features.intranode_visibility
|
||||
)
|
||||
enable_l4_ilb_subsetting = var.enable_features.l4_ilb_subsetting
|
||||
enable_shielded_nodes = (
|
||||
var.enable_features.autopilot ? null : var.enable_features.shielded_nodes
|
||||
)
|
||||
enable_tpu = var.enable_features.tpu
|
||||
initial_node_count = 1
|
||||
remove_default_node_pool = var.enable_features.autopilot ? null : true
|
||||
datapath_provider = (
|
||||
var.enable_features.dataplane_v2
|
||||
? "ADVANCED_DATAPATH"
|
||||
: "DATAPATH_PROVIDER_UNSPECIFIED"
|
||||
)
|
||||
enable_autopilot = var.enable_features.autopilot ? true : null
|
||||
|
||||
# the default nodepool is deleted here, use the gke-nodepool module instead
|
||||
# node_config {}
|
||||
# NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
|
||||
# Specify that node_config as an parameter to gke-nodepool module instead.
|
||||
|
||||
# TODO(ludomagno): compute addons map in locals and use a single dynamic block
|
||||
addons_config {
|
||||
dynamic "dns_cache_config" {
|
||||
# Pass the user-provided value when autopilot is disabled. When
|
||||
# autopilot is enabled, pass the value only when the addon is
|
||||
# set to true. This will fail but warns the user that autopilot
|
||||
# doesn't support this option, instead of silently discarding
|
||||
# and hiding the error
|
||||
for_each = !var.enable_autopilot || (var.enable_autopilot && var.addons.dns_cache_config) ? [""] : []
|
||||
for_each = !var.enable_features.autopilot ? [""] : []
|
||||
content {
|
||||
enabled = var.addons.dns_cache_config
|
||||
enabled = var.enable_addons.dns_cache
|
||||
}
|
||||
}
|
||||
http_load_balancing {
|
||||
disabled = !var.addons.http_load_balancing
|
||||
disabled = !var.enable_addons.http_load_balancing
|
||||
}
|
||||
horizontal_pod_autoscaling {
|
||||
disabled = !var.addons.horizontal_pod_autoscaling
|
||||
disabled = !var.enable_addons.horizontal_pod_autoscaling
|
||||
}
|
||||
dynamic "network_policy_config" {
|
||||
for_each = !var.enable_autopilot ? [""] : []
|
||||
for_each = !var.enable_features.autopilot ? [""] : []
|
||||
content {
|
||||
disabled = !var.addons.network_policy_config
|
||||
disabled = !var.enable_addons.network_policy
|
||||
}
|
||||
}
|
||||
cloudrun_config {
|
||||
disabled = !var.addons.cloudrun_config
|
||||
disabled = !var.enable_addons.cloudrun
|
||||
}
|
||||
istio_config {
|
||||
disabled = !var.addons.istio_config.enabled
|
||||
auth = var.addons.istio_config.tls ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
|
||||
disabled = var.enable_addons.istio == null
|
||||
auth = (
|
||||
try(var.enable_addons.istio.enable_tls, false) ? "AUTH_MUTUAL_TLS" : "AUTH_NONE"
|
||||
)
|
||||
}
|
||||
gce_persistent_disk_csi_driver_config {
|
||||
enabled = var.enable_autopilot || var.addons.gce_persistent_disk_csi_driver_config
|
||||
enabled = var.enable_addons.gce_persistent_disk_csi_driver
|
||||
}
|
||||
dynamic "gcp_filestore_csi_driver_config" {
|
||||
# Pass the user-provided value when autopilot is disabled. When
|
||||
# autopilot is enabled, pass the value only when the addon is
|
||||
# set to true. This will fail but warns the user that autopilot
|
||||
# doesn't support this option, instead of silently discarding
|
||||
# and hiding the error
|
||||
for_each = var.enable_autopilot && !var.addons.gcp_filestore_csi_driver_config ? [] : [""]
|
||||
for_each = !var.enable_features.autopilot ? [""] : []
|
||||
content {
|
||||
enabled = var.addons.gcp_filestore_csi_driver_config
|
||||
enabled = var.enable_addons.gcp_filestore_csi_driver
|
||||
}
|
||||
}
|
||||
kalm_config {
|
||||
enabled = var.addons.kalm_config
|
||||
enabled = var.enable_addons.kalm
|
||||
}
|
||||
config_connector_config {
|
||||
enabled = var.addons.config_connector_config
|
||||
enabled = var.enable_addons.config_connector
|
||||
}
|
||||
gke_backup_agent_config {
|
||||
enabled = var.addons.gke_backup_agent_config
|
||||
enabled = var.enable_addons.gke_backup_agent
|
||||
}
|
||||
}
|
||||
|
||||
# TODO(ludomagno): support setting address ranges instead of range names
|
||||
# https://www.terraform.io/docs/providers/google/r/container_cluster.html#cluster_ipv4_cidr_block
|
||||
ip_allocation_policy {
|
||||
cluster_secondary_range_name = var.secondary_range_pods
|
||||
services_secondary_range_name = var.secondary_range_services
|
||||
dynamic "authenticator_groups_config" {
|
||||
for_each = var.enable_features.groups_for_rbac != null ? [""] : []
|
||||
content {
|
||||
security_group = var.enable_features.groups_for_rbac
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "binary_authorization" {
|
||||
for_each = var.enable_features.binary_authorization ? [""] : []
|
||||
content {
|
||||
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "cluster_autoscaling" {
|
||||
for_each = var.cluster_autoscaling == null ? [] : [""]
|
||||
content {
|
||||
enabled = true
|
||||
dynamic "resource_limits" {
|
||||
for_each = var.cluster_autoscaling.cpu_limits != null ? [""] : []
|
||||
content {
|
||||
resource_type = "cpu"
|
||||
minimum = var.cluster_autoscaling.cpu_limits.min
|
||||
maximum = var.cluster_autoscaling.cpu_limits.max
|
||||
}
|
||||
}
|
||||
dynamic "resource_limits" {
|
||||
for_each = var.cluster_autoscaling.mem_limits != null ? [""] : []
|
||||
content {
|
||||
resource_type = "cpu"
|
||||
minimum = var.cluster_autoscaling.mem_limits.min
|
||||
maximum = var.cluster_autoscaling.mem_limits.max
|
||||
}
|
||||
}
|
||||
// TODO: support GPUs too
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "database_encryption" {
|
||||
for_each = var.enable_features.database_encryption != null ? [""] : []
|
||||
content {
|
||||
state = var.enable_features.database_encryption.state
|
||||
key_name = var.enable_features.database_encryption.key_name
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "dns_config" {
|
||||
for_each = var.enable_features.cloud_dns != null ? [""] : []
|
||||
content {
|
||||
cluster_dns = enable_features.cloud_dns.cluster_dns
|
||||
cluster_dns_scope = enable_features.cloud_dns.cluster_dns_scope
|
||||
cluster_dns_domain = enable_features.cloud_dns.cluster_dns_domain
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "ip_allocation_policy" {
|
||||
for_each = var.vpc_config.secondary_range_blocks != null ? [""] : []
|
||||
content {
|
||||
cluster_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.pods
|
||||
services_ipv4_cidr_block = var.vpc_config.secondary_range_blocks.services
|
||||
}
|
||||
}
|
||||
dynamic "ip_allocation_policy" {
|
||||
for_each = var.vpc_config.secondary_range_names != null ? [""] : []
|
||||
content {
|
||||
cluster_secondary_range_name = var.vpc_config.secondary_range_names.pods
|
||||
services_secondary_range_name = var.vpc_config.secondary_range_names.services
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "logging_config" {
|
||||
for_each = var.logging_config != null ? [""] : []
|
||||
content {
|
||||
enable_components = var.logging_config
|
||||
}
|
||||
}
|
||||
|
||||
# https://www.terraform.io/docs/providers/google/r/container_cluster.html#daily_maintenance_window
|
||||
maintenance_policy {
|
||||
dynamic "daily_maintenance_window" {
|
||||
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "daily_maintenance_window", null) != null ? [var.maintenance_config.daily_maintenance_window] : []
|
||||
iterator = config
|
||||
for_each = (
|
||||
try(var.maintenance_config.daily_window_start_time, null) != null
|
||||
? [""]
|
||||
: []
|
||||
)
|
||||
content {
|
||||
start_time = config.value.start_time
|
||||
start_time = var.maintenance_config.daily_window_start_time
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "recurring_window" {
|
||||
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "recurring_window", null) != null ? [var.maintenance_config.recurring_window] : []
|
||||
iterator = config
|
||||
for_each = (
|
||||
try(var.maintenance_config.recurring_window, null) != null
|
||||
? [""]
|
||||
: []
|
||||
)
|
||||
content {
|
||||
start_time = config.value.start_time
|
||||
end_time = config.value.end_time
|
||||
recurrence = config.value.recurrence
|
||||
start_time = var.maintenance_config.recurring_window.start_time
|
||||
end_time = var.maintenance_config.recurring_window.end_time
|
||||
recurrence = var.maintenance_config.recurring_window.recurrence
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "maintenance_exclusion" {
|
||||
for_each = var.maintenance_config != null && lookup(var.maintenance_config, "maintenance_exclusion", null) != null ? var.maintenance_config.maintenance_exclusion : []
|
||||
iterator = config
|
||||
for_each = (
|
||||
try(var.maintenance_config.maintenance_exclusions, null) == null
|
||||
? []
|
||||
: var.maintenance_config.maintenance_exclusions
|
||||
)
|
||||
iterator = exclusion
|
||||
content {
|
||||
exclusion_name = config.value.exclusion_name
|
||||
start_time = config.value.start_time
|
||||
end_time = config.value.end_time
|
||||
exclusion_name = exclusion.value.name
|
||||
start_time = exclusion.value.start_time
|
||||
end_time = exclusion.value.end_time
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
master_auth {
|
||||
client_certificate_config {
|
||||
issue_client_certificate = false
|
||||
issue_client_certificate = var.issue_client_certificate
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "master_authorized_networks_config" {
|
||||
for_each = (
|
||||
length(var.master_authorized_ranges) == 0
|
||||
? []
|
||||
: [var.master_authorized_ranges]
|
||||
)
|
||||
iterator = ranges
|
||||
for_each = var.vpc_config.master_authorized_ranges != null ? [""] : []
|
||||
content {
|
||||
dynamic "cidr_blocks" {
|
||||
for_each = ranges.value
|
||||
for_each = var.vpc_config.master_authorized_ranges
|
||||
iterator = range
|
||||
content {
|
||||
cidr_block = range.value
@ -176,69 +233,58 @@ resource "google_container_cluster" "cluster" {
}
|
||||
}
|
||||
|
||||
#the network_policy block is enabled if network_policy_config and network_dataplane_v2 is set to false. Dataplane V2 has built-in network policies.
|
||||
dynamic "network_policy" {
|
||||
for_each = var.addons.network_policy_config ? [""] : []
|
||||
dynamic "monitoring_config" {
|
||||
for_each = var.monitoring_config != null ? [""] : []
|
||||
content {
|
||||
enabled = var.enable_dataplane_v2 ? false : true
|
||||
provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
|
||||
enable_components = var.monitoring_config
|
||||
}
|
||||
}
|
||||
|
||||
# dataplane v2 has bult-in network policies
|
||||
dynamic "network_policy" {
|
||||
for_each = (
|
||||
var.enable_addons.network_policy && !var.enable_features.dataplane_v2
|
||||
? [""]
|
||||
: []
|
||||
)
|
||||
content {
|
||||
enabled = true
|
||||
provider = "CALICO"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "notification_config" {
|
||||
for_each = var.enable_features.upgrade_notifications != null ? [""] : []
|
||||
content {
|
||||
pubsub {
|
||||
enabled = true
|
||||
topic = (
|
||||
try(var.enable_features.upgrade_notifications.topic_id, null) != null
|
||||
? var.enable_features.upgrade_notifications.topic_id
|
||||
: google_pubsub_topic.notifications[0].id
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "private_cluster_config" {
|
||||
for_each = local.is_private ? [var.private_cluster_config] : []
|
||||
iterator = config
|
||||
for_each = (
|
||||
var.private_cluster_config != null ? [""] : []
|
||||
)
|
||||
content {
|
||||
enable_private_nodes = config.value.enable_private_nodes
|
||||
enable_private_endpoint = config.value.enable_private_endpoint
|
||||
master_ipv4_cidr_block = config.value.master_ipv4_cidr_block
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = var.private_cluster_config.enable_private_endpoint
|
||||
master_ipv4_cidr_block = var.private_cluster_config.master_ipv4_cidr_block
|
||||
master_global_access_config {
|
||||
enabled = config.value.master_global_access
|
||||
enabled = var.private_cluster_config.master_global_access
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# beta features
|
||||
|
||||
dynamic "authenticator_groups_config" {
|
||||
for_each = var.authenticator_security_group == null ? [] : [""]
|
||||
content {
|
||||
security_group = var.authenticator_security_group
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "cluster_autoscaling" {
|
||||
for_each = var.cluster_autoscaling.enabled ? [var.cluster_autoscaling] : []
|
||||
iterator = config
|
||||
content {
|
||||
enabled = true
|
||||
resource_limits {
|
||||
resource_type = "cpu"
|
||||
minimum = config.value.cpu_min
|
||||
maximum = config.value.cpu_max
|
||||
}
|
||||
resource_limits {
|
||||
resource_type = "memory"
|
||||
minimum = config.value.memory_min
|
||||
maximum = config.value.memory_max
|
||||
}
|
||||
// TODO: support GPUs too
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "database_encryption" {
|
||||
for_each = var.database_encryption.enabled ? [var.database_encryption] : []
|
||||
iterator = config
|
||||
content {
|
||||
state = config.value.state
|
||||
key_name = config.value.key_name
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "pod_security_policy_config" {
|
||||
for_each = var.pod_security_policy != null ? [""] : []
|
||||
for_each = var.enable_features.pod_security_policy ? [""] : []
|
||||
content {
|
||||
enabled = var.pod_security_policy
|
||||
enabled = var.enable_features.pod_security_policy
|
||||
}
|
||||
}
|
@ -251,86 +297,61 @@ resource "google_container_cluster" "cluster" {
|
||||
dynamic "resource_usage_export_config" {
|
||||
for_each = (
|
||||
var.resource_usage_export_config.enabled != null
|
||||
&&
|
||||
var.resource_usage_export_config.dataset != null
|
||||
? [""] : []
|
||||
try(var.enable_features.resource_usage_export.dataset, null) != null
|
||||
? [""]
|
||||
: []
|
||||
)
|
||||
content {
|
||||
enable_network_egress_metering = var.resource_usage_export_config.enabled
|
||||
enable_network_egress_metering = (
|
||||
var.enable_features.resource_usage_export.enable_network_egress_metering
|
||||
)
|
||||
enable_resource_consumption_metering = (
|
||||
var.enable_features.resource_usage_export.enable_resource_consumption_metering
|
||||
)
|
||||
bigquery_destination {
|
||||
dataset_id = var.resource_usage_export_config.dataset
|
||||
dataset_id = var.enable_features.resource_usage_export.dataset
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "vertical_pod_autoscaling" {
|
||||
for_each = var.vertical_pod_autoscaling == null ? [] : [""]
|
||||
for_each = var.enable_features.vertical_pod_autoscaling ? [""] : []
|
||||
content {
|
||||
enabled = var.vertical_pod_autoscaling
|
||||
enabled = var.enable_features.vertical_pod_autoscaling
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "workload_identity_config" {
|
||||
for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
|
||||
for_each = var.enable_features.workload_identity ? [""] : []
|
||||
content {
|
||||
workload_pool = "${var.project_id}.svc.id.goog"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "monitoring_config" {
|
||||
for_each = var.monitoring_config != null ? [""] : []
|
||||
content {
|
||||
enable_components = var.monitoring_config
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "logging_config" {
|
||||
for_each = var.logging_config != null ? [""] : []
|
||||
content {
|
||||
enable_components = var.logging_config
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "binary_authorization" {
|
||||
for_each = var.enable_binary_authorization ? [""] : []
|
||||
content {
|
||||
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "dns_config" {
|
||||
for_each = var.dns_config != null ? [""] : []
|
||||
content {
|
||||
cluster_dns = var.dns_config.cluster_dns
|
||||
cluster_dns_scope = var.dns_config.cluster_dns_scope
|
||||
cluster_dns_domain = var.dns_config.cluster_dns_domain
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "notification_config" {
|
||||
for_each = var.notification_config ? [""] : []
|
||||
content {
|
||||
pubsub {
|
||||
enabled = var.notification_config
|
||||
topic = var.notification_config ? google_pubsub_topic.notifications[0].id : null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_network_peering_routes_config" "gke_master" {
|
||||
count = local.is_private && var.peering_config != null ? 1 : 0
|
||||
project = local.peering_project_id
|
||||
peering = local.peering
|
||||
network = element(reverse(split("/", var.network)), 0)
|
||||
import_custom_routes = var.peering_config.import_routes
|
||||
export_custom_routes = var.peering_config.export_routes
|
||||
count = (
|
||||
try(var.private_cluster_config.peering_config, null) != null ? 1 : 0
|
||||
)
|
||||
project = (
|
||||
try(var.private_cluster_config.peering_config, null) == null
|
||||
? var.project_id
|
||||
: var.private_cluster_config.peering_config.project_id
|
||||
)
|
||||
peering = try(
|
||||
google_container_cluster.cluster.private_cluster_config.0.peering_name,
|
||||
null
|
||||
)
|
||||
network = element(reverse(split("/", var.vpc_config.network)), 0)
|
||||
import_custom_routes = var.private_cluster_config.peering_config.import_routes
|
||||
export_custom_routes = var.private_cluster_config.peering_config.export_routes
|
||||
}
|
||||
|
||||
resource "google_pubsub_topic" "notifications" {
|
||||
count = var.notification_config ? 1 : 0
|
||||
name = "gke-pubsub-notifications"
|
||||
count = (
|
||||
try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 0 : 1
|
||||
)
|
||||
name = "gke-pubsub-notifications"
|
||||
labels = {
|
||||
content = "gke-notifications"
|
||||
}
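Review bot: The new `dns_config` content lines `cluster_dns = enable_features.cloud_dns.cluster_dns` (and the `cluster_dns_scope`/`cluster_dns_domain` lines under it) drop the `var.` prefix — Terraform will read a bare `enable_features.cloud_dns` as a resource reference and reject it — and they name attributes the variable type never declares, since `enable_features.cloud_dns` in variables.tf only has `provider`, `scope` and `domain`; they should be `cluster_dns = var.enable_features.cloud_dns.provider`, `cluster_dns_scope = var.enable_features.cloud_dns.scope`, `cluster_dns_domain = var.enable_features.cloud_dns.domain`. In `cluster_autoscaling`, the second `resource_limits` block (the `mem_limits` one) repeats `resource_type = "cpu"` where the old code had `resource_type = "memory"`, so memory limits are never applied and the two blocks collide on the same resource type. The `google_pubsub_topic.notifications` count is inverted: `try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 0 : 1` creates the topic only when the caller already supplies one, while `notification_config` references `google_pubsub_topic.notifications[0].id` exactly when `topic_id` is null, so that reference fails; it should read `count = try(var.enable_features.upgrade_notifications, null) != null && try(var.enable_features.upgrade_notifications.topic_id, null) == null ? 1 : 0`. Because `vpc_config.secondary_range_names` defaults to `{ pods = "pods", services = "services" }`, a caller who sets `secondary_range_blocks` gets both dynamic `ip_allocation_policy` blocks rendered unless they also null the names; the names block's `for_each` should additionally require `var.vpc_config.secondary_range_blocks == null`. In `google_compute_network_peering_routes_config`, `project` now falls back to `var.project_id` only when the whole `peering_config` is null, so a `peering_config` that omits the optional `project_id` yields `project = null` where the old locals fell back to `var.project_id`; `project = try(var.private_cluster_config.peering_config.project_id, null) == null ? var.project_id : var.private_cluster_config.peering_config.project_id` restores that.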
@ -53,7 +53,7 @@ output "name" {
|
||||
output "notifications" {
|
||||
description = "GKE PubSub notifications topic."
|
||||
value = var.notification_config ? google_pubsub_topic.notifications[0].id : null
|
||||
value = try(google_pubsub_topic.notifications[0].id, null)
|
||||
}
|
||||
|
||||
output "self_link" {
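Review bot: The new `value = try(google_pubsub_topic.notifications[0].id, null)` returns null whenever the caller supplies their own `upgrade_notifications.topic_id`, even though notifications are then configured against that topic, so the output no longer reports the topic actually in use. Consider `value = try(var.enable_features.upgrade_notifications.topic_id, null) != null ? var.enable_features.upgrade_notifications.topic_id : try(google_pubsub_topic.notifications[0].id, null)`, or state in the description that only the module-managed topic is exposed.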
@ -14,84 +14,25 @@
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "addons" {
|
||||
description = "Addons enabled in the cluster (true means enabled)."
|
||||
type = object({
|
||||
cloudrun_config = bool
|
||||
dns_cache_config = bool
|
||||
horizontal_pod_autoscaling = bool
|
||||
http_load_balancing = bool
|
||||
istio_config = object({
|
||||
enabled = bool
|
||||
tls = bool
|
||||
})
|
||||
network_policy_config = bool
|
||||
gce_persistent_disk_csi_driver_config = bool
|
||||
gcp_filestore_csi_driver_config = bool
|
||||
config_connector_config = bool
|
||||
kalm_config = bool
|
||||
gke_backup_agent_config = bool
|
||||
})
|
||||
default = {
|
||||
cloudrun_config = false
|
||||
dns_cache_config = false
|
||||
horizontal_pod_autoscaling = true
|
||||
http_load_balancing = true
|
||||
istio_config = {
|
||||
enabled = false
|
||||
tls = false
|
||||
}
|
||||
network_policy_config = false
|
||||
gce_persistent_disk_csi_driver_config = false
|
||||
gcp_filestore_csi_driver_config = false
|
||||
config_connector_config = false
|
||||
kalm_config = false
|
||||
gke_backup_agent_config = false
|
||||
}
|
||||
}
|
||||
|
||||
variable "authenticator_security_group" {
|
||||
description = "RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "cluster_autoscaling" {
|
||||
description = "Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler."
|
||||
type = object({
|
||||
enabled = bool
|
||||
cpu_min = number
|
||||
cpu_max = number
|
||||
memory_min = number
|
||||
memory_max = number
|
||||
auto_provisioning_defaults = optional(object({
|
||||
boot_disk_kms_key = optional(string)
|
||||
image_type = optional(string)
|
||||
oauth_scopes = optional(list(string))
|
||||
service_account = optional(string)
|
||||
}))
|
||||
cpu_limits = optional(object({
|
||||
min = number
|
||||
max = number
|
||||
}))
|
||||
mem_limits = optional(object({
|
||||
min = number
|
||||
max = number
|
||||
}))
|
||||
})
|
||||
default = {
|
||||
enabled = false
|
||||
cpu_min = 0
|
||||
cpu_max = 0
|
||||
memory_min = 0
|
||||
memory_max = 0
|
||||
}
|
||||
}
|
||||
|
||||
variable "database_encryption" {
|
||||
description = "Enable and configure GKE application-layer secrets encryption."
|
||||
type = object({
|
||||
enabled = bool
|
||||
state = string
|
||||
key_name = string
|
||||
})
|
||||
default = {
|
||||
enabled = false
|
||||
state = "DECRYPTED"
|
||||
key_name = null
|
||||
}
|
||||
}
|
||||
|
||||
variable "default_max_pods_per_node" {
|
||||
description = "Maximum number of pods per node in this cluster."
|
||||
type = number
|
||||
default = 110
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "description" {
@ -100,58 +41,74 @@ variable "description" {
default = null
|
||||
}
|
||||
|
||||
variable "dns_config" {
|
||||
description = "Configuration for Using Cloud DNS for GKE."
|
||||
variable "enable_addons" {
|
||||
description = "Addons enabled in the cluster (true means enabled)."
|
||||
type = object({
|
||||
cluster_dns = string
|
||||
cluster_dns_scope = string
|
||||
cluster_dns_domain = string
|
||||
cloudrun = optional(bool, false)
|
||||
config_connector = optional(bool, false)
|
||||
dns_cache = optional(bool, false)
|
||||
gce_persistent_disk_csi_driver = optional(bool, false)
|
||||
gcp_filestore_csi_driver = optional(bool, false)
|
||||
gke_backup_agent = optional(bool, false)
|
||||
horizontal_pod_autoscaling = optional(bool, false)
|
||||
http_load_balancing = optional(bool, false)
|
||||
istio = optional(object({
|
||||
enable_tls = bool
|
||||
}))
|
||||
kalm = optional(bool, false)
|
||||
network_policy = optional(bool, false)
|
||||
})
|
||||
default = null
|
||||
default = {
|
||||
horizontal_pod_autoscaling = true
|
||||
http_load_balancing = true
|
||||
}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "enable_autopilot" {
|
||||
description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)."
|
||||
variable "enable_features" {
|
||||
description = "Enable cluster-level features. Certain features allow configuration."
|
||||
type = object({
|
||||
autopilot = optional(bool, false)
|
||||
binary_authorization = optional(bool, false)
|
||||
cloud_dns = optional(object({
|
||||
provider = optional(string)
|
||||
scope = optional(string)
|
||||
domain = optional(string)
|
||||
}))
|
||||
database_encryption = optional(object({
|
||||
state = string
|
||||
key_name = string
|
||||
}))
|
||||
dataplane_v2 = optional(bool, false)
|
||||
groups_for_rbac = optional(string)
|
||||
intranode_visibility = optional(bool, false)
|
||||
l4_ilb_subsetting = optional(bool, false)
|
||||
pod_security_policy = optional(bool, false)
|
||||
resource_usage_export = optional(object({
|
||||
dataset = optional(string)
|
||||
enable_network_egress_metering = optional(bool, false)
|
||||
enable_resource_consumption_metering = optional(bool, false)
|
||||
}))
|
||||
shielded_nodes = optional(bool, false)
|
||||
tpu = optional(bool, false)
|
||||
upgrade_notifications = optional(object({
|
||||
topic_id = optional(string)
|
||||
}))
|
||||
vertical_pod_autoscaling = optional(bool, false)
|
||||
workload_identity = optional(bool, false)
|
||||
})
|
||||
default = {
|
||||
workload_identity = true
|
||||
resource_usage_export = null
|
||||
}
|
||||
}
|
||||
|
||||
variable "issue_client_certificate" {
|
||||
description = "Enable issuing client certificate."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enable_binary_authorization" {
|
||||
description = "Enable Google Binary Authorization."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enable_dataplane_v2" {
|
||||
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enable_intranode_visibility" {
|
||||
description = "Enable intra-node visibility to make same node pod to pod traffic visible."
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "enable_l4_ilb_subsetting" {
|
||||
description = "Enable L4ILB Subsetting."
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "enable_shielded_nodes" {
|
||||
description = "Enable Shielded Nodes features on all nodes in this cluster."
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "enable_tpu" {
|
||||
description = "Enable Cloud TPU resources in this cluster."
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "labels" {
|
||||
description = "Cluster resource labels."
|
||||
type = map(string)
@ -164,47 +121,38 @@ variable "location" {
}
|
||||
|
||||
variable "logging_config" {
|
||||
description = "Logging configuration (enabled components)."
|
||||
description = "Logging configuration."
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "logging_service" {
|
||||
description = "Logging service (disable with an empty string)."
|
||||
type = string
|
||||
default = "logging.googleapis.com/kubernetes"
|
||||
default = ["SYSTEM_COMPONENTS"]
|
||||
}
|
||||
|
||||
variable "maintenance_config" {
|
||||
description = "Maintenance window configuration."
|
||||
type = object({
|
||||
daily_maintenance_window = object({
|
||||
start_time = string
|
||||
})
|
||||
recurring_window = object({
|
||||
daily_window_start_time = optional(string)
|
||||
recurring_window = optional(object({
|
||||
start_time = string
|
||||
end_time = string
|
||||
recurrence = string
|
||||
})
|
||||
maintenance_exclusion = list(object({
|
||||
exclusion_name = string
|
||||
start_time = string
|
||||
end_time = string
|
||||
}))
|
||||
maintenance_exclusions = optional(list(object({
|
||||
name = string
|
||||
start_time = string
|
||||
end_time = string
|
||||
scope = optional(string)
|
||||
})))
|
||||
})
|
||||
default = {
|
||||
daily_maintenance_window = {
|
||||
start_time = "03:00"
|
||||
}
|
||||
recurring_window = null
|
||||
maintenance_exclusion = []
|
||||
daily_window_start_time = "03:00"
|
||||
recurring_window = null
|
||||
maintenance_exclusion = []
|
||||
}
|
||||
}
|
||||
|
||||
variable "master_authorized_ranges" {
|
||||
description = "External Ip address ranges that can access the Kubernetes cluster master through HTTPS."
|
||||
type = map(string)
|
||||
default = {}
|
||||
variable "max_pods_per_node" {
|
||||
description = "Maximum number of pods per node in this cluster."
|
||||
type = number
|
||||
default = 110
|
||||
}
|
||||
|
||||
variable "min_master_version" {
@ -214,15 +162,9 @@ variable "min_master_version" {
}
|
||||
|
||||
variable "monitoring_config" {
|
||||
description = "Monitoring configuration (enabled components)."
|
||||
description = "Monitoring components."
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "monitoring_service" {
|
||||
description = "Monitoring service (disable with an empty string)."
|
||||
type = string
|
||||
default = "monitoring.googleapis.com/kubernetes"
|
||||
default = ["SYSTEM_COMPONENTS"]
|
||||
}
|
||||
|
||||
variable "name" {
@ -230,46 +172,24 @@ variable "name" {
type = string
|
||||
}
|
||||
|
||||
variable "network" {
|
||||
description = "Name or self link of the VPC used for the cluster. Use the self link for Shared VPC."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "node_locations" {
|
||||
description = "Zones in which the cluster's nodes are located."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "notification_config" {
|
||||
description = "GKE Cluster upgrade notifications via PubSub."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "peering_config" {
|
||||
description = "Configure peering with the master VPC for private clusters."
|
||||
type = object({
|
||||
export_routes = bool
|
||||
import_routes = bool
|
||||
project_id = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "pod_security_policy" {
|
||||
description = "Enable the PodSecurityPolicy feature."
|
||||
type = bool
|
||||
default = null
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "private_cluster_config" {
|
||||
description = "Enable and configure private cluster, private nodes must be true if used."
|
||||
description = "Private cluster configuration."
|
||||
type = object({
|
||||
enable_private_nodes = bool
|
||||
enable_private_endpoint = bool
|
||||
master_ipv4_cidr_block = string
|
||||
master_global_access = bool
|
||||
enable_private_endpoint = optional(bool)
|
||||
master_ipv4_cidr_block = optional(string)
|
||||
master_global_access = optional(bool)
|
||||
peering_config = optional(object({
|
||||
export_routes = optional(bool)
|
||||
import_routes = optional(bool)
|
||||
project_id = optional(string)
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
@ -285,41 +205,20 @@ variable "release_channel" {
default = null
|
||||
}
|
||||
|
||||
variable "resource_usage_export_config" {
|
||||
description = "Configure the ResourceUsageExportConfig feature."
|
||||
variable "vpc_config" {
|
||||
description = "VPC-level configuration."
|
||||
type = object({
|
||||
enabled = bool
|
||||
dataset = string
|
||||
network = string
|
||||
subnetwork = string
|
||||
secondary_range_blocks = optional(object({
|
||||
pods = string
|
||||
services = string
|
||||
}), )
|
||||
secondary_range_names = optional(object({
|
||||
pods = string
|
||||
services = string
|
||||
}), { pods = "pods", services = "services" })
|
||||
master_authorized_ranges = optional(map(string))
|
||||
})
|
||||
default = {
|
||||
enabled = null
|
||||
dataset = null
|
||||
}
|
||||
}
|
||||
|
||||
variable "secondary_range_pods" {
|
||||
description = "Subnet secondary range name used for pods."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "secondary_range_services" {
|
||||
description = "Subnet secondary range name used for services."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "subnetwork" {
|
||||
description = "VPC subnetwork name or self link."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "vertical_pod_autoscaling" {
|
||||
description = "Enable the Vertical Pod Autoscaling feature."
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "workload_identity" {
|
||||
description = "Enable the Workload Identity feature."
|
||||
type = bool
|
||||
default = true
|
||||
nullable = false
|
||||
}
|
||||
|
|
|
@ -48,18 +48,20 @@ module "vpc" {
|
|||
}
|
||||
|
||||
module "cluster_1" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
enable_dataplane_v2 = true
|
||||
master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" }
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-west1"
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west1/cluster-1"]
|
||||
master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" }
|
||||
}
|
||||
enable_features = {
|
||||
dataplane_v2 = true
|
||||
workload_identity = true
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
master_ipv4_cidr_block = "192.168.0.0/28"
|
||||
master_global_access = false
|
||||
|
@ -225,27 +227,24 @@ module "firewall" {
|
|||
}
|
||||
|
||||
module "cluster_1" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-wes1"
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-west1"
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
|
||||
master_authorized_ranges = {
|
||||
mgmt = "10.0.0.0/28"
|
||||
pods-cluster-1 = "10.3.0.0/16"
|
||||
}
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = false
|
||||
master_ipv4_cidr_block = "192.168.1.0/28"
|
||||
master_global_access = true
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
mgmt = "10.0.0.0/28"
|
||||
pods-cluster-1 = "10.3.0.0/16"
|
||||
}
|
||||
enable_autopilot = false
|
||||
release_channel = "REGULAR"
|
||||
workload_identity = true
|
||||
release_channel = "REGULAR"
|
||||
labels = {
|
||||
mesh_id = "proj-${module.project.number}"
|
||||
}
|
||||
|
@ -266,25 +265,22 @@ module "cluster_1_nodepool" {
|
|||
module "cluster_2" {
|
||||
source = "./fabric/modules/gke-cluster"
|
||||
project_id = module.project.project_id
|
||||
name = "cluster-1"
|
||||
location = "europe-wes1"
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
name = "cluster-2"
|
||||
location = "europe-west4"
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
|
||||
master_authorized_ranges = {
|
||||
mgmt = "10.0.0.0/28"
|
||||
pods-cluster-1 = "10.3.0.0/16"
|
||||
}
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = false
|
||||
master_ipv4_cidr_block = "192.168.2.0/28"
|
||||
master_global_access = true
|
||||
}
|
||||
master_authorized_ranges = {
|
||||
mgmt = "10.0.0.0/28"
|
||||
pods-cluster-1 = "10.1.0.0/16"
|
||||
}
|
||||
enable_autopilot = false
|
||||
release_channel = "REGULAR"
|
||||
workload_identity = true
|
||||
release_channel = "REGULAR"
|
||||
labels = {
|
||||
mesh_id = "proj-${module.project.number}"
|
||||
}
|
||||
|
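Review bot: In the rebuilt `cluster_2` block the authorized range reads `pods-cluster-1 = "10.3.0.0/16"`, while the top-level `master_authorized_ranges` map printed just below it (the old form) had `pods-cluster-1 = "10.1.0.0/16"`; the new value is identical to `cluster_1`'s block, so it looks like a copy of that block that silently changes which pod range may reach cluster_2's control plane, and if the old value was correct the line should be `pods-cluster-1 = "10.1.0.0/16"`. The old/new side of each line is inferred from nesting, since the rendered page lost its markers. Separately, both `cluster_1` (hunk after `module "firewall"`) and `cluster_2` drop `workload_identity = true` with no replacement visible in the new form, whereas the `module "vpc"` hunk above sets `enable_features = { workload_identity = true }` explicitly; unless the module's new `enable_features` default enables it, add `enable_features = { workload_identity = true }` to both cluster blocks. The `cluster_1` block in the `module "vpc"` hunk continues past that hunk's end.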
|
|
@ -15,7 +15,7 @@
|
|||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../../blueprints/networking/shared-vpc-gke"
|
||||
source = "../../../../../blueprints/gke/shared-vpc-gke"
|
||||
billing_account_id = var.billing_account_id
|
||||
prefix = var.prefix
|
||||
root_node = var.root_node
|
|
@ -15,14 +15,14 @@
|
|||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../modules/gke-cluster"
|
||||
project_id = "my-project"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
network = "mynetwork"
|
||||
subnetwork = "mysubnet"
|
||||
secondary_range_pods = "pods"
|
||||
secondary_range_services = "services"
|
||||
enable_autopilot = var.enable_autopilot
|
||||
addons = var.addons
|
||||
source = "../../../../modules/gke-cluster"
|
||||
project_id = "my-project"
|
||||
name = "cluster-1"
|
||||
location = "europe-west1-b"
|
||||
vpc_config = {
|
||||
network = "mynetwork"
|
||||
subnetwork = "mysubnet"
|
||||
}
|
||||
enable_addons = var.enable_addons
|
||||
enable_features = var.enable_features
|
||||
}
|
||||
|
|
|
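Review bot: The fixture now passes only `vpc_config`, `enable_addons` and `enable_features` to `../../../../modules/gke-cluster`, so the private-cluster object that this commit appears to rework in the module's variables (`private_cluster_config`, with `master_ipv4_cidr_block` and `enable_private_endpoint`) is never exercised from this fixture, and a plan test cannot catch a regression in that object type or in the control-plane CIDR handling. Consider a pass-through such as `private_cluster_config = var.private_cluster_config` backed by a fixture variable with a `null` default, so tests can plan a private cluster alongside the default one. The `module "test"` block closes at the end of this hunk, so the extra argument fits inside it.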
@ -14,25 +14,17 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "enable_autopilot" {
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "addons" {
|
||||
variable "enable_addons" {
|
||||
type = any
|
||||
default = {
|
||||
cloudrun_config = false
|
||||
dns_cache_config = false
|
||||
horizontal_pod_autoscaling = true
|
||||
http_load_balancing = true
|
||||
istio_config = {
|
||||
enabled = false
|
||||
tls = false
|
||||
}
|
||||
network_policy_config = false
|
||||
gce_persistent_disk_csi_driver_config = false
|
||||
gcp_filestore_csi_driver_config = false
|
||||
config_connector_config = false
|
||||
kalm_config = false
|
||||
gke_backup_agent_config = false
|
||||
}
|
||||
}
|
||||
|
||||
variable "enable_features" {
|
||||
type = any
|
||||
default = {
|
||||
workload_identity = true
|
||||
}
|
||||
}
|
||||
|
|
|
@ -28,9 +28,8 @@ def test_standard(plan_runner):
|
|||
|
||||
def test_autopilot(plan_runner):
|
||||
"Test resources created with variable defaults."
|
||||
_, resources = plan_runner(enable_autopilot="true")
|
||||
_, resources = plan_runner(enable_features='{ autopilot=true }')
|
||||
assert len(resources) == 1
|
||||
|
||||
cluster_config = resources[0]['values']
|
||||
assert cluster_config['name'] == "cluster-1"
|
||||
assert cluster_config['network'] == "mynetwork"
|
||||
|
|
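Review bot: `test_autopilot` keeps the docstring `"Test resources created with variable defaults."`, which now misdescribes a test that overrides `enable_features` with `{ autopilot=true }`; change it to `"Test resources created with autopilot enabled."`. The assertions that follow check only the resource count, name and network, so the plan would still pass if the new `enable_features` map were ignored by the module; unless an assertion further down covers it (the function continues past the hunk), add `assert cluster_config['enable_autopilot'] is True` after the network check.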