Merge branch 'df-cmek-01' of https://github.com/terraform-google-modules/cloud-foundation-fabric into df-cmek-01
This commit is contained in:
Lorenzo Caggioni
commit
3237db06d8
11
CHANGELOG.md
11
CHANGELOG.md
|
|
@ -3,15 +3,16 @@
|
|||
All notable changes to this project will be documented in this file.
|
||||
|
||||
## [Unreleased]
|
||||
- Create `pubsub` service identity if service is enabled
|
||||
- create `pubsub` service identity if service is enabled
|
||||
- support for creation of GKE Autopilot clusters
|
||||
- Add support for CMEK keys in Data Foundation end to end example
|
||||
|
||||
## [5.0.0] - 2021-06-17
|
||||
|
||||
- Fix `message_retention_duration` variable type in `pubsub` module
|
||||
- Move `bq` robot service account into the robot service account project output
|
||||
- Add IAM cryptDecrypt role to robot service account on specified keys
|
||||
- Add Service Identity creation on `project` module if secretmanager enabled
|
||||
- fix `message_retention_duration` variable type in `pubsub` module
|
||||
- move `bq` robot service account into the robot service account project output
|
||||
- add IAM cryptDecrypt role to robot service account on specified keys
|
||||
- add Service Identity creation on `project` module if secretmanager enabled
|
||||
- add Data Foundation end to end example
|
||||
|
||||
## [4.9.0] - 2021-06-04
|
||||
|
|
|
|||
|
|
@ -75,12 +75,13 @@ module "cluster-1" {
|
|||
| secondary_range_pods | Subnet secondary range name used for pods. | <code title="">string</code> | ✓ | |
|
||||
| secondary_range_services | Subnet secondary range name used for services. | <code title="">string</code> | ✓ | |
|
||||
| subnetwork | VPC subnetwork name or self link. | <code title="">string</code> | ✓ | |
|
||||
| *addons* | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool })">object({...})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false }">...</code> |
|
||||
| *addons* | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun_config = bool dns_cache_config = bool horizontal_pod_autoscaling = bool http_load_balancing = bool istio_config = object({ enabled = bool tls = bool }) network_policy_config = bool gce_persistent_disk_csi_driver_config = bool })">object({...})</code> | | <code title="{ cloudrun_config = false dns_cache_config = false horizontal_pod_autoscaling = true http_load_balancing = true istio_config = { enabled = false tls = false } network_policy_config = false gce_persistent_disk_csi_driver_config = false }">...</code> |
|
||||
| *authenticator_security_group* | RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *cluster_autoscaling* | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ enabled = bool cpu_min = number cpu_max = number memory_min = number memory_max = number })">object({...})</code> | | <code title="{ enabled = false cpu_min = 0 cpu_max = 0 memory_min = 0 memory_max = 0 }">...</code> |
|
||||
| *database_encryption* | Enable and configure GKE application-layer secrets encryption. | <code title="object({ enabled = bool state = string key_name = string })">object({...})</code> | | <code title="{ enabled = false state = "DECRYPTED" key_name = null }">...</code> |
|
||||
| *default_max_pods_per_node* | Maximum number of pods per node in this cluster. | <code title="">number</code> | | <code title="">110</code> |
|
||||
| *description* | Cluster description. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *enable_autopilot* | Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node) | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *enable_binary_authorization* | Enable Google Binary Authorization. | <code title="">bool</code> | | <code title="">null</code> |
|
||||
| *enable_dataplane_v2* | Enable Dataplane V2 on the cluster, will disable network_policy addons config | <code title="">bool</code> | | <code title="">false</code> |
|
||||
| *enable_intranode_visibility* | Enable intra-node visibility to make same node pod to pod traffic visible. | <code title="">bool</code> | | <code title="">null</code> |
|
||||
|
|
|
|||
|
|
@ -42,15 +42,16 @@ resource "google_container_cluster" "cluster" {
|
|||
logging_service = var.logging_service
|
||||
monitoring_service = var.monitoring_service
|
||||
resource_labels = var.labels
|
||||
default_max_pods_per_node = var.default_max_pods_per_node
|
||||
default_max_pods_per_node = var.enable_autopilot ? null : var.default_max_pods_per_node
|
||||
enable_binary_authorization = var.enable_binary_authorization
|
||||
enable_intranode_visibility = var.enable_intranode_visibility
|
||||
enable_shielded_nodes = var.enable_shielded_nodes
|
||||
enable_tpu = var.enable_tpu
|
||||
initial_node_count = 1
|
||||
remove_default_node_pool = true
|
||||
remove_default_node_pool = var.enable_autopilot ? null : true
|
||||
datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
|
||||
|
||||
enable_autopilot = var.enable_autopilot == true ? true : null
|
||||
|
||||
# node_config {}
|
||||
# NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
|
||||
# Specify that node_config as an parameter to gke-nodepool module instead.
|
||||
|
|
@ -66,8 +67,11 @@ resource "google_container_cluster" "cluster" {
|
|||
horizontal_pod_autoscaling {
|
||||
disabled = !var.addons.horizontal_pod_autoscaling
|
||||
}
|
||||
network_policy_config {
|
||||
disabled = !var.addons.network_policy_config
|
||||
dynamic "network_policy_config" {
|
||||
for_each = !var.enable_autopilot ? [""] : []
|
||||
content {
|
||||
disabled = !var.addons.network_policy_config
|
||||
}
|
||||
}
|
||||
cloudrun_config {
|
||||
disabled = !var.addons.cloudrun_config
|
||||
|
|
@ -125,7 +129,7 @@ resource "google_container_cluster" "cluster" {
|
|||
dynamic "network_policy" {
|
||||
for_each = var.addons.network_policy_config ? [""] : []
|
||||
content {
|
||||
enabled = var.enable_dataplane_v2 ? false : true
|
||||
enabled = var.enable_dataplane_v2 ? false : true
|
||||
provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
|
||||
}
|
||||
}
|
||||
|
|
@ -217,7 +221,7 @@ resource "google_container_cluster" "cluster" {
|
|||
}
|
||||
|
||||
dynamic "workload_identity_config" {
|
||||
for_each = var.workload_identity ? [""] : []
|
||||
for_each = var.workload_identity && !var.enable_autopilot ? [""] : []
|
||||
content {
|
||||
identity_namespace = "${var.project_id}.svc.id.goog"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,9 +25,7 @@ variable "addons" {
|
|||
enabled = bool
|
||||
tls = bool
|
||||
})
|
||||
|
||||
network_policy_config = bool
|
||||
|
||||
network_policy_config = bool
|
||||
gce_persistent_disk_csi_driver_config = bool
|
||||
})
|
||||
default = {
|
||||
|
|
@ -39,15 +37,15 @@ variable "addons" {
|
|||
enabled = false
|
||||
tls = false
|
||||
}
|
||||
network_policy_config = false
|
||||
network_policy_config = false
|
||||
gce_persistent_disk_csi_driver_config = false
|
||||
}
|
||||
}
|
||||
|
||||
variable "enable_dataplane_v2" {
|
||||
description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
|
||||
type = bool
|
||||
default = false
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "authenticator_security_group" {
|
||||
|
|
@ -257,3 +255,10 @@ variable "workload_identity" {
|
|||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "enable_autopilot" {
|
||||
description = "Create cluster in autopilot mode. With autopilot there's no need to create node-pools and some features are not supported (e.g. setting default_max_pods_per_node)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue