Add peering route configuration support for private clusters (#60)

* add peering routes and node DNS cache support to GKE modules * fix peering config count * catch and fix vpc self link in peering resource
2020-04-23 09:54:04 +02:00 · 2020-04-23 09:54:04 +02:00 · 587f6113b2
parent 724950fe2a
commit 587f6113b2
2 changed files with 40 additions and 6 deletions
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@ -14,6 +14,16 @@
 * limitations under the License.
 */

+locals {
+  # The Google provider is unable to validate certain configurations of
+  # private_cluster_config when enable_private_nodes is false (provider docs)
+  is_private = try(var.private_cluster_config.enable_private_nodes, false)
+  peering = try(
+    google_container_cluster.cluster.private_cluster_config.0.peering_name,
+    null
+  )
+}
+
 resource "google_container_cluster" "cluster" {
  provider                    = google-beta
  project                     = var.project_id
@ -36,8 +46,12 @@ resource "google_container_cluster" "cluster" {
  remove_default_node_pool    = true

  # node_config
+  # TODO(ludomagno): compute addons map in locals and use a single dynamic block

  addons_config {
+    dns_cache_config {
+      enabled = var.addons.dns_cache_config
+    }
    http_load_balancing {
      disabled = ! var.addons.http_load_balancing
    }
@ -106,7 +120,7 @@ resource "google_container_cluster" "cluster" {
  }

  dynamic private_cluster_config {
-    for_each = var.private_cluster_config != null ? [var.private_cluster_config] : []
+    for_each = local.is_private ? [var.private_cluster_config] : []
    iterator = config
    content {
      enable_private_nodes    = config.value.enable_private_nodes
@ -195,3 +209,12 @@ resource "google_container_cluster" "cluster" {
  }

 }
+
+resource "google_compute_network_peering_routes_config" "gke_master" {
+  count                = local.is_private && var.peering_config != null ? 1 : 0
+  project              = var.project_id
+  peering              = local.peering
+  network              = element(reverse(split("/", var.network)), 0)
+  import_custom_routes = var.peering_config.import_routes
+  export_custom_routes = var.peering_config.export_routes
+}
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@ -17,24 +17,26 @@
 variable "addons" {
  description = "Addons enabled in the cluster (true means enabled)."
  type = object({
+    cloudrun_config            = bool
+    dns_cache_config           = bool
    horizontal_pod_autoscaling = bool
    http_load_balancing        = bool
-    network_policy_config      = bool
-    cloudrun_config            = bool
    istio_config = object({
      enabled = bool
      tls     = bool
    })
+    network_policy_config = bool
  })
  default = {
+    cloudrun_config            = false
+    dns_cache_config           = false
    horizontal_pod_autoscaling = true
    http_load_balancing        = true
-    network_policy_config      = false
-    cloudrun_config            = false
    istio_config = {
      enabled = false
      tls     = false
    }
+    network_policy_config = false
  }
 }

@ -169,6 +171,15 @@ variable "node_locations" {
  default     = []
 }

+variable "peering_config" {
+  description = "Configure peering with the master VPC for private clusters."
+  type = object({
+    export_routes = bool
+    import_routes = bool
+  })
+  default = null
+}
+
 variable "pod_security_policy" {
  description = "Enable the PodSecurityPolicy feature."
  type        = bool
@ -176,7 +187,7 @@ variable "pod_security_policy" {
 }

 variable "private_cluster_config" {
-  description = "Enable and configure private cluster."
+  description = "Enable and configure private cluster, private nodes must be true if used."
  type = object({
    enable_private_nodes    = bool
    enable_private_endpoint = bool