Add peering route configuration support for private clusters (#60)
* add peering routes and node DNS cache support to GKE modules * fix peering config count * catch and fix vpc self link in peering resource
parent
724950fe2a
commit
587f6113b2
|
@ -14,6 +14,16 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
# The Google provider is unable to validate certain configurations of
|
||||||
|
# private_cluster_config when enable_private_nodes is false (provider docs)
|
||||||
|
is_private = try(var.private_cluster_config.enable_private_nodes, false)
|
||||||
|
peering = try(
|
||||||
|
google_container_cluster.cluster.private_cluster_config.0.peering_name,
|
||||||
|
null
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
resource "google_container_cluster" "cluster" {
|
resource "google_container_cluster" "cluster" {
|
||||||
provider = google-beta
|
provider = google-beta
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
|
@ -36,8 +46,12 @@ resource "google_container_cluster" "cluster" {
|
||||||
remove_default_node_pool = true
|
remove_default_node_pool = true
|
||||||
|
|
||||||
# node_config
|
# node_config
|
||||||
|
# TODO(ludomagno): compute addons map in locals and use a single dynamic block
|
||||||
|
|
||||||
addons_config {
|
addons_config {
|
||||||
|
dns_cache_config {
|
||||||
|
enabled = var.addons.dns_cache_config
|
||||||
|
}
|
||||||
http_load_balancing {
|
http_load_balancing {
|
||||||
disabled = ! var.addons.http_load_balancing
|
disabled = ! var.addons.http_load_balancing
|
||||||
}
|
}
|
||||||
|
@ -106,7 +120,7 @@ resource "google_container_cluster" "cluster" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic private_cluster_config {
|
dynamic private_cluster_config {
|
||||||
for_each = var.private_cluster_config != null ? [var.private_cluster_config] : []
|
for_each = local.is_private ? [var.private_cluster_config] : []
|
||||||
iterator = config
|
iterator = config
|
||||||
content {
|
content {
|
||||||
enable_private_nodes = config.value.enable_private_nodes
|
enable_private_nodes = config.value.enable_private_nodes
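Review bot: Gating the dynamic block on `local.is_private` means a `private_cluster_config` whose `enable_private_nodes` is false is now dropped silently instead of being rejected, so anything else set in it (for example `enable_private_endpoint`) never reaches the cluster while the plan still looks accepted. The updated variable description only states that private nodes must be true; a plan-time check would be safer, e.g. a `validation` block on `private_cluster_config` with `condition = var.private_cluster_config == null || try(var.private_cluster_config.enable_private_nodes, false)` and an error message saying enable_private_nodes must be true when the block is set, provided the module's required Terraform version supports variable validation. The dynamic block's content continues past the end of the hunk.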
|
||||||
|
@ -195,3 +209,12 @@ resource "google_container_cluster" "cluster" {
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_network_peering_routes_config" "gke_master" {
|
||||||
|
count = local.is_private && var.peering_config != null ? 1 : 0
|
||||||
|
project = var.project_id
|
||||||
|
peering = local.peering
|
||||||
|
network = element(reverse(split("/", var.network)), 0)
|
||||||
|
import_custom_routes = var.peering_config.import_routes
|
||||||
|
export_custom_routes = var.peering_config.export_routes
|
||||||
|
}
|
||||||
|
|
|
@ -17,24 +17,26 @@
|
||||||
variable "addons" {
|
variable "addons" {
|
||||||
description = "Addons enabled in the cluster (true means enabled)."
|
description = "Addons enabled in the cluster (true means enabled)."
|
||||||
type = object({
|
type = object({
|
||||||
|
cloudrun_config = bool
|
||||||
|
dns_cache_config = bool
|
||||||
horizontal_pod_autoscaling = bool
|
horizontal_pod_autoscaling = bool
|
||||||
http_load_balancing = bool
|
http_load_balancing = bool
|
||||||
network_policy_config = bool
|
|
||||||
cloudrun_config = bool
|
|
||||||
istio_config = object({
|
istio_config = object({
|
||||||
enabled = bool
|
enabled = bool
|
||||||
tls = bool
|
tls = bool
|
||||||
})
|
})
|
||||||
|
network_policy_config = bool
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
|
cloudrun_config = false
|
||||||
|
dns_cache_config = false
|
||||||
horizontal_pod_autoscaling = true
|
horizontal_pod_autoscaling = true
|
||||||
http_load_balancing = true
|
http_load_balancing = true
|
||||||
network_policy_config = false
|
|
||||||
cloudrun_config = false
|
|
||||||
istio_config = {
|
istio_config = {
|
||||||
enabled = false
|
enabled = false
|
||||||
tls = false
|
tls = false
|
||||||
}
|
}
|
||||||
|
network_policy_config = false
|
||||||
}
|
}
|
||||||
}
|
}
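Review bot: Adding `dns_cache_config = bool` to the `addons` object type makes it a required attribute, so any caller that overrides `addons` with its own object and does not include `dns_cache_config` will fail type checking on its next plan; the new `default` only helps callers that leave `addons` unset. If that break is intended it should be called out in the module documentation; otherwise the attribute would have to be optional, which this object type cannot express unless the module's Terraform version supports `optional()` attributes. Moving `cloudrun_config` and `network_policy_config` into alphabetical order is fine but widens the diff without changing behavior.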
|
||||||
|
|
||||||
|
@ -169,6 +171,15 @@ variable "node_locations" {
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "peering_config" {
|
||||||
|
description = "Configure peering with the master VPC for private clusters."
|
||||||
|
type = object({
|
||||||
|
export_routes = bool
|
||||||
|
import_routes = bool
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "pod_security_policy" {
|
variable "pod_security_policy" {
|
||||||
description = "Enable the PodSecurityPolicy feature."
|
description = "Enable the PodSecurityPolicy feature."
|
||||||
type = bool
|
type = bool
|
||||||
|
@ -176,7 +187,7 @@ variable "pod_security_policy" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "private_cluster_config" {
|
variable "private_cluster_config" {
|
||||||
description = "Enable and configure private cluster."
|
description = "Enable and configure private cluster, private nodes must be true if used."
|
||||||
type = object({
|
type = object({
|
||||||
enable_private_nodes = bool
|
enable_private_nodes = bool
|
||||||
enable_private_endpoint = bool
|
enable_private_endpoint = bool
|
||||||
|
|