22 KiB
GKE Multitenant
This stage allows creation and management of a fleet of GKE multitenant clusters, optionally leveraging GKE Hub to configure additional features. It's designed to be replicated once for every homogeneous set of clusters, either per environment or with more granularity as needed (e.g. teams or sets of teams sharing similar requirements).
The following diagram illustrates the high-level design of created resources, which can be adapted to specific requirements via variables:
Design overview and choices
The detailed architecture of the underlying resources is explained in the documentation of the GKE multitenant blueprint.
This stage creates a project containing as many clusters and node pools as requested by the user, configured via the variables explained below. The GKE clusters are created with the following setup:
- Even though public clusters are supported, this stage is designed with private clusters in mind so it only supports VPC-native clusters.
- Logging and monitoring configured to use Cloud Operations for system components and user workloads.
- GKE metering enabled by default and stored in a bigquery dataset created within the project.
- Optional GKE Fleet support with the possibility to enable any of the following features:
- Support for Config Sync, Hierarchy Controller, and Policy Controller when using Anthos Config Management.
- Groups for GKE can be enabled to facilitate the creation of flexible RBAC policies referencing group principals.
- Support for application layer secret encryption.
- Support to customize peering configuration of the control plane VPC (e.g. to import/export routes to the peered network)
- Some features are enabled by default in all clusters:
How to run this stage
This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages.
It's of course possible to run this stage in isolation, refer to the Running in isolation section below for details.
Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration.
Provider and Terraform variables
As all other FAST stages, the mechanism used to pass variable values and pre-built provider files from one stage to the next is also leveraged here.
The commands to link or copy the provider and terraform variable files can be easily derived from the stage-links.sh
script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run.
../../../stage-links.sh ~/fast-config
# copy and paste the following commands for '3-gke-multitenant'
ln -s /home/ludomagno/fast-config/providers/3-gke-multitenant-providers.tf ./
ln -s /home/ludomagno/fast-config/tfvars/0-globals.auto.tfvars.json ./
ln -s /home/ludomagno/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./
ln -s /home/ludomagno/fast-config/tfvars/1-resman.auto.tfvars.json ./
ln -s /home/ludomagno/fast-config/tfvars/2-networking.auto.tfvars.json ./
ln -s /home/ludomagno/fast-config/tfvars/2-security.auto.tfvars.json ./
../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0
# copy and paste the following commands for '3-gke-multitenant'
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gke-multitenant-providers.tf ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./
gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-security.auto.tfvars.json ./
Impersonating the automation service account
The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The gcp-devops
and organization-admins
groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups.
Variable configuration
Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets:
- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the
0-globals.auto.tfvars.json
file linked or copied above - variables which refer to resources managed by previous stage, which are prepopulated here via the
*.auto.tfvars.json
files linked or copied above - and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom
terraform.tfvars
file
The latter set is explained in the Customization sections below, and the full list can be found in the Variables table at the bottom of this document.
Running the stage
Once provider and variable values are in place and the correct user is configured, the stage can be run:
terraform init
terraform apply
Running in isolation
It's of course possible to run this stage in isolation, by making sure the architectural prerequisites are satisfied (e.g., networking), and that the Service Account running the stage is granted the roles/permissions below:
- on the organization or network folder level
roles/xpnAdmin
or a custom role which includes the following permissionscompute.organizations.enableXpnResource
,compute.organizations.disableXpnResource
,compute.subnetworks.setIamPolicy
,
- on each folder where projects are created
roles/logging.admin
roles/owner
roles/resourcemanager.folderAdmin
roles/resourcemanager.projectCreator
roles/xpnAdmin
- on the host project for the Shared VPC
roles/browser
roles/compute.viewer
- on the organization or billing account
roles/billing.admin
The VPC host project, VPC and subnets should already exist.
Customizations
This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables allow management of clusters, nodepools, and fleet registration and configurations.
Clusters and node pools
This is an example of declaring a private cluster with one nodepool via tfvars
file:
clusters = {
test-00 = {
description = "Cluster test 0"
location = "europe-west8"
private_cluster_config = {
enable_private_endpoint = true
master_global_access = true
}
vpc_config = {
subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke"
master_ipv4_cidr_block = "172.16.20.0/28"
master_authorized_ranges = {
private = "10.0.0.0/8"
}
}
}
}
nodepools = {
test-00 = {
00 = {
node_count = { initial = 1 }
}
}
}
# tftest skip
If clusters share similar configurations, those can be centralized via locals
blocks in this stage's main.tf
file, and merged in with clusters via a simple for_each
loop. One example of this approach is provided in the underlying GKE multitenant blueprint.
Fleet management
Fleet management is entirely optional, and uses three separate variables:
fleet_features
: specifies the GKE fleet features you want activatefleet_configmanagement_templates
: defines configuration templates for specific sets of features (Config Management currently)fleet_configmanagement_clusters
: specifies which clusters are managed by fleet features, and the optional Config Management template for each clusterfleet_workload_identity
: to enables optional centralized Workload Identity
Leave all these variables unset (or set to null
) to disable fleet management. One example of a simple fleet configuration that integrates with the cluster example above:
fleet_features = {
configmanagement = true
identityservice = true
multiclusteringress = "test-0"
multiclusterservicediscovery = true
servicemesh = true
}
# tftest skip
Files
name | description | modules | resources |
---|---|---|---|
main.tf | GKE multitenant for development environment. | multitenant-fleet |
|
outputs.tf | Output variables. | google_storage_bucket_object · local_file |
|
variables-fast.tf | None | ||
variables.tf | Module variables. |
Variables
name | description | type | required | default | producer |
---|---|---|---|---|---|
automation | Automation resources created by the bootstrap stage. | object({…}) |
✓ | 0-bootstrap |
|
billing_account | Billing account id. If billing account is not part of the same org set is_org_level to false. |
object({…}) |
✓ | 0-bootstrap |
|
folder_ids | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) |
✓ | 1-resman |
|
host_project_ids | Host project for the shared VPC. | object({…}) |
✓ | 2-networking |
|
prefix | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string |
✓ | 0-bootstrap |
|
vpc_self_links | Self link for the shared VPC. | object({…}) |
✓ | 2-networking |
|
clusters | Clusters configuration. Refer to the gke-cluster-standard module for type details. | map(object({…})) |
{} |
||
fleet_configmanagement_clusters | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) |
{} |
||
fleet_configmanagement_templates | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) |
{} |
||
fleet_features | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) |
null |
||
fleet_workload_identity | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool |
false |
||
iam | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
||
iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. |
map(list(string)) |
{} |
||
labels | Project-level labels. | map(string) |
{} |
||
nodepools | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) |
{} |
||
outputs_location | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string |
null |
||
project_services | Additional project services to enable. | list(string) |
[] |
Outputs
name | description | sensitive | consumers |
---|---|---|---|
cluster_ids | Cluster ids. | ||
clusters | Cluster resources. | ✓ | |
project_id | GKE project id. |