# GKE cluster Standard module

This module allows simplified creation and management of GKE Standard clusters and should be used together with the GKE nodepool module, as the default nodepool is turned off here and cannot be re-enabled. Some sensible defaults are set initially, in order to allow less verbose usage for most use cases.

## Example

### GKE Cluster

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = "myproject"
  name       = "cluster-1"
  location   = "europe-west1-b"
  vpc_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
    secondary_range_names = {
      pods     = "pods"
      services = "services"
    }
    master_authorized_ranges = {
      internal-vms = "10.0.0.0/8"
    }
    master_ipv4_cidr_block = "192.168.0.0/28"
  }
  max_pods_per_node = 32
  private_cluster_config = {
    enable_private_endpoint = true
    master_global_access    = false
  }
  labels = {
    environment = "dev"
  }
}
# tftest modules=1 resources=1 inventory=basic.yaml
```

### GKE Cluster with Dataplane V2 enabled

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = "myproject"
  name       = "cluster-dataplane-v2"
  location   = "europe-west1-b"
  vpc_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
    secondary_range_names = {
      pods     = "pods"
      services = "services"
    }
    master_authorized_ranges = {
      internal-vms = "10.0.0.0/8"
    }
    master_ipv4_cidr_block = "192.168.0.0/28"
  }
  private_cluster_config = {
    enable_private_endpoint = true
    master_global_access    = false
  }
  enable_features = {
    dataplane_v2      = true
    workload_identity = true
  }
  labels = {
    environment = "dev"
  }
}
# tftest modules=1 resources=1 inventory=dataplane-v2.yaml
```

### Managing GKE logs

This example shows you how to [control which logs are sent from your GKE cluster to Cloud Logging](https://cloud.google.com/stackdriver/docs/solutions/gke/installing).

When you create a new GKE cluster, [Cloud Operations for GKE](https://cloud.google.com/stackdriver/docs/solutions/gke) integration with Cloud Logging is enabled by default and [System logs](https://cloud.google.com/stackdriver/docs/solutions/gke/managing-logs#what_logs) are collected. You can enable collection of several other [types of logs](https://cloud.google.com/stackdriver/docs/solutions/gke/managing-logs#what_logs). The following example enables collection of *all* optional logs.

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = "myproject"
  name       = "cluster-1"
  location   = "europe-west1-b"
  vpc_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  logging_config = {
    enable_workloads_logs          = true
    enable_api_server_logs         = true
    enable_scheduler_logs          = true
    enable_controller_manager_logs = true
  }
}
# tftest modules=1 resources=1 inventory=logging-config-enable-all.yaml
```

### Disable GKE logs collection

This example shows how to fully disable logs collection on a GKE Standard cluster. This is not recommended.

> **Warning**
> If you've disabled Cloud Logging or Cloud Monitoring, GKE customer support
> is offered on a best-effort basis and might require additional effort
> from your engineering team.

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = "myproject"
  name       = "cluster-1"
  location   = "europe-west1-b"
  vpc_config = {
    network    = var.vpc.self_link
    subnetwork = var.subnet.self_link
  }
  logging_config = {
    enable_system_logs = false
  }
}
# tftest modules=1 resources=1 inventory=logging-config-disable-all.yaml
```

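The two logging examples above set `logging_config` in Terraform, but the state that matters for detection and support is what the cluster actually reports. The following added script (not part of this module or of Cloud Foundation Fabric) maps the module's `logging_config` booleans to the component names GKE returns in `loggingConfig.componentConfig.enableComponents`, then audits the JSON shape produced by `gcloud container clusters list --format=json` and flags clusters where collection has drifted from the intended configuration or has been switched off entirely, the case the warning describes. The flag-to-component mapping, the severity grading, and the sample cluster records are assumptions made for this example.

```python
"""Audit GKE cluster logging against the module's intended logging_config.

Added example, not code from the gke-cluster-standard module. It reads the
JSON shape of `gcloud container clusters list --format=json` and reports
clusters whose log collection was reduced or disabled.
"""
import json

# Assumed mapping from the module's logging_config booleans to the GKE
# logging component names exposed in loggingConfig.componentConfig.enableComponents.
COMPONENT_FOR_FLAG = {
    "enable_system_logs": "SYSTEM_COMPONENTS",
    "enable_workloads_logs": "WORKLOADS",
    "enable_api_server_logs": "APISERVER",
    "enable_scheduler_logs": "SCHEDULER",
    "enable_controller_manager_logs": "CONTROLLER_MANAGER",
}

# Defaults of the module's logging_config variable (see the variables table):
# only system logs are collected unless explicitly enabled.
LOGGING_DEFAULTS = {flag: False for flag in COMPONENT_FOR_FLAG}
LOGGING_DEFAULTS["enable_system_logs"] = True


def expected_components(logging_config):
    """Components a cluster should report for a given module logging_config."""
    cfg = {**LOGGING_DEFAULTS, **logging_config}
    return sorted(name for flag, name in COMPONENT_FOR_FLAG.items() if cfg[flag])


def enabled_components(cluster):
    """Components actually enabled, read from one cluster's describe/list JSON."""
    log_cfg = cluster.get("loggingConfig") or {}
    component_cfg = log_cfg.get("componentConfig") or {}
    return sorted(component_cfg.get("enableComponents") or [])


def audit_cluster(cluster, logging_config=None):
    """Compare live state with the intended module config and grade it."""
    actual = enabled_components(cluster)
    expected = expected_components(logging_config or {})
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    if not actual:
        # Fully disabled: the 'not recommended' state from the README warning,
        # flagged high even when the Terraform config asked for it.
        severity = "high"
    elif "SYSTEM_COMPONENTS" not in actual or missing:
        severity = "medium"  # drift: something intended is not being collected
    else:
        severity = "ok"
    return {
        "name": cluster.get("name", "?"),
        "severity": severity,
        "enabled": actual,
        "missing": missing,
        "unexpected": unexpected,
    }


# Constructed sample records, trimmed to the fields this audit needs.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "cluster-all-logs",
   "loggingConfig": {"componentConfig": {"enableComponents":
     ["SYSTEM_COMPONENTS", "WORKLOADS", "APISERVER", "SCHEDULER", "CONTROLLER_MANAGER"]}}},
  {"name": "cluster-defaults",
   "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}}},
  {"name": "cluster-drifted",
   "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}}},
  {"name": "cluster-no-logs",
   "loggingConfig": {"componentConfig": {}}}
]
""")

# Intended logging_config per cluster, mirroring the README examples above.
INTENDED = {
    "cluster-all-logs": {
        "enable_workloads_logs": True,
        "enable_api_server_logs": True,
        "enable_scheduler_logs": True,
        "enable_controller_manager_logs": True,
    },
    "cluster-defaults": {},
    "cluster-drifted": {"enable_api_server_logs": True},
    "cluster-no-logs": {"enable_system_logs": False},
}


def audit_all(clusters=SAMPLE_CLUSTERS, intended=INTENDED):
    """Audit every cluster record against its intended configuration."""
    return [audit_cluster(c, intended.get(c.get("name"), {})) for c in clusters]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['name']:<18} {f['severity']:<6} enabled={f['enabled']} "
              f"missing={f['missing']} unexpected={f['unexpected']}")
```

To run it against real clusters, replace `SAMPLE_CLUSTERS` with the parsed output of `gcloud container clusters list --format=json` and `INTENDED` with the `logging_config` values from your Terraform. A cluster with an empty `enableComponents` list is graded high regardless of intent, so a deliberate "disable all" configuration still surfaces in the report rather than being silently accepted.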
### Cloud DNS

This example shows how to [use Cloud DNS as a Kubernetes DNS provider](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns) for GKE Standard clusters.

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = var.project_id
  name       = "cluster-1"
  location   = "europe-west1-b"
  vpc_config = {
    network               = var.vpc.self_link
    subnetwork            = var.subnet.self_link
    secondary_range_names = { pods = "pods", services = "services" }
  }
  enable_features = {
    dns = {
      provider = "CLOUD_DNS"
      scope    = "CLUSTER_SCOPE"
      domain   = "gke.local"
    }
  }
}
# tftest modules=1 resources=1 inventory=dns.yaml
```

### Backup for GKE

This example shows how to [enable the Backup for GKE agent and configure a Backup Plan](https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/concepts/backup-for-gke) for GKE Standard clusters.

```hcl
module "cluster-1" {
  source     = "./fabric/modules/gke-cluster-standard"
  project_id = var.project_id
  name       = "cluster-1"
  location   = "europe-west1-b"
  vpc_config = {
    network               = var.vpc.self_link
    subnetwork            = var.subnet.self_link
    secondary_range_names = { pods = "pods", services = "services" }
  }
  backup_configs = {
    enable_backup_agent = true
    backup_plans = {
      "backup-1" = {
        # region must be a valid Google Cloud region id
        region   = "europe-west2"
        schedule = "0 9 * * 1"
      }
    }
  }
}
# tftest modules=1 resources=2 inventory=backup.yaml
```

<!-- BEGIN TFDOC -->
## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [location](variables.tf#L138) | Cluster zone or region. | <code>string</code> | ✓ | |
| [name](variables.tf#L210) | Cluster name. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L236) | Cluster project id. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L253) | VPC-level configuration. | <code title="object({ network = string subnetwork = string master_ipv4_cidr_block = optional(string) secondary_range_blocks = optional(object({ pods = string services = string })) secondary_range_names = optional(object({ pods = string services = string }), { pods = "pods", services = "services" }) master_authorized_ranges = optional(map(string)) stack_type = optional(string) })">object({…})</code> | ✓ | |
| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object({ enable_backup_agent = optional(bool, false) backup_plans = optional(map(object({ encryption_key = optional(string) include_secrets = optional(bool, true) include_volume_data = optional(bool, true) namespaces = optional(list(string)) region = string schedule = string retention_policy_days = optional(string) retention_policy_lock = optional(bool, false) retention_policy_delete_lock_days = optional(string) })), {}) })">object({…})</code> | | <code>{}</code> |
| [cluster_autoscaling](variables.tf#L37) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object({ auto_provisioning_defaults = optional(object({ boot_disk_kms_key = optional(string) image_type = optional(string) oauth_scopes = optional(list(string)) service_account = optional(string) })) cpu_limits = optional(object({ min = number max = number })) mem_limits = optional(object({ min = number max = number })) })">object({…})</code> | | <code>null</code> |
| [description](variables.tf#L58) | Cluster description. | <code>string</code> | | <code>null</code> |
| [enable_addons](variables.tf#L64) | Addons enabled in the cluster (true means enabled). | <code title="object({ cloudrun = optional(bool, false) config_connector = optional(bool, false) dns_cache = optional(bool, false) gce_persistent_disk_csi_driver = optional(bool, false) gcp_filestore_csi_driver = optional(bool, false) horizontal_pod_autoscaling = optional(bool, false) http_load_balancing = optional(bool, false) istio = optional(object({ enable_tls = bool })) kalm = optional(bool, false) network_policy = optional(bool, false) })">object({…})</code> | | <code title="{ horizontal_pod_autoscaling = true http_load_balancing = true }">{…}</code> |
| [enable_features](variables.tf#L87) | Enable cluster-level features. Certain features allow configuration. | <code title="object({ binary_authorization = optional(bool, false) cost_management = optional(bool, false) dns = optional(object({ provider = optional(string) scope = optional(string) domain = optional(string) })) database_encryption = optional(object({ state = string key_name = string })) dataplane_v2 = optional(bool, false) gateway_api = optional(bool, false) groups_for_rbac = optional(string) intranode_visibility = optional(bool, false) l4_ilb_subsetting = optional(bool, false) mesh_certificates = optional(bool) pod_security_policy = optional(bool, false) resource_usage_export = optional(object({ dataset = string enable_network_egress_metering = optional(bool) enable_resource_consumption_metering = optional(bool) })) shielded_nodes = optional(bool, false) tpu = optional(bool, false) upgrade_notifications = optional(object({ topic_id = optional(string) })) vertical_pod_autoscaling = optional(bool, false) workload_identity = optional(bool, true) })">object({…})</code> | | <code title="{ workload_identity = true }">{…}</code> |
| [issue_client_certificate](variables.tf#L126) | Enable issuing client certificate. | <code>bool</code> | | <code>false</code> |
| [labels](variables.tf#L132) | Cluster resource labels. | <code>map(string)</code> | | <code>null</code> |
| [logging_config](variables.tf#L143) | Logging configuration. | <code title="object({ enable_system_logs = optional(bool, true) enable_workloads_logs = optional(bool, false) enable_api_server_logs = optional(bool, false) enable_scheduler_logs = optional(bool, false) enable_controller_manager_logs = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
| [maintenance_config](variables.tf#L164) | Maintenance window configuration. | <code title="object({ daily_window_start_time = optional(string) recurring_window = optional(object({ start_time = string end_time = string recurrence = string })) maintenance_exclusions = optional(list(object({ name = string start_time = string end_time = string scope = optional(string) }))) })">object({…})</code> | | <code title="{ daily_window_start_time = "03:00" recurring_window = null maintenance_exclusion = [] }">{…}</code> |
| [max_pods_per_node](variables.tf#L187) | Maximum number of pods per node in this cluster. | <code>number</code> | | <code>110</code> |
| [min_master_version](variables.tf#L193) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> | | <code>null</code> |
| [monitoring_config](variables.tf#L199) | Monitoring components. | <code title="object({ enable_components = optional(list(string)) managed_prometheus = optional(bool) })">object({…})</code> | | <code title="{ enable_components = ["SYSTEM_COMPONENTS"] }">{…}</code> |
| [node_locations](variables.tf#L215) | Zones in which the cluster's nodes are located. | <code>list(string)</code> | | <code>[]</code> |
| [private_cluster_config](variables.tf#L222) | Private cluster configuration. | <code title="object({ enable_private_endpoint = optional(bool) master_global_access = optional(bool) peering_config = optional(object({ export_routes = optional(bool) import_routes = optional(bool) project_id = optional(string) })) })">object({…})</code> | | <code>null</code> |
| [release_channel](variables.tf#L241) | Release channel for GKE upgrades. | <code>string</code> | | <code>null</code> |
| [tags](variables.tf#L247) | Network tags applied to nodes. | <code>list(string)</code> | | <code>null</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [ca_certificate](outputs.tf#L17) | Public certificate of the cluster (base64-encoded). | ✓ |
| [cluster](outputs.tf#L23) | Cluster resource. | ✓ |
| [endpoint](outputs.tf#L29) | Cluster endpoint. | |
| [id](outputs.tf#L34) | Fully qualified cluster id. | |
| [location](outputs.tf#L39) | Cluster location. | |
| [master_version](outputs.tf#L44) | Master version. | |
| [name](outputs.tf#L49) | Cluster name. | |
| [notifications](outputs.tf#L54) | GKE PubSub notifications topic. | |
| [self_link](outputs.tf#L59) | Cluster self link. | ✓ |
| [workload_identity_pool](outputs.tf#L65) | Workload identity pool. | |

<!-- END TFDOC -->