feat: support database encryption and google group rbac for autopilot (
…#1265)

* feat: database encryption and google rbac for autopilot

* chore: cleanup ordering

* chore: cleanup ordering vars

* chore: more cleanup
jmymy authored May 24, 2022
1 parent 4b7eeb3 commit 066149d
Showing 15 changed files with 68 additions and 2 deletions.
5 changes: 3 additions & 2 deletions autogen/main/cluster.tf.tmpl
Expand Up @@ -382,6 +382,7 @@ resource "google_container_cluster" "primary" {

{% if autopilot_cluster != true %}
remove_default_node_pool = var.remove_default_node_pool
{% endif %}

dynamic "database_encryption" {
for_each = var.database_encryption
Expand All @@ -392,6 +393,7 @@ resource "google_container_cluster" "primary" {
}
}

{% if autopilot_cluster != true %}
dynamic "workload_identity_config" {
for_each = local.cluster_workload_identity_config

Expand All @@ -401,14 +403,13 @@ resource "google_container_cluster" "primary" {
}
{% endif %}

{% if autopilot_cluster != true %}
dynamic "authenticator_groups_config" {
for_each = local.cluster_authenticator_security_group
content {
security_group = authenticator_groups_config.value.security_group
}
}
{% endif %}

{% if beta_cluster %}
notification_config {
pubsub {
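Review bot: The Autopilot guards in this template (the new `{% endif %}` after `remove_default_node_pool`, the new `{% if autopilot_cluster != true %}` in front of `workload_identity_config`, and the removed pair around `authenticator_groups_config`) encode a decision about which settings Autopilot supports, but nothing in the template says why, and the template is the only place a maintainer will look before the next regeneration. A one-line Jinja comment above the first guard would record the intent, e.g. `{# Autopilot has no user-managed default node pool and manages Workload Identity itself; database_encryption and authenticator_groups_config are supported there and are emitted unconditionally #}`. I am inferring the reason for excluding `workload_identity_config` from the guard itself rather than from anything in the diff, so reword it if the real motivation is a provider-side rejection. The `google_container_cluster` resource starts and ends outside these hunks.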
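--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -540,6 +540,7 @@ variable "default_max_pods_per_node" {
 default = 110
 }
 
+{% endif %}
 variable "database_encryption" {
 description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
 type = list(object({ state = string, key_name = string }))
@@ -550,6 +551,7 @@ variable "database_encryption" {
 }]
 }
 
+{% if autopilot_cluster != true %}
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"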
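--- a/cluster.tf
+++ b/cluster.tf
@@ -222,6 +222,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 }
 /******************************************
 Create Container Cluster node pools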
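--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -77,6 +77,7 @@ Then perform the following commands on the root folder:
 | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |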
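--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -168,6 +168,23 @@ resource "google_container_cluster" "primary" {
 }
 
 
+dynamic "database_encryption" {
+for_each = var.database_encryption
+
+content {
+key_name = database_encryption.value.key_name
+state = database_encryption.value.state
+}
+}
+
+
+dynamic "authenticator_groups_config" {
+for_each = local.cluster_authenticator_security_group
+content {
+security_group = authenticator_groups_config.value.security_group
+}
+}
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false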
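Review bot: `local.cluster_authenticator_security_group` is consumed by the new `authenticator_groups_config` block, but nothing in this commit adds that local or an `authenticator_security_group` input to the Autopilot module (no `main.tf` is in the file list and this module's `variables.tf` hunk only adds `database_encryption`); if the local was not already emitted into the generated Autopilot `main.tf`, `terraform plan` fails on an undeclared local, so that is worth confirming before merge. Separately, GKE's Google Groups for RBAC only works when the group referenced here is the domain's `gke-security-groups@<domain>` group, which callers routinely get wrong; a comment above the block such as `# security_group must be the Workspace group gke-security-groups@<your-domain>; GKE resolves RBAC group membership through it` would prevent a failed apply. The naming requirement is from the GKE documentation as I recall it, not from anything visible in this diff. The enclosing `google_container_cluster` resource starts and ends outside this hunk.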
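--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -372,3 +372,13 @@ variable "enable_tpu" {
 description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
 default = false
 }
+variable "database_encryption" {
+description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+type = list(object({ state = string, key_name = string }))
+
+default = [{
+state = "DECRYPTED"
+key_name = ""
+}]
+}
+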
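Review bot: Nothing rejects `state = "ENCRYPTED"` combined with the default empty `key_name`, or a `state` outside the two values the description lists, so a misconfigured caller only learns of it at apply time from the GKE API, and on an Autopilot module this variable is now the first thing a security-conscious user reaches for to get CMEK on etcd secrets. A `validation` block on the variable catches both at plan time; it belongs in `autogen/main/variables.tf.tmpl` because this file is generated, and it assumes the module's Terraform floor permits `validation` and `alltrue`, which I cannot see from here. The `DECRYPTED` default matches the Standard modules, but the description would benefit from one sentence saying that with it Kubernetes secrets rely only on Google-managed etcd encryption, and that `ENCRYPTED` requires the GKE service agent to hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key.
```hcl
variable "database_encryption" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for e in var.database_encryption :
      contains(["ENCRYPTED", "DECRYPTED"], e.state) && (e.state != "ENCRYPTED" || (e.key_name != null && e.key_name != ""))
    ])
    error_message = "database_encryption.state must be ENCRYPTED or DECRYPTED, and key_name is required when state is ENCRYPTED."
  }
}
```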
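--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -71,6 +71,7 @@ Then perform the following commands on the root folder:
 | cluster\_telemetry\_type | Available options include ENABLED, DISABLED, and SYSTEM\_ONLY | `string` | `null` | no |
 | configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | `bool` | `false` | no |
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
+| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | <pre>[<br> {<br> "key_name": "",<br> "state": "DECRYPTED"<br> }<br>]</pre> | no |
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |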
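--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -149,6 +149,23 @@ resource "google_container_cluster" "primary" {
 
 
 
+dynamic "database_encryption" {
+for_each = var.database_encryption
+
+content {
+key_name = database_encryption.value.key_name
+state = database_encryption.value.state
+}
+}
+
+
+dynamic "authenticator_groups_config" {
+for_each = local.cluster_authenticator_security_group
+content {
+security_group = authenticator_groups_config.value.security_group
+}
+}
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false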
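Review bot: `for_each = var.database_encryption` emits one `database_encryption` block per list element, while `google_container_cluster` accepts a single such block, so a caller who passes two entries gets an opaque provider schema error at plan time instead of a message that names the input. Because the list type is already shared across all modules and cannot change compatibly, the cheapest guard is a `validation` on the variable with `condition = length(var.database_encryption) <= 1` and `error_message = "database_encryption accepts at most one entry."`, placed in the autogen template so it survives regeneration. The single-block limit is from the provider schema as I recall it, so check it against the provider version this module pins. The enclosing resource starts and ends outside this hunk.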
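--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -341,3 +341,13 @@ variable "enable_tpu" {
 description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!"
 default = false
 }
+variable "database_encryption" {
+description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
+type = list(object({ state = string, key_name = string }))
+
+default = [{
+state = "DECRYPTED"
+key_name = ""
+}]
+}
+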
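Review bot: The description's closing phrase, `key_name is the name of a CloudKMS key`, invites a short name such as `my-key`, but the GKE API field takes the key's full resource ID, so that value only fails at apply time; I would reword the tail to `key_name is the full resource ID of the Cloud KMS key, e.g. projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>, and is required when state is ENCRYPTED.` Since this file is generated, the change belongs in `autogen/main/variables.tf.tmpl` (and flows into the generated README rows) rather than here. That the API requires the full path is from the GKE documentation as I recall it, not from anything in this diff.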
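--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -355,6 +355,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false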
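--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -355,6 +355,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false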
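--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -336,6 +336,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false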
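--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -336,6 +336,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 notification_config {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false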
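--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -235,6 +235,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 }
 /******************************************
 Create Container Cluster node pools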
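--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -235,6 +235,7 @@ resource "google_container_cluster" "primary" {
 security_group = authenticator_groups_config.value.security_group
 }
 }
+
 }
 /******************************************
 Create Container Cluster node pools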
