
feat!: support for gateway api (#1510)
Co-authored-by: Eric Zhao <[email protected]>
tuunit and ericyz authored Jan 3, 2023
1 parent bcd5e03 commit 4181276
Showing 68 changed files with 820 additions and 34 deletions.
7 changes: 7 additions & 0 deletions .kitchen.yml
@@ -80,6 +80,13 @@ suites:
systems:
- name: simple_regional_private
backend: local
- name: "simple_regional_with_gateway_api"
driver:
root_module_directory: test/fixtures/simple_regional_with_gateway_api
verifier:
systems:
- name: simple_regional_with_gateway_api
backend: local
- name: "simple_regional_with_kubeconfig"
driver:
root_module_directory: test/fixtures/simple_regional_with_kubeconfig
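Review bot: the new suite references `test/fixtures/simple_regional_with_gateway_api` as its root module and an InSpec system of the same name, but neither the fixture nor a verifier profile for it appears among the files shown here; please confirm both are included in this commit's 68 changed files, since the `converge simple-regional-with-gateway-api-local` step added in build/int.cloudbuild.yaml will not get past the fixture lookup without them.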
6 changes: 4 additions & 2 deletions README.md
@@ -155,6 +155,7 @@ Then perform the following commands on the root folder:
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
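Review bot: the new `gateway_api_channel` row should say what the `null` default actually does, because in this change a null value means the `gateway_api_config` block is omitted from the cluster resource entirely (see the `local.gateway_api_config` expression in main.tf), which is not the same as `CHANNEL_DISABLED`. Suggest wording such as "When `null`, no gateway_api_config block is sent and the cluster keeps its current setting; set `CHANNEL_DISABLED` to turn the Gateway API off explicitly." Also, the neighbouring rows capitalise product names (Filestore CSI, Google Compute Engine), so "gateway api" should read "Gateway API".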
@@ -215,6 +216,7 @@ Then perform the following commands on the root folder:
| ca\_certificate | Cluster ca certificate (base64 encoded) |
| cluster\_id | Cluster ID |
| endpoint | Cluster endpoint |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
| identity\_namespace | Workload Identity pool |
@@ -302,8 +304,8 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
#### Kubectl
- [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
#### Terraform and Plugins
- [Terraform](https://www.terraform.io/downloads.html) 0.12
- [Terraform Provider for GCP][terraform-provider-google] v3.41
- [Terraform](https://www.terraform.io/downloads.html) 0.13+
- [Terraform Provider for GCP][terraform-provider-google] v4.47
#### gcloud
Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH.
See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information.
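Review bot: the `feat!` marker in the title declares a breaking change, and this hunk is where the break actually lives (Terraform 0.12 to 0.13+ and the GCP provider minimum from v3.41 to v4.47, matching the `>= 4.47.0, < 5.0` constraint in autogen/main/versions.tf.tmpl), but the commit message body does not state it. Please add a `BREAKING CHANGE:` footer naming the new minimum provider and Terraform versions so the generated release notes tell users what they must upgrade before taking this module version.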
6 changes: 3 additions & 3 deletions autogen/main/README.md
@@ -254,11 +254,11 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
#### Kubectl
- [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
#### Terraform and Plugins
- [Terraform](https://www.terraform.io/downloads.html) 0.12
- [Terraform](https://www.terraform.io/downloads.html) 0.13+
{% if beta_cluster %}
- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v3.41
- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v4.47
{% else %}
- [Terraform Provider for GCP][terraform-provider-google] v3.41
- [Terraform Provider for GCP][terraform-provider-google] v4.47
{% endif %}
#### gcloud
Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH.
9 changes: 9 additions & 0 deletions autogen/main/cluster.tf.tmpl
@@ -53,6 +53,15 @@ resource "google_container_cluster" "primary" {
channel = release_channel.value.channel
}
}

dynamic "gateway_api_config" {
for_each = local.gateway_api_config

content {
channel = gateway_api_config.value.channel
}
}

dynamic "cost_management_config" {
for_each = var.enable_cost_allocation ? [1] : []
content {
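Review bot: because `local.gateway_api_config` is an empty list whenever `var.gateway_api_channel` is null, a user who enables the Gateway API with `CHANNEL_STANDARD` and later sets the variable back to `null` will see the whole `gateway_api_config` block vanish from the plan rather than a change to `CHANNEL_DISABLED`; whether the provider then disables the feature or leaves the cluster as-is is not something this template controls. Either document that `CHANNEL_DISABLED` must be set explicitly to turn it off, or consider emitting the block unconditionally with `channel = coalesce(var.gateway_api_channel, "CHANNEL_DISABLED")` so the configured state always matches the variable.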
1 change: 1 addition & 0 deletions autogen/main/main.tf.tmpl
@@ -57,6 +57,7 @@ locals {
{% endif %}

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

{% if autopilot_cluster != true %}
autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{
5 changes: 5 additions & 0 deletions autogen/main/outputs.tf.tmpl
@@ -158,6 +158,11 @@ output "release_channel" {
value = var.release_channel
}

output "gateway_api_channel" {
description = "The gateway api channel of this cluster."
value = var.gateway_api_channel
}

output "identity_namespace" {
description = "Workload Identity pool"
value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].workload_pool : null
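Review bot: `value = var.gateway_api_channel` echoes the input variable back, so the output reports what was requested rather than what the cluster actually has (it follows the `release_channel` output just above, which has the same limitation). Since the resource is `google_container_cluster.primary` and the block is `gateway_api_config`, the output can read the applied state instead, for example `value = try(google_container_cluster.primary.gateway_api_config[0].channel, null)`, which also returns null when the block is absent.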
6 changes: 6 additions & 0 deletions autogen/main/variables.tf.tmpl
@@ -454,6 +454,12 @@ variable "release_channel" {
default = null
}

variable "gateway_api_channel" {
type = string
description = "The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`."
default = null
}

variable "add_cluster_firewall_rules" {
type = bool
description = "Create additional firewall rules"
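Review bot: the accepted values `CHANNEL_STANDARD` and `CHANNEL_DISABLED` are stated only in the description, so a typo is not caught until the API call fails mid-apply. Since the template already targets Terraform 0.13+, add a `validation` block to the variable: `condition = var.gateway_api_channel == null ? true : contains(["CHANNEL_STANDARD", "CHANNEL_DISABLED"], var.gateway_api_channel)` with an `error_message` naming the two values (the conditional form keeps the null default valid without evaluating `contains` on null).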
2 changes: 1 addition & 1 deletion autogen/main/versions.tf.tmpl
@@ -38,7 +38,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.45.0, < 5.0"
version = ">= 4.47.0, < 5.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
15 changes: 15 additions & 0 deletions build/int.cloudbuild.yaml
@@ -121,6 +121,21 @@ steps:
- verify simple-regional-with-kubeconfig-local
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-kubeconfig-local']
- id: converge simple-regional-with-gateway-api-local
waitFor:
- create all
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-gateway-api-local']
- id: verify simple-regional-with-gateway-api-local
waitFor:
- converge simple-regional-with-gateway-api-local
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-gateway-api-local']
- id: destroy simple-regional-with-gateway-api-local
waitFor:
- verify simple-regional-with-gateway-api-local
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-gateway-api-local']
- id: converge simple-regional-with-networking-local
waitFor:
- create all
9 changes: 9 additions & 0 deletions cluster.tf
@@ -47,6 +47,15 @@ resource "google_container_cluster" "primary" {
channel = release_channel.value.channel
}
}

dynamic "gateway_api_config" {
for_each = local.gateway_api_config

content {
channel = gateway_api_config.value.channel
}
}

dynamic "cost_management_config" {
for_each = var.enable_cost_allocation ? [1] : []
content {
47 changes: 47 additions & 0 deletions examples/simple_regional_with_gateway_api/README.md
@@ -0,0 +1,47 @@
# Simple Regional Cluster

This example illustrates how to create a simple cluster.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes |
| ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes |
| network | The VPC network to host the cluster in | `any` | n/a | yes |
| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
| region | The region to host the cluster in | `any` | n/a | yes |
| skip\_provisioners | Flag to skip local-exec provisioners | `bool` | `false` | no |
| subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| ca\_certificate | n/a |
| client\_token | n/a |
| cluster\_name | Cluster name |
| ip\_range\_pods | The secondary IP range used for pods |
| ip\_range\_services | The secondary IP range used for services |
| kubernetes\_endpoint | n/a |
| location | n/a |
| master\_kubernetes\_version | The master Kubernetes version |
| network | n/a |
| project\_id | n/a |
| region | n/a |
| service\_account | The default service account used for running nodes. |
| subnetwork | n/a |
| zones | List of zones in which the cluster resides |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

To provision this example, run the following from within this directory:
- `terraform init` to get the plugins
- `terraform plan` to see the infrastructure plan
- `terraform apply` to apply the infrastructure build
- `terraform destroy` to destroy the built infrastructure
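Review bot: the heading "Simple Regional Cluster" and the sentence "This example illustrates how to create a simple cluster." were carried over from the base example and do not mention the one thing this example adds; the title should say this is a regional cluster with the Gateway API enabled and the intro should point at the `gateway_api_channel` input. The Outputs table also shows `n/a` for `ca_certificate`, `client_token`, `kubernetes_endpoint`, `location`, `network`, `project_id`, `region` and `subnetwork` because the corresponding `output` blocks have no `description`; adding descriptions in outputs.tf will fix the table on the next docs-hook run.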
45 changes: 45 additions & 0 deletions examples/simple_regional_with_gateway_api/main.tf
@@ -0,0 +1,45 @@
/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

locals {
cluster_type = "simple-regional-gatewayapi"
}

data "google_client_config" "default" {}

provider "kubernetes" {
host = "https://${module.gke.endpoint}"
token = data.google_client_config.default.access_token
cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}

module "gke" {
source = "../../"
project_id = var.project_id
name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
regional = true
region = var.region
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
create_service_account = false
service_account = var.compute_engine_service_account
enable_cost_allocation = true
enable_binary_authorization = var.enable_binary_authorization
skip_provisioners = var.skip_provisioners
gateway_api_channel = var.gateway_api_channel
}
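Review bot: the licence header on this new file says "Copyright 2018 Google LLC" while the new versions.tf in the same directory says 2021, and the commit itself is dated Jan 3, 2023; pick one year for the new files rather than inheriting whichever example each was copied from. Otherwise the module call is a straight copy of the base example plus `gateway_api_channel = var.gateway_api_channel`, which is the right minimal change.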
35 changes: 35 additions & 0 deletions examples/simple_regional_with_gateway_api/outputs.tf
@@ -0,0 +1,35 @@
/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

output "kubernetes_endpoint" {
sensitive = true
value = module.gke.endpoint
}

output "client_token" {
sensitive = true
value = base64encode(data.google_client_config.default.access_token)
}

output "ca_certificate" {
value = module.gke.ca_certificate
}

output "service_account" {
description = "The default service account used for running nodes."
value = module.gke.service_account
}

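Review bot: `kubernetes_endpoint` and `client_token` are marked `sensitive = true` but carry no `description`, and `ca_certificate` has neither; the README generated from this file therefore prints `n/a` for all three. Add a one-line `description` to each, and for `client_token` note in it that the value is the base64-encoded caller access token from `data.google_client_config.default`, so readers know it is short-lived and not something to persist.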
1 change: 1 addition & 0 deletions examples/simple_regional_with_gateway_api/test_outputs.tf
65 changes: 65 additions & 0 deletions examples/simple_regional_with_gateway_api/variables.tf
@@ -0,0 +1,65 @@
/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

variable "project_id" {
description = "The project ID to host the cluster in"
}

variable "cluster_name_suffix" {
description = "A suffix to append to the default cluster name"
default = ""
}

variable "region" {
description = "The region to host the cluster in"
}

variable "network" {
description = "The VPC network to host the cluster in"
}

variable "subnetwork" {
description = "The subnetwork to host the cluster in"
}

variable "ip_range_pods" {
description = "The secondary ip range to use for pods"
}

variable "ip_range_services" {
description = "The secondary ip range to use for services"
}

variable "compute_engine_service_account" {
description = "Service account to associate to the nodes in the cluster"
}

variable "skip_provisioners" {
type = bool
description = "Flag to skip local-exec provisioners"
default = false
}

variable "enable_binary_authorization" {
description = "Enable BinAuthZ Admission controller"
default = false
}

variable "gateway_api_channel" {
type = string
description = "The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`."
default = null
}
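Review bot: with `default = null` on `gateway_api_channel`, and main.tf passing it straight through, this example provisions a cluster with no `gateway_api_config` block at all unless the caller or the kitchen fixture overrides the value, so as written the example does not demonstrate the feature it is named for. Suggest `default = "CHANNEL_STANDARD"` here (the root module keeps its null default), which also gives the new integration suite something to assert on. Separately, the new variable is the only one in this file with a `type`; the copied variables (`project_id`, `region`, `network`, etc.) are untyped and show as `any` in the README table, so adding `type = string` to those would be a cheap consistency win.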
28 changes: 28 additions & 0 deletions examples/simple_regional_with_gateway_api/versions.tf
@@ -0,0 +1,28 @@
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 4.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
}
}
required_version = ">= 0.13"
}
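Review bot: `version = "~> 4.0"` on the google provider admits any 4.x release, including versions older than the 4.47.0 minimum that autogen/main/versions.tf.tmpl now requires for `gateway_api_config`. Terraform will intersect the two constraints because the example sources the root module, so init still resolves correctly, but stating `">= 4.47.0, < 5.0"` here makes the example's real requirement visible to someone copying it without the module constraint.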
3 changes: 2 additions & 1 deletion main.tf
@@ -50,7 +50,8 @@ locals {
windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name]
windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools)))

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

autoscaling_resource_limits = var.cluster_autoscaling.enabled ? concat([{
resource_type = "cpu"
0 comments on commit 4181276