Skip to content

Commit

Permalink
feat: bump enable_intranode_visibility to GA (#1956)
Browse files Browse the repository at this point in the history
  • Loading branch information
DrFaust92 authored Jul 15, 2024
1 parent a37bf7e commit 4274b0e
Show file tree
Hide file tree
Showing 35 changed files with 147 additions and 96 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
Expand Down Expand Up @@ -258,6 +259,7 @@ Then perform the following commands on the root folder:
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
| identity\_namespace | Workload Identity pool |
| instance\_group\_urls | List of GKE generated instance groups |
| intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
| location | Cluster location (region if regional cluster, zone if zonal cluster) |
| logging\_service | Logging service used |
| master\_authorized\_networks\_config | Networks from which access to master is permitted |
Expand Down
4 changes: 2 additions & 2 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -216,11 +216,11 @@ resource "google_container_cluster" "primary" {
}
}

enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
{% if beta_cluster %}
enable_intranode_visibility = var.enable_intranode_visibility

{% if beta_cluster %}
dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
Expand Down
4 changes: 2 additions & 2 deletions autogen/main/main.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -162,12 +162,12 @@ locals {
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility

{% if beta_cluster %}
# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

Expand Down Expand Up @@ -225,6 +225,7 @@ locals {
workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
{% if autopilot_cluster != true %}
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
Expand All @@ -238,7 +239,6 @@ locals {
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
{% endif %}
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

Expand Down
10 changes: 5 additions & 5 deletions autogen/main/outputs.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -224,11 +224,6 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
Expand All @@ -240,6 +235,11 @@ output "secret_manager_addon_enabled" {
}
{% endif %}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
12 changes: 6 additions & 6 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -817,6 +817,12 @@ variable "config_connector" {
default = false
}

variable "enable_intranode_visibility" {
type = bool
description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
default = false
}

{% endif %}
variable "enable_l4_ilb_subsetting" {
type = bool
Expand Down Expand Up @@ -874,12 +880,6 @@ variable "sandbox_enabled" {
default = false
}

variable "enable_intranode_visibility" {
type = bool
description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
default = false
}

variable "enable_identity_service" {
type = bool
description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
Expand Down
6 changes: 4 additions & 2 deletions cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -173,8 +173,10 @@ resource "google_container_cluster" "primary" {
}
}

enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility


enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

Expand Down
4 changes: 3 additions & 1 deletion main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ locals {
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility


master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
Expand Down Expand Up @@ -165,7 +166,8 @@ locals {
cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
}] : []
Expand Down
6 changes: 3 additions & 3 deletions modules/beta-autopilot-private-cluster/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -90,11 +90,11 @@ locals {
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

Expand Down Expand Up @@ -128,12 +128,12 @@ locals {
cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled

# BETA features
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

Expand Down
10 changes: 5 additions & 5 deletions modules/beta-autopilot-private-cluster/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -179,11 +179,6 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
Expand All @@ -194,6 +189,11 @@ output "secret_manager_addon_enabled" {
value = local.cluster_secret_manager_addon_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
6 changes: 3 additions & 3 deletions modules/beta-autopilot-public-cluster/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -89,11 +89,11 @@ locals {
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

Expand Down Expand Up @@ -127,12 +127,12 @@ locals {
cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled

# BETA features
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

Expand Down
10 changes: 5 additions & 5 deletions modules/beta-autopilot-public-cluster/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -169,11 +169,6 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
Expand All @@ -184,6 +179,11 @@ output "secret_manager_addon_enabled" {
value = local.cluster_secret_manager_addon_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
6 changes: 3 additions & 3 deletions modules/beta-private-cluster-update-variant/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -135,11 +135,11 @@ locals {
cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

Expand Down Expand Up @@ -186,7 +186,8 @@ locals {
cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
}] : []
Expand All @@ -195,7 +196,6 @@ locals {
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

Expand Down
Loading

0 comments on commit 4274b0e

Please sign in to comment.