Skip to content

Commit

Permalink
feat(TPG>=5.33)!: add secret manager add-on config to beta modules (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
legal90 authored Jul 9, 2024
1 parent 3b0bbe8 commit 5c58d89
Show file tree
Hide file tree
Showing 37 changed files with 162 additions and 38 deletions.
7 changes: 7 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,13 @@ resource "google_container_cluster" "primary" {
{% if beta_cluster %}
enable_intranode_visibility = var.enable_intranode_visibility

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
enabled = secret_manager_config.value
}
}

dynamic "pod_security_policy_config" {
for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
content {
Expand Down
2 changes: 2 additions & 0 deletions autogen/main/main.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,7 @@ locals {
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features
{% endif %}
Expand Down Expand Up @@ -239,6 +240,7 @@ locals {
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features
{% endif %}
Expand Down
5 changes: 5 additions & 0 deletions autogen/main/outputs.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,11 @@ output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}
{% endif %}

output "fleet_membership" {
Expand Down
6 changes: 6 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -862,6 +862,12 @@ variable "enable_pod_security_policy" {
default = false
}

variable "enable_secret_manager_addon" {
description = "(Beta) Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "sandbox_enabled" {
type = bool
description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
Expand Down
4 changes: 2 additions & 2 deletions autogen/main/versions.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,7 @@ Then perform the following commands on the root folder:
| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
| region | Cluster region |
| release\_channel | The release channel of this cluster |
| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
| type | Cluster type (regional / zonal) |
Expand Down
10 changes: 6 additions & 4 deletions modules/beta-autopilot-private-cluster/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,11 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features

Expand Down Expand Up @@ -134,6 +135,7 @@ locals {
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features

Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-private-cluster/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,11 @@ output "identity_service_enabled" {
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
4 changes: 2 additions & 2 deletions modules/beta-autopilot-private-cluster/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ Then perform the following commands on the root folder:
| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
| region | Cluster region |
| release\_channel | The release channel of this cluster |
| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
| type | Cluster type (regional / zonal) |
Expand Down
10 changes: 6 additions & 4 deletions modules/beta-autopilot-public-cluster/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -91,10 +91,11 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features

Expand Down Expand Up @@ -133,6 +134,7 @@ locals {
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features

Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-public-cluster/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,11 @@ output "identity_service_enabled" {
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
4 changes: 2 additions & 2 deletions modules/beta-autopilot-public-cluster/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,7 @@ Then perform the following commands on the root folder:
| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
Expand Down Expand Up @@ -329,6 +330,7 @@ Then perform the following commands on the root folder:
| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
| region | Cluster region |
| release\_channel | The release channel of this cluster |
| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
| type | Cluster type (regional / zonal) |
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" {
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
enabled = secret_manager_config.value
}
}

dynamic "pod_security_policy_config" {
for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
content {
Expand Down
10 changes: 6 additions & 4 deletions modules/beta-private-cluster-update-variant/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -137,10 +137,11 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features

Expand Down Expand Up @@ -196,6 +197,7 @@ locals {
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features

Expand Down
5 changes: 5 additions & 0 deletions modules/beta-private-cluster-update-variant/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,11 @@ output "identity_service_enabled" {
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -826,6 +826,12 @@ variable "enable_pod_security_policy" {
default = false
}

variable "enable_secret_manager_addon" {
description = "(Beta) Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "sandbox_enabled" {
type = bool
description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
Expand Down
4 changes: 2 additions & 2 deletions modules/beta-private-cluster-update-variant/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.25.0, < 6"
version = ">= 5.33.0, < 6"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
Expand Down Expand Up @@ -307,6 +308,7 @@ Then perform the following commands on the root folder:
| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
| region | Cluster region |
| release\_channel | The release channel of this cluster |
| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
| type | Cluster type (regional / zonal) |
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" {
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
enabled = secret_manager_config.value
}
}

dynamic "pod_security_policy_config" {
for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
content {
Expand Down
Loading

0 comments on commit 5c58d89

Please sign in to comment.