feat(TPG>=6.7.0)!: promote secret_manager_config to GA (#2159)
wyardley authored Oct 31, 2024
1 parent cec659e commit 7931bf4
Showing 53 changed files with 231 additions and 161 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
Expand Down Expand Up @@ -282,6 +283,7 @@ Then perform the following commands on the root folder:
| node\_pools\_versions | Node pool versions by node pool name |
| region | Cluster region |
| release\_channel | The release channel of this cluster |
| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled |
| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs |
| type | Cluster type (regional / zonal) |
2 changes: 1 addition & 1 deletion autogen/main/cluster.tf.tmpl
Expand Up @@ -243,14 +243,14 @@ resource "google_container_cluster" "primary" {

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

{% if beta_cluster %}
dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
enabled = secret_manager_config.value
}
}

{% if beta_cluster %}
enable_fqdn_network_policy = var.enable_fqdn_network_policy
{% endif %}
{% if autopilot_cluster %}
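Review bot: with `for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []` the `secret_manager_config` block is rendered only when the variable is true, so `enabled = secret_manager_config.value` can never be anything but `true`, and flipping the variable back to `false` removes the block rather than setting `enabled = false`. Disabling the add-on on an existing cluster therefore relies on the provider treating an absent block as disabled; if that is not guaranteed, rendering the block unconditionally with `enabled = var.enable_secret_manager_addon` would give an explicit, reviewable `true -> false` plan diff instead of a silent block removal. Separately, the `{% if beta_cluster %}` that moved below the block now guards only `enable_fqdn_network_policy`; please confirm nothing else depended on the conditional's previous extent.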
14 changes: 7 additions & 7 deletions autogen/main/main.tf.tmpl
Expand Up @@ -167,12 +167,12 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

{% if beta_cluster %}
# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false

# /BETA features
{% endif %}
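Review bot: the `cluster_output_istio_disabled` and `cluster_output_pod_security_policy_enabled` lines change only in column alignment once the longer `secret_manager` line leaves the BETA block; harmless, but it is why this hunk shows three deletions and three additions for what is a one-line move. The relocated `cluster_output_secret_manager_addon_enabled` keeps the same `!= null && length(...) == 1` guard as its neighbours and falls back to `false` when the block is absent, which matches the variable default and reports the provider-observed state rather than the input variable, so it is the right source for the output.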
Expand Down Expand Up @@ -225,6 +225,7 @@ locals {
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
{% if autopilot_cluster != true %}
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
Expand All @@ -233,12 +234,11 @@ locals {

{% if beta_cluster %}
# BETA features
cluster_istio_enabled = ! local.cluster_output_istio_disabled
cluster_istio_enabled = !local.cluster_output_istio_disabled
{% if autopilot_cluster != true %}
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
{% endif %}
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled

# /BETA features
{% endif %}
10 changes: 5 additions & 5 deletions autogen/main/outputs.tf.tmpl
Expand Up @@ -223,11 +223,6 @@ output "pod_security_policy_enabled" {
description = "Whether pod security policy is enabled"
value = local.cluster_pod_security_policy_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}
{% endif %}

output "identity_service_enabled" {
Expand All @@ -240,6 +235,11 @@ output "intranode_visibility_enabled" {
value = local.cluster_intranode_visibility_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
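Review bot: the re-added `secret_manager_addon_enabled` output lands after `intranode_visibility_enabled` rather than at its old position beside `pod_security_policy_enabled`, so the order of outputs in every regenerated outputs.tf shifts. Cosmetic only, but it is worth knowing when reading the per-module diffs, and it would be slightly easier to review if the block had kept its place next to the other feature-state outputs such as `identity_service_enabled`.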
12 changes: 6 additions & 6 deletions autogen/main/variables.tf.tmpl
Expand Up @@ -613,6 +613,12 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}
{% if beta_cluster %}

variable "workload_vulnerability_mode" {
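Review bot: the description `Enable the Secret Manager add-on for this cluster` does not mention that the setting only works with google provider 6.7.0 or later, which is the floor this same commit introduces in versions.tf.tmpl. Because this text is what appears in the README input tables, consider stating the requirement here so users of the GA modules learn it from the docs rather than from a provider error, e.g. `description = "Enable the Secret Manager add-on for this cluster (requires google provider >= 6.7.0)"`.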
Expand All @@ -632,12 +638,6 @@ variable "enable_fqdn_network_policy" {
description = "Enable FQDN Network Policies on the cluster"
default = null
}

variable "enable_secret_manager_addon" {
description = "(Beta) Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}
{% endif %}

variable "enable_cilium_clusterwide_network_policy" {
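Review bot: this removal is required rather than cleanup: with the unconditional declaration added earlier in the file, leaving this `(Beta)` copy inside `{% if beta_cluster %}` would render `variable "enable_secret_manager_addon"` twice in the beta modules and `terraform validate` would reject the duplicate. Good that both halves are in one commit.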
6 changes: 3 additions & 3 deletions autogen/main/versions.tf.tmpl
Expand Up @@ -24,11 +24,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
version = ">= 6.7.0, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
version = ">= 6.7.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
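Review bot: raising the floor from `>= 5.44.2` (with the `!=6.0.0` … `!=6.6.0` exclusions) to `>= 6.7.0` is the breaking change that the `!` in the commit title signals: anyone still on a 5.x or 6.0 to 6.6 google provider can no longer take this module version without first upgrading the provider. That should be spelled out in the release notes and upgrade guide, not only in the title. The exclusions are correctly dropped since every excluded version is now below the floor. Please also confirm `google-beta` genuinely needs 6.7.0 for `secret_manager_config` rather than being bumped only for symmetry; if it is symmetry, say so in the commit body so the constraint can be traced later.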
Expand Down Expand Up @@ -86,7 +86,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
version = ">= 6.7.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
7 changes: 7 additions & 0 deletions cluster.tf
Expand Up @@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" {

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
enabled = secret_manager_config.value
}
}

dynamic "master_authorized_networks_config" {
for_each = var.gcp_public_cidrs_access_enabled != null || length(var.master_authorized_networks) > 0 ? [true] : []
content {
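Review bot: this generated `cluster.tf` matches the template change, and since `secret_manager_config` is no longer under any template conditional the same block must now appear in every other generated cluster.tf (private, autopilot and beta variants). The commit lists 53 changed files, which is consistent with a full regeneration, but the page only renders a subset; please confirm the build step was run so the generated modules do not drift from `autogen/`.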
33 changes: 17 additions & 16 deletions examples/simple_regional_private/main.tf
Expand Up @@ -36,22 +36,23 @@ module "gke" {
source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
version = "~> 34.0"

project_id = var.project_id
name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
regional = true
region = var.region
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
create_service_account = false
service_account = var.compute_engine_service_account
enable_private_endpoint = true
enable_private_nodes = true
master_ipv4_cidr_block = "172.16.0.0/28"
default_max_pods_per_node = 20
remove_default_node_pool = true
deletion_protection = false
project_id = var.project_id
name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
regional = true
region = var.region
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
create_service_account = false
service_account = var.compute_engine_service_account
enable_private_endpoint = true
enable_private_nodes = true
enable_secret_manager_addon = true
master_ipv4_cidr_block = "172.16.0.0/28"
default_max_pods_per_node = 20
remove_default_node_pool = true
deletion_protection = false

node_pools = [
{
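Review bot: only `enable_secret_manager_addon = true` is new here; the other sixteen lines change solely because `terraform fmt` realigned the `=` column to fit the longer name, which is why a one-line change shows as 17 additions and 16 deletions. Two things to check: the example still pins `version = "~> 34.0"` while this commit is a breaking change that implies a major bump, so the pin will need updating at release time (normally handled by release tooling, but worth confirming); and enabling the add-on in the private-cluster example means the integration test now exercises the GA code path on a `>= 6.7.0` provider, which is good, as long as the test environment's provider satisfies that floor.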
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -125,6 +125,7 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

cluster_output_node_pools_names = concat(
[for np in google_container_node_pool.pools : np.name], [""],
Expand Down Expand Up @@ -166,6 +167,7 @@ locals {
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
}] : []
2 changes: 1 addition & 1 deletion modules/beta-autopilot-private-cluster/README.md
Expand Up @@ -99,7 +99,7 @@ Then perform the following commands on the root folder:
| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
12 changes: 6 additions & 6 deletions modules/beta-autopilot-private-cluster/main.tf
Expand Up @@ -91,11 +91,11 @@ locals {
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false

# /BETA features

Expand Down Expand Up @@ -125,11 +125,11 @@ locals {
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# BETA features
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled

# /BETA features

10 changes: 5 additions & 5 deletions modules/beta-autopilot-private-cluster/outputs.tf
Expand Up @@ -179,11 +179,6 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
Expand All @@ -194,6 +189,11 @@ output "intranode_visibility_enabled" {
value = local.cluster_intranode_visibility_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
12 changes: 6 additions & 6 deletions modules/beta-autopilot-private-cluster/variables.tf
Expand Up @@ -382,6 +382,12 @@ variable "enable_confidential_nodes" {
default = false
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC."
type = string
Expand All @@ -400,12 +406,6 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "enable_secret_manager_addon" {
description = "(Beta) Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
2 changes: 1 addition & 1 deletion modules/beta-autopilot-public-cluster/README.md
Expand Up @@ -90,7 +90,7 @@ Then perform the following commands on the root folder:
| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |

0 comments on commit 7931bf4