

feat: bump identity_service_config to ga (#1997)
Co-authored-by: Andrew Peabody <[email protected]>
DrFaust92 and apeabody authored Jul 18, 2024
1 parent 9ae8b38 commit 9d6a400
Showing 41 changed files with 175 additions and 105 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
Expand Down Expand Up @@ -259,6 +260,7 @@ Then perform the following commands on the root folder:
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
| identity\_namespace | Workload Identity pool |
| identity\_service\_enabled | Whether Identity Service is enabled |
| instance\_group\_urls | List of GKE generated instance groups |
| intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
| location | Cluster location (region if regional cluster, zone if zonal cluster) |
14 changes: 7 additions & 7 deletions autogen/main/cluster.tf.tmpl
Expand Up @@ -216,6 +216,13 @@ resource "google_container_cluster" "primary" {
}
}

dynamic "identity_service_config" {
for_each = var.enable_identity_service ? [var.enable_identity_service] : []
content {
enabled = identity_service_config.value
}
}

enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility
Expand All @@ -234,13 +241,6 @@ resource "google_container_cluster" "primary" {
enabled = pod_security_policy_config.value
}
}

dynamic "identity_service_config" {
for_each = var.enable_identity_service ? [var.enable_identity_service] : []
content {
enabled = identity_service_config.value
}
}
{% endif %}
{% endif %}

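Review bot: The `for_each = var.enable_identity_service ? [var.enable_identity_service] : []` toggle at the top of the first hunk means that setting the variable back to `false` drops the `identity_service_config` block from the configuration rather than sending `enabled = false`; whether that actually turns the component off on an already-enabled cluster depends on how the provider treats the absent block, and nothing here records it. If the provider leaves the cluster untouched, an operator could believe external-IdP authentication to the API server has been switched off when it has not, so the behavior is worth confirming and a comment such as `# Omitting this block does not necessarily disable an already-enabled Identity Service; confirm provider behavior before relying on enable_identity_service = false` would record the outcome. The same pattern is moved or added in cluster.tf and modules/beta-private-cluster-update-variant/cluster.tf in this commit. The enclosing google_container_cluster resource starts and ends outside the hunk.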
4 changes: 2 additions & 2 deletions autogen/main/main.tf.tmpl
Expand Up @@ -163,12 +163,12 @@ locals {
cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled=false }])[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false

{% if beta_cluster %}
# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features
Expand Down Expand Up @@ -226,6 +226,7 @@ locals {
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
{% if autopilot_cluster != true %}
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
Expand All @@ -239,7 +240,6 @@ locals {
cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
{% endif %}
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features
10 changes: 5 additions & 5 deletions autogen/main/outputs.tf.tmpl
Expand Up @@ -224,17 +224,17 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}
{% endif %}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
12 changes: 7 additions & 5 deletions autogen/main/variables.tf.tmpl
Expand Up @@ -886,18 +886,20 @@ variable "sandbox_enabled" {
default = false
}

variable "enable_identity_service" {
variable "enable_gcfs" {
type = bool
description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
description = "Enable image streaming on cluster level."
default = false
}
{% endif %}
{% endif %}

variable "enable_gcfs" {
{% if autopilot_cluster != true %}
variable "enable_identity_service" {
type = bool
description = "Enable image streaming on cluster level."
description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
default = false
}
{% endif %}
{% endif %}
{% if autopilot_cluster %}
variable "allow_net_admin" {
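Review bot: The `enable_identity_service` variable is now generated only under `{% if autopilot_cluster != true %}` (second half of the hunk), while the Autopilot modules touched by this commit (modules/beta-autopilot-private-cluster and modules/beta-autopilot-public-cluster) keep the `identity_service_enabled` local and output, so on those modules the value is reported from cluster state but cannot be set through the module. A sentence in that output's description, or in the README row for `identity_service_enabled`, saying the value is read-only on Autopilot would save users from searching for a missing input. The description on the new variable line could also say what the switch does and does not do, since it widens who the API server may authenticate: e.g. `description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. Enabling installs the component only; the trusted identity provider is configured on the cluster separately."` — confirm that wording against the GKE documentation before adopting it. The enclosing template section continues outside the hunk.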
7 changes: 7 additions & 0 deletions cluster.tf
Expand Up @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" {
}
}

dynamic "identity_service_config" {
for_each = var.enable_identity_service ? [var.enable_identity_service] : []
content {
enabled = identity_service_config.value
}
}

enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -123,6 +123,7 @@ locals {
cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false


master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
Expand Down Expand Up @@ -168,6 +169,7 @@ locals {
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
enable_certificates = var.enable_mesh_certificates
}] : []
4 changes: 2 additions & 2 deletions modules/beta-autopilot-private-cluster/main.tf
Expand Up @@ -91,11 +91,11 @@ locals {
cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features
Expand Down Expand Up @@ -130,11 +130,11 @@ locals {
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled

# BETA features
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features
10 changes: 5 additions & 5 deletions modules/beta-autopilot-private-cluster/outputs.tf
Expand Up @@ -179,16 +179,16 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Expand Up @@ -492,6 +492,7 @@ variable "enable_l4_ilb_subsetting" {
description = "Enable L4 ILB Subsetting on the cluster"
default = false
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
4 changes: 2 additions & 2 deletions modules/beta-autopilot-public-cluster/main.tf
Expand Up @@ -90,11 +90,11 @@ locals {
cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false

# BETA features
cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false

# /BETA features
Expand Down Expand Up @@ -129,11 +129,11 @@ locals {
}]
confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled

# BETA features
cluster_istio_enabled = !local.cluster_output_istio_disabled
cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled

# /BETA features
10 changes: 5 additions & 5 deletions modules/beta-autopilot-public-cluster/outputs.tf
Expand Up @@ -169,16 +169,16 @@ output "pod_security_policy_enabled" {
value = local.cluster_pod_security_policy_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "secret_manager_addon_enabled" {
description = "Whether Secret Manager add-on is enabled"
value = local.cluster_secret_manager_addon_enabled
}

output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_identity_service_enabled
}

output "intranode_visibility_enabled" {
description = "Whether intra-node visibility is enabled"
value = local.cluster_intranode_visibility_enabled
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Expand Up @@ -462,6 +462,7 @@ variable "enable_l4_ilb_subsetting" {
description = "Enable L4 ILB Subsetting on the cluster"
default = false
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
14 changes: 7 additions & 7 deletions modules/beta-private-cluster-update-variant/cluster.tf
Expand Up @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" {
}
}

dynamic "identity_service_config" {
for_each = var.enable_identity_service ? [var.enable_identity_service] : []
content {
enabled = identity_service_config.value
}
}

enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
enable_intranode_visibility = var.enable_intranode_visibility
Expand All @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" {
}
}

dynamic "identity_service_config" {
for_each = var.enable_identity_service ? [var.enable_identity_service] : []
content {
enabled = identity_service_config.value
}
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
