21 changes: 14 additions & 7 deletions autogen/safer-cluster/main.tf.tmpl
Expand Up @@ -89,13 +89,18 @@ module "gke" {
// If removing the default node pool, initial_node_count should be at least 1.
initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count

node_pools = var.node_pools
windows_node_pools = var.windows_node_pools
node_pools_labels = var.node_pools_labels
node_pools_resource_labels = var.node_pools_resource_labels
node_pools_metadata = var.node_pools_metadata
node_pools_taints = var.node_pools_taints
node_pools_tags = var.node_pools_tags
node_pools = var.node_pools
windows_node_pools = var.windows_node_pools
node_pools_labels = var.node_pools_labels
node_pools_resource_labels = var.node_pools_resource_labels
node_pools_resource_manager_tags = var.node_pools_resource_manager_tags
node_pools_metadata = var.node_pools_metadata
node_pools_linux_node_configs_sysctls = var.node_pools_linux_node_configs_sysctls
node_pools_cgroup_mode = var.node_pools_cgroup_mode
node_pools_hugepage_size_2m = var.node_pools_hugepage_size_2m
node_pools_hugepage_size_1g = var.node_pools_hugepage_size_1g
node_pools_taints = var.node_pools_taints
node_pools_tags = var.node_pools_tags

node_pools_oauth_scopes = var.node_pools_oauth_scopes

Expand Down Expand Up @@ -216,6 +221,8 @@ module "gke" {

enable_gcfs = var.enable_gcfs

enable_secret_manager_addon = var.enable_secret_manager_addon

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
60 changes: 60 additions & 0 deletions autogen/safer-cluster/variables.tf.tmpl
Expand Up @@ -185,6 +185,16 @@ variable "node_pools_resource_labels" {
}
}

variable "node_pools_resource_manager_tags" {
type = map(map(string))
description = "Map of maps containing resource manager tags by node-pool name"

default = {
all = {}
default-node-pool = {}
}
}

variable "node_pools_metadata" {
type = map(map(string))
description = "Map of maps containing node metadata by node-pool name"
Expand All @@ -195,6 +205,50 @@ variable "node_pools_metadata" {
}
}

variable "node_pools_linux_node_configs_sysctls" {
type = map(map(string))
description = "Map of maps containing linux node config sysctls by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = {}
default-node-pool = {}
}
}

variable "node_pools_cgroup_mode" {
type = map(string)
description = "Map of strings containing cgroup node config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_hugepage_size_2m" {
type = map(string)
description = "Map of strings containing hugepage size 2m node config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_hugepage_size_1g" {
type = map(string)
description = "Map of strings containing hugepage size 1g config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_taints" {
type = map(list(object({ key = string, value = string, effect = string })))
description = "Map of lists containing node taints by node-pool name"
Expand Down Expand Up @@ -540,6 +594,12 @@ variable "enable_gcfs" {
default = false
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "enable_mesh_certificates" {
type = bool
default = false
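Review bot: The comment `# Default is being set in variables_defaults.tf` on the four new node-pool variables (sysctls, cgroup_mode, hugepage_size_2m, hugepage_size_1g) reads as copied from the wrapped cluster module; unless this safer-cluster template ships a variables_defaults.tf of its own, it points readers at a file that does not exist here, and the sibling `node_pools_resource_manager_tags` block in the same hunk carries no such comment, so the two styles disagree. Either drop the comment or reword it to say where the per-pool defaults are actually merged. Separately, `node_pools_linux_node_configs_sysctls` is a kernel-tuning lever exposed by a module whose purpose is a hardened baseline; as far as this change shows the values are handed to the node pools unchanged, so the description should say that, e.g. `description = "Map of maps containing linux node config sysctls by node-pool name. Values are passed through to the node pools unchanged; sysctls that loosen kernel hardening weaken the safer-cluster baseline and should be reviewed."`. The `node_pools_cgroup_mode` and hugepage descriptions likewise leave the accepted values and the meaning of the `""` default unstated, and a short clause on each would help. The same text appears in the identical hunk of modules/safer-cluster-update-variant/variables.tf.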
6 changes: 6 additions & 0 deletions modules/safer-cluster-update-variant/README.md
Expand Up @@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and
| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
| enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
Expand Down Expand Up @@ -261,10 +262,15 @@ For simplicity, we suggest using `roles/container.admin` and
| network | The VPC network to host the cluster in | `string` | n/a | yes |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
| node\_pools | List of maps containing node pools | `list(map(string))` | <pre>[<br> {<br> "name": "default-node-pool"<br> }<br>]</pre> | no |
| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | <pre>{<br> "all": [<br> "https://www.googleapis.com/auth/cloud-platform"<br> ],<br> "default-node-pool": []<br>}</pre> | no |
| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br> "all": [],<br> "default-node-pool": []<br>}</pre> | no |
| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br> "all": [],<br> "default-node-pool": []<br>}</pre> | no |
| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
21 changes: 14 additions & 7 deletions modules/safer-cluster-update-variant/main.tf
Expand Up @@ -85,13 +85,18 @@ module "gke" {
// If removing the default node pool, initial_node_count should be at least 1.
initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count

node_pools = var.node_pools
windows_node_pools = var.windows_node_pools
node_pools_labels = var.node_pools_labels
node_pools_resource_labels = var.node_pools_resource_labels
node_pools_metadata = var.node_pools_metadata
node_pools_taints = var.node_pools_taints
node_pools_tags = var.node_pools_tags
node_pools = var.node_pools
windows_node_pools = var.windows_node_pools
node_pools_labels = var.node_pools_labels
node_pools_resource_labels = var.node_pools_resource_labels
node_pools_resource_manager_tags = var.node_pools_resource_manager_tags
node_pools_metadata = var.node_pools_metadata
node_pools_linux_node_configs_sysctls = var.node_pools_linux_node_configs_sysctls
node_pools_cgroup_mode = var.node_pools_cgroup_mode
node_pools_hugepage_size_2m = var.node_pools_hugepage_size_2m
node_pools_hugepage_size_1g = var.node_pools_hugepage_size_1g
node_pools_taints = var.node_pools_taints
node_pools_tags = var.node_pools_tags

node_pools_oauth_scopes = var.node_pools_oauth_scopes

Expand Down Expand Up @@ -212,6 +217,8 @@ module "gke" {

enable_gcfs = var.enable_gcfs

enable_secret_manager_addon = var.enable_secret_manager_addon

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
18 changes: 18 additions & 0 deletions modules/safer-cluster-update-variant/metadata.display.yaml
Expand Up @@ -106,6 +106,9 @@ spec:
enable_private_endpoint:
name: enable_private_endpoint
title: Enable Private Endpoint
enable_secret_manager_addon:
name: enable_secret_manager_addon
title: Enable Secret Manager Addon
enable_shielded_nodes:
name: enable_shielded_nodes
title: Enable Shielded Nodes
Expand Down Expand Up @@ -208,9 +211,21 @@ spec:
node_pools:
name: node_pools
title: Node Pools
node_pools_cgroup_mode:
name: node_pools_cgroup_mode
title: Node Pools Cgroup Mode
node_pools_hugepage_size_1g:
name: node_pools_hugepage_size_1g
title: Node Pools Hugepage Size 1G
node_pools_hugepage_size_2m:
name: node_pools_hugepage_size_2m
title: Node Pools Hugepage Size 2M
node_pools_labels:
name: node_pools_labels
title: Node Pools Labels
node_pools_linux_node_configs_sysctls:
name: node_pools_linux_node_configs_sysctls
title: Node Pools Linux Node Configs Sysctls
node_pools_metadata:
name: node_pools_metadata
title: Node Pools Metadata
Expand All @@ -220,6 +235,9 @@ spec:
node_pools_resource_labels:
name: node_pools_resource_labels
title: Node Pools Resource Labels
node_pools_resource_manager_tags:
name: node_pools_resource_manager_tags
title: Node Pools Resource Manager Tags
node_pools_tags:
name: node_pools_tags
title: Node Pools Tags
34 changes: 34 additions & 0 deletions modules/safer-cluster-update-variant/metadata.yaml
Expand Up @@ -236,12 +236,42 @@ spec:
defaultValue:
all: {}
default-node-pool: {}
- name: node_pools_resource_manager_tags
description: Map of maps containing resource manager tags by node-pool name
varType: map(map(string))
defaultValue:
all: {}
default-node-pool: {}
- name: node_pools_metadata
description: Map of maps containing node metadata by node-pool name
varType: map(map(string))
defaultValue:
all: {}
default-node-pool: {}
- name: node_pools_linux_node_configs_sysctls
description: Map of maps containing linux node config sysctls by node-pool name
varType: map(map(string))
defaultValue:
all: {}
default-node-pool: {}
- name: node_pools_cgroup_mode
description: Map of strings containing cgroup node config by node-pool name
varType: map(string)
defaultValue:
all: ""
default-node-pool: ""
- name: node_pools_hugepage_size_2m
description: Map of strings containing hugepage size 2m node config by node-pool name
varType: map(string)
defaultValue:
all: ""
default-node-pool: ""
- name: node_pools_hugepage_size_1g
description: Map of strings containing hugepage size 1g config by node-pool name
varType: map(string)
defaultValue:
all: ""
default-node-pool: ""
- name: node_pools_taints
description: Map of lists containing node taints by node-pool name
varType: map(list(object({ key = string, value = string, effect = string })))
Expand Down Expand Up @@ -476,6 +506,10 @@ spec:
description: Enable image streaming on cluster level.
varType: bool
defaultValue: false
- name: enable_secret_manager_addon
description: Enable the Secret Manager add-on for this cluster
varType: bool
defaultValue: false
- name: enable_mesh_certificates
description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity.
varType: bool
60 changes: 60 additions & 0 deletions modules/safer-cluster-update-variant/variables.tf
Expand Up @@ -185,6 +185,16 @@ variable "node_pools_resource_labels" {
}
}

variable "node_pools_resource_manager_tags" {
type = map(map(string))
description = "Map of maps containing resource manager tags by node-pool name"

default = {
all = {}
default-node-pool = {}
}
}

variable "node_pools_metadata" {
type = map(map(string))
description = "Map of maps containing node metadata by node-pool name"
Expand All @@ -195,6 +205,50 @@ variable "node_pools_metadata" {
}
}

variable "node_pools_linux_node_configs_sysctls" {
type = map(map(string))
description = "Map of maps containing linux node config sysctls by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = {}
default-node-pool = {}
}
}

variable "node_pools_cgroup_mode" {
type = map(string)
description = "Map of strings containing cgroup node config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_hugepage_size_2m" {
type = map(string)
description = "Map of strings containing hugepage size 2m node config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_hugepage_size_1g" {
type = map(string)
description = "Map of strings containing hugepage size 1g config by node-pool name"

# Default is being set in variables_defaults.tf
default = {
all = ""
default-node-pool = ""
}
}

variable "node_pools_taints" {
type = map(list(object({ key = string, value = string, effect = string })))
description = "Map of lists containing node taints by node-pool name"
Expand Down Expand Up @@ -540,6 +594,12 @@ variable "enable_gcfs" {
default = false
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
}

variable "enable_mesh_certificates" {
type = bool
default = false
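Review bot: The description of `enable_secret_manager_addon` (`Enable the Secret Manager add-on for this cluster`) says nothing about what the flag exposes: the add-on makes Secret Manager secrets available to pods, and which secrets become readable is decided by the IAM bindings of the identity the workload runs as, not by this variable. For a hardened-profile module that is the detail an operator needs in order to scope access, so I would extend it along the lines of `description = "Enable the Secret Manager add-on for this cluster. The add-on exposes Secret Manager secrets to pods; which secrets are readable is governed by the IAM bindings of each workload's identity, so grant Secret Manager access per workload rather than cluster-wide."`. The `false` default leaves existing clusters unchanged, which is right for this module. The same block exists in autogen/safer-cluster/variables.tf.tmpl, the template this file is generated from, so the wording should change there first or regeneration will overwrite it.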
6 changes: 6 additions & 0 deletions modules/safer-cluster/README.md
Expand Up @@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and
| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
| enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
Expand Down Expand Up @@ -261,10 +262,15 @@ For simplicity, we suggest using `roles/container.admin` and
| network | The VPC network to host the cluster in | `string` | n/a | yes |
| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
| node\_pools | List of maps containing node pools | `list(map(string))` | <pre>[<br> {<br> "name": "default-node-pool"<br> }<br>]</pre> | no |
| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` | <pre>{<br> "all": "",<br> "default-node-pool": ""<br>}</pre> | no |
| node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | <pre>{<br> "all": [<br> "https://www.googleapis.com/auth/cloud-platform"<br> ],<br> "default-node-pool": []<br>}</pre> | no |
| node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br> "all": {},<br> "default-node-pool": {}<br>}</pre> | no |
| node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br> "all": [],<br> "default-node-pool": []<br>}</pre> | no |
| node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br> "all": [],<br> "default-node-pool": []<br>}</pre> | no |
| notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |