From 712c69e92f3dd7e0917f29c6f8e4b553dbeee98a Mon Sep 17 00:00:00 2001 From: Bohdan Yurov Date: Wed, 6 Nov 2019 15:24:07 +0200 Subject: [PATCH 01/25] Fixes #180: Add tests for beta submodules/examples https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/180 Added tests for the beta private cluster. --- .kitchen.yml | 13 ++ build/int.cloudbuild.yaml | 20 ++ examples/simple_regional_beta/README.md | 5 + examples/simple_regional_beta/main.tf | 38 ++-- examples/simple_regional_beta/variables.tf | 33 +++ test/ci/beta-cluster.yml | 18 ++ test/fixtures/beta_cluster/main.tf | 78 +++++++ test/fixtures/beta_cluster/network.tf | 44 ++++ test/fixtures/beta_cluster/outputs.tf | 84 ++++++++ test/fixtures/beta_cluster/variables.tf | 1 + .../beta_cluster/controls/gcloud.rb | 204 ++++++++++++++++++ test/integration/beta_cluster/controls/gcp.rb | 31 +++ test/integration/beta_cluster/inspec.yml | 33 +++ test/setup/iam.tf | 10 + test/setup/main.tf | 2 - 15 files changed, 595 insertions(+), 19 deletions(-) create mode 100644 test/ci/beta-cluster.yml create mode 100644 test/fixtures/beta_cluster/main.tf create mode 100644 test/fixtures/beta_cluster/network.tf create mode 100644 test/fixtures/beta_cluster/outputs.tf create mode 120000 test/fixtures/beta_cluster/variables.tf create mode 100644 test/integration/beta_cluster/controls/gcloud.rb create mode 100644 test/integration/beta_cluster/controls/gcp.rb create mode 100644 test/integration/beta_cluster/inspec.yml diff --git a/.kitchen.yml b/.kitchen.yml index 6e9a7a24d8..10033a8a91 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -155,6 +155,19 @@ suites: systems: - name: workload_metadata_config backend: local + - name: "beta_cluster" + driver: + root_module_directory: test/fixtures/beta_cluster + verifier: + systems: + - name: gcloud + backend: local + controls: + - gcloud + - name: gcp + backend: gcp + controls: + - gcp - name: "deploy_service" driver: root_module_directory: test/fixtures/deploy_service 
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index e78d0eb2ba..6982d474c8 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -244,6 +244,26 @@ steps: - verify workload-metadata-config-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy workload-metadata-config-local'] +- id: create beta-cluster-local + waitFor: + - prepare + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create beta-cluster-local'] +- id: converge beta-cluster-local + waitFor: + - create beta-cluster-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge beta-cluster-local'] +- id: verify beta-cluster-local + waitFor: + - converge beta-cluster-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify beta-cluster-local'] +#- id: destroy beta-cluster-local +# waitFor: +# - verify beta-cluster-local +# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' +# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy beta-cluster-local'] - id: create deploy-service-local waitFor: - prepare diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 72bb221d9f..32bfc8fbfd 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md 
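Review bot: The `destroy beta-cluster-local` step is commented out, so every integration run leaves a live GKE cluster (Istio, Cloud Run, KMS key ring and key) in the shared test project, while every other suite in this file ends with a destroy step. If this is deliberate while the new suite is being debugged, say so and track it, e.g. `# TODO(#180): destroy disabled while debugging the beta suite; re-enable before merge`; otherwise restore the step. Presumably the `kitchen_do` helper would also tear down the fixture's network resources, so leaving this off also leaks the VPC and subnet per run — worth confirming.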
@@ -10,17 +10,22 @@ This example illustrates how to create a simple cluster with beta features. | cloudrun | Boolean to enable / disable CloudRun | string | `"true"` | no | | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | istio | Boolean to enable / disable Istio | string | `"true"` | no | | network | The VPC network to host the cluster in | string | n/a | yes | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | | node\_pools | List of maps containing node pools | list(map(string)) | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | | project\_id | The project ID to host the cluster in | string | n/a | yes | | region | The region to host the cluster in | string | n/a | yes | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) 
| bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | subnetwork | The subnetwork to host the cluster in | string | n/a | yes | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | ## Outputs diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 0863cc51de..55acfaed79 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf 
@@ -24,23 +24,27 @@ provider "google-beta" { } module "gke" { - source = "../../modules/beta-public-cluster/" - project_id = var.project_id - name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" - regional = true - region = var.region - network = var.network - subnetwork = var.subnetwork - ip_range_pods = var.ip_range_pods - ip_range_services = var.ip_range_services - create_service_account = false - service_account = var.compute_engine_service_account - istio = var.istio - cloudrun = var.cloudrun - node_metadata = var.node_metadata - sandbox_enabled = var.sandbox_enabled - remove_default_node_pool = var.remove_default_node_pool - node_pools = var.node_pools + source = "../../modules/beta-public-cluster/" + project_id = var.project_id + name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" + regional = var.regional + region = var.region + zones = var.zones + network = var.network + subnetwork = var.subnetwork + ip_range_pods = var.ip_range_pods + ip_range_services = var.ip_range_services + create_service_account = var.compute_engine_service_account == "create" + service_account = var.compute_engine_service_account + istio = var.istio + cloudrun = var.cloudrun + node_metadata = var.node_metadata + sandbox_enabled = var.sandbox_enabled + remove_default_node_pool = var.remove_default_node_pool + node_pools = var.node_pools + database_encryption = var.database_encryption + enable_binary_authorization = var.enable_binary_authorization + pod_security_policy_config = var.pod_security_policy_config } data "google_client_config" "default" { diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index ed16642774..58e1ae7433 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf 
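Review bot: `create_service_account = var.compute_engine_service_account == "create"` introduces an undocumented magic value: the README row for `compute_engine_service_account` still reads "Service account to associate to the nodes in the cluster" and marks it required, so a reader has no way to know the literal `"create"` switches the module into creating its own node SA, and that same literal is still passed through as `service_account` on the next line. Document the sentinel where the variable is declared, e.g. `description = "Service account to associate to the nodes in the cluster, or the literal \"create\" to have the module create a dedicated node service account."`. I assume the module ignores `service_account` when `create_service_account` is true — worth confirming against the module, since otherwise `"create"` reaches the node config.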
@@ -85,3 +85,36 @@ variable "node_pools" { }, ] } + +variable "database_encryption" { + description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." + type = list(object({ state = string, key_name = string })) + default = [{ + state = "DECRYPTED" + key_name = "" + }] +} + +variable "enable_binary_authorization" { + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + default = [{ + "enabled" = false + }] +} + +variable "zones" { + type = list(string) + description = "The zones to host the cluster in (optional if regional cluster / required if zonal)" + default = [] +} + +variable "regional" { + type = bool + description = "Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!)" + default = true +} diff --git a/test/ci/beta-cluster.yml b/test/ci/beta-cluster.yml new file mode 100644 index 0000000000..dd4ce29302 --- /dev/null +++ b/test/ci/beta-cluster.yml @@ -0,0 +1,18 @@ +--- + +platform: linux + +inputs: +- name: pull-request + path: terraform-google-kubernetes-engine + +run: + path: make + args: ['test_integration'] + dir: terraform-google-kubernetes-engine + +params: + SUITE: "beta-cluster-local" + COMPUTE_ENGINE_SERVICE_ACCOUNT: "" + REGION: "us-east4" + ZONES: '["us-east4-a", "us-east4-b", "us-east4-c"]' diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf new file mode 100644 index 0000000000..4431b715f3 --- /dev/null +++ b/test/fixtures/beta_cluster/main.tf 
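Review bot: `enable_binary_authorization` and `pod_security_policy_config` are declared without a `type`, unlike the neighbouring `database_encryption`, `zones` and `regional`, so a string `"false"` or a bare map is accepted silently and only fails (or is coerced) inside the module; add `type = bool` and `type = list(object({ enabled = bool }))`. The `database_encryption` description says "The object format is {state = string, key_name = string}" while the type is a list of that object — reword to "a single-element list of {state = string, key_name = string}" so callers do not pass a bare object. A `default` of `DECRYPTED` is the permissive setting; a short note that production callers should supply a KMS key would stop the example being copied as-is.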
@@ -0,0 +1,78 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +provider "google" { + version = "~> 2.18.0" + project = var.project_id + region = var.region +} + +provider "google-beta" { + version = "~> 2.18.0" + project = var.project_id + region = var.region +} + +locals { + name = "beta-cluster-${random_string.suffix.result}" +} + +resource "google_kms_key_ring" "db" { + location = var.region + name = "${local.name}-db" +} + +resource "google_kms_crypto_key" "db" { + name = local.name + key_ring = google_kms_key_ring.db.self_link +} + +module "this" { + source = "../../../examples/simple_regional_beta" + + cluster_name_suffix = "-${random_string.suffix.result}" + project_id = var.project_id + regional = false + region = var.region + zones = slice(var.zones, 0, 1) + network = google_compute_network.main.name + subnetwork = google_compute_subnetwork.main.name + ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name + ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name + compute_engine_service_account = "create" + + // Beta features + istio = true + + database_encryption = [{ + state = "ENCRYPTED" + key_name = google_kms_crypto_key.db.self_link + }] + + cloudrun = true + + enable_binary_authorization = true + + pod_security_policy_config = [{ + enabled = true + }] + + node_metadata = "EXPOSE" +} + +data "google_client_config" "default" { +} 
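Review bot: `node_metadata = "EXPOSE"` disables GKE metadata concealment, letting any pod on the node read the instance metadata server (including the node service-account token and bootstrap kube-env), which is the opposite of the example's `SECURE` default and of every other hardening feature this fixture turns on (BinAuthZ, PSP, CMEK). If the intent is to exercise the non-default path, say so on the line so the fixture is not copied as a reference: `node_metadata = "EXPOSE" # intentionally least-secure value to test the non-default path; do not copy`. Separately, `google_kms_key_ring.db` is named with the random suffix and key rings cannot be deleted from Cloud KMS, so each run leaves a ring (and a non-deletable key) in the test project — at minimum a comment above the resource should note that they accumulate. The `Copyright 2018` header on a file created in this 2019 patch also looks copied.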
diff --git a/test/fixtures/beta_cluster/network.tf b/test/fixtures/beta_cluster/network.tf new file mode 100644 index 0000000000..0a3f091958 --- /dev/null +++ b/test/fixtures/beta_cluster/network.tf @@ -0,0 +1,44 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +resource "google_compute_network" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = var.region + network = google_compute_network.main.self_link + + secondary_ip_range { + range_name = "cft-gke-test-pods-${random_string.suffix.result}" + ip_cidr_range = "192.168.0.0/18" + } + + secondary_ip_range { + range_name = "cft-gke-test-services-${random_string.suffix.result}" + ip_cidr_range = "192.168.64.0/18" + } +} + diff --git a/test/fixtures/beta_cluster/outputs.tf b/test/fixtures/beta_cluster/outputs.tf new file mode 100644 index 0000000000..da60cf87cf --- /dev/null +++ b/test/fixtures/beta_cluster/outputs.tf 
@@ -0,0 +1,84 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + value = var.project_id +} + +output "region" { + value = module.this.region +} + +output "cluster_name" { + description = "Cluster name" + value = module.this.cluster_name +} + +output "network" { + value = google_compute_network.main.name +} + +output "subnetwork" { + value = google_compute_subnetwork.main.name +} + +output "location" { + value = module.this.location +} + +output "ip_range_pods" { + description = "The secondary IP range used for pods" + value = google_compute_subnetwork.main.secondary_ip_range[0].range_name +} + +output "ip_range_services" { + description = "The secondary IP range used for services" + value = google_compute_subnetwork.main.secondary_ip_range[1].range_name +} + +output "zones" { + description = "List of zones in which the cluster resides" + value = module.this.zones +} + +output "master_kubernetes_version" { + description = "The master Kubernetes version" + value = module.this.master_kubernetes_version +} + +output "kubernetes_endpoint" { + sensitive = true + value = module.this.kubernetes_endpoint +} + +output "client_token" { + sensitive = true + value = base64encode(data.google_client_config.default.access_token) +} + +output "ca_certificate" { + description = "The cluster CA certificate" + value = module.this.ca_certificate +} + +output "service_account" { + description = "The service 
account to default running nodes as if not overridden in `node_pools`." + value = module.this.service_account +} + +output "database_encryption_key_name" { + value = google_kms_crypto_key.db.self_link +} diff --git a/test/fixtures/beta_cluster/variables.tf b/test/fixtures/beta_cluster/variables.tf new file mode 120000 index 0000000000..c28fc18c01 --- /dev/null +++ b/test/fixtures/beta_cluster/variables.tf @@ -0,0 +1 @@ +../deploy_service/variables.tf \ No newline at end of file diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb new file mode 100644 index 0000000000..455a81cb61 --- /dev/null +++ b/test/integration/beta_cluster/controls/gcloud.rb 
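Review bot: `client_token` writes `base64encode(data.google_client_config.default.access_token)` to the fixture outputs; `sensitive = true` only suppresses CLI display, and base64 is encoding, not protection, so the live OAuth token of the CI identity is persisted in Terraform state and in the kitchen attribute files, while neither control in this patch (`gcloud.rb`, `gcp.rb`) reads the attribute. If it is not needed, drop the output together with `kubernetes_endpoint`; if it is kept for parity with sibling fixtures (which seems likely), add `# CI identity's access token, persisted in state — base64 is not protection` so it is not mistaken for a safe pattern. `ca_certificate` being non-sensitive is fine, as it is public material.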
@@ -0,0 +1,204 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +location = attribute('location') +cluster_name = attribute('cluster_name') +service_account = attribute('service_account') + +control "gcloud" do + title "Google Compute Engine GKE configuration" + describe command("gcloud beta --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "cluster" do + it "is running" do + expect(data['status']).to eq 'RUNNING' + end + + it "is zonal" do + expect(data['location']).to match(/^(.*)[1-9]-[a-z]$/) + end + + it "is single zoned" do + expect(data['locations'].size).to eq 1 + end + + it "uses public nodes and master endpoint" do + expect(data['privateClusterConfig']).to eq nil + end + + it "has the expected addon settings" do + expect(data['addonsConfig']).to eq({ + "horizontalPodAutoscaling" => {}, + "httpLoadBalancing" => {}, + "kubernetesDashboard" => { + "disabled" => true, + }, + "networkPolicyConfig" => { + "disabled" => true, + }, + "istioConfig" => {}, + "cloudRunConfig" => {}, + }) + end + + it "has the expected binaryAuthorization config" do + expect(data['binaryAuthorization']).to eq({ + "enabled" => true, + }) + end + + it "has the expected nodeMetadata 
conseal config" do + expect(data['nodeConfig']['workloadMetadataConfig']).to eq({ + "nodeMetadata" => 'EXPOSE', + }) + end + + it "has the expected podSecurityPolicyConfig config" do + expect(data['podSecurityPolicyConfig']).to eq({ + "enabled" => true, + }) + end + + it "has the expected databaseEncryption config" do + expect(data['databaseEncryption']).to eq({ + "state" => 'ENCRYPTED', + "keyName" => attribute('database_encryption_key_name'), + }) + end + end + + describe "default node pool" do + let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } + + it "has no initial node count" do + expect(default_node_pool['initialNodeCount']).to eq nil + end + + it "does not have autoscaling enabled" do + expect(default_node_pool['autoscaling']).to eq nil + end + end + + describe "node pool" do + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } + + it "uses an automatically created service account" do + expect(node_pools).to include( + including( + "config" => including( + "serviceAccount" => service_account, + ), + ), + ) + end + + it "has autoscaling enabled" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "enabled" => true, + ), + ) + ) + end + + it "has the expected minimum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "minNodeCount" => 1, + ), + ) + ) + end + + it "has the expected maximum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "maxNodeCount" => 100, + ), + ) + ) + end + + it "is the expected machine type" do + expect(node_pools).to include( + including( + "config" => including( + "machineType" => "n1-standard-2", + ), + ) + ) + end + + it "has the expected disk size" do + expect(node_pools).to include( + including( + "config" => including( + "diskSizeGb" => 100, + ), + ) + ) + end + + it "has the expected labels" do + expect(node_pools).to include( + including( 
+ "config" => including( + "labels" => including( + "cluster_name" => cluster_name, + "node_pool" => "default-node-pool", + ), + ), + ) + ) + end + + it "has the expected network tags" do + expect(node_pools).to include( + including( + "config" => including( + "tags" => match_array([ + "gke-#{cluster_name}", + "gke-#{cluster_name}-default-node-pool", + ]), + ), + ) + ) + end + + it "has autorepair enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoRepair" => true, + ), + ) + ) + end + end + end +end diff --git a/test/integration/beta_cluster/controls/gcp.rb b/test/integration/beta_cluster/controls/gcp.rb new file mode 100644 index 0000000000..6e9ade64ff --- /dev/null +++ b/test/integration/beta_cluster/controls/gcp.rb @@ -0,0 +1,31 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +control "gcp" do + title "Native InSpec Resources" + + service_account = attribute("service_account") + project_id = attribute("project_id") + + if service_account.start_with? "projects/" + service_account_name = service_account + else + service_account_name = "projects/#{project_id}/serviceAccounts/#{service_account}" + end + + describe google_service_account name: service_account_name do + its("display_name") { should eq "Terraform-managed service account for cluster #{attribute("cluster_name")}" } + its("project_id") { should eq project_id } + end +end 
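Review bot: When the `gcloud ... describe` command fails, `let!(:data)` falls back to `{}` and every example then dies with `NoMethodError` (`data['nodePools'].select` on nil, `data['locations'].size` on nil) instead of the single exit-status failure, burying the real error. Guard the collections: `let(:default_node_pool) { (data['nodePools'] || []).find { |p| p['name'] == "default-pool" } }`, `let(:node_pools) { (data['nodePools'] || []).reject { |p| p['name'] == "default-pool" } }`, and `expect(Array(data['locations']).size).to eq 1`. `its(:stderr) { should eq '' }` will also fail on any `gcloud beta` update or deprecation notice (hedged: depends on the CI image pinning). The `binaryAuthorization` example only asserts the admission controller is on, not that a non-default policy exists; a comment `# only checks the controller is enabled; policy content is the project's concern, not the module's` keeps that from being over-read.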
diff --git a/test/integration/beta_cluster/inspec.yml b/test/integration/beta_cluster/inspec.yml new file mode 100644 index 0000000000..66062ea35d --- /dev/null +++ b/test/integration/beta_cluster/inspec.yml @@ -0,0 +1,33 @@ +name: beta_cluster +depends: + - name: inspec-gcp + git: https://github.com/inspec/inspec-gcp.git + tag: v0.10.0 +attributes: + - name: project_id + required: true + type: string + - name: location + required: true + type: string + - name: cluster_name + required: true + type: string + - name: master_kubernetes_version + required: true + type: string + - name: kubernetes_endpoint + required: true + type: string + - name: client_token + required: true + type: string + - name: service_account + required: true + type: string + - name: service_account + required: true + type: string + - name: database_encryption_key_name + required: true + type: string diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 7ff4de74bc..a06a490c24 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -16,6 +16,7 @@ locals { int_required_roles = [ + "roles/cloudkms.admin", "roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/compute.networkAdmin", "roles/container.admin", @@ -58,3 +59,12 @@ resource "google_project_iam_member" "int_test" { resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } + +resource "google_project_iam_binding" "kubernetes_engine_kms_access" { + project = module.gke-project.project_id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + members = [ + "serviceAccount:service-${module.gke-project.project_number}@container-engine-robot.iam.gserviceaccount.com", + ] +} diff --git a/test/setup/main.tf b/test/setup/main.tf index 70e10c46a3..f974c7408e 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
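Review bot: `service_account` is declared twice in the `attributes` list; drop the second copy. `master_kubernetes_version`, `kubernetes_endpoint` and `client_token` are marked `required: true` but neither control in this patch reads them — presumably kept for parity with the other profiles, in which case a one-line comment saying so would stop the next reader from hunting for the consumer.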
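Review bot: `google_project_iam_binding.kubernetes_engine_kms_access` is authoritative for `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the project, yet the same role is granted to the int-test service account through `google_project_iam_member.int_test` via the `int_required_roles` list in the hunk just above, so the two resources will fight on every apply (the binding strips the test SA, the member re-adds it) and the binding also removes any other principal already holding that role in the project. Use the additive form: `resource "google_project_iam_member" "kubernetes_engine_kms_access" {` with `member = "serviceAccount:service-${module.gke-project.project_number}@container-engine-robot.iam.gserviceaccount.com"`. Granting the GKE service agent encrypter/decrypter project-wide (plus `roles/cloudkms.admin` to the test SA) is broader than the single test key needs; a per-key `google_kms_crypto_key_iam_member` in the fixture would be tighter, though since the key is created there this project-level grant may be a deliberate bootstrap — say so in a comment either way.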
@@ -24,8 +24,6 @@ module "gke-project" { folder_id = var.folder_id billing_account = var.billing_account - auto_create_network = true - activate_apis = [ "bigquery-json.googleapis.com", "cloudkms.googleapis.com", From 0fa8e57a02da0e17a0ad94cdc517a474822327e5 Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Thu, 28 Nov 2019 13:31:43 -0600 Subject: [PATCH 02/25] enable network_policy by default, fix examples --- README.md | 2 +- autogen/variables.tf.tmpl | 2 +- examples/stub_domains/main.tf | 1 - examples/stub_domains_private/main.tf | 1 - examples/stub_domains_upstream_nameservers/main.tf | 1 - examples/upstream_nameservers/main.tf | 1 - modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/variables.tf | 2 +- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- variables.tf | 2 +- 17 files changed, 13 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 1cebf678c5..1112b0b348 100644 --- a/README.md +++ b/README.md 
@@ -153,7 +153,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"false"` | no | +| network\_policy | Enable network policy addon | bool | `"true"` | no | | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list(map(string)) | `` | no | diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl index 3295199e48..9a94ee8c66 100644 --- a/autogen/variables.tf.tmpl +++ b/autogen/variables.tf.tmpl @@ -99,7 +99,7 @@ variable "http_load_balancing" { variable "network_policy" { type = bool description = "Enable network policy addon" - default = false + default = true } variable "network_policy_provider" { diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index b81dc0cf8c..90ffd97687 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -32,7 +32,6 @@ module "gke" { subnetwork = var.subnetwork ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services - network_policy = true service_account = var.compute_engine_service_account create_service_account = false 
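Review bot: Flipping the `network_policy` default to `true` in `autogen/variables.tf.tmpl` silently changes behaviour for every existing caller that relied on the old default, and enabling the network-policy addon on an existing cluster triggers a node-pool rebuild (hedged: current GKE behaviour), so this needs an upgrade note rather than only the regenerated README tables. Extend the description: `description = "Enable network policy addon. WARNING: toggling this on an existing cluster recreates its node pools."`. It also means `network_policy_provider = "CALICO"` now takes effect by default, which the README table does not call out.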
diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index b263922b2a..31b3d7aec5 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -49,7 +49,6 @@ module "gke" { master_ipv4_cidr_block = "172.16.0.0/28" - network_policy = true create_service_account = false service_account = var.compute_engine_service_account diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 4b7448b7e8..009de87950 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -32,7 +32,6 @@ module "gke" { subnetwork = var.subnetwork ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services - network_policy = true create_service_account = false service_account = var.compute_engine_service_account diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 784e8a0cd3..26895f32eb 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -32,7 +32,6 @@ module "gke" { subnetwork = var.subnetwork ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services - network_policy = true create_service_account = false service_account = var.compute_engine_service_account diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 6df69df5bd..3577bac930 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -176,7 +176,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"false"` | no | +| network\_policy | Enable network policy addon | bool | `"true"` | no | | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 62c47d002d..da7c358427 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -99,7 +99,7 @@ variable "http_load_balancing" { variable "network_policy" { type = bool description = "Enable network policy addon" - default = false + default = true } variable "network_policy_provider" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index b03a4ea921..8a799ccd3f 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -176,7 +176,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no | | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"false"` | no | +| network\_policy | Enable network policy addon | bool | `"true"` | no | | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 62c47d002d..da7c358427 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -99,7 +99,7 @@ variable "http_load_balancing" { variable "network_policy" { type = bool description = "Enable network policy addon" - default = false + default = true } variable "network_policy_provider" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index b6ab1f39d3..f2df9a497f 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -167,7 +167,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
 | name | The name of the cluster (required) | string | n/a | yes |
 | network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | bool | `"false"` | no |
+| network\_policy | Enable network policy addon | bool | `"true"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 1a1b9c54b4..3b20891262 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = false
+ default = true
 }
 
 variable "network_policy_provider" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 8d26153072..e143917f25 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -162,7 +162,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
 | name | The name of the cluster (required) | string | n/a | yes |
 | network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | bool | `"false"` | no |
+| network\_policy | Enable network policy addon | bool | `"true"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 9c75edb5ec..ff98b283b0 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = false
+ default = true
 }
 
 variable "network_policy_provider" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 60fbe8de76..eed365a5c4 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -162,7 +162,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
 | name | The name of the cluster (required) | string | n/a | yes |
 | network | The VPC network to host the cluster in (required) | string | n/a | yes |
-| network\_policy | Enable network policy addon | bool | `"false"` | no |
+| network\_policy | Enable network policy addon | bool | `"true"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 9c75edb5ec..ff98b283b0 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = false
+ default = true
 }
 
 variable "network_policy_provider" {
diff --git a/variables.tf b/variables.tf
index 904cd6ddab..9c420fb423 100644
--- a/variables.tf
+++ b/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = false
+ default = true
 }
 
 variable "network_policy_provider" {
From 27a09f77005953722af7af002da53d2b1ca87429 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Thu, 28 Nov 2019 13:58:41 -0600
Subject: [PATCH 03/25] check for network policy enabled instead of disabled in kitchen tests

---
 .../private_zonal_with_networking/controls/gcloud.rb | 4 +---
 test/integration/sandbox_enabled/controls/gcloud.rb | 4 +---
 test/integration/simple_regional/controls/gcloud.rb | 4 +---
 test/integration/simple_regional_private/controls/gcloud.rb | 4 +---
 .../simple_regional_with_networking/controls/gcloud.rb | 4 +---
 test/integration/simple_zonal/controls/gcloud.rb | 4 +---
 test/integration/simple_zonal_private/controls/gcloud.rb | 4 +---
 7 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/test/integration/private_zonal_with_networking/controls/gcloud.rb b/test/integration/private_zonal_with_networking/controls/gcloud.rb
index adaf6fd646..6e24b1142c 100644
--- a/test/integration/private_zonal_with_networking/controls/gcloud.rb
+++ b/test/integration/private_zonal_with_networking/controls/gcloud.rb
@@ -58,9 +58,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/sandbox_enabled/controls/gcloud.rb b/test/integration/sandbox_enabled/controls/gcloud.rb
index eb0ffdaf46..a5b785e725 100644
--- a/test/integration/sandbox_enabled/controls/gcloud.rb
+++ b/test/integration/sandbox_enabled/controls/gcloud.rb
@@ -50,9 +50,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index e6bbcfc047..0f47490d40 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
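Review bot: `"networkPolicyConfig" => {}` in the private_zonal_with_networking hunk asserts only that the addon block no longer carries `"disabled" => true`; it passes because the describe output omits false-valued fields, which is a serialization artefact rather than a positive check that the policy is enabled, and it would pass just the same if the addon were absent from the response. Since the commit's stated intent is to check for "enabled", the cluster's top-level `networkPolicy` field (`enabled` and `provider`) is what actually proves it; a second expectation on the parsed cluster hash along the lines of `expect(cluster['networkPolicy']).to include('enabled' => true, 'provider' => 'CALICO')` would pin that down — the name of the variable holding the hash is outside the hunk, so take it from the enclosing `describe`. The same applies to the sandbox_enabled hunk below and to the simple_regional, simple_regional_private, simple_regional_with_networking, simple_zonal and simple_zonal_private hunks on the following lines, and again to test/integration/beta_cluster/controls/gcloud.rb in PATCH 08/25. The enclosing `it` and `describe` blocks start outside the hunk.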
@@ -50,9 +50,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/simple_regional_private/controls/gcloud.rb b/test/integration/simple_regional_private/controls/gcloud.rb
index b15dafcd02..b86834a2a2 100644
--- a/test/integration/simple_regional_private/controls/gcloud.rb
+++ b/test/integration/simple_regional_private/controls/gcloud.rb
@@ -54,9 +54,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/simple_regional_with_networking/controls/gcloud.rb b/test/integration/simple_regional_with_networking/controls/gcloud.rb
index e6bbcfc047..0f47490d40 100644
--- a/test/integration/simple_regional_with_networking/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_networking/controls/gcloud.rb
@@ -50,9 +50,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/simple_zonal/controls/gcloud.rb b/test/integration/simple_zonal/controls/gcloud.rb
index c2e72936b0..058ed9ba53 100644
--- a/test/integration/simple_zonal/controls/gcloud.rb
+++ b/test/integration/simple_zonal/controls/gcloud.rb
@@ -55,9 +55,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
diff --git a/test/integration/simple_zonal_private/controls/gcloud.rb b/test/integration/simple_zonal_private/controls/gcloud.rb
index 9968affcb6..653c11bb0c 100644
--- a/test/integration/simple_zonal_private/controls/gcloud.rb
+++ b/test/integration/simple_zonal_private/controls/gcloud.rb
@@ -58,9 +58,7 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {
- "disabled" => true,
- },
+ "networkPolicyConfig" => {},
 })
 end
 end
From bfe328d0c1443b7286457c429346b81246807e58 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Thu, 28 Nov 2019 12:20:07 -0500
Subject: [PATCH 04/25] Remove upgrade notes from CHANGELOG

This content of this section is incomplete (missing 5.0.0) and redundant with the CHANGELOG.
---
 README.md | 19 -------------
 autogen/README.md | 27 -------------------
 .../README.md | 19 -------------
 modules/beta-private-cluster/README.md | 19 -------------
 modules/beta-public-cluster/README.md | 19 -------------
 .../private-cluster-update-variant/README.md | 19 -------------
 modules/private-cluster/README.md | 19 -------------
 7 files changed, 141 deletions(-)

diff --git a/README.md b/README.md
index 1112b0b348..9e0bdc76d8 100644
--- a/README.md
+++ b/README.md
@@ -108,22 +108,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -251,9 +235,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: docs/upgrading_to_v3.0.md
 [terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/autogen/README.md b/autogen/README.md
index c8e956a76e..71f0f6d986 100644
--- a/autogen/README.md
+++ b/autogen/README.md
@@ -125,22 +125,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
@@ -199,17 +183,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-{% if private_cluster %}
-[upgrading-to-v2.0]: ../../docs/upgrading_to_v2.0.md
-{% else %}
-[upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
-{% endif %}
-{% if private_cluster or beta_cluster %}
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
-{% else %}
-[upgrading-to-v3.0]: docs/upgrading_to_v3.0.md
-{% endif %}
 {% if beta_cluster %}
 [terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
 {% else %}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 3577bac930..5ef2738358 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -116,22 +116,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -287,9 +271,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: ../../docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
 [terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 8a799ccd3f..6794e9bf64 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -116,22 +116,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -287,9 +271,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: ../../docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
 [terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index f2df9a497f..7fbc72a36f 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -111,22 +111,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -278,9 +262,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
 [terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index e143917f25..7732c5b000 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -113,22 +113,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -260,9 +244,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: ../../docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
 [terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index eed365a5c4..ddfaa0199d 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -113,22 +113,6 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
-## Upgrade to v3.0.0
-
-v3.0.0 is a breaking release. Refer to the
-[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
-
-## Upgrade to v2.0.0
-
-v2.0.0 is a breaking release. Refer to the
-[Upgrading to v2.0 guide][upgrading-to-v2.0] for details.
-
-## Upgrade to v1.0.0
-
-Version 1.0.0 of this module introduces a breaking change: adding the `disable-legacy-endpoints` metadata field to all node pools. This metadata is required by GKE and [determines whether the `/0.1/` and `/v1beta1/` paths are available in the nodes' metadata server](https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis). If your applications do not require access to the node's metadata server, you can leave the default value of `true` provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to `false` to allow your applications access to the above metadata server paths.
-
-In either case, upgrading to module version `v1.0.0` will trigger a recreation of all node pools in the cluster.
-
 ## Inputs
@@ -260,9 +244,6 @@ The project has the following folders and files:
 - /README.MD: This file.
 - /modules: Private and beta sub modules.
-
-[upgrading-to-v2.0]: ../../docs/upgrading_to_v2.0.md
-[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
 [terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google
 [3.0.0]: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/3.0.0
 [terraform-0.12-upgrade]: https://www.terraform.io/upgrade-guides/0-12.html
From e04e2498a27d7c3b89b6830fb827633eee38e420 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Thu, 28 Nov 2019 12:23:30 -0500
Subject: [PATCH 05/25] Add #354, 6.0.0 to CHANGELOG

---
 CHANGELOG.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index aca3cd5f8a..b2f2d2ec67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
+## [v6.0.0] - 2019-11-28
+
+v6.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v6.0.md).
+
 ### Added
 * Support for Shielded Nodes beta feature via `enabled_shielded_nodes` variable. [#300]
@@ -23,6 +27,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 * `private_zonal_with_networking` example. [#308]
 * `regional_private_node_pool_oauth_scopes` example. [#321]
 * The `cluster_autoscaling` variable for beta submodules. [#93]
+* The `master_authorized_networks` variable. [#354]
 ### Changed
@@ -34,6 +39,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 * **Breaking**: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. [#337]
 * **Beaking**: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. [#261]
+* **Breaking**: Removed the `master_authorized_networks_config` variable. [#354]
 ### Fixed
@@ -236,7 +242,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 * Initial release of module.
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...HEAD
+[v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...v6.0.0
 [v5.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...v5.2.0
 [v5.1.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v5.1.1
 [v5.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.0.0...v5.1.0
@@ -254,6 +261,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
+[#354]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/354
 [#350]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/350
 [#340]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/340
 [#339]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/339
From 2dc001c51b9f9bae2bbef6b20bab588bda88414f Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Fri, 29 Nov 2019 10:47:30 -0500
Subject: [PATCH 06/25] Add #138 to CHANGELOG

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2f2d2ec67..9f60301859 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ v6.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d
 * The `node_pool_labels`, `node_pool_tags`, and `node_pool_taints` variables have defaults and can be overridden within the `node_pools` object. [#3]
 * `upstream_nameservers` variable is typed as a list of strings. [#350]
+* The `network_policy` variable defaults to `true`. [#138]
 ### Removed
@@ -315,6 +316,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 [#151]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/151
 [#149]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/149
 [#148]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/148
+[#136]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/138
 [#136]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/136
 [#132]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/132
 [#124]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/124
From 101604ab4b477d2cfdfa57f2f3dee949b0ef3bb3 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Fri, 29 Nov 2019 12:01:57 -0500
Subject: [PATCH 07/25] Update beta_cluster project configuration

---
 test/fixtures/beta_cluster/main.tf | 19 ++++---------------
 test/fixtures/beta_cluster/network.tf | 3 ++-
 test/fixtures/beta_cluster/outputs.tf | 2 +-
 test/setup/iam.tf | 4 ++--
 4 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf
index 4431b715f3..58941b7f69 100644
--- a/test/fixtures/beta_cluster/main.tf
+++ b/test/fixtures/beta_cluster/main.tf
@@ -14,26 +14,15 @@
 * limitations under the License.
 */
-
-provider "google" {
- version = "~> 2.18.0"
- project = var.project_id
- region = var.region
-}
-
-provider "google-beta" {
- version = "~> 2.18.0"
- project = var.project_id
- region = var.region
-}
-
 locals {
- name = "beta-cluster-${random_string.suffix.result}"
+ name = "beta-cluster-${random_string.suffix.result}"
+ project_id = var.project_ids[0]
 }
 
 resource "google_kms_key_ring" "db" {
 location = var.region
 name = "${local.name}-db"
+ project = local.project_id
 }
 
 resource "google_kms_crypto_key" "db" {
@@ -45,7 +34,7 @@ module "this" {
 source = "../../../examples/simple_regional_beta"
 cluster_name_suffix = "-${random_string.suffix.result}"
- project_id = var.project_id
+ project_id = local.project_id
 regional = false
 region = var.region
 zones = slice(var.zones, 0, 1)
diff --git a/test/fixtures/beta_cluster/network.tf b/test/fixtures/beta_cluster/network.tf
index 0a3f091958..c173435cbe 100644
--- a/test/fixtures/beta_cluster/network.tf
+++ b/test/fixtures/beta_cluster/network.tf
@@ -23,6 +23,7 @@ resource "random_string" "suffix" {
 resource "google_compute_network" "main" {
 name = "cft-gke-test-${random_string.suffix.result}"
 auto_create_subnetworks = false
+ project = local.project_id
 }
 
 resource "google_compute_subnetwork" "main" {
@@ -30,6 +31,7 @@ resource "google_compute_subnetwork" "main" {
 ip_cidr_range = "10.0.0.0/17"
 region = var.region
 network = google_compute_network.main.self_link
+ project = local.project_id
 
 secondary_ip_range {
 range_name = "cft-gke-test-pods-${random_string.suffix.result}"
@@ -41,4 +43,3 @@ resource "google_compute_subnetwork" "main" {
 ip_cidr_range = "192.168.64.0/18"
 }
 }
-
diff --git a/test/fixtures/beta_cluster/outputs.tf b/test/fixtures/beta_cluster/outputs.tf
index da60cf87cf..f2d5730ec1 100644
--- a/test/fixtures/beta_cluster/outputs.tf
+++ b/test/fixtures/beta_cluster/outputs.tf
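Review bot: `project_id = var.project_ids[0]` in the `locals` block of the first main.tf hunk picks the first test project with nothing saying why that index, while the iam.tf hunk in the same commit grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` to the GKE service agent of `module.gke-project-1` only; the fixture therefore depends on element 0 of `project_ids` and `gke-project-1` being the same project, and if they ever diverge the cluster will not be able to use the `google_kms_key_ring` created here. A comment on the locals line would make that coupling visible, e.g. `# Must be the project whose GKE service agent is granted KMS access in test/setup/iam.tf (gke-project-1).`. With both provider blocks removed, every resource in the fixture now has to carry `project` explicitly; the hunk does so for the key ring, the network and the subnetwork, and `google_kms_crypto_key "db"` (which starts at the hunk's last line with its body outside the view) presumably inherits the project from its key ring, which is worth confirming.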
@@ -15,7 +15,7 @@ */ output "project_id" { - value = var.project_id + value = local.project_id } output "region" { diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 4bf09d5eb5..8685b9af5c 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -75,10 +75,10 @@ resource "google_service_account_key" "int_test" { } resource "google_project_iam_binding" "kubernetes_engine_kms_access" { - project = module.gke-project.project_id + project = module.gke-project-1.project_id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" members = [ - "serviceAccount:service-${module.gke-project.project_number}@container-engine-robot.iam.gserviceaccount.com", + "serviceAccount:service-${module.gke-project-1.project_number}@container-engine-robot.iam.gserviceaccount.com", ] } From 10777ff38b221df569c66488691d2b5c127bf548 Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Fri, 29 Nov 2019 12:47:33 -0500 Subject: [PATCH 08/25] Fix check for network policy config --- test/integration/beta_cluster/controls/gcloud.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb index 455a81cb61..032be9601a 100644 --- a/test/integration/beta_cluster/controls/gcloud.rb +++ b/test/integration/beta_cluster/controls/gcloud.rb @@ -55,9 +55,7 @@ "kubernetesDashboard" => { "disabled" => true, }, - "networkPolicyConfig" => { - "disabled" => true, - }, + "networkPolicyConfig" => {}, "istioConfig" => {}, "cloudRunConfig" => {}, }) From 2635557cd7581c38b2bca4675b6afcf5167a8eab Mon Sep 17 00:00:00 2001 
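Review bot: `google_project_iam_binding` is authoritative for `roles/cloudkms.cryptoKeyEncrypterDecrypter` on `module.gke-project-1.project_id`, so each apply of the setup removes any other member holding that role in the project, and the GKE service agent is granted decrypt on every key in the project rather than only the key the beta fixture creates. If nothing else in that test project needs the role, the non-authoritative form is the smaller change: `resource "google_project_iam_member" "kubernetes_engine_kms_access"` with a single `member = "serviceAccount:service-${module.gke-project-1.project_number}@container-engine-robot.iam.gserviceaccount.com"`; scoping the grant to the key with `google_kms_crypto_key_iam_member` would mean moving it into the fixture next to `google_kms_crypto_key.db`. Pointing the binding at `gke-project-1` looks consistent with the fixture's `var.project_ids[0]`, assuming that list is ordered the same way.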
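Review bot: `"networkPolicyConfig" => {}` only checks that the Calico addon is not marked `disabled` in `addonsConfig`; it does not verify that network policy enforcement is actually on for the cluster. Given the changelog entry that `network_policy` now defaults to `true`, the control would be stronger with an assertion on the cluster-level field as well, e.g. `expect(data['networkPolicy']).to eq({"enabled" => true, "provider" => "CALICO"})` (using whichever local holds the parsed describe output, and assuming the fixture keeps the module's default provider). The `describe` block this hash belongs to starts outside the hunk.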
From: Morgante Pell Date: Thu, 14 Nov 2019 14:19:24 -0500 Subject: [PATCH 09/25] Add more detailed documentation for private cluster connectivity. --- autogen/README.md | 13 +++++++++++-- .../beta-private-cluster-update-variant/README.md | 11 ++++++++++- modules/beta-private-cluster/README.md | 11 ++++++++++- modules/private-cluster-update-variant/README.md | 11 ++++++++++- modules/private-cluster/README.md | 11 ++++++++++- 5 files changed, 51 insertions(+), 6 deletions(-) diff --git a/autogen/README.md b/autogen/README.md index c8e956a76e..03179b90d7 100644 --- a/autogen/README.md +++ b/autogen/README.md 
@@ -12,9 +12,18 @@ The resources/services/activations/deletions that this module will create/trigge Sub modules are provided from creating private clusters, beta private clusters, and beta public clusters as well. Beta sub modules allow for the use of various GKE beta features. See the modules directory for the various sub modules. {% if private_cluster %} -**Note**: You must run Terraform from a VM on the same VPC as your cluster, otherwise there will be issues connecting to the GKE master. +## Private Cluster Endpoints +When creating a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), nodes are provisioned with private IPs. +The Kubernetes master endpoint is also [locked down](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints), which affects these module features: +- `configure_ip_masq` +- `stub_domains` - {% endif %} +If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. +If you are using these features with a private cluster, you will need to either: +1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. +2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. + +{% endif %} ## Compatibility diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3577bac930..c91b69bd62 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -10,7 +10,16 @@ The resources/services/activations/deletions that this module will create/trigge Sub modules are provided from creating private clusters, beta private clusters, and beta public clusters as well. Beta sub modules allow for the use of various GKE beta features. See the modules directory for the various sub modules. -**Note**: You must run Terraform from a VM on the same VPC as your cluster, otherwise there will be issues connecting to the GKE master. +## Private Cluster Endpoints +When creating a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), nodes are provisioned with private IPs. +The Kubernetes master endpoint is also [locked down](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints), which affects these module features: +- `configure_ip_masq` +- `stub_domains` + +If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. +If you are using these features with a private cluster, you will need to either: +1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. +2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. ## Compatibility diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 8a799ccd3f..3a77c19984 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -10,7 +10,16 @@ The resources/services/activations/deletions that this module will create/trigge Sub modules are provided from creating private clusters, beta private clusters, and beta public clusters as well. Beta sub modules allow for the use of various GKE beta features. See the modules directory for the various sub modules. -**Note**: You must run Terraform from a VM on the same VPC as your cluster, otherwise there will be issues connecting to the GKE master. +## Private Cluster Endpoints +When creating a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), nodes are provisioned with private IPs. +The Kubernetes master endpoint is also [locked down](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints), which affects these module features: +- `configure_ip_masq` +- `stub_domains` + +If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. +If you are using these features with a private cluster, you will need to either: +1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. +2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. ## Compatibility diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index e143917f25..c15361a377 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -10,7 +10,16 @@ The resources/services/activations/deletions that this module will create/trigge Sub modules are provided from creating private clusters, beta private clusters, and beta public clusters as well. Beta sub modules allow for the use of various GKE beta features. See the modules directory for the various sub modules. -**Note**: You must run Terraform from a VM on the same VPC as your cluster, otherwise there will be issues connecting to the GKE master. +## Private Cluster Endpoints +When creating a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), nodes are provisioned with private IPs. +The Kubernetes master endpoint is also [locked down](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints), which affects these module features: +- `configure_ip_masq` +- `stub_domains` + +If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. +If you are using these features with a private cluster, you will need to either: +1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. +2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. ## Compatibility diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index eed365a5c4..aa4f0008ba 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -10,7 +10,16 @@ The resources/services/activations/deletions that this module will create/trigge Sub modules are provided from creating private clusters, beta private clusters, and beta public clusters as well. Beta sub modules allow for the use of various GKE beta features. See the modules directory for the various sub modules. -**Note**: You must run Terraform from a VM on the same VPC as your cluster, otherwise there will be issues connecting to the GKE master. +## Private Cluster Endpoints +When creating a [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), nodes are provisioned with private IPs. +The Kubernetes master endpoint is also [locked down](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#access_to_the_cluster_endpoints), which affects these module features: +- `configure_ip_masq` +- `stub_domains` + +If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. +If you are using these features with a private cluster, you will need to either: +1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. +2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. ## Compatibility From 07a3ebe8f4a32f7083451cb3eceb2658039d47ae Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Sat, 30 Nov 2019 20:54:50 -0500 Subject: [PATCH 10/25] Amend master authorized docs --- autogen/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/autogen/README.md b/autogen/README.md index 03179b90d7..da942c1ad6 100644 --- a/autogen/README.md +++ b/autogen/README.md 
@@ -21,7 +21,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. If you are using these features with a private cluster, you will need to either: 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. -2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. +2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect. +3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted. +4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster. {% endif %} From 7a5e792b8c512b9f611eea36b1c23313e8b4e220 Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Sat, 30 Nov 2019 20:56:11 -0500 Subject: [PATCH 11/25] Regenerate docs --- modules/beta-private-cluster-update-variant/README.md | 4 +++- modules/beta-private-cluster/README.md | 4 +++- modules/private-cluster-update-variant/README.md | 4 +++- modules/private-cluster/README.md | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index c91b69bd62..2cfe1c9bf4 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. If you are using these features with a private cluster, you will need to either: 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. -2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. +2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect. +3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted. +4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster. ## Compatibility diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 3a77c19984..6917cb6007 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. If you are using these features with a private cluster, you will need to either: 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. -2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. +2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect. +3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted. +4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster. ## Compatibility diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index c15361a377..8215c1eeba 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. If you are using these features with a private cluster, you will need to either: 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. -2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. +2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect. +3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted. +4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster. ## Compatibility diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index aa4f0008ba..5f80738abf 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -19,7 +19,9 @@ The Kubernetes master endpoint is also [locked down](https://cloud.google.com/ku If you are *not* using these features, then the module will function normally for private clusters and no special configuration is needed. If you are using these features with a private cluster, you will need to either: 1. Run Terraform from a VM on the same VPC as your cluster (allowing it to connect to the private endpoint) and set `deploy_using_private_endpoint` to `true`. -2. Include the external IP of your Terraform deployer in the `master_authorized_networks_config`. +2. Enable (beta) [route export functionality](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#master-on-prem-routing) to connect from an on-premise network over a VPN or Interconnect. +3. Include the external IP of your Terraform deployer in the `master_authorized_networks` configuration. Note that only IP addresses reserved in Google Cloud (such as in other VPCs) can be whitelisted. +4. Deploy a [bastion host](https://github.com/terraform-google-modules/terraform-google-bastion-host) or [proxy](https://cloud.google.com/solutions/creating-kubernetes-engine-private-clusters-with-net-proxies) in the same VPC as your GKE cluster. ## Compatibility From 718a3019d51475fc532d03cd716795123d7b3f1f Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Sat, 30 Nov 2019 21:06:41 -0500 Subject: [PATCH 12/25] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f60301859..eaaa41aed3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -262,6 +262,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#138]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/138 [#354]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/354 [#350]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/350 [#340]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/340 From 958eec96cbe3b5d09e852b140607217061c1c4a9 Mon Sep 17 00:00:00 2001 From: pp Date: Fri, 22 Nov 2019 17:43:26 +0200 Subject: [PATCH 13/25] Add variable to allow a pre-generated SSH key to be passed to the ACM module * Fix #329 --- modules/acm/README.md | 1 + modules/acm/main.tf | 2 +- modules/acm/variables.tf | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/acm/README.md b/modules/acm/README.md index bef7eccd53..9960667669 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -53,6 +53,7 @@ By default, this module will attempt to download the ACM operator from Google di | operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no | | policy\_dir | Subfolder containing configs in ACM Git repo | string | n/a | yes | | project\_id | The project in which the resource belongs. | string | n/a | yes | +| ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no | | sync\_branch | ACM repo Git branch | string | `"master"` | no | | sync\_repo | ACM Git repo address | string | n/a | yes | diff --git a/modules/acm/main.tf b/modules/acm/main.tf index 3a78172ad6..69b5755337 100644 
--- a/modules/acm/main.tf +++ b/modules/acm/main.tf @@ -18,7 +18,7 @@ locals { cluster_endpoint = "https://${var.cluster_endpoint}" token = data.google_client_config.default.access_token cluster_ca_certificate = data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate - private_key = var.create_ssh_key ? tls_private_key.git_creds[0].private_key_pem : "" + private_key = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.git_creds[0].private_key_pem : var.ssh_auth_key download_operator = var.operator_path == null ? true : false operator_path = local.download_operator ? "${path.module}/config-management-operator.yaml" : var.operator_path } diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf index 513556364d..d56f20b073 100644 --- a/modules/acm/variables.tf +++ b/modules/acm/variables.tf @@ -62,6 +62,12 @@ variable "create_ssh_key" { default = true } +variable "ssh_auth_key" { + description = "Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function." + type = string + default = null +} + variable "enable_policy_controller" { description = "Whether to enable the ACM Policy Controller on the cluster" type = bool From dc0d051bcab903e668bf5e4cbefe10eb875cea57 Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Mon, 2 Dec 2019 11:25:26 -0500 Subject: [PATCH 14/25] Relax provider version constraint --- autogen/versions.tf.tmpl | 4 ++-- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- versions.tf | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/autogen/versions.tf.tmpl b/autogen/versions.tf.tmpl index 387a2e37c8..3024374262 100644 --- a/autogen/versions.tf.tmpl +++ b/autogen/versions.tf.tmpl 
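Review bot: When `create_ssh_key = false` and `ssh_auth_key` is left at its `null` default, `private_key` now evaluates to `null` where it used to be `""`, which changes the value handed to whatever consumes `local.private_key` further down (outside the hunk). Putting the override first keeps the old fallback: `private_key = var.ssh_auth_key != null ? var.ssh_auth_key : (var.create_ssh_key ? tls_private_key.git_creds[0].private_key_pem : "")`. The new variable's description says `ssh_auth_key` overrides `create_ssh_key`, but with `create_ssh_key` still defaulting to `true` the `tls_private_key.git_creds` resource is presumably still generated and then ignored; if its `count` expression (not in the hunk) only looks at `create_ssh_key`, either gate it on both or say so in the description. The `locals` block starts and ends outside the hunk.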
@@ -19,9 +19,9 @@ terraform { required_providers { {% if beta_cluster %} - google-beta = "~> 2.18.0" + google-beta = "~> 2.18" {% else %} - google = "~> 2.18.0" + google = "~> 2.18" {% endif %} } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 8e29303fa9..cdf71b53b4 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google-beta = "~> 2.18.0" + google-beta = "~> 2.18" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 8e29303fa9..cdf71b53b4 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google-beta = "~> 2.18.0" + google-beta = "~> 2.18" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 8e29303fa9..cdf71b53b4 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google-beta = "~> 2.18.0" + google-beta = "~> 2.18" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index e4544656fa..38e1d1bf9c 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google = "~> 2.18.0" + google = "~> 2.18" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index e4544656fa..38e1d1bf9c 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
@@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google = "~> 2.18.0" + google = "~> 2.18" } } diff --git a/versions.tf b/versions.tf index e4544656fa..38e1d1bf9c 100644 --- a/versions.tf +++ b/versions.tf @@ -18,6 +18,6 @@ terraform { required_version = ">= 0.12" required_providers { - google = "~> 2.18.0" + google = "~> 2.18" } } From abf3ed9a5a8b8ca1b1dcddafeb1972da10d3300b Mon Sep 17 00:00:00 2001 From: Aaron Lane <10655063+aaron-lane@users.noreply.github.com> Date: Mon, 2 Dec 2019 13:10:49 -0500 Subject: [PATCH 15/25] Add #359, v6.0.1 to CHANGELOG --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eaaa41aed3..1311e6e625 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,12 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] +## [v6.0.1] - 2019-12-02 + +### Fixed + +- The required Google provider constraint has been relaxed to `~> 2.18`. [#359] + ## [v6.0.0] - 2019-11-28 v6.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v6.0.md). @@ -243,7 +249,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o * Initial release of module. -[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...HEAD +[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.1...HEAD +[v6.0.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...v6.0.1 [v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...v6.0.0 [v5.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...v5.2.0 [v5.1.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v5.1.1 
@@ -262,7 +269,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 -[#138]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/138 +[#359]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/359 [#354]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/354 [#350]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/350 [#340]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/340 @@ -317,6 +324,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o [#151]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/151 [#149]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/149 [#148]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/148 +[#138]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/138 [#136]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/138 [#136]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/136 [#132]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/132 From 3246192be0a35c9d0cfff55f197da476e6714df5 Mon Sep 17 00:00:00 2001 
From: Morgante Pell Date: Mon, 2 Dec 2019 17:17:38 -0500 Subject: [PATCH 16/25] Compute region output for zonal clusters --- autogen/main.tf.tmpl | 11 +++++------ main.tf | 11 +++++------ modules/beta-private-cluster-update-variant/main.tf | 11 +++++------ modules/beta-private-cluster/main.tf | 11 +++++------ modules/beta-public-cluster/main.tf | 11 +++++------ modules/private-cluster-update-variant/main.tf | 11 +++++------ modules/private-cluster/main.tf | 11 +++++------ 7 files changed, 35 insertions(+), 42 deletions(-) diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl index 3ac28cc16a..a9dc61b013 100644 --- a/autogen/main.tf.tmpl +++ b/autogen/main.tf.tmpl @@ -96,8 +96,6 @@ locals { {% endif %} cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -137,11 +135,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/main.tf b/main.tf index 409cbfe55b..5cd5b596bf 100644 --- a/main.tf +++ b/main.tf @@ -64,8 +64,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
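Review bot: `cluster_region` for zonal clusters is now derived by slicing the location string, `join("-", slice(split("-", local.cluster_location), 0, 2))`, and the dropped `# cluster locals` heading is not replaced by anything explaining the assumption; a comment such as `# Zonal clusters report only their zone in location (e.g. us-central1-a); derive the region by dropping the zone suffix.` would document it. The regional branch still reads `google_container_cluster.primary.region`, which, if I recall correctly, is deprecated in the 2.x google provider in favour of `location`; `var.regional ? local.cluster_location : join(...)` would avoid it, since a regional cluster's `location` is its region. The same change is repeated in the hunks on L58, L59 and L60 (main.tf, beta-private-cluster-update-variant and beta-private-cluster). The `locals` block starts and ends outside the hunk.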
@@ -92,11 +90,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 9afc2502b8..1e126eca41 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -88,8 +88,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -123,11 +121,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 9afc2502b8..1e126eca41 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -88,8 +88,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -123,11 +121,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 5cff8bdd4e..b64c40cd15 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -88,8 +88,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -123,11 +121,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 7dea99f25c..c36ff21005 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -64,8 +64,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -92,11 +90,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 7dea99f25c..c36ff21005 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -64,8 +64,6 @@ locals { cluster_output_name = google_container_cluster.primary.name - cluster_output_location = google_container_cluster.primary.location - cluster_output_region = google_container_cluster.primary.region cluster_output_regional_zones = google_container_cluster.primary.node_locations cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones 
@@ -92,11 +90,12 @@ locals { cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] - # cluster locals + + cluster_location = google_container_cluster.primary.location + cluster_region = var.regional ? google_container_cluster.primary.region : join("-", slice(split("-", local.cluster_location), 0, 2)) + cluster_zones = sort(local.cluster_output_zones) + cluster_name = local.cluster_output_name - cluster_location = local.cluster_output_location - cluster_region = local.cluster_output_region - cluster_zones = sort(local.cluster_output_zones) cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version From c3345f0bd43b318997bad2d0e874fe74cb06258a Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Mon, 2 Dec 2019 18:32:22 -0500 Subject: [PATCH 17/25] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1311e6e625..08b16665ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,9 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] +### Added +- Support for using a pre-existing Service Account with the ACM submodule. [#346](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/346) + ## [v6.0.1] - 2019-12-02 ### Fixed From 08f89da1893820f9a0919f6a6607f40355f5b60d Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Mon, 2 Dec 2019 18:32:58 -0500 Subject: [PATCH 18/25] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08b16665ed..4af17aed2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -48,7 +48,7 @@ v6.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d ### Removed * **Breaking**: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. [#337] -* **Beaking**: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. [#261] +* **Breaking**: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. [#261] * **Breaking**: Removed the `master_authorized_networks_config` variable. [#354] ### Fixed From 112f2237b9558fc132583845ea67df1760d4064e Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Mon, 2 Dec 2019 18:33:19 -0500 Subject: [PATCH 19/25] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4af17aed2d..07d247cc99 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ Extending the adopted spec, each change should have a link to its corresponding ### Fixed -- The required Google provider constraint has been relaxed to `~> 2.18`. [#359] +- The required Google provider constraint has been relaxed to `~> 2.18` (>= 2.18, <3.0). [#359] ## [v6.0.0] - 2019-11-28 From 262ac9b24bf6f8ae121c68b7b1d3b9e3cd76b867 Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Tue, 3 Dec 2019 10:57:21 -0500 Subject: [PATCH 20/25] Update CHANGELOG.md --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 07d247cc99..d24679243c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,9 +8,14 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] +## [v6.1.0] - 2019-12-03 + ### Added - Support for using a pre-existing Service Account with the ACM submodule. [#346](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/346) +### Fixed +- Compute region output for zonal clusters. [#362](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/362) + ## [v6.0.1] - 2019-12-02 ### Fixed From fd20cdd1b5939b5cdc6d3a428037743f24dd589c Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Tue, 3 Dec 2019 10:57:47 -0500 Subject: [PATCH 21/25] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d24679243c..00f9d7ce0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -257,7 +257,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o * Initial release of module. -[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.1...HEAD +[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.1.0...HEAD +[v6.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.1...v6.1.0 [v6.0.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...v6.0.1 [v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...v6.0.0 [v5.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...v5.2.0 From e2579f0dd856840bb95d1a5a232491f36ec8639c Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Wed, 4 Dec 2019 10:53:15 -0500 Subject: [PATCH 22/25] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 00f9d7ce0f..691c7645a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -260,7 +260,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o [Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.1.0...HEAD [v6.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.1...v6.1.0 [v6.0.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...v6.0.1 -[v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.2.0...v6.0.0 +[v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v6.0.0 [v5.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.1...v5.2.0 [v5.1.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v5.1.1 [v5.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.0.0...v5.1.0 From a36f4e39576203647fdeb097ab492ca78ac65c5f Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Wed, 4 Dec 2019 11:26:47 -0500 Subject: [PATCH 23/25] Switch to dynamic block for private_cluster_config --- autogen/cluster.tf.tmpl | 16 ++++++++++++---- .../cluster.tf | 16 ++++++++++++---- modules/beta-private-cluster/cluster.tf | 16 ++++++++++++---- .../private-cluster-update-variant/cluster.tf | 16 ++++++++++++---- modules/private-cluster/cluster.tf | 16 ++++++++++++---- 5 files changed, 60 insertions(+), 20 deletions(-) diff --git a/autogen/cluster.tf.tmpl b/autogen/cluster.tf.tmpl index dc19ed2d90..18db2b5859 100644 --- a/autogen/cluster.tf.tmpl +++ b/autogen/cluster.tf.tmpl 
@@ -191,10 +191,18 @@ resource "google_container_cluster" "primary" { } {% if private_cluster %} - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block + dynamic "private_cluster_config" { + for_each = var.enable_private_nodes ? [{ + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + }] : [] + + content { + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + } } {% endif %} diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 10fcf764a3..2daaa9ee57 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -178,10 +178,18 @@ resource "google_container_cluster" "primary" { } } - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block + dynamic "private_cluster_config" { + for_each = var.enable_private_nodes ? [{ + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + }] : [] + + content { + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + } } remove_default_node_pool = var.remove_default_node_pool 
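Review bot: With `for_each = var.enable_private_nodes ? [...] : []` the whole `private_cluster_config` block is omitted whenever `enable_private_nodes` is false, so a caller who sets `enable_private_endpoint = true` or a `master_ipv4_cidr_block` without private nodes gets a cluster with a public control-plane endpoint and no indication that anything was ignored — where the API would likely have rejected the combination before, the misconfiguration now fails open. Since variables cannot validate the pair on Terraform 0.12, at least state the dependency in the variable descriptions and in a comment above the block, e.g. `# private_cluster_config is only emitted when enable_private_nodes = true; enable_private_endpoint and master_ipv4_cidr_block are ignored otherwise`. The object placed in the list merely echoes `var.*`, so the `content` block could read those variables directly with `for_each = var.enable_private_nodes ? [1] : []`, which also removes the stray trailing comma after `enable_private_nodes = var.enable_private_nodes,`. The same block is duplicated in modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-private-cluster/cluster.tf, modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf, presumably generated from this template; the enclosing `resource "google_container_cluster" "primary"` starts and ends outside the hunk.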
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index f2789bfd03..a0121e77b2 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -178,10 +178,18 @@ resource "google_container_cluster" "primary" { } } - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block + dynamic "private_cluster_config" { + for_each = var.enable_private_nodes ? [{ + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + }] : [] + + content { + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + } } remove_default_node_pool = var.remove_default_node_pool diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 7027d766ce..15e64c823b 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -114,10 +114,18 @@ resource "google_container_cluster" "primary" { } } - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block + dynamic "private_cluster_config" { + for_each = var.enable_private_nodes ? [{ + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + }] : [] + + content { + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + } } remove_default_node_pool = var.remove_default_node_pool diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index acb6f29a68..e5ce88da5f 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -114,10 +114,18 @@ resource "google_container_cluster" "primary" { } } - private_cluster_config { - enable_private_endpoint = var.enable_private_endpoint - enable_private_nodes = var.enable_private_nodes - master_ipv4_cidr_block = var.master_ipv4_cidr_block + dynamic "private_cluster_config" { + for_each = var.enable_private_nodes ? [{ + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + }] : [] + + content { + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + } } remove_default_node_pool = var.remove_default_node_pool From e5da9f13e3391c3e4b7c37bf28e7e99957090fda Mon Sep 17 00:00:00 2001 
From: Morgante Pell Date: Wed, 4 Dec 2019 11:27:37 -0500 Subject: [PATCH 24/25] Fix cluster endpoint ouput when enable_private_nodes is false --- autogen/main.tf.tmpl | 5 ++--- main.tf | 3 +-- modules/beta-private-cluster-update-variant/main.tf | 3 +-- modules/beta-private-cluster/main.tf | 3 +-- modules/beta-public-cluster/main.tf | 3 +-- modules/private-cluster-update-variant/main.tf | 3 +-- modules/private-cluster/main.tf | 3 +-- 7 files changed, 8 insertions(+), 15 deletions(-) diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl index a9dc61b013..5c79b2bea5 100644 --- a/autogen/main.tf.tmpl +++ b/autogen/main.tf.tmpl @@ -101,9 +101,9 @@ locals { cluster_output_zones = local.cluster_output_regional_zones {% if private_cluster %} - cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint + cluster_endpoint = var.enable_private_nodes ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint {% else %} - cluster_output_endpoint = google_container_cluster.primary.endpoint + cluster_endpoint = google_container_cluster.primary.endpoint {% endif %} cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) @@ -141,7 +141,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/main.tf b/main.tf index 5cd5b596bf..45a8cd6f2c 100644 --- a/main.tf +++ b/main.tf 
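Review bot: The new `cluster_endpoint` expression silently returns `google_container_cluster.primary.endpoint` when `enable_private_nodes` is false even if `deploy_using_private_endpoint` is true, so an operator who asked to reach the control plane only through the private endpoint gets the public address with no warning; spell the relationship out in the `deploy_using_private_endpoint` variable description and in a comment on this line, e.g. `# without private nodes there is no private endpoint; falls back to the public one`. Moving `cluster_endpoint` into the `cluster_output_*` group also breaks the two-layer convention the rest of the block keeps (`cluster_output_name` → `cluster_name`, and the `cluster_output_master_auth` lines directly below), so keeping `cluster_output_endpoint` here and the `cluster_endpoint = local.cluster_output_endpoint` alias in the second group would leave the structure consistent. The same edit is repeated in main.tf, modules/beta-private-cluster-update-variant/main.tf, modules/beta-private-cluster/main.tf, modules/beta-public-cluster/main.tf, modules/private-cluster-update-variant/main.tf and modules/private-cluster/main.tf; both `locals` blocks start and end outside the hunks.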
@@ -68,7 +68,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = google_container_cluster.primary.endpoint + cluster_endpoint = google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version @@ -96,7 +96,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 1e126eca41..37e06e58f1 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -92,7 +92,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint + cluster_endpoint = var.enable_private_nodes ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version 
@@ -127,7 +127,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 1e126eca41..37e06e58f1 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -92,7 +92,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint + cluster_endpoint = var.enable_private_nodes ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version @@ -127,7 +127,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index b64c40cd15..2742594d87 100644 --- a/modules/beta-public-cluster/main.tf 
+++ b/modules/beta-public-cluster/main.tf @@ -92,7 +92,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = google_container_cluster.primary.endpoint + cluster_endpoint = google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version @@ -127,7 +127,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index c36ff21005..3955a61e13 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -68,7 +68,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint + cluster_endpoint = var.enable_private_nodes ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version @@ -96,7 +96,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index c36ff21005..3955a61e13 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -68,7 +68,7 @@ locals { cluster_output_zonal_zones = local.zone_count > 1 ? slice(var.zones, 1, local.zone_count) : [] cluster_output_zones = local.cluster_output_regional_zones - cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint + cluster_endpoint = var.enable_private_nodes ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint) : google_container_cluster.primary.endpoint cluster_output_master_auth = concat(google_container_cluster.primary.*.master_auth, []) cluster_output_master_version = google_container_cluster.primary.master_version @@ -96,7 +96,6 @@ locals { cluster_zones = sort(local.cluster_output_zones) cluster_name = local.cluster_output_name - cluster_endpoint = local.cluster_output_endpoint cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version cluster_min_master_version = local.cluster_output_min_master_version From ee5deaaec7c1403c15a8d5b3c3dd314a63d27063 Mon Sep 17 00:00:00 2001 From: Morgante Pell Date: Wed, 4 Dec 2019 22:25:51 -0500 Subject: [PATCH 25/25] Update CHANGELOG.md --- CHANGELOG.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 691c7645a6..18be4c015e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,12 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] +## [v6.1.1] - 2019-12-04 + +### Fixed + +- Fix endpoint output for private clusters where `private_nodes=false`. [#365](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/365) + ## [v6.1.0] - 2019-12-03 ### Added 
@@ -257,7 +263,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o * Initial release of module. -[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.1.0...HEAD +[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.1.1...HEAD +[v6.1.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.1.0...v6.1.1 [v6.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.1...v6.1.0 [v6.0.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v6.0.0...v6.0.1 [v6.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v5.1.0...v6.0.0