Refactor GKE cluster modules access configurations, add support for DNS endpoint (#2761)
* stub * gke standard module and tests * blueprints * tfdoc * autopilot * blueprints * tfdoc * gke hub module examples * dataproc and gke fixture
committed by
GitHub
parent
d59d182456
commit
d86b8d565c
@@ -19,18 +19,19 @@ module "cluster" {
|
||||
project_id = module.project.project_id
|
||||
name = "cluster"
|
||||
location = var.region
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = (
|
||||
var.cluster_network_config.master_authorized_cidr_blocks
|
||||
)
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet-apigee"]
|
||||
secondary_range_names = {}
|
||||
master_authorized_ranges = var.cluster_network_config.master_authorized_cidr_blocks
|
||||
master_ipv4_cidr_block = var.cluster_network_config.master_cidr_block
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet-apigee"]
|
||||
secondary_range_names = {}
|
||||
}
|
||||
max_pods_per_node = 32
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = false
|
||||
}
|
||||
enable_features = {
|
||||
workload_identity = true
|
||||
}
|
||||
|
||||
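Review bot: The new `access_config` carries only `ip_access.authorized_ranges`, while the hunk header counts indicate the old `private_cluster_config { enable_private_endpoint = true ... }` block and `vpc_config.master_ipv4_cidr_block` are on the removed side with no replacement visible here, so whether the control plane keeps a private-only endpoint now rests on the module's defaults rather than on anything readable at the call site. Please set the private-endpoint and master CIDR options explicitly inside `access_config`, or document the default with a comment such as `# control plane: private endpoint only, IP access limited to authorized_ranges` above the block. Because the commit also adds DNS endpoint support, it is worth recording that GKE's DNS-based endpoint is gated by IAM rather than by authorized networks, so if the module enables it by default these `authorized_ranges` no longer bound who can reach the API server. Inputs that fed the removed lines, such as `var.cluster_network_config.master_cidr_block` here and `var.cluster_create.master_ipv4_cidr_block` in `@@ -76,16 +76,15 @@`, appear unreferenced on the new side and should either be wired into `access_config` or dropped from the variable types and README so they are not silently ignored. The same observations apply to `@@ -19,12 +19,17 @@`, `@@ -22,20 +22,20 @@` (which also loses `master_global_access = true`), `@@ -207,19 +207,16 @@` and `@@ -68,12 +73,6 @@`; the enclosing `module "cluster"` block starts and ends outside this hunk.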
@@ -19,12 +19,17 @@ module "cluster" {
|
||||
project_id = module.project.project_id
|
||||
name = "cluster"
|
||||
location = var.region
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = (
|
||||
var.cluster_network_config.master_authorized_cidr_blocks
|
||||
)
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet-cluster"]
|
||||
secondary_range_names = {}
|
||||
master_authorized_ranges = var.cluster_network_config.master_authorized_cidr_blocks
|
||||
master_ipv4_cidr_block = var.cluster_network_config.master_cidr_block
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet-cluster"]
|
||||
secondary_range_names = {}
|
||||
}
|
||||
# enable_features = {
|
||||
# autopilot = true
|
||||
|
||||
@@ -92,10 +92,6 @@ module "cluster" {
|
||||
network = module.vpc.self_link
|
||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = false
|
||||
master_global_access = false
|
||||
}
|
||||
deletion_protection = var.deletion_protection
|
||||
}
|
||||
|
||||
|
||||
@@ -22,20 +22,20 @@ module "clusters" {
|
||||
project_id = module.fleet_project.project_id
|
||||
name = each.key
|
||||
location = var.region
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = merge(
|
||||
{ mgmt : var.mgmt_subnet_cidr_block },
|
||||
{
|
||||
for key, config in var.clusters_config :
|
||||
"pods-${key}" => config.pods_cidr_block if key != each.key
|
||||
}
|
||||
)
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = module.svpc.self_link
|
||||
subnetwork = module.svpc.subnet_self_links["${var.region}/subnet-${each.key}"]
|
||||
master_authorized_ranges = merge({
|
||||
mgmt : var.mgmt_subnet_cidr_block
|
||||
},
|
||||
{ for key, config in var.clusters_config :
|
||||
"pods-${key}" => config.pods_cidr_block if key != each.key
|
||||
})
|
||||
master_ipv4_cidr_block = each.value.master_cidr_block
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = true
|
||||
}
|
||||
release_channel = "REGULAR"
|
||||
labels = {
|
||||
|
||||
@@ -76,16 +76,15 @@ module "cluster" {
|
||||
deletion_protection = var.cluster_create.deletion_protection
|
||||
name = var.cluster_name
|
||||
location = var.region
|
||||
vpc_config = {
|
||||
network = local.cluster_vpc.network
|
||||
subnetwork = local.cluster_vpc.subnet
|
||||
secondary_range_names = local.cluster_vpc.secondary_range_names
|
||||
master_authorized_ranges = var.cluster_create.master_authorized_ranges
|
||||
master_ipv4_cidr_block = var.cluster_create.master_ipv4_cidr_block
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = var.cluster_create.master_authorized_ranges
|
||||
}
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = true
|
||||
vpc_config = {
|
||||
network = local.cluster_vpc.network
|
||||
subnetwork = local.cluster_vpc.subnet
|
||||
secondary_range_names = local.cluster_vpc.secondary_range_names
|
||||
}
|
||||
node_config = {
|
||||
service_account = module.cluster-service-account[0].email
|
||||
|
||||
@@ -48,7 +48,7 @@ There's a minor glitch that can surface running `terraform destroy`, where the s
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [billing_account_id](variables.tf#L15) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L69) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L101) | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [root_node](variables.tf#L93) | Hierarchy node where projects will be created, 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
|
||||
| [cluster_create](variables.tf#L20) | Create GKE cluster and nodepool. | <code>bool</code> | | <code>true</code> |
|
||||
| [deletion_protection](variables.tf#L26) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | <code>bool</code> | | <code>false</code> |
|
||||
| [ip_ranges](variables.tf#L33) | Subnet IP CIDR ranges. | <code>map(string)</code> | | <code title="{ gce = "10.0.16.0/24" gke = "10.0.32.0/24" }">{…}</code> |
|
||||
@@ -56,9 +56,8 @@ There's a minor glitch that can surface running `terraform destroy`, where the s
|
||||
| [owners_gce](variables.tf#L51) | GCE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [owners_gke](variables.tf#L57) | GKE project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [owners_host](variables.tf#L63) | Host project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [private_service_ranges](variables.tf#L78) | Private service IP CIDR ranges. | <code>map(string)</code> | | <code title="{ cluster-1 = "192.168.0.0/28" }">{…}</code> |
|
||||
| [project_services](variables.tf#L86) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [region](variables.tf#L95) | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [project_services](variables.tf#L78) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <code title="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
|
||||
| [region](variables.tf#L87) | Region used. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -207,19 +207,16 @@ module "cluster-1" {
|
||||
name = "cluster-1"
|
||||
project_id = module.project-svc-gke.project_id
|
||||
location = "${var.region}-b"
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = { internal-vms = var.ip_ranges.gce }
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = module.vpc-shared.self_link
|
||||
subnetwork = module.vpc-shared.subnet_self_links["${var.region}/gke"]
|
||||
master_authorized_ranges = {
|
||||
internal-vms = var.ip_ranges.gce
|
||||
}
|
||||
master_ipv4_cidr_block = var.private_service_ranges.cluster-1
|
||||
}
|
||||
max_pods_per_node = 32
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = true
|
||||
}
|
||||
labels = {
|
||||
environment = "test"
|
||||
}
|
||||
|
||||
@@ -75,14 +75,6 @@ variable "prefix" {
|
||||
}
|
||||
}
|
||||
|
||||
variable "private_service_ranges" {
|
||||
description = "Private service IP CIDR ranges."
|
||||
type = map(string)
|
||||
default = {
|
||||
cluster-1 = "192.168.0.0/28"
|
||||
}
|
||||
}
|
||||
|
||||
variable "project_services" {
|
||||
description = "Service APIs enabled by default in new projects."
|
||||
type = list(string)
|
||||
|
||||
@@ -61,6 +61,11 @@ module "chronicle-forwarder" {
|
||||
name = var.chronicle_forwarder.cluster_name
|
||||
location = var.region
|
||||
deletion_protection = false
|
||||
access_config = {
|
||||
ip_access = {
|
||||
authorized_ranges = var.chronicle_forwarder.master_authorized_ranges
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = var.network_config.network_self_link
|
||||
subnetwork = var.network_config.subnet_self_link
|
||||
@@ -68,12 +73,6 @@ module "chronicle-forwarder" {
|
||||
pods = "pods"
|
||||
services = "services"
|
||||
}
|
||||
master_ipv4_cidr_block = var.network_config.ip_range_gke_master
|
||||
master_authorized_ranges = var.chronicle_forwarder.master_authorized_ranges
|
||||
}
|
||||
private_cluster_config = {
|
||||
enable_private_endpoint = true
|
||||
master_global_access = true
|
||||
}
|
||||
enable_features = {
|
||||
gateway_api = true
|
||||
@@ -100,4 +99,4 @@ module "chronicle-forwarder-deployment" {
|
||||
source = "./secops-forwarder-deployment"
|
||||
depends_on = [module.chronicle-forwarder]
|
||||
tenants = var.tenants
|
||||
}
|
||||
}
|
||||
|
||||