From 37c63b9a0f28024464580a327b3121375f3b8f5e Mon Sep 17 00:00:00 2001
From: William Yardley
Date: Tue, 10 Sep 2024 22:55:29 -0700
Subject: [PATCH 01/12] feat(TPG>=5.44)!: add support for `insecureKubeletReadonlyPortEnabled`
Fixes #2013
---
 README.md | 1 +
 autogen/main/README.md | 1 +
 autogen/main/cluster.tf.tmpl | 11 +++----
 autogen/main/versions.tf.tmpl | 4 +--
 cluster.tf | 22 +++++++-------
 examples/node_pool/main.tf | 29 ++++++++++---------
 .../README.md | 1 +
 .../cluster.tf | 22 +++++++-------
 .../versions.tf | 4 +--
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 22 +++++++-------
 modules/beta-private-cluster/versions.tf | 4 +--
 .../README.md | 1 +
 .../cluster.tf | 22 +++++++-------
 .../versions.tf | 4 +--
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 22 +++++++-------
 modules/beta-public-cluster/versions.tf | 4 +--
 .../private-cluster-update-variant/README.md | 1 +
 .../private-cluster-update-variant/cluster.tf | 22 +++++++-------
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 22 +++++++-------
 22 files changed, 123 insertions(+), 99 deletions(-)
diff --git a/README.md b/README.md
index 6520607820..3e4f5002c8 100644
--- a/README.md
+++ b/README.md
@@ -319,6 +319,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index 9031338c76..835cdfb66c 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -213,6 +213,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 2bd439c8fa..0d7b559a02 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -1042,14 +1042,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
 {% if beta_cluster %}
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 88c2b21eff..cd6235746b 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,11 +24,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/cluster.tf b/cluster.tf
index 1893d1323a..5aa765ff10 100644
--- a/cluster.tf
+++ b/cluster.tf
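Review bot: A pool that sets only `insecure_kubelet_readonly_port_enabled` now satisfies the `for_each` gate on `kubelet_config`, and the unchanged `cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")` line then applies a static CPU manager policy to that pool as a side effect, which an operator who merely wants to close the read-only port is unlikely to expect. That coupling predates this patch, but the new key widens it; if changing the fallback to `null` is judged too disruptive for existing pools, the README row for the new key should at least state that setting any `kubelet_config` key also sets `cpu_manager_policy = "static"` unless overridden. The value is passed through unvalidated, so a lowercase `"false"` or a boolean `false` only fails at plan/apply time from the provider; a comment such as `# provider accepts only the strings "TRUE" / "FALSE"; null defers to the API default and does not disable the port` above the lookup, or a `validation` block on the `node_pools` variable, would make the contract explicit. The enclosing resource starts before this hunk, and the identical block appears to be rendered into `cluster.tf` and each `modules/*/cluster.tf` from this template, so the fix belongs here.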
@@ -739,14 +739,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1029,14 +1030,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 6d61682f5b..b24823b28a 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -67,20 +67,21 @@ module "gke" {
 service_account = var.compute_engine_service_account
 },
 {
- name = "pool-03"
- machine_type = "n1-standard-2"
- node_locations = "${var.region}-b,${var.region}-c"
- autoscaling = false
- node_count = 2
- disk_type = "pd-standard"
- auto_upgrade = true
- service_account = var.compute_engine_service_account
- pod_range = "test"
- sandbox_enabled = true
- cpu_manager_policy = "static"
- cpu_cfs_quota = true
- local_ssd_ephemeral_count = 2
- pod_pids_limit = 4096
+ name = "pool-03"
+ machine_type = "n1-standard-2"
+ node_locations = "${var.region}-b,${var.region}-c"
+ autoscaling = false
+ node_count = 2
+ disk_type = "pd-standard"
+ auto_upgrade = true
+ service_account = var.compute_engine_service_account
+ pod_range = "test"
+ sandbox_enabled = true
+ cpu_manager_policy = "static"
+ cpu_cfs_quota = true
+ insecure_kubelet_readonly_port_enabled = "TRUE"
+ local_ssd_ephemeral_count = 2
+ pod_pids_limit = 4096
 },
 {
 name = "pool-04"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 892f57c723..01defcd10d 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
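Review bot: The example sets `insecure_kubelet_readonly_port_enabled = "TRUE"` on pool-03, which is exactly the value the new README row says is strongly discouraged, so anyone who copies this example as a starting point opts into the insecure read-only kubelet port without noticing. If the non-default value is there only to exercise the code path in the integration test, say so on the line, e.g. `insecure_kubelet_readonly_port_enabled = "TRUE" # test coverage only; use "FALSE" in real clusters`; otherwise demonstrate `"FALSE"` here, which still proves the key is wired through. The enclosing `module "gke"` block starts before this hunk.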
@@ -377,6 +377,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 3b415dacb7..5ac5e213a7 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -913,14 +913,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1217,14 +1218,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 9726aee6f5..4cf0fbbd51 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9fb426c846..8e1d11211f 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -355,6 +355,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 231a019ce7..d5b9fff67e 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -830,14 +830,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1133,14 +1134,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index a342884f69..3fec1681de 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 1e52d6f676..d22d937261 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -363,6 +363,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 02811eb278..67407eb616 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -892,14 +892,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1196,14 +1197,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 24df34d950..e1f6fe63d0 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index b0700b78ea..40c14e5b4c 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -341,6 +341,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index a9df34b69c..486e1e340f 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -809,14 +809,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1112,14 +1113,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index d62645f541..c313b65efb 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.40.0, < 7"
+ version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 3fb72c548c..d1298e0cad 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -355,6 +355,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 3e22af45b4..ca254b8078 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -843,14 +843,15 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1134,14 +1135,15 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
- cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
- cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
- cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 6b68e9bff5..11d1700510 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -333,6 +333,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
+| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 35a11ad408..1e838b0699 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -760,14 +760,15 @@ resource "google_container_node_pool" "pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"] )) != 0 ? [1] : [] content { - cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - pod_pids_limit = lookup(each.value, "pod_pids_limit", null) + cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } 
@@ -1050,14 +1051,15 @@ resource "google_container_node_pool" "windows_pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"] )) != 0 ? [1] : [] content { - cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - pod_pids_limit = lookup(each.value, "pod_pids_limit", null) + cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } From fe59a6fa5cd2356d45320df91e9bb41efc61b4ca Mon Sep 17 00:00:00 2001 
From: William Yardley Date: Fri, 13 Sep 2024 16:40:57 -0700 Subject: [PATCH 02/12] update to support autopilot and node_config_defaults --- README.md | 1 + autogen/main/cluster.tf.tmpl | 13 +++++--- autogen/main/variables.tf.tmpl | 11 +++++++ cluster.tf | 14 ++++++-- examples/node_pool/main.tf | 2 +- examples/node_pool_update_variant/main.tf | 11 ++++--- examples/simple_autopilot_public/main.tf | 33 ++++++++++--------- .../beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 6 +++- .../variables.tf | 11 +++++++ .../beta-autopilot-public-cluster/README.md | 1 + .../beta-autopilot-public-cluster/cluster.tf | 6 +++- .../variables.tf | 11 +++++++ .../README.md | 1 + .../cluster.tf | 5 +-- .../variables.tf | 11 +++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 5 +-- modules/beta-private-cluster/variables.tf | 11 +++++++ .../README.md | 1 + .../cluster.tf | 5 +-- .../variables.tf | 11 +++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 5 +-- modules/beta-public-cluster/variables.tf | 11 +++++++ .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 14 ++++++-- .../variables.tf | 11 +++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 14 ++++++-- modules/private-cluster/variables.tf | 11 +++++++ variables.tf | 11 +++++++ 32 files changed, 209 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 3e4f5002c8..2c75784680 100644 --- a/README.md +++ b/README.md 
@@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 0d7b559a02..38f254e6d8 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -271,8 +271,12 @@ resource "google_container_cluster" "primary" { } {% if autopilot_cluster %} dynamic "node_pool_auto_config" { - for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : [] + for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled !="" ? [1] : [] content { + dynamic "kubelet_config" { + for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : [] + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled + } network_tags { tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags } @@ -661,7 +665,6 @@ resource "google_container_cluster" "primary" { } } } - {% if beta_cluster %} node_pool_defaults { node_config_defaults { @@ -678,12 +681,12 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null {% endif %} } } - {% endif %} - {% if beta_cluster %} + {% if beta_cluster %} depends_on = [google_project_iam_member.service_agent] {% endif %} } 
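Review bot: The new `dynamic "kubelet_config"` block under `node_pool_auto_config` assigns `insecure_kubelet_readonly_port_enabled` directly in the dynamic block body instead of inside a nested `content { … }`; Terraform accepts only `for_each`, `iterator`, `labels` and `content` at that level, so the autopilot path should fail `terraform validate`, and the same shape is generated into modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf. Wrap the assignment as `content { insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled }`. It is also worth checking the block name against the TPG 5.44 schema, since if memory serves the autopilot kubelet block under `node_pool_auto_config` is named `node_kubelet_config` rather than `kubelet_config`. Minor: the template's `!=""` in the `node_pool_auto_config` for_each should read `!= ""` to match the generated modules, and the examples/simple_autopilot_public change in this commit sets the value to "FALSE", so it should exercise this path in CI. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.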
@@ -1049,7 +1052,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 8a0666a82d..3f91118bd3 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -108,6 +108,17 @@ variable "service_external_ips" {
 default = false
 }
 
+variable "insecure_kubelet_readonly_port_enabled" {
+ type = string
+ description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
+ default = ""
+
+ validation {
+ condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
+ error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
+ }
+}
+
 {% if autopilot_cluster != true %}
 variable "datapath_provider" {
 type = string
diff --git a/cluster.tf b/cluster.tf
index 5aa765ff10..72aeeac420 100644
--- a/cluster.tf
+++ b/cluster.tf
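Review bot: The validation `error_message` for the new `insecure_kubelet_readonly_port_enabled` variable reads "The node_metadata value must be …", which looks copied from another variable and will mislead anyone who trips the check; the same text is duplicated in the generated variables.tf of beta-autopilot-private-cluster, beta-autopilot-public-cluster, beta-private-cluster-update-variant, beta-private-cluster and beta-public-cluster-update-variant. Suggest `error_message = "The insecure_kubelet_readonly_port_enabled value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."`. The description should also say what the empty default means: with `""` the cluster-level attribute is passed as `null`, so the read-only port is left at the provider/GKE default and is not managed by the module, e.g. append `An empty string leaves the setting unmanaged; set "FALSE" to disable the port.`. Since the README row added in the previous commit says FALSE is strongly recommended and the subject carries a `!`, stating in the commit description that the default was deliberately left unmanaged rather than set to "FALSE" would help readers of the changelog.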
@@ -500,6 +500,16 @@ resource "google_container_cluster" "primary" { } } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null + } + } + } /****************************************** Create Container Cluster node pools @@ -746,7 +756,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1037,7 +1047,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index b24823b28a..498292051f 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf 
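Review bot: The `node_pool_defaults { node_config_defaults { gcfs_config { enabled = var.enable_gcfs } … } }` block is new to the root (GA) module in this hunk — the template previously guarded it with `{% if beta_cluster %}` — so GA users now get `gcfs_config` pinned at cluster level alongside the kubelet setting, which neither the commit title nor the README rows mention. If the provider reports a diff on this block for existing clusters, that is an unannounced behavior change riding on a kubelet-port feature and should at least be called out in the commit description; judging by the diffstat, modules/private-cluster/cluster.tf and modules/private-cluster-update-variant/cluster.tf presumably receive the same block. The enclosing `google_container_cluster.primary` resource starts outside the hunk.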
@@ -79,7 +79,7 @@ module "gke" { sandbox_enabled = true cpu_manager_policy = "static" cpu_cfs_quota = true - insecure_kubelet_readonly_port_enabled = "TRUE" + insecure_kubelet_readonly_port_enabled = "FALSE" local_ssd_ephemeral_count = 2 pod_pids_limit = 4096 }, diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index c0c3ba0b15..a150a73c42 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -61,11 +61,12 @@ module "gke" { node_pools = [ { - name = "pool-01" - min_count = 1 - max_count = 2 - service_account = var.compute_engine_service_account - auto_upgrade = true + name = "pool-01" + min_count = 1 + max_count = 2 + service_account = var.compute_engine_service_account + auto_upgrade = true + insecure_kubelet_readonly_port_enabled = "FALSE" }, { name = "pool-02" diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 8a1ba5597a..705f6bd90a 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf 
@@ -36,22 +36,23 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" version = "~> 33.0" - project_id = var.project_id - name = "${local.cluster_type}-cluster" - regional = true - region = var.region - network = module.gcp-network.network_name - subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)] - ip_range_pods = local.pods_range_name - ip_range_services = local.svc_range_name - release_channel = "RAPID" - enable_vertical_pod_autoscaling = true - network_tags = [local.cluster_type] - deletion_protection = false - enable_l4_ilb_subsetting = true - gcs_fuse_csi_driver = true - stateful_ha = false - gke_backup_agent_config = false + project_id = var.project_id + name = "${local.cluster_type}-cluster" + regional = true + region = var.region + network = module.gcp-network.network_name + subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)] + ip_range_pods = local.pods_range_name + ip_range_services = local.svc_range_name + release_channel = "RAPID" + enable_vertical_pod_autoscaling = true + network_tags = [local.cluster_type] + deletion_protection = false + enable_l4_ilb_subsetting = true + gcs_fuse_csi_driver = true + insecure_kubelet_readonly_port_enabled = "FALSE" + stateful_ha = false + gke_backup_agent_config = false ray_operator_config = { enabled = true logging_enabled = true diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 930a3c0199..04979cd356 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -114,6 +114,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index f6716e75bf..a780978ddd 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -119,8 +119,12 @@ resource "google_container_cluster" "primary" {
 }
 }
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 content {
+ dynamic "kubelet_config" {
+ for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
+ }
 network_tags {
 tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index b8d087b804..ac0fb83d99 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -108,6 +108,17 @@ variable "service_external_ips" {
 default = false
 }
 
+variable "insecure_kubelet_readonly_port_enabled" {
+ type = string
+ description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
+ default = ""
+
+ validation {
+ condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
+ error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
+ }
+}
+
 variable "maintenance_start_time" {
 type = string
 description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 9df58422ce..aee3d54403 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -105,6 +105,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 728ef8cb71..fa30b4d2fd 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -119,8 +119,12 @@ resource "google_container_cluster" "primary" {
 }
 }
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 content {
+ dynamic "kubelet_config" {
+ for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
+ }
 network_tags {
 tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 22a05337af..0cab22ab6f 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -108,6 +108,17 @@ variable "service_external_ips" {
 default = false
 }
 
+variable "insecure_kubelet_readonly_port_enabled" {
+ type = string
+ description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
+ default = ""
+
+ validation {
+ condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
+ error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
+ }
+}
+
 variable "maintenance_start_time" {
 type = string
 description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 01defcd10d..2c8a4822a5 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -233,6 +233,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 5ac5e213a7..722e8dbef2 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -581,6 +581,7 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } 
@@ -920,7 +921,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1225,7 +1226,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 195db8f643..5d894ea0df 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 8e1d11211f..f1ff5d5cd9 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -211,6 +211,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d5b9fff67e..88785871fe 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -581,6 +581,7 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } 
@@ -837,7 +838,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1141,7 +1142,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 195db8f643..5d894ea0df 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d22d937261..74f2f4b8f6 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -224,6 +224,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 67407eb616..29b98cebe4 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -560,6 +560,7 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } 
@@ -899,7 +900,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1204,7 +1205,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index e926a9568c..207a2d996a 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 40c14e5b4c..4e7219fd3d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -202,6 +202,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 486e1e340f..ddd0959931 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -560,6 +560,7 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } 
@@ -816,7 +817,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1120,7 +1121,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index e926a9568c..207a2d996a 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index d1298e0cad..2cbea608bf 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -221,6 +221,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index ca254b8078..dad5c31f84 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -521,6 +521,16 @@ resource "google_container_cluster" "primary" { } } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null + } + } + } /****************************************** Create Container Cluster node pools 
@@ -850,7 +860,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1142,7 +1152,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 728b64ad7d..33711afeb4 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 11d1700510..af6509a9fc 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -199,6 +199,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 1e838b0699..19233f567b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -521,6 +521,16 @@ resource "google_container_cluster" "primary" { } } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null + } + } + } /****************************************** Create Container Cluster node pools 
@@ -767,7 +777,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1058,7 +1068,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 728b64ad7d..33711afeb4 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/variables.tf b/variables.tf index 4e415d1aab..b644873102 100644 --- a/variables.tf +++ b/variables.tf @@ -108,6 +108,17 @@ variable "service_external_ips" { default = false } +variable "insecure_kubelet_readonly_port_enabled" { + type = string + description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." + default = "" + + validation { + condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) + error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." + } +} + variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." From f4ba813c87070de5be8b1694feacdac80530960d Mon Sep 17 00:00:00 2001 
From: William Yardley Date: Mon, 16 Sep 2024 20:52:00 -0700 Subject: [PATCH 03/12] gate gcfs_config in node_config_defaults --- autogen/main/cluster.tf.tmpl | 2 ++ cluster.tf | 3 --- modules/private-cluster-update-variant/cluster.tf | 3 --- modules/private-cluster/cluster.tf | 3 --- 4 files changed, 2 insertions(+), 9 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 38f254e6d8..28344ff6e2 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -678,9 +678,11 @@ resource "google_container_cluster" "primary" { } {% endif %} {% if autopilot_cluster != true %} + {% if beta_cluster %} gcfs_config { enabled = var.enable_gcfs } + {% endif %} insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null {% endif %} } diff --git a/cluster.tf b/cluster.tf index 72aeeac420..ebb9db07fc 100644 --- a/cluster.tf +++ b/cluster.tf @@ -503,9 +503,6 @@ resource "google_container_cluster" "primary" { node_pool_defaults { node_config_defaults { - gcfs_config { - enabled = var.enable_gcfs - } insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index dad5c31f84..3f6aa14053 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -524,9 +524,6 @@ resource "google_container_cluster" "primary" { node_pool_defaults { node_config_defaults { - gcfs_config { - enabled = var.enable_gcfs - } insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null } } diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 19233f567b..d8ca7532bb 100644 
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -524,9 +524,6 @@ resource "google_container_cluster" "primary" {
 
 node_pool_defaults {
 node_config_defaults {
- gcfs_config {
- enabled = var.enable_gcfs
- }
 insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
From 9ebbd6d2da7c04d841799dd23f04ac1f62b6e614 Mon Sep 17 00:00:00 2001 From: William Yardley Date: Mon, 16 Sep 2024 22:02:57 -0700 Subject: [PATCH 04/12] update autopilot block name --- autogen/main/cluster.tf.tmpl | 2 +- modules/beta-autopilot-private-cluster/cluster.tf | 2 +- modules/beta-autopilot-public-cluster/cluster.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 28344ff6e2..1b4aae3db9 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -273,7 +273,7 @@ resource "google_container_cluster" "primary" {
 dynamic "node_pool_auto_config" {
 for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled !="" ? [1] : []
 content {
- dynamic "kubelet_config" {
+ dynamic "node_kubelet_config" {
 for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
 }
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index a780978ddd..b190f6fc0e 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
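Review bot: After the rename, the `node_kubelet_config` dynamic block still assigns `insecure_kubelet_readonly_port_enabled` directly in the `dynamic` body instead of inside a `content { }` block; Terraform accepts only `for_each`, `iterator`, `labels` and `content` inside a `dynamic` block, so this fails validation whatever the block is called. Wrap the assignment as `content {` / `insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled` / `}`. The same shape is repeated in the beta-autopilot-private-cluster and beta-autopilot-public-cluster hunks, and since those files are generated from autogen/main/cluster.tf.tmpl the template fix covers both. The enclosing `google_container_cluster` resource starts and ends outside the hunk.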
@@ -121,7 +121,7 @@ resource "google_container_cluster" "primary" {
 dynamic "node_pool_auto_config" {
 for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 content {
- dynamic "kubelet_config" {
+ dynamic "node_kubelet_config" {
 for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
 }
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index fa30b4d2fd..15e5987760 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -121,7 +121,7 @@ resource "google_container_cluster" "primary" {
 dynamic "node_pool_auto_config" {
 for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 content {
- dynamic "kubelet_config" {
+ dynamic "node_kubelet_config" {
 for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
 insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
 }
From 4c2b88396d3d40edcb6aa20a5814914a15841698 Mon Sep 17 00:00:00 2001 From: William Yardley Date: Fri, 20 Sep 2024 16:19:21 -0700 Subject: [PATCH 05/12] update required provider versions --- autogen/main/versions.tf.tmpl | 4 ++-- modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/versions.tf | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index cd6235746b..2f1bb10828 100644
--- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 4cf0fbbd51..9f76385a85 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 3fec1681de..5527922101 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index e1f6fe63d0..15fa022c03 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index c313b65efb..fb0a7ea250 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0" + version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" } kubernetes = { source = "hashicorp/kubernetes" From f2755faa753cf187cee4e5f62f8b79e5d16535f0 Mon Sep 17 00:00:00 2001 
From: William Yardley Date: Mon, 23 Sep 2024 10:52:59 -0700 Subject: [PATCH 06/12] Skip autopilot for now, require != 6.3.0, update non-beta versions.tf --- autogen/main/cluster.tf.tmpl | 6 +----- autogen/main/versions.tf.tmpl | 6 +++--- modules/beta-autopilot-private-cluster/cluster.tf | 6 +----- modules/beta-autopilot-public-cluster/cluster.tf | 6 +----- modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/versions.tf | 4 ++-- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- versions.tf | 2 +- 11 files changed, 17 insertions(+), 29 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 1b4aae3db9..bda9fb0b0b 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -271,12 +271,8 @@ resource "google_container_cluster" "primary" {
 }
 {% if autopilot_cluster %}
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled !="" ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
 content {
- dynamic "node_kubelet_config" {
- for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : []
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled
- }
 network_tags {
 tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 2f1bb10828..03057f57ad 100644
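Review bot: Removing the `node_kubelet_config` block means `var.insecure_kubelet_readonly_port_enabled` no longer has any effect in the autopilot modules, yet nothing in this commit touches the variable, whose description (added earlier in this series) still says it applies to `autopilot clusters`. If the variable stays declared in those modules, a caller setting `"FALSE"` gets neither an error nor the hardening they asked for, which is the worst outcome for a security toggle; either drop the variable from the autopilot modules' `variables.tf`, or change its description there to say it is currently ignored for Autopilot. The same removal is made in the beta-autopilot-private-cluster and beta-autopilot-public-cluster hunks; the enclosing `google_container_cluster` resource starts and ends outside the hunk.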
--- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" @@ -89,7 +89,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 7" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index b190f6fc0e..f6716e75bf 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -119,12 +119,8 @@ resource "google_container_cluster" "primary" { } } dynamic "node_pool_auto_config" { - for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : [] + for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : [] content { - dynamic "node_kubelet_config" { - for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : [] - insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled - } network_tags { tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags } 
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 15e5987760..728ef8cb71 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -119,12 +119,8 @@ resource "google_container_cluster" "primary" { } } dynamic "node_pool_auto_config" { - for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != "" ? [1] : [] + for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : [] content { - dynamic "node_kubelet_config" { - for_each = var.insecure_kubelet_readonly_port_enabled != "" ? [1] : [] - insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled - } network_tags { tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 9f76385a85..c33107e9b4 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 5527922101..688e1b9453 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 15fa022c03..bab30b6db3 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index fb0a7ea250..2420fa8a6b 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf 
@@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.0, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index a91f502a79..17930353ac 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 7" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index acdcd3eef6..e5c3e505e8 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 7" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/versions.tf b/versions.tf index 57f0bb9a16..585cbe580a 100644 --- a/versions.tf +++ b/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 7" + version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" } kubernetes = { source = "hashicorp/kubernetes" From 5b7e2bfdd8d3ac0391ba22ec3586ab4c3177221e Mon Sep 17 00:00:00 2001 
From: William Yardley Date: Mon, 23 Sep 2024 11:03:25 -0700 Subject: [PATCH 07/12] revert insecure_kubelet_readonly_port_enabled in example --- examples/simple_autopilot_public/main.tf | 33 ++++++++++++------------ 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 705f6bd90a..8a1ba5597a 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -36,23 +36,22 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" version = "~> 33.0" - project_id = var.project_id - name = "${local.cluster_type}-cluster" - regional = true - region = var.region - network = module.gcp-network.network_name - subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)] - ip_range_pods = local.pods_range_name - ip_range_services = local.svc_range_name - release_channel = "RAPID" - enable_vertical_pod_autoscaling = true - network_tags = [local.cluster_type] - deletion_protection = false - enable_l4_ilb_subsetting = true - gcs_fuse_csi_driver = true - insecure_kubelet_readonly_port_enabled = "FALSE" - stateful_ha = false - gke_backup_agent_config = false + project_id = var.project_id + name = "${local.cluster_type}-cluster" + regional = true + region = var.region + network = module.gcp-network.network_name + subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)] + ip_range_pods = local.pods_range_name + ip_range_services = local.svc_range_name + release_channel = "RAPID" + enable_vertical_pod_autoscaling = true + network_tags = [local.cluster_type] + deletion_protection = false + enable_l4_ilb_subsetting = true + gcs_fuse_csi_driver = true + stateful_ha = false + gke_backup_agent_config = false ray_operator_config = { enabled = true logging_enabled = true 
From d47309f7c5f726d66121fcd1d831839cb818fec1 Mon Sep 17 00:00:00 2001 From: William Yardley Date: Mon, 23 Sep 2024 11:20:46 -0700 Subject: [PATCH 08/12] remove from autopilot variables as well --- autogen/main/variables.tf.tmpl | 2 +- modules/beta-autopilot-private-cluster/README.md | 1 - modules/beta-autopilot-private-cluster/variables.tf | 11 ----------- modules/beta-autopilot-public-cluster/README.md | 1 - modules/beta-autopilot-public-cluster/variables.tf | 11 ----------- 5 files changed, 1 insertion(+), 25 deletions(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 3f91118bd3..e8a57625ef 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -108,6 +108,7 @@ variable "service_external_ips" { default = false } +{% if autopilot_cluster != true %} variable "insecure_kubelet_readonly_port_enabled" { type = string description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." @@ -119,7 +120,6 @@ variable "insecure_kubelet_readonly_port_enabled" { } } -{% if autopilot_cluster != true %} variable "datapath_provider" { type = string description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature." diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 04979cd356..930a3c0199 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -114,7 +114,6 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index ac0fb83d99..b8d087b804 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -108,17 +108,6 @@ variable "service_external_ips" { default = false } -variable "insecure_kubelet_readonly_port_enabled" { - type = string - description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." - default = "" - - validation { - condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) - error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." - } -} - variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index aee3d54403..9df58422ce 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -105,7 +105,6 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 0cab22ab6f..22a05337af 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -108,17 +108,6 @@ variable "service_external_ips" { default = false } -variable "insecure_kubelet_readonly_port_enabled" { - type = string - description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." - default = "" - - validation { - condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) - error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." - } -} - variable "maintenance_start_time" { type = string description = "Time window specified for daily or recurring maintenance operations in RFC3339 format" From 83e57988b211b1e94e40b973c439f28dee8e2f17 Mon Sep 17 00:00:00 2001 From: William Yardley Date: Tue, 24 Sep 2024 17:50:33 -0700 Subject: [PATCH 09/12] update version specification order --- autogen/main/versions.tf.tmpl | 6 +++--- modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/versions.tf | 4 ++-- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- versions.tf | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 03057f57ad..b0c3247309 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
@@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" @@ -89,7 +89,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index c33107e9b4..2170a572b2 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 688e1b9453..046c196a67 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf 
@@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index bab30b6db3..df071b0852 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 2420fa8a6b..23bd64efd7 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 17930353ac..a118270cfe 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index e5c3e505e8..31b0e12766 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/versions.tf b/versions.tf index 585cbe580a..e2c20d1be2 100644 --- a/versions.tf +++ b/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.44.1, < 7, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0" + version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" From 086d13803adabbe72c7e21f4726a6e4d4ca40e08 Mon Sep 17 00:00:00 2001 From: Will Yardley Date: Wed, 25 Sep 2024 09:34:53 -0700 Subject: [PATCH 10/12] Update autogen/main/cluster.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index bda9fb0b0b..eb3c6b6d2b 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -1050,7 +1050,7 @@ resource "google_container_node_pool" "windows_pools" {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}
From 114b68ef0ed29612055a0d13a50ca8991648aa33 Mon Sep 17 00:00:00 2001
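Review bot: At this commit the template variable is still declared `type = string` with `default = ""` (the variable block shown in the earlier template and module hunks), so changing the guard from `!= ""` to `!= null` means the empty string is forwarded to the provider's boolean attribute for every Windows pool that does not set its own value; only the following commit's switch to `type = bool` / `default = null` makes this line right, so the two commits should be squashed so each commit in the series applies cleanly on its own. Independently of that, `var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null` yields the variable's value for every possible input, so the default argument can simply be `lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled)`. The `windows_pools` resource starts and ends outside the hunk.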
From: William Yardley Date: Wed, 25 Sep 2024 09:40:11 -0700 Subject: [PATCH 11/12] switch to optional bool for module implementation --- README.md | 4 ++-- autogen/main/README.md | 2 +- autogen/main/cluster.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 9 ++------- cluster.tf | 6 +++--- modules/beta-private-cluster-update-variant/README.md | 4 ++-- modules/beta-private-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-private-cluster-update-variant/variables.tf | 9 ++------- modules/beta-private-cluster/README.md | 4 ++-- modules/beta-private-cluster/cluster.tf | 6 +++--- modules/beta-private-cluster/variables.tf | 9 ++------- modules/beta-public-cluster-update-variant/README.md | 4 ++-- modules/beta-public-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-public-cluster-update-variant/variables.tf | 9 ++------- modules/beta-public-cluster/README.md | 4 ++-- modules/beta-public-cluster/cluster.tf | 6 +++--- modules/beta-public-cluster/variables.tf | 9 ++------- modules/private-cluster-update-variant/README.md | 4 ++-- modules/private-cluster-update-variant/cluster.tf | 6 +++--- modules/private-cluster-update-variant/variables.tf | 9 ++------- modules/private-cluster/README.md | 4 ++-- modules/private-cluster/cluster.tf | 6 +++--- modules/private-cluster/variables.tf | 9 ++------- variables.tf | 9 ++------- 24 files changed, 53 insertions(+), 93 deletions(-) diff --git a/README.md b/README.md index 2c75784680..a8ae382eb6 100644 --- a/README.md +++ b/README.md 
@@ -190,7 +190,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | -| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | 
@@ -320,7 +320,7 @@ The node_pools variable takes the following parameters: | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | -| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional | +| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional | | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 835cdfb66c..9ccbf7736d 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -213,7 +213,7 @@ The node_pools variable takes the following parameters: | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | -| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional | +| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional | | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index eb3c6b6d2b..a134ddf39a 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -679,7 +679,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_gcfs } {% endif %} - insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null {% endif %} } } 
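Review bot: In the `node_config_defaults` hunk, `var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null` is identical to `var.insecure_kubelet_readonly_port_enabled` for every value (null stays null, anything else passes through), so the conditional is dead weight now that the variable defaults to `null`; the line can be `insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled`. Because this attribute exists purely for hardening, a why-comment on it would help a reader who does not know the setting: `# null leaves the provider/platform default in place; set false to close the kubelet's unauthenticated read-only port on all pools that do not override it`. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.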
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index e8a57625ef..6d3d60ae41 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -110,14 +110,9 @@ variable "service_external_ips" {
{% if autopilot_cluster != true %}
variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
}
variable "datapath_provider" {
diff --git a/cluster.tf b/cluster.tf
index ebb9db07fc..0e821fe071 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -503,7 +503,7 @@ resource "google_container_cluster" "primary" {
node_pool_defaults {
node_config_defaults {
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
}
}
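Review bot: The variable description still says it applies to "node pool defaults and autopilot clusters", but the `{% if autopilot_cluster != true %}` guard directly above it now excludes this variable from the Autopilot modules entirely, so the text is wrong for the one case it explicitly names. It also drops the security guidance that the per-pool README row carried before this commit ("strongly recommended to set this to FALSE"), which matters more now that the type is `bool` with a `null` default that silently leaves the insecure port at whatever the platform default happens to be. Suggested: `description = "Whether to set insecure_kubelet_readonly_port_enabled in node_pool_defaults. Setting this to false is strongly recommended; it closes the kubelet's unauthenticated read-only port. Not available in the Autopilot modules. Can also be set per pool within node_pools."`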
@@ -753,7 +753,7 @@ resource "google_container_node_pool" "pools" {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}
@@ -1044,7 +1044,7 @@ resource "google_container_node_pool" "windows_pools" {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 2c8a4822a5..bcff4546cc 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -233,7 +233,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | -| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no | +| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | 
@@ -378,7 +378,7 @@ The node_pools variable takes the following parameters: | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | -| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional | +| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional | | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 722e8dbef2..cb71bb0d95 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -581,7 +581,7 @@ resource "google_container_cluster" "primary" { gcfs_config { enabled = var.enable_gcfs } - insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null + insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null } } @@ -921,7 +921,7 @@ resource "google_container_node_pool" "pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1226,7 +1226,7 @@ resource "google_container_node_pool" "windows_pools" { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null) + insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null) pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } 
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 5d894ea0df..12bf92a229 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -109,14 +109,9 @@ variable "service_external_ips" { } variable "insecure_kubelet_readonly_port_enabled" { - type = string + type = bool description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`." - default = "" - - validation { - condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled) - error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")." - } + default = null } variable "datapath_provider" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f1ff5d5cd9..cfc7c03338 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -211,7 +211,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
-| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no |
+| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
@@ -356,7 +356,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
-| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
+| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 88785871fe..863984c998 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -581,7 +581,7 @@ resource "google_container_cluster" "primary" {
 gcfs_config {
 enabled = var.enable_gcfs
 }
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
 
@@ -838,7 +838,7 @@ resource "google_container_node_pool" "pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1142,7 +1142,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 5d894ea0df..12bf92a229 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 74f2f4b8f6..70a3479b96 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -224,7 +224,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
-| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no |
+| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
@@ -364,7 +364,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
-| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
+| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 29b98cebe4..1796129c83 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -560,7 +560,7 @@ resource "google_container_cluster" "primary" {
 gcfs_config {
 enabled = var.enable_gcfs
 }
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
 
@@ -900,7 +900,7 @@ resource "google_container_node_pool" "pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1205,7 +1205,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 207a2d996a..499075e902 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 4e7219fd3d..a4af452331 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -202,7 +202,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
-| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no |
+| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
@@ -342,7 +342,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
-| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
+| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index ddd0959931..debed49080 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -560,7 +560,7 @@ resource "google_container_cluster" "primary" {
 gcfs_config {
 enabled = var.enable_gcfs
 }
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
 
@@ -817,7 +817,7 @@ resource "google_container_node_pool" "pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1121,7 +1121,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 207a2d996a..499075e902 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 2cbea608bf..cb364f11f2 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -221,7 +221,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
-| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no |
+| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
@@ -356,7 +356,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
-| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
+| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 3f6aa14053..aec454462f 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -524,7 +524,7 @@ resource "google_container_cluster" "primary" {

 node_pool_defaults {
 node_config_defaults {
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
 
@@ -857,7 +857,7 @@ resource "google_container_node_pool" "pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1149,7 +1149,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 33711afeb4..70b2619e6c 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index af6509a9fc..96d897cb4b 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -199,7 +199,7 @@ Then perform the following commands on the root folder:
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
-| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `string` | `""` | no |
+| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
@@ -334,7 +334,7 @@ The node_pools variable takes the following parameters:
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
-| insecure_kubelet_readonly_port_enabled | Whether or not to enable the insecure Kubelet readonly port. It's strongly recommended to set this to "FALSE". One of "TRUE", "FALSE". | null | Optional |
+| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
 | key | The key required for the taint | | Required |
 | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
 | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index d8ca7532bb..e31fa67829 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -524,7 +524,7 @@ resource "google_container_cluster" "primary" {

 node_pool_defaults {
 node_config_defaults {
- insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null
+ insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
 }
 }
 
@@ -774,7 +774,7 @@ resource "google_container_node_pool" "pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1065,7 +1065,7 @@ resource "google_container_node_pool" "windows_pools" {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
- insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != "" ? var.insecure_kubelet_readonly_port_enabled : null)
+ insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
 pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 33711afeb4..70b2619e6c 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
diff --git a/variables.tf b/variables.tf
index b644873102..7f6f1f2a38 100644
--- a/variables.tf
+++ b/variables.tf
@@ -109,14 +109,9 @@ variable "service_external_ips" {
 }

 variable "insecure_kubelet_readonly_port_enabled" {
- type = string
+ type = bool
 description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
- default = ""
-
- validation {
- condition = contains(["FALSE", "TRUE", ""], var.insecure_kubelet_readonly_port_enabled)
- error_message = "The node_metadata value must be one of \"TRUE\", \"FALSE\", or empty string (\"\")."
- }
+ default = null
 }

 variable "datapath_provider" {
From b6c5fa6d083abc02bb05d6a993e8af93552e7907 Mon Sep 17 00:00:00 2001
From: William Yardley
Date: Mon, 14 Oct 2024 12:14:39 -0700
Subject: [PATCH 12/12] update required versions
---
 autogen/main/versions.tf.tmpl | 6 +++---
 modules/beta-private-cluster-update-variant/versions.tf | 4 ++--
 modules/beta-private-cluster/versions.tf | 4 ++--
 modules/beta-public-cluster-update-variant/versions.tf | 4 ++--
 modules/beta-public-cluster/versions.tf | 4 ++--
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 versions.tf | 2 +-
 8 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index b0c3247309..79a86d26bc 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,11 +24,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
@@ -89,7 +89,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 2170a572b2..c0535d96be 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 046c196a67..8131a8974b 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index df071b0852..f27bf6f46b 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 23bd64efd7..93418333f8 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index a118270cfe..0fd3a60946 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 31b0e12766..45e4fae95e 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/versions.tf b/versions.tf
index e2c20d1be2..58d637c3f7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.44.1, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, < 7"
+ version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
