feat: support TPG v6.11 and control_plane_endpoints_config

Author: apeabody

README.md

@@ -263,6 +263,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |

autogen/main/cluster.tf.tmpl

@@ -632,6 +632,15 @@ resource "google_container_cluster" "primary" {
       }
     }
   }
+
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : [0]
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.deploy_using_private_endpoint
+      }
+    }
+  }
 {% endif %}
 
   {% if autopilot_cluster != true %}

autogen/main/main.tf.tmpl

@@ -143,8 +143,9 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
+  cluster_endpoint_dns       = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
 {% if private_cluster %}
-  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
+  cluster_endpoint           = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? (var.enable_private_endpoint || var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config[0].private_endpoint : google_container_cluster.primary.private_cluster_config[0].public_endpoint) : google_container_cluster.primary.endpoint
   cluster_peering_name       = (var.enable_private_nodes && length(google_container_cluster.primary.private_cluster_config) > 0) ? google_container_cluster.primary.private_cluster_config[0].peering_name : null
   cluster_endpoint_for_nodes = var.master_ipv4_cidr_block
 {% else %}

autogen/main/outputs.tf.tmpl

@@ -76,6 +76,24 @@ output "endpoint" {
   ]
 }
 
+output "endpoint_dns" {
+  sensitive   = true
+  description = "Cluster endpoint DNS"
+  value       = local.cluster_endpoint_dns
+  depends_on = [
+    /* Nominally, the endpoint is populated as soon as it is known to Terraform.
+    * However, the cluster may not be in a usable state yet.  Therefore any
+    * resources dependent on the cluster being up will fail to deploy.  With
+    * this explicit dependency, dependent resources can wait for the cluster
+    * to be up.
+    */
+    google_container_cluster.primary,
+    {% if autopilot_cluster != true %}
+    google_container_node_pool.pools,
+    {% endif %}
+  ]
+}
+
 output "min_master_version" {
   description = "Minimum master kubernetes version"
   value       = local.cluster_min_master_version

autogen/main/versions.tf.tmpl

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2022-2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,33 +24,33 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.7.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
 {% elif beta_cluster and autopilot_cluster %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.5.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 6.5.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
 {% elif autopilot_cluster  %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.5.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
 {% else %}
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.7.0, < 6.11.0"
+      version = ">= 6.11.0, < 7"
     }
 {% endif %}
     kubernetes = {

examples/safer_cluster_iap_bastion/bastion.tf

@@ -34,4 +34,6 @@ module "bastion" {
   startup_script = templatefile("${path.module}/templates/startup-script.tftpl", {})
   members        = var.bastion_members
   shielded_vm    = "false"
+
+  service_account_roles = ["roles/container.viewer"]
 }

examples/simple_regional_beta/main.tf

@@ -20,12 +20,6 @@ locals {
 
 data "google_client_config" "default" {}
 
-provider "kubernetes" {
-  host                   = "https://${module.gke.endpoint}"
-  token                  = data.google_client_config.default.access_token
-  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
-}
-
 module "gke" {
   source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
   version = "~> 34.0"

examples/simple_regional_beta/versions.tf

@@ -23,8 +23,5 @@ terraform {
     google-beta = {
       source = "hashicorp/google-beta"
     }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-    }
   }
 }

main.tf

@@ -109,6 +109,7 @@ locals {
   cluster_output_regional_zones = google_container_cluster.primary.node_locations
   cluster_output_zones          = local.cluster_output_regional_zones
 
+  cluster_endpoint_dns       = google_container_cluster.primary.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
   cluster_endpoint           = google_container_cluster.primary.endpoint
   cluster_endpoint_for_nodes = "${google_container_cluster.primary.endpoint}/32"
 

modules/beta-autopilot-private-cluster/README.md

@@ -170,6 +170,7 @@ Then perform the following commands on the root folder:
 | cluster\_id | Cluster ID |
 | dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
+| endpoint\_dns | Cluster endpoint DNS |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |