Merge pull request #206 from terraform-google-modules/aaron-lane-v3.0.0

v3.0

Author: aaron-lane

.kitchen.yml

@@ -104,6 +104,20 @@ suites:
       systems:
         - name: stub_domains_private
           backend: local
+  - name: "upstream_nameservers"
+    driver:
+      root_module_directory: test/fixtures/upstream_nameservers
+    verifier:
+        systems:
+          - name: upstream_nameservers
+            backend: local
+  - name: "stub_domains_upstream_nameservers"
+    driver:
+      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
+    verifier:
+        systems:
+          - name: stub_domains_upstream_nameservers
+            backend: local
   - name: "workload_metadata_config"
     driver:
       root_module_directory: test/fixtures/workload_metadata_config

CHANGELOG.md

@@ -8,6 +8,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+## [v3.0.0] - 2019-07-08
+
 ### Added
 
 * Add configuration flag for enable BinAuthZ Admission controller [#160] [#188]
@@ -16,15 +18,16 @@ Extending the adopted spec, each change should have a link to its corresponding
 * Support to scale the default node cluster. [#149]
 * Support for configuring the network policy provider. [#159]
 * Support for database encryption. [#165]
-* Submodules for public and private clusters with beta features. [#124] [#188]
+* Submodules for public and private clusters with beta features. [#124] [#188] [#203]
 * Support for configuring cluster IPv4 CIDRs. [#193]
 * Support for configuring IP Masquerade. [#187]
 * Support for v2.9 of the Google providers. [#198]
+* Support for upstreamNameservers. [#207]
 
 ### Fixed
 
-* Dropped support for v2.7 of the Google providers; these versions were
-  incompatible with the guest accelerator. [#198]
+* Dropped support for versions of the Google provider earlier than v2.9; these versions multiple
+  incompatibilities with the module. [#198]
 
 ## [v2.1.0] - 2019-05-30
 
@@ -131,7 +134,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 * Initial release of module.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v2.1.0...HEAD
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v3.0.0...HEAD
+[v3.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v2.1.0...v3.0.0
 [v2.1.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v2.0.1...v2.1.0
 [v2.0.1]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v2.0.0...v2.0.1
 [v2.0.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v1.0.1...v2.0.0
@@ -142,6 +146,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
+[#207]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/207
+[#203]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/203
 [#198]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/198
 [#197]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/197
 [#193]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/193

README.md

@@ -97,6 +97,11 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
 
+## Upgrade to v3.0.0
+
+v3.0.0 is a breaking release. Refer to the
+[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
+
 ## Upgrade to v2.0.0
 
 v2.0.0 is a breaking release. Refer to the
@@ -154,6 +159,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
+| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
 
 ## Outputs
@@ -198,7 +204,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x
 #### Terraform and Plugins
 - [Terraform](https://www.terraform.io/downloads.html) 0.11.x
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.3, v2.6, v2.9
+- [Terraform Provider for GCP][terraform-provider-google] v2.9
 
 ### Configure a Service Account
 In order to execute this module you must have a Service Account with the
@@ -366,3 +372,5 @@ command.
 * Dockerfiles - hadolint. Can be found in homebrew
 
 [upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
+[upgrading-to-v3.0]: docs/upgrading_to_v3.0.md
+[terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google

autogen/README.md

@@ -111,6 +111,11 @@ Then perform the following commands on the root folder:
 - `terraform apply` to apply the infrastructure build
 - `terraform destroy` to destroy the built infrastructure
 
+## Upgrade to v3.0.0
+
+v3.0.0 is a breaking release. Refer to the
+[Upgrading to v3.0 guide][upgrading-to-v3.0] for details.
+
 ## Upgrade to v2.0.0
 
 v2.0.0 is a breaking release. Refer to the
@@ -142,9 +147,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 - [Terraform](https://www.terraform.io/downloads.html) 0.11.x
 {% if private_cluster or beta_cluster %}
-- [terraform-provider-google-beta](https://github.com/terraform-providers/terraform-provider-google-beta) v2.3, v2.6, v2.9
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v2.9
 {% else %}
-- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) v2.3, v2.6, v2.9
+- [Terraform Provider for GCP][terraform-provider-google] v2.9
 {% endif %}
 
 ### Configure a Service Account
@@ -317,3 +322,13 @@ command.
 {% else %}
 [upgrading-to-v2.0]: docs/upgrading_to_v2.0.md
 {% endif %}
+{% if private_cluster or beta_cluster %}
+[upgrading-to-v3.0]: ../../docs/upgrading_to_v3.0.md
+{% else %}
+[upgrading-to-v3.0]: docs/upgrading_to_v3.0.md
+{% endif %}
+{% if private_cluster or beta_cluster %}
+[terraform-provider-google-beta]: https://github.com/terraform-providers/terraform-provider-google-beta
+{% else %}
+[terraform-provider-google]: https://github.com/terraform-providers/terraform-provider-google
+{% endif %}

autogen/cluster_regional.tf

@@ -107,6 +107,7 @@ resource "google_container_cluster" "primary" {
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
       {% if beta_cluster %}
+
       workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
       {% endif %}
     }

autogen/cluster_zonal.tf

@@ -39,10 +39,10 @@ resource "google_container_cluster" "zonal_primary" {
   monitoring_service = "${var.monitoring_service}"
 
   {% if beta_cluster %}
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
-  {% endif %}
+  enable_binary_authorization = "${var.enable_binary_authorization}"
+  pod_security_policy_config  = "${var.pod_security_policy_config}"
 
+  {% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
@@ -108,6 +108,7 @@ resource "google_container_cluster" "zonal_primary" {
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
       {% if beta_cluster %}
+
       workload_metadata_config = "${local.cluster_node_metadata_config["${var.node_metadata == "UNSPECIFIED" ? "unspecified" : "specified"}"]}"
       {% endif %}
     }

autogen/dns.tf

@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}"
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
@@ -33,7 +33,7 @@ resource "null_resource" "delete_default_kube_dns_configmap" {
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}"
 
   metadata {
     name      = "kube-dns"
@@ -52,3 +52,49 @@ EOF
 
   depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
 }
+
+resource "kubernetes_config_map" "kube-dns-upstream-namservers" {
+  count = "${!local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}
+
+resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" {
+  count = "${local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+
+    stubDomains = <<EOF
+${jsonencode(var.stub_domains)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}

autogen/main.tf

@@ -36,6 +36,7 @@ locals {
   node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
   node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
   custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
+  upstream_nameservers_config = "${length(var.upstream_nameservers) > 0 ? true : false}"
   network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
 
   cluster_type = "${var.regional ? "regional" : "zonal"}"
@@ -195,9 +196,8 @@ locals {
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
 {% if beta_cluster %}
   # BETA features
-  cluster_istio_enabled    = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}"
-  cluster_cloudrun_enabled = "${var.cloudrun}"
-
+  cluster_istio_enabled                      = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}"
+  cluster_cloudrun_enabled                   = "${var.cloudrun}"
   cluster_pod_security_policy_enabled        = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}"
   # /BETA features
 {% endif %}

autogen/outputs.tf

@@ -113,6 +113,7 @@ output "service_account" {
   value       = "${local.service_account}"
 }
 {% if beta_cluster %}
+
 output "istio_enabled" {
   description = "Whether Istio is enabled"
   value       = "${local.cluster_istio_enabled}"

autogen/variables.tf

@@ -206,6 +206,12 @@ variable "stub_domains" {
   default     = {}
 }
 
+variable "upstream_nameservers" {
+  type        = "list"
+  description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf"
+  default     = []
+}
+
 variable "non_masquerade_cidrs" {
   type        = "list"
   description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."