feat: Simple GKE modules for ADC (#2397)

Author: daniel-cit

.gitignore

@@ -50,7 +50,8 @@ crash.log
 **/.kitchen.local.yml
 **/Gemfile.lock
 
-test/fixtures/shared/terraform.tfvars
+test/fixtures/**/terraform.tfvars
+modules/**/terraform.tfvars
 
 test/integration/gcloud/config.sh
 test/integration/tmp

build/int.cloudbuild.yaml

@@ -270,6 +270,36 @@ steps:
     - verify beta-cluster
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage teardown --verbose']
+- id: apply gke-standard-cluster
+  waitFor:
+    - teardown beta-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEStandardCluster --stage apply --verbose']
+- id: verify gke-standard-cluster
+  waitFor:
+    - apply gke-standard-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEStandardCluster --stage verify --verbose']
+- id: teardown gke-standard-cluster
+  waitFor:
+    - verify gke-standard-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEStandardCluster --stage teardown --verbose']
+- id: apply gke-autopilot-cluster
+  waitFor:
+    - teardown gke-standard-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEAutopilotCluster --stage apply --verbose']
+- id: verify gke-autopilot-cluster
+  waitFor:
+    - apply gke-autopilot-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEAutopilotCluster --stage verify --verbose']
+- id: teardown gke-autopilot-cluster
+  waitFor:
+    - verify gke-autopilot-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestGKEAutopilotCluster --stage teardown --verbose']
 - id: apply simple-windows-node-pool-local
   waitFor:
     - init-all

examples/gke_autopilot_cluster/README.md

@@ -0,0 +1,35 @@
+# GKE Autopilot Cluster
+
+This example creates a GKE private Autopilot clusterwith beta features.
+For a full example see [simple_autopilot_private](../simple_autopilot_private/README.md) example.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
+| region | The region to host the cluster in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| addons\_config | The configuration for addons supported by GKE Autopilot. |
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| cluster\_name | Cluster name |
+| endpoint | The cluster endpoint |
+| location | Cluster location |
+| master\_version | The master Kubernetes version |
+| network\_name | The name of the VPC being created |
+| node\_locations | Cluster node locations |
+| project\_id | The project ID the cluster is in |
+| subnets\_names | The names of the subnet being created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/gke_autopilot_cluster/main.tf

@@ -0,0 +1,72 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type           = "gke-autopilot"
+  default_workload_pool  = "${var.project_id}.svc.id.goog"
+  network_name           = "autopilot-network"
+  subnet_name            = "autopilot-subnet"
+  master_auth_subnetwork = "autopilot-master-subnet"
+  pods_range_name        = "ip-range-pods-autopilot"
+  svc_range_name         = "ip-range-svc-autopilot"
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
+module "gke" {
+  source = "../../modules/gke-autopilot-cluster"
+
+  project    = var.project_id
+  name       = "${local.cluster_type}-cluster"
+  location   = var.region
+  network    = module.gcp-network.network_self_link
+  subnetwork = module.gcp-network.subnets_self_links[index(module.gcp-network.subnets_names, local.subnet_name)]
+
+  ip_allocation_policy = {
+    cluster_secondary_range_name  = local.pods_range_name
+    services_secondary_range_name = local.svc_range_name
+  }
+
+  private_cluster_config = {
+    enable_private_endpoint = true
+    enable_private_nodes    = true
+    master_ipv4_cidr_block  = "172.16.0.0/28"
+    master_global_access_config = {
+      enabled = true
+    }
+  }
+
+  master_authorized_networks_config = {
+    cidr_blocks = [{
+      cidr_block   = "10.60.0.0/17"
+      display_name = "VPC"
+    }]
+  }
+
+  confidential_nodes = {
+    enabled = true
+  }
+
+  workload_identity_config = {
+    workload_pool = local.default_workload_pool
+  }
+}

examples/gke_autopilot_cluster/network.tf

@@ -0,0 +1,50 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+  source  = "terraform-google-modules/network/google"
+  version = ">= 7.5"
+
+  project_id   = var.project_id
+  network_name = local.network_name
+
+  subnets = [
+    {
+      subnet_name           = local.subnet_name
+      subnet_ip             = "10.0.0.0/17"
+      subnet_region         = var.region
+      subnet_private_access = true
+    },
+    {
+      subnet_name   = local.master_auth_subnetwork
+      subnet_ip     = "10.60.0.0/17"
+      subnet_region = var.region
+    },
+  ]
+
+  secondary_ranges = {
+    (local.subnet_name) = [
+      {
+        range_name    = local.pods_range_name
+        ip_cidr_range = "192.168.0.0/18"
+      },
+      {
+        range_name    = local.svc_range_name
+        ip_cidr_range = "192.168.64.0/18"
+      },
+    ]
+  }
+}

examples/gke_autopilot_cluster/outputs.tf

@@ -0,0 +1,67 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "endpoint" {
+  sensitive   = true
+  description = "The cluster endpoint"
+  value       = module.gke.endpoint
+}
+
+output "ca_certificate" {
+  sensitive   = true
+  description = "The cluster ca certificate (base64 encoded)"
+  value       = module.gke.ca_certificate
+}
+
+output "project_id" {
+  description = "The project ID the cluster is in"
+  value       = var.project_id
+}
+
+output "location" {
+  description = "Cluster location"
+  value       = module.gke.location
+}
+
+output "node_locations" {
+  description = "Cluster node locations"
+  value       = module.gke.node_locations
+}
+
+output "addons_config" {
+  description = "The configuration for addons supported by GKE Autopilot."
+  value       = module.gke.addons_config
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = module.gke.cluster_name
+}
+
+output "network_name" {
+  description = "The name of the VPC being created"
+  value       = module.gcp-network.network_name
+}
+
+output "subnets_names" {
+  description = "The names of the subnet being created"
+  value       = module.gcp-network.subnets_names
+}
+
+output "master_version" {
+  description = "The master Kubernetes version"
+  value       = module.gke.master_version
+}

examples/gke_autopilot_cluster/variables.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}

examples/gke_autopilot_cluster/versions.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    google-beta = {
+      source = "hashicorp/google-beta"
+    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+    }
+  }
+}

examples/gke_standard_cluster/README.md

@@ -0,0 +1,41 @@
+# GKE Standard Cluster and Node Pool
+
+This example creates a GKE private cluster and Node Pool with beta features.
+For a full example see [simple_regional_private_beta](../simple_regional_private_beta/README.md) example.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
+| dns\_cache | Boolean to enable / disable NodeLocal DNSCache | `bool` | `false` | no |
+| gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
+| ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes |
+| network | The VPC network to host the cluster in | `any` | n/a | yes |
+| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
+| region | The region to host the cluster in | `any` | n/a | yes |
+| service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| addons\_config | The configuration for addons supported by GKE Autopilot. |
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| cluster\_name | Cluster name |
+| endpoint | The cluster endpoint |
+| location | Cluster location |
+| master\_version | The master Kubernetes version |
+| node\_locations | Cluster node locations |
+| project\_id | The project ID the cluster is in |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure