Skip to content

Commit 260be87

Browse files
arthurlapertosaarthurlapertosa
authored
feat: add hyperdisk confidential node pool to the confidential safer cluster example (#2311)
1 parent 9124dbe commit 260be87

File tree

11 files changed

+69
-33
lines changed

11 files changed

+69
-33
lines changed

autogen/main/cluster.tf.tmpl

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -536,6 +536,7 @@ resource "google_container_cluster" "primary" {
536536
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
537537
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
538538
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
539+
disk_type = lookup(var.node_pools[0], "disk_type", null)
539540
dynamic "gcfs_config" {
540541
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
541542
content {

cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -412,6 +412,7 @@ resource "google_container_cluster" "primary" {
412412
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
413413
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
414414
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
415+
disk_type = lookup(var.node_pools[0], "disk_type", null)
415416
dynamic "gcfs_config" {
416417
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
417418
content {

examples/confidential_safer_cluster/main.tf

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -45,11 +45,21 @@ data "google_container_engine_versions" "current" {
4545
location = var.region
4646
}
4747

48+
data "google_project" "main" {
49+
project_id = var.project_id
50+
}
51+
4852
resource "random_shuffle" "version" {
4953
input = data.google_container_engine_versions.current.valid_master_versions
5054
result_count = 1
5155
}
5256

57+
resource "google_kms_crypto_key_iam_member" "main" {
58+
crypto_key_id = module.kms.keys[local.key_name]
59+
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
60+
member = "serviceAccount:service-${data.google_project.main.number}@compute-system.iam.gserviceaccount.com"
61+
}
62+
5363
module "gke" {
5464
source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster"
5565
version = "~> 36.0"
@@ -87,9 +97,11 @@ module "gke" {
8797

8898
node_pools = [
8999
{
90-
name = "default"
91-
machine_type = "n2d-standard-2"
92-
enable_secure_boot = true
100+
name = "default"
101+
machine_type = "n2d-standard-2"
102+
disk_type = "hyperdisk-balanced"
103+
boot_disk_kms_key = module.kms.keys[local.key_name]
104+
enable_confidential_storage = true
93105
},
94106
]
95107

modules/beta-private-cluster-update-variant/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -449,6 +449,7 @@ resource "google_container_cluster" "primary" {
449449
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
450450
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
451451
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
452+
disk_type = lookup(var.node_pools[0], "disk_type", null)
452453
dynamic "gcfs_config" {
453454
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
454455
content {

modules/beta-private-cluster/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -449,6 +449,7 @@ resource "google_container_cluster" "primary" {
449449
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
450450
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
451451
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
452+
disk_type = lookup(var.node_pools[0], "disk_type", null)
452453
dynamic "gcfs_config" {
453454
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
454455
content {

modules/beta-public-cluster-update-variant/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -449,6 +449,7 @@ resource "google_container_cluster" "primary" {
449449
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
450450
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
451451
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
452+
disk_type = lookup(var.node_pools[0], "disk_type", null)
452453
dynamic "gcfs_config" {
453454
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
454455
content {

modules/beta-public-cluster/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -449,6 +449,7 @@ resource "google_container_cluster" "primary" {
449449
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
450450
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
451451
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
452+
disk_type = lookup(var.node_pools[0], "disk_type", null)
452453
dynamic "gcfs_config" {
453454
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
454455
content {

modules/private-cluster-update-variant/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -412,6 +412,7 @@ resource "google_container_cluster" "primary" {
412412
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
413413
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
414414
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
415+
disk_type = lookup(var.node_pools[0], "disk_type", null)
415416
dynamic "gcfs_config" {
416417
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
417418
content {

modules/private-cluster/cluster.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -412,6 +412,7 @@ resource "google_container_cluster" "primary" {
412412
machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
413413
min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
414414
enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
415+
disk_type = lookup(var.node_pools[0], "disk_type", null)
415416
dynamic "gcfs_config" {
416417
for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
417418
content {

test/integration/confidential_safer_cluster/confidential_safer_cluster_test.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,14 @@ func TestConfidentialSaferCluster(t *testing.T) {
6363
"binaryAuthorization.evaluationMode",
6464
"legacyAbac",
6565
"meshCertificates.enableCertificates",
66+
"nodeConfig.bootDiskKmsKey",
67+
"nodeConfig.diskType",
68+
"nodeConfig.enableConfidentialStorage",
69+
"nodeConfig.machineType",
70+
"nodeConfig.diskType",
71+
"nodePools.enableConfidentialStorage",
72+
"nodePools.diskType",
73+
"nodePools.bootDiskKmsKey",
6674
"nodePools.autoscaling",
6775
"nodePools.config.machineType",
6876
"nodePools.config.diskSizeGb",

0 commit comments

Comments
 (0)