Merge pull request #217 from Dev25/beta-v2

morgante · web-flow · commit 5c17b2ebeab6 · 2019-08-21T20:44:08.000-04:00
Add Authenticator Groups
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
+* Support for Google Groups based RBAC beta feature [#217]
 
 ## [v4.1.0] 2019-07-24
 
diff --git a/autogen/cluster.tf b/autogen/cluster.tf
@@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" {
       identity_namespace = workload_identity_config.value.identity_namespace
     }
   }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
+  }
 {% endif %}
 }
 
diff --git a/autogen/main.tf b/autogen/main.tf
@@ -71,6 +71,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 {% endif %}
 
   cluster_output_name           = google_container_cluster.primary.name
diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -383,5 +383,10 @@ variable "identity_namespace" {
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
 
 {% endif %}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -176,6 +176,13 @@ resource "google_container_cluster" "primary" {
       identity_namespace = workload_identity_config.value.identity_namespace
     }
   }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
+  }
 }
 
 /******************************************
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -380,4 +380,9 @@ variable "identity_namespace" {
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
 
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {
       identity_namespace = workload_identity_config.value.identity_namespace
     }
   }
+
+  dynamic "authenticator_groups_config" {
+    for_each = local.cluster_authenticator_security_group
+    content {
+      security_group = authenticator_groups_config.value.security_group
+    }
+  }
 }
 
 /******************************************
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -66,6 +66,10 @@ locals {
     node_metadata = var.node_metadata
   }]
 
+  cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
+    security_group = var.authenticator_security_group
+  }]
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -356,4 +356,9 @@ variable "identity_namespace" {
   default     = ""
 }
 
+variable "authenticator_security_group" {
+  type        = string
+  description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
+  default     = null
+}
 

Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" {`
`189`	`189`	`identity_namespace = workload_identity_config.value.identity_namespace`
`190`	`190`	`}`
`191`	`191`	`}`
	`192`	`+`
	`193`	`+ dynamic "authenticator_groups_config" {`
	`194`	`+ for_each = local.cluster_authenticator_security_group`
	`195`	`+ content {`
	`196`	`+ security_group = authenticator_groups_config.value.security_group`
	`197`	`+ }`
	`198`	`+ }`
`192`	`199`	`{% endif %}`
`193`	`200`	`}`
`194`	`201`
Original file line number	Diff line number	Diff line change
`@@ -383,5 +383,10 @@ variable "identity_namespace" {`
`383`	`383`	`default = ""`
`384`	`384`	`}`
`385`	`385`
	`386`	`+variable "authenticator_security_group" {`
	`387`	`+ type = string`
	`388`	`+ description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected]"`
	`389`	`+ default = null`
	`390`	`+}`
`386`	`391`
`387`	`392`	`{% endif %}`
Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,13 @@ resource "google_container_cluster" "primary" {`
`176`	`176`	`identity_namespace = workload_identity_config.value.identity_namespace`
`177`	`177`	`}`
`178`	`178`	`}`
	`179`	`+`
	`180`	`+ dynamic "authenticator_groups_config" {`
	`181`	`+ for_each = local.cluster_authenticator_security_group`
	`182`	`+ content {`
	`183`	`+ security_group = authenticator_groups_config.value.security_group`
	`184`	`+ }`
	`185`	`+ }`
`179`	`186`	`}`
`180`	`187`
`181`	`188`	`/******************************************`
Original file line number	Diff line number	Diff line change
`@@ -380,4 +380,9 @@ variable "identity_namespace" {`
`380`	`380`	`default = ""`
`381`	`381`	`}`
`382`	`382`
	`383`	`+variable "authenticator_security_group" {`
	`384`	`+ type = string`
	`385`	`+ description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected]"`
	`386`	`+ default = null`
	`387`	`+}`
`383`	`388`
Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" {`
`171`	`171`	`identity_namespace = workload_identity_config.value.identity_namespace`
`172`	`172`	`}`
`173`	`173`	`}`
	`174`	`+`
	`175`	`+ dynamic "authenticator_groups_config" {`
	`176`	`+ for_each = local.cluster_authenticator_security_group`
	`177`	`+ content {`
	`178`	`+ security_group = authenticator_groups_config.value.security_group`
	`179`	`+ }`
	`180`	`+ }`
`174`	`181`	`}`
`175`	`182`
`176`	`183`	`/******************************************`