diff --git a/README.md b/README.md
index 1cde1eb11a..2361c54d42 100644
--- a/README.md
+++ b/README.md
@@ -199,6 +199,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 68dd57636f..306302feea 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -254,6 +254,8 @@ resource "google_container_cluster" "primary" { disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + + in_transit_encryption_config = var.in_transit_encryption_config dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
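Review bot: In the autogen/main/cluster.tf.tmpl hunk the new attribute is inserted as an added blank line followed by `in_transit_encryption_config = var.in_transit_encryption_config` with `dynamic "secret_manager_config"` immediately after it, while every generated cluster.tf in this commit has the attribute first and the blank line after it. If the generator does not normalise blank lines, the committed cluster.tf files do not match what regenerating from the template would produce and the next `make build` will churn them. I would move the added blank line below the attribute in the template so it mirrors the generated files. The `google_container_cluster.primary` resource starts and ends outside the hunk.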
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index c54a0f7e39..d5a46d0cb8 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -696,6 +696,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/cluster.tf b/cluster.tf
index 56c051812d..a20934d6b5 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -194,6 +194,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/metadata.display.yaml b/metadata.display.yaml
index c7781354d4..3ad2498ec7 100644
--- a/metadata.display.yaml
+++ b/metadata.display.yaml
@@ -204,6 +204,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/metadata.yaml b/metadata.yaml
index e02a5b449d..baa223e554 100644
--- a/metadata.yaml
+++ b/metadata.yaml
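Review bot: The new `in_transit_encryption_config` variable in autogen/main/variables.tf.tmpl accepts any string although its description names exactly two valid values, so a misspelled or lowercase value is only rejected by the API at apply time; a `validation` block that allows `null` or one of the two documented values would catch it at plan time. Because this toggles an encryption control, the description should also state what `null` means (presumably the attribute is left unset and the provider default applies, which the description as written does not say). The same unvalidated definition is repeated in the generated variables.tf hunks of every module in this commit, so the fix belongs in the template followed by regeneration.
```hcl
variable "in_transit_encryption_config" {
  type        = string
  description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. When null the attribute is not set and the provider default applies."
  default     = null

  validation {
    condition     = var.in_transit_encryption_config == null ? true : contains(["IN_TRANSIT_ENCRYPTION_DISABLED", "IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT"], var.in_transit_encryption_config)
    error_message = "in_transit_encryption_config must be null, IN_TRANSIT_ENCRYPTION_DISABLED or IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT."
  }
}
```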
@@ -540,6 +540,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 7c7dbd17ea..866eedfa99 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -118,6 +118,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. | `bool` | `null` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 53169d6a0a..72a52a7363 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -114,6 +114,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml
index b441677fda..33e8d36fd4 100644
--- a/modules/beta-autopilot-private-cluster/metadata.display.yaml
+++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml
@@ -166,6 +166,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config insecure_kubelet_readonly_port_enabled: name: insecure_kubelet_readonly_port_enabled title: Insecure Kubelet Readonly Port Enabled
diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml
index c8977d4437..56dc362fc1 100644
--- a/modules/beta-autopilot-private-cluster/metadata.yaml
+++ b/modules/beta-autopilot-private-cluster/metadata.yaml
@@ -375,6 +375,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 3d531372be..d95e31d2a7 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -423,6 +423,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 5398da0f1a..88519eb6b2 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -109,6 +109,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. | `bool` | `null` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used. | `string` | `null` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 4813baaf48..0e29c4fdf6 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -114,6 +114,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml
index 6b48bc0f35..2c6accc9fa 100644
--- a/modules/beta-autopilot-public-cluster/metadata.display.yaml
+++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml
@@ -157,6 +157,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config insecure_kubelet_readonly_port_enabled: name: insecure_kubelet_readonly_port_enabled title: Insecure Kubelet Readonly Port Enabled
diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml
index 574a1f396d..8851eb6233 100644
--- a/modules/beta-autopilot-public-cluster/metadata.yaml
+++ b/modules/beta-autopilot-public-cluster/metadata.yaml
@@ -353,6 +353,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 2692fe4b21..5f861cb692 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -387,6 +387,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 30180c066e..cebd4a0f15 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -238,6 +238,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 7be100dc71..1f1cce0b6d 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -207,6 +207,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml
index 293a6bc5bb..23799bac63 100644
--- a/modules/beta-private-cluster-update-variant/metadata.display.yaml
+++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml
@@ -229,6 +229,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
index 1541553128..5c319dd6b4 100644
--- a/modules/beta-private-cluster-update-variant/metadata.yaml
+++ b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -539,6 +539,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 9d56e06557..91915970a6 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -653,6 +653,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index d84ca51c61..cea37bce42 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -216,6 +216,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 568e5bc4d9..074a70b563 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -207,6 +207,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml
index a23bbaf03a..e197a3997b 100644
--- a/modules/beta-private-cluster/metadata.display.yaml
+++ b/modules/beta-private-cluster/metadata.display.yaml
@@ -229,6 +229,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
index b44c792627..c9d614f274 100644
--- a/modules/beta-private-cluster/metadata.yaml
+++ b/modules/beta-private-cluster/metadata.yaml
@@ -539,6 +539,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 9d56e06557..91915970a6 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -653,6 +653,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 17e75f10ae..31655f6af7 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -229,6 +229,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 7e5c32c87e..29d16c667c 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -207,6 +207,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml
index b4a44ed666..dfe9b7e1c0 100644
--- a/modules/beta-public-cluster-update-variant/metadata.display.yaml
+++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml
@@ -220,6 +220,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
index d687f9daf9..566eefdd2f 100644
--- a/modules/beta-public-cluster-update-variant/metadata.yaml
+++ b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -517,6 +517,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 51d3894674..d626499f6a 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -617,6 +617,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index f78f1ab72b..36653306cf 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -207,6 +207,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 7044d4c597..b9149a9808 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -207,6 +207,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml
index 2ea5ce6423..0a0b2ead20 100644
--- a/modules/beta-public-cluster/metadata.display.yaml
+++ b/modules/beta-public-cluster/metadata.display.yaml
@@ -220,6 +220,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
index 168332b485..f18cef7cd2 100644
--- a/modules/beta-public-cluster/metadata.yaml
+++ b/modules/beta-public-cluster/metadata.yaml
@@ -517,6 +517,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 51d3894674..d626499f6a 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -617,6 +617,12 @@ variable "enable_cilium_clusterwide_network_policy" { default = false } +variable "in_transit_encryption_config" { + type = string + description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`." + default = null +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index c8f3f2d393..fbbd38dea3 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -230,6 +230,7 @@ Then perform the following commands on the root folder: | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | +| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 883b0487e8..a3ce4e02c0 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -194,6 +194,8 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + in_transit_encryption_config = var.in_transit_encryption_config + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content {
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
index 5be741d64e..d38fcf1dae 100644
--- a/modules/private-cluster-update-variant/metadata.display.yaml
+++ b/modules/private-cluster-update-variant/metadata.display.yaml
@@ -214,6 +214,9 @@ spec: identity_namespace: name: identity_namespace title: Identity Namespace + in_transit_encryption_config: + name: in_transit_encryption_config + title: In Transit Encryption Config initial_node_count: name: initial_node_count title: Initial Node Count
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
index d5272fe80d..e710f587e4 100644
--- a/modules/private-cluster-update-variant/metadata.yaml
+++ b/modules/private-cluster-update-variant/metadata.yaml
@@ -528,6 +528,9 @@ spec: description: Enable Cilium Cluster Wide Network Policies on the cluster varType: bool defaultValue: false + - name: in_transit_encryption_config + description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. + varType: string - name: security_posture_mode description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. varType: string
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index c3bf75cd26..a06456b25a 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -635,6 +635,12 @@ variable "enable_cilium_clusterwide_network_policy" {
 default = false
 }
+variable "in_transit_encryption_config" {
+ type = string
+ description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`."
+ default = null
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 9c8d602a2b..3c09aa397a 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -208,6 +208,7 @@ Then perform the following commands on the root folder:
 | hpa\_profile | Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE". | `string` | `""` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
+| in\_transit\_encryption\_config | Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. | `string` | `null` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
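Review bot: The new `variable "in_transit_encryption_config"` documents exactly two valid values but carries no `validation` block, so a misspelled value is only rejected by the API at apply time instead of at plan time; the same applies to the copies added in modules/private-cluster/variables.tf and variables.tf below. Because `IN_TRANSIT_ENCRYPTION_DISABLED` explicitly turns inter-node encryption off, the description should also say what the `null` default means (the argument is omitted and the provider/API default applies), so readers of the generated README can tell that leaving it unset is not the same as choosing DISABLED. If these files are produced from a shared template, the change belongs in the template rather than in each copy; the `validation` block below assumes the module's minimum Terraform version already supports it.

```hcl
variable "in_transit_encryption_config" {
  type        = string
  description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`. When null (default) the argument is omitted and the provider/API default applies."
  default     = null

  validation {
    condition     = var.in_transit_encryption_config == null || contains(["IN_TRANSIT_ENCRYPTION_DISABLED", "IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT"], var.in_transit_encryption_config)
    error_message = "in_transit_encryption_config must be null, IN_TRANSIT_ENCRYPTION_DISABLED or IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT."
  }
}
```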
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index e2d235c810..755f215276 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -194,6 +194,8 @@ resource "google_container_cluster" "primary" {
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+ in_transit_encryption_config = var.in_transit_encryption_config
+
 dynamic "secret_manager_config" {
 for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
 content {
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
index f4f088055b..559b445d2b 100644
--- a/modules/private-cluster/metadata.display.yaml
+++ b/modules/private-cluster/metadata.display.yaml
@@ -214,6 +214,9 @@ spec:
 identity_namespace:
 name: identity_namespace
 title: Identity Namespace
+ in_transit_encryption_config:
+ name: in_transit_encryption_config
+ title: In Transit Encryption Config
 initial_node_count:
 name: initial_node_count
 title: Initial Node Count
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
index edf6455d10..caf10e495a 100644
--- a/modules/private-cluster/metadata.yaml
+++ b/modules/private-cluster/metadata.yaml
@@ -528,6 +528,9 @@ spec:
 description: Enable Cilium Cluster Wide Network Policies on the cluster
 varType: bool
 defaultValue: false
+ - name: in_transit_encryption_config
+ description: Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`.
+ varType: string
 - name: security_posture_mode
 description: Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`.
 varType: string
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index c3bf75cd26..a06456b25a 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -635,6 +635,12 @@ variable "enable_cilium_clusterwide_network_policy" {
 default = false
 }
+variable "in_transit_encryption_config" {
+ type = string
+ description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`."
+ default = null
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/variables.tf b/variables.tf
index 50bcb931f0..8c31c7a5e5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -599,6 +599,12 @@ variable "enable_cilium_clusterwide_network_policy" {
 default = false
 }
+variable "in_transit_encryption_config" {
+ type = string
+ description = "Defines the config of in-transit encryption. Valid values are `IN_TRANSIT_ENCRYPTION_DISABLED` and `IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT`."
+ default = null
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string