From 4eddbb7a8d2a4c28055255937645ef0a33eca491 Mon Sep 17 00:00:00 2001 From: Ciro Neto Date: Fri, 15 Aug 2025 15:17:44 -0400 Subject: [PATCH 1/3] feat: Support for GKE private clusters without default node pool --- modules/private-cluster/cluster.tf | 170 +++++++++++++++-------------- modules/private-cluster/main.tf | 4 +- 2 files changed, 89 insertions(+), 85 deletions(-) diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 957c87b591..8647af368d 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -32,6 +32,7 @@ resource "google_container_cluster" "primary" { cluster_ipv4_cidr = var.cluster_ipv4_cidr network = "projects/${local.network_project_id}/global/networks/${var.network}" deletion_protection = var.deletion_protection + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null dynamic "enable_k8s_beta_apis" { for_each = length(var.enable_k8s_beta_apis) > 0 ? [1] : [] 
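Review bot: The default pool that GKE creates from a cluster-level `initial_node_count` takes its node configuration from the API defaults, so when `var.node_pools` is empty none of the settings the inline `node_pool` block applies in the next hunk reaches it: `service_account = local.service_account`, `workload_metadata_config`, `shielded_instance_config`, `boot_disk_kms_key` and the `kubelet_config` driven by `var.insecure_kubelet_readonly_port_enabled` are all skipped, and those module inputs are silently ignored in that case. Keeping the `node_pool` block unconditional and reading its settings through a guarded local, e.g. `default_node_pool = length(var.node_pools) > 0 ? var.node_pools[0] : {}`, would let the empty case still inherit the module's defaults and would make this line unnecessary. If `var.initial_node_count` keeps a zero default (not visible here), the empty case would also request a cluster with no nodes at all, which deserves a `validation` block or a documented minimum. The same line is added in `autogen/main/cluster.tf.tmpl` (@@ -45) and the regenerated `cluster.tf` (@@ -40) in the second patch.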
@@ -464,112 +465,115 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? 
[var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index b311f148c0..4df5aa8805 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
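Review bot: The guard `for_each = length(var.node_pools) == 0 ? [] : [1]` is the third copy of the same condition in this series (also the cluster-level `initial_node_count` and the `cluster_name_*` locals in main.tf), each spelled with a different polarity; a single local such as `create_default_pool = length(var.node_pools) > 0` read from all three places would keep them from drifting. The `content` body appears to be a re-indentation of the old block, so the only behavioural change here is the guard itself, and it is worth a comment above the `dynamic` block saying so, e.g. `# Inline default pool is only declared when node_pools is set; otherwise GKE creates it from initial_node_count with API defaults.` When the guard is empty and `remove_default_node_pool` is also true (not in this hunk) the result is a cluster with no nodes, with nothing in the plan calling that out. The same rewrite appears in `autogen/main/cluster.tf.tmpl` (@@ -604) and the regenerated `cluster.tf` (@@ -464) in the second patch.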
@@ -152,8 +152,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version From d4de1524e7134a53ccfca3a7b02699162cd05202 Mon Sep 17 00:00:00 2001 
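Review bot: `cluster_name_computed = length(var.node_pools) == 0 ? var.name : ...` turns the name into a plan-time constant with no reference to `google_container_cluster.primary` in the empty case, whereas the node-pool branch only resolves after the pools, and therefore the cluster, exist; anything that uses this local for ordering (outputs or kubeconfig data sources, not visible here) would no longer wait for the cluster. `google_container_cluster.primary.name` yields the same value while keeping the dependency: `cluster_name_computed = length(var.node_pools) == 0 ? google_container_cluster.primary.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)`. The same change appears in `autogen/main/main.tf.tmpl` (@@ -203) in the second patch.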
From: Ciro Neto Date: Tue, 19 Aug 2025 09:57:38 -0400 Subject: [PATCH 2/3] Run autogen and linter --- autogen/main/cluster.tf.tmpl | 185 +++++++++--------- autogen/main/main.tf.tmpl | 4 +- cluster.tf | 171 ++++++++-------- examples/node_pool/main.tf | 2 +- main.tf | 4 +- metadata.display.yaml | 3 + .../metadata.display.yaml | 3 + .../metadata.display.yaml | 3 + .../cluster.tf | 181 ++++++++--------- .../main.tf | 4 +- .../metadata.display.yaml | 3 + modules/beta-private-cluster/cluster.tf | 181 ++++++++--------- modules/beta-private-cluster/main.tf | 4 +- .../metadata.display.yaml | 3 + .../cluster.tf | 181 ++++++++--------- .../main.tf | 4 +- .../metadata.display.yaml | 3 + modules/beta-public-cluster/cluster.tf | 181 ++++++++--------- modules/beta-public-cluster/main.tf | 4 +- .../beta-public-cluster/metadata.display.yaml | 3 + .../private-cluster-update-variant/cluster.tf | 171 ++++++++-------- .../private-cluster-update-variant/main.tf | 4 +- .../metadata.display.yaml | 3 + modules/private-cluster/cluster.tf | 3 +- modules/private-cluster/metadata.display.yaml | 3 + 25 files changed, 687 insertions(+), 624 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ef9e3282ed..26466ebffd 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -45,6 +45,8 @@ resource "google_container_cluster" "primary" { } {% if autopilot_cluster != true %} + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
@@ -604,121 +606,124 @@ resource "google_container_cluster" "primary" { delete = lookup(var.timeouts, "delete", "45m") } {% if autopilot_cluster != true %} - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value - } + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] - content { - enabled = gvnic.value + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? 
[var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } + } - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - {% if beta_cluster %} - dynamic "sandbox_config" { - for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? 
["gvisor"] : [] - content { - sandbox_type = sandbox_config.value + {% if beta_cluster %} + dynamic "sandbox_config" { + for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } } - } - {% endif %} - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + {% endif %} + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } {% endif %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index ce3268200c..7c3dfb0c27 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -203,8 +203,8 @@ locals { {% if autopilot_cluster != true %} // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) {% else %} // cluster ID is in the form project/location/name cluster_name_computed = element(split("/", local.cluster_id), length(split("/", local.cluster_id)) - 1) diff --git a/cluster.tf b/cluster.tf index 5c8dad2e96..3913bdfeb2 100644 --- a/cluster.tf +++ b/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
@@ -464,112 +466,115 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? 
[var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 8b66d525b2..0c9dbde134 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -163,7 +163,7 @@ module "gke" { } node_pools_cgroup_mode = { - all = "CGROUP_MODE_V2" + all = "CGROUP_MODE_V2" pool-01 = "CGROUP_MODE_V1" } diff --git a/main.tf b/main.tf index acd49578db..4b062f291f 100644 --- a/main.tf +++ b/main.tf 
@@ -145,8 +145,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/metadata.display.yaml b/metadata.display.yaml index 7a8f2526d0..bfeae35534 100644 --- a/metadata.display.yaml +++ b/metadata.display.yaml @@ -360,6 +360,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml index d8ed142100..4ea996f306 100644 --- a/modules/beta-autopilot-private-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml @@ -265,6 +265,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml index 589335cf21..028eefc581 100644 
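Review bot: The new `var.name` fallback in `cluster_name_computed` is a plain input known at plan time, whereas the expression it replaces derived the name from a `google_container_node_pool.pools` resource ID and therefore carried an implicit dependency on created resources; any consumer that reads `local.cluster_name_computed` to wait for the cluster now gets no ordering at all in the no-node-pool case. Falling back to the managed resource's own attribute keeps that dependency without needing node pools: `cluster_name_computed = length(var.node_pools) == 0 ? google_container_cluster.primary.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)`. The consumers of this local are outside the hunk, so whether they rely on the ordering is inferred rather than visible, and the `locals` block itself continues beyond the hunk.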
--- a/modules/beta-autopilot-public-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml @@ -247,6 +247,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 9ad2f76600..5f86b5b225 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
@@ -501,119 +503,122 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - dynamic "sandbox_config" { - for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? 
["gvisor"] : [] - content { - sandbox_type = sandbox_config.value + dynamic "sandbox_config" { + for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } } - } - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 7e82e41d1e..fec32022f2 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
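Review bot: Because `for_each = length(var.node_pools) == 0 ? [] : [1]` now gates the entire `dynamic "node_pool"` block, the hardened `node_config` it carries — `service_account = lookup(var.node_pools[0], "service_account", local.service_account)`, `shielded_instance_config`, `boot_disk_kms_key`, `workload_metadata_config`, the `kubelet_config` that sets `insecure_kubelet_readonly_port_enabled`, and the cluster network tags — is dropped in exactly the new no-node-pool case, so the GKE-created default pool that the cluster-level `initial_node_count` now provisions takes the API's node defaults (normally the Compute Engine default service account with its default scopes) instead of the module's dedicated `local.service_account`. That is a least-privilege regression for the deployment mode this commit introduces, and the same pattern is repeated in every module variant touched by the patch; whether a cluster-level `node_config` or `node_pool_defaults` elsewhere in this resource already compensates is not visible in the hunk. One minimal fix is a cluster-level `node_config` rendered only on the empty branch, mirroring the security-relevant fields of this block from the module-level variables and locals already in scope here, as sketched below. The `google_container_cluster.primary` resource body closes inside the hunk, but its header and any earlier `node_config`/`remove_default_node_pool` arguments are outside it.
```hcl
  # … unchanged: timeouts block and the dynamic "node_pool" block for the non-empty case …

  # Empty var.node_pools: the GKE-created default pool would otherwise inherit API defaults,
  # so pin the same security-relevant settings the per-pool node_config applies.
  dynamic "node_config" {
    for_each = length(var.node_pools) == 0 ? [1] : []
    content {
      service_account   = local.service_account
      boot_disk_kms_key = var.boot_disk_kms_key

      shielded_instance_config {
        enable_secure_boot          = false
        enable_integrity_monitoring = true
      }

      dynamic "workload_metadata_config" {
        for_each = local.cluster_node_metadata_config
        content {
          mode = workload_metadata_config.value.mode
        }
      }

      dynamic "kubelet_config" {
        for_each = var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
        content {
          cpu_manager_policy                     = "static"
          insecure_kubelet_readonly_port_enabled = upper(tostring(var.insecure_kubelet_readonly_port_enabled))
        }
      }
    }
  }
```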
@@ -169,8 +169,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml index 09b0d202bf..3c05bc88e3 100644 --- a/modules/beta-private-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml @@ -403,6 +403,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 85902c01ff..d4530d7b93 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
@@ -501,119 +503,122 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - dynamic "sandbox_config" { - for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? 
["gvisor"] : [] - content { - sandbox_type = sandbox_config.value + dynamic "sandbox_config" { + for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } } - } - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 7e82e41d1e..fec32022f2 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
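Review bot: The new `dynamic "node_pool"` block carries no comment explaining its `[]` branch, and a reader has to correlate it with the `initial_node_count` change earlier in the file to realise that an empty `var.node_pools` now yields a GKE-managed default pool configured by API defaults rather than by this block's `node_config` (service account, shielded instance settings, workload metadata mode, kubelet settings). Suggest a comment directly above `for_each`, e.g. `# Rendered only when node pools are declared; with var.node_pools = [] the cluster keeps its GKE-created default pool, which does NOT receive this node_config (service account, shielded VM, workload metadata, kubelet settings) — see initial_node_count above.` The description of `initial_node_count` in the module's variables should carry the same caveat, but that file is not visible here.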
@@ -169,8 +169,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml index f5dc6b1146..018f6a79f9 100644 --- a/modules/beta-private-cluster/metadata.display.yaml +++ b/modules/beta-private-cluster/metadata.display.yaml @@ -403,6 +403,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 19abc02a5c..98c9e6fc2a 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
@@ -501,119 +503,122 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - dynamic "sandbox_config" { - for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? 
["gvisor"] : [] - content { - sandbox_type = sandbox_config.value + dynamic "sandbox_config" { + for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } } - } - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 015c44702c..ea2e238d49 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
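Review bot: With `node_pools = []` the `dynamic "node_pool"` block (`for_each = length(var.node_pools) == 0 ? [] : [1]`) emits nothing, so none of the hardening carried in its `node_config` — `service_account = lookup(var.node_pools[0], "service_account", local.service_account)`, `shielded_instance_config`, `workload_metadata_config`, the `metadata`/`tags` locals, `boot_disk_kms_key` — reaches the default pool GKE creates from the cluster-level `initial_node_count`; that pool comes up with GKE's own defaults, which presumably means the project's default Compute Engine service account rather than `local.service_account`. Unless that pool is deleted right after creation (the module's `remove_default_node_pool` path, if it is still wired to this resource), the zero-pool configuration is the least hardened one this resource can produce, and nothing in the hunk says so. I would guard the new mode with a precondition as below (inside the existing `lifecycle` block if the resource already has one) and document in the `node_pools` description that the empty-list form leaves the default pool unmanaged. Minor style point: the other dynamic blocks in this hunk put the positive case first, so `for_each = length(var.node_pools) > 0 ? [1] : []` would read more consistently. The resource block starts before this hunk.

```hcl
  # … unchanged: cluster arguments, dynamic "node_pool" …

  lifecycle {
    precondition {
      condition     = length(var.node_pools) > 0 || var.remove_default_node_pool
      error_message = "node_pools = [] leaves the GKE-created default pool without this module's node_config (service account, shielded VM, workload metadata); set remove_default_node_pool = true or declare at least one node pool."
    }
  }
```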
@@ -162,8 +162,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml index 7d39ce2fc5..19e013a1a6 100644 --- a/modules/beta-public-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml @@ -385,6 +385,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3892ed0ba0..d205399c14 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
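Review bot: `cluster_name_computed` now falls back to `var.name`, a plain input, instead of an attribute of the created cluster, so in the no-pool mode the outputs and data sources built from this local lose the dependency on `google_container_cluster.primary` that the node-pool ID expression previously carried. Using the resource attribute preserves that ordering and the name GKE actually returned: `cluster_name_computed = length(var.node_pools) == 0 ? google_container_cluster.primary.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)`. The third commit in the series reworks this expression; this applies only if the result still reads `var.name`. The `locals` block starts before this hunk and continues after it.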
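Review bot: The added `initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null` is rejected by the google provider when `node_pool` is absent and the value is below 1, and the module's `initial_node_count` presumably still defaults to 0, so `node_pools = []` with defaults is likely to fail at apply rather than produce a cluster. The value also creates a GKE-managed default pool that this module's conditional `node_pool` block no longer configures. A precondition makes the constraint visible at plan time, e.g. `condition = length(var.node_pools) > 0 || var.initial_node_count >= 1`, and the variable description should state that in the empty-list mode this count creates a pool GKE configures, not the module. The resource block starts before this hunk and continues after it.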
@@ -501,119 +503,122 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - dynamic "sandbox_config" { - for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? 
["gvisor"] : [] - content { - sandbox_type = sandbox_config.value + dynamic "sandbox_config" { + for_each = tobool((lookup(var.node_pools[0], "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } } - } - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 015c44702c..ea2e238d49 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
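Review bot: Once `for_each = length(var.node_pools) == 0 ? [] : [1]` suppresses this `node_pool` block, the default pool GKE creates from the cluster-level `initial_node_count` receives none of the settings in this `node_config` — `service_account = lookup(var.node_pools[0], "service_account", local.service_account)`, `shielded_instance_config`, `workload_metadata_config`, `metadata = local.node_pools_metadata["all"]`, `boot_disk_kms_key` — and runs on GKE defaults, presumably including the project's default Compute Engine service account. That is acceptable only if the pool is removed right after creation (`remove_default_node_pool`, assuming it is still set on this resource), and the hunk does not enforce or document that coupling. I would add the precondition below (merged into the resource's existing `lifecycle` block if there is one) and note the behaviour in the `node_pools` variable description. Style: `length(var.node_pools) > 0 ? [1] : []` matches the positive-first form used by the other `dynamic` blocks here. The resource block starts before this hunk.

```hcl
  # … unchanged: cluster arguments, dynamic "node_pool" …

  lifecycle {
    precondition {
      condition     = length(var.node_pools) > 0 || var.remove_default_node_pool
      error_message = "node_pools = [] leaves the GKE-created default pool without this module's node_config (service account, shielded VM, workload metadata); set remove_default_node_pool = true or declare at least one node pool."
    }
  }
```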
@@ -162,8 +162,8 @@ locals { cluster_zones = sort(local.cluster_output_zones) // node pool ID is in the form projects//locations//clusters//nodePools/ - cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0)) - cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) + cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0)) + cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3) cluster_network_tag = "gke-${var.name}" cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"] cluster_master_version = local.cluster_output_master_version diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml index bcec9910d7..c4fc1f82b2 100644 --- a/modules/beta-public-cluster/metadata.display.yaml +++ b/modules/beta-public-cluster/metadata.display.yaml @@ -385,6 +385,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 7bf2019348..362b52b379 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -40,6 +40,8 @@ resource "google_container_cluster" "primary" { } } + initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null + dynamic "network_policy" { for_each = local.cluster_network_policy 
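Review bot: Returning `var.name` from `cluster_name_computed` when `node_pools` is empty drops the implicit dependency that the node-pool ID gave every consumer of this local; in the new mode `google_container_cluster.primary` is not referenced at all, so outputs and data sources derived from the name may be evaluated before the cluster exists. Prefer the resource attribute, which keeps the edge and the server-assigned name: `cluster_name_computed = length(var.node_pools) == 0 ? google_container_cluster.primary.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)`. The series' third commit rewrites this line; the point stands if the rewrite still uses `var.name`. The `locals` block starts before this hunk and continues after it.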
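Review bot: `initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null` needs the variable to be at least 1 in the no-pool case — the provider rejects a cluster with no `node_pool` block and a lower count — and the module's default for `initial_node_count` is, as far as I can tell, 0, so the feature presumably only works when the caller raises it. The count also provisions a default pool that GKE, not this module, configures, because the module's `node_pool` block is now conditional. I would add `condition = length(var.node_pools) > 0 || var.initial_node_count >= 1` as a precondition and document in the variable description that the empty-list mode leaves the default pool on GKE defaults. The resource block starts before this hunk and continues after it.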
@@ -464,112 +466,115 @@ resource "google_container_cluster" "primary" { update = lookup(var.timeouts, "update", "45m") delete = lookup(var.timeouts, "delete", "45m") } - node_pool { - name = "default-pool" - initial_node_count = var.initial_node_count - - management { - auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) - auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) - } - - node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) - disk_type = lookup(var.node_pools[0], "disk_type", null) - dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] - content { - enabled = gcfs_config.value + dynamic "node_pool" { + for_each = length(var.node_pools) == 0 ? [] : [1] + content { + name = "default-pool" + initial_node_count = var.initial_node_count + + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + + node_config { + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + disk_type = lookup(var.node_pools[0], "disk_type", null) + dynamic "gcfs_config" { + for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : [] + content { + enabled = gcfs_config.value + } } - } - dynamic "gvnic" { - for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? 
[true] : [] - content { - enabled = gvnic.value + dynamic "gvnic" { + for_each = lookup(var.node_pools[0], "enable_gvnic", false) ? [true] : [] + content { + enabled = gvnic.value + } } - } - dynamic "fast_socket" { - for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] - content { - enabled = fast_socket.value + dynamic "fast_socket" { + for_each = lookup(var.node_pools[0], "enable_fast_socket", null) != null ? [var.node_pools[0].enable_fast_socket] : [] + content { + enabled = fast_socket.value + } } - } - dynamic "kubelet_config" { - for_each = length(setintersection( - keys(var.node_pools[0]), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] - )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(var.node_pools[0]), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"] + )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : [] - content { - cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") - cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) - cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) - insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null - pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) - container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) - container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) - image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) - image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) - image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) - image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) - allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + content { + cpu_manager_policy = lookup(var.node_pools[0], "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(var.node_pools[0], "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(var.node_pools[0], "cpu_cfs_quota_period", null) + insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? 
upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null + pod_pids_limit = lookup(var.node_pools[0], "pod_pids_limit", null) + container_log_max_size = lookup(var.node_pools[0], "container_log_max_size", null) + container_log_max_files = lookup(var.node_pools[0], "container_log_max_files", null) + image_gc_low_threshold_percent = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null) + image_gc_high_threshold_percent = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null) + image_minimum_gc_age = lookup(var.node_pools[0], "image_minimum_gc_age", null) + image_maximum_gc_age = lookup(var.node_pools[0], "image_maximum_gc_age", null) + allowed_unsafe_sysctls = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)] + } } - } - dynamic "sole_tenant_config" { - # node_affinity is currently the only member of sole_tenant_config - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] - content { - dynamic "node_affinity" { - for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : [] - content { - key = lookup(jsondecode(node_affinity.value), "key", null) - operator = lookup(jsondecode(node_affinity.value), "operator", null) - values = lookup(jsondecode(node_affinity.value), "values", []) + dynamic "sole_tenant_config" { + # node_affinity is currently the only member of sole_tenant_config + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : [] + content { + dynamic "node_affinity" { + for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? 
[lookup(var.node_pools[0], "node_affinity", null)] : [] + content { + key = lookup(jsondecode(node_affinity.value), "key", null) + operator = lookup(jsondecode(node_affinity.value), "operator", null) + values = lookup(jsondecode(node_affinity.value), "values", []) + } } } } - } - service_account = lookup(var.node_pools[0], "service_account", local.service_account) + service_account = lookup(var.node_pools[0], "service_account", local.service_account) - tags = concat( - lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], - lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], - lookup(local.node_pools_tags, "all", []), - lookup(local.node_pools_tags, var.node_pools[0].name, []), - ) + tags = concat( + lookup(local.node_pools_tags, "default_values", [true, true])[0] ? [local.cluster_network_tag] : [], + lookup(local.node_pools_tags, "default_values", [true, true])[1] ? ["${local.cluster_network_tag}-default-pool"] : [], + lookup(local.node_pools_tags, "all", []), + lookup(local.node_pools_tags, var.node_pools[0].name, []), + ) - logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") + logging_variant = lookup(var.node_pools[0], "logging_variant", "DEFAULT") - dynamic "workload_metadata_config" { - for_each = local.cluster_node_metadata_config + dynamic "workload_metadata_config" { + for_each = local.cluster_node_metadata_config - content { - mode = workload_metadata_config.value.mode + content { + mode = workload_metadata_config.value.mode + } } - } - metadata = local.node_pools_metadata["all"] + metadata = local.node_pools_metadata["all"] - boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) + boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key) - storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? 
[var.node_pools[0].storage_pools] : [] + storage_pools = lookup(var.node_pools[0], "storage_pools", null) != null ? [var.node_pools[0].storage_pools] : [] - shielded_instance_config { - enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) - enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) - } + shielded_instance_config { + enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true) + } - local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) - max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) - flex_start = lookup(var.node_pools[0], "flex_start", null) + local_ssd_encryption_mode = lookup(var.node_pools[0], "local_ssd_encryption_mode", null) + max_run_duration = lookup(var.node_pools[0], "max_run_duration", null) + flex_start = lookup(var.node_pools[0], "flex_start", null) + } } } diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index b311f148c0..4df5aa8805 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
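Review bot: When `length(var.node_pools) == 0` makes the new `dynamic "node_pool"` block empty, the default pool that GKE creates from the cluster-level `initial_node_count` is not touched by this `node_config` at all — no `service_account = lookup(var.node_pools[0], "service_account", local.service_account)`, no `shielded_instance_config`, no `workload_metadata_config`, no `metadata = local.node_pools_metadata["all"]`, no `boot_disk_kms_key` — so for a private cluster the pool presumably runs on the project's default Compute Engine service account with GKE's default node settings. That is safe only if the pool is deleted after creation (`remove_default_node_pool`, if still set on this resource), and the hunk neither enforces nor documents that. I would add the precondition below (inside the resource's existing `lifecycle` block if one exists) and state the behaviour in the `node_pools` variable description. As a style point, `for_each = length(var.node_pools) > 0 ? [1] : []` keeps the positive-first form the neighbouring `dynamic` blocks use. The resource block starts before this hunk.

```hcl
  # … unchanged: cluster arguments, dynamic "node_pool" …

  lifecycle {
    precondition {
      condition     = length(var.node_pools) > 0 || var.remove_default_node_pool
      error_message = "node_pools = [] leaves the GKE-created default pool without this module's node_config (service account, shielded VM, workload metadata); set remove_default_node_pool = true or declare at least one node pool."
    }
  }
```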
@@ -152,8 +152,8 @@ locals {
 cluster_zones = sort(local.cluster_output_zones)
 // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
+ cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
index 81d8812d39..68ef79748d 100644
--- a/modules/private-cluster-update-variant/metadata.display.yaml
+++ b/modules/private-cluster-update-variant/metadata.display.yaml
@@ -379,6 +379,9 @@ spec:
 ray_operator_config:
 name: ray_operator_config
 title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
 region:
 name: region
 title: Region
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 8647af368d..18eb2fc351 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -32,7 +32,6 @@ resource "google_container_cluster" "primary" {
 cluster_ipv4_cidr = var.cluster_ipv4_cidr
 network = "projects/${local.network_project_id}/global/networks/${var.network}"
 deletion_protection = var.deletion_protection
- initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null
 dynamic "enable_k8s_beta_apis" {
 for_each = length(var.enable_k8s_beta_apis) > 0 ? [1] : []
@@ -41,6 +40,8 @@ resource "google_container_cluster" "primary" {
 }
 }
+ initial_node_count = length(var.node_pools) == 0 ? var.initial_node_count : null
+
 dynamic "network_policy" {
 for_each = local.cluster_network_policy
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
index f2057b92c4..1c60ad3b28 100644
--- a/modules/private-cluster/metadata.display.yaml
+++ b/modules/private-cluster/metadata.display.yaml
@@ -379,6 +379,9 @@ spec:
 ray_operator_config:
 name: ray_operator_config
 title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
 region:
 name: region
 title: Region
From a745e01b265ffe443f7229a93128a630343a5778 Mon Sep 17 00:00:00 2001
From: Ciro Neto
Date: Fri, 31 Oct 2025 09:49:25 -0400
Subject: [PATCH 3/3] Simplify how cluster_name_computed is generated
---
 autogen/main/main.tf.tmpl | 4 +---
 main.tf | 4 +---
 modules/beta-private-cluster-update-variant/main.tf | 4 +---
 modules/beta-private-cluster/main.tf | 4 +---
 modules/beta-public-cluster-update-variant/main.tf | 4 +---
 modules/beta-public-cluster/main.tf | 4 +---
 modules/gke-node-pool/metadata.display.yaml | 2 +-
 modules/private-cluster-update-variant/main.tf | 4 +---
 modules/private-cluster/main.tf | 4 +---
 9 files changed, 9 insertions(+), 25 deletions(-)
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 7c3dfb0c27..e2759ef7cf 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
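Review bot: With `initial_node_count` now set at the cluster level whenever `var.node_pools` is empty (second hunk of this file), the default pool GKE creates in that case receives no `node_config` from this module, because the `node_pool` block that carries `service_account`, `shielded_instance_config`, `boot_disk_kms_key` and `workload_metadata_config` is only emitted when `var.node_pools` is non-empty (earlier hunk of this file, outside this one). Unless a cluster-level `node_config` exists elsewhere in this resource, those nodes would presumably fall back to provider/GKE defaults rather than `local.service_account` and the module's hardening settings, which is worth confirming before release. A comment on the moved line such as `# With no node pools declared, GKE creates the default pool with its own defaults; the node_pool hardening below does not apply` would make that trade-off explicit to operators. The enclosing `google_container_cluster` resource starts and ends outside this hunk.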
@@ -202,9 +202,7 @@ locals {
 cluster_zones = sort(local.cluster_output_zones)
 {% if autopilot_cluster != true %}
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 {% else %}
 // cluster ID is in the form project/location/name
 cluster_name_computed = element(split("/", local.cluster_id), length(split("/", local.cluster_id)) - 1)
diff --git a/main.tf b/main.tf
index 4b062f291f..de73e15a77 100644
--- a/main.tf
+++ b/main.tf
@@ -144,9 +144,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index fec32022f2..c00c566ff8 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
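Review bot: Replacing the node-pool-derived value with `cluster_name_computed = var.name` removes the only reference to `google_container_node_pool.pools` in this local; if any output or downstream resource relied on that reference to be evaluated only after the node pools exist (the removed comment and the `element(values(google_container_node_pool.pools)[*].id, 0)` lookup suggest that was the intent), that implicit ordering is now gone. It would be worth confirming that the cluster-name outputs, and anything in the update-variant modules that consumes them, carry an explicit `depends_on` instead. The same change is made in the `main.tf` hunk on this line and in the beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant, beta-public-cluster, private-cluster-update-variant and private-cluster hunks that follow, so one note covers all of them. A short comment on the new line, e.g. `// cluster name comes straight from the input; node-pool ordering no longer flows through this local`, would preserve the rationale the removed comment carried. The `locals` block starts and ends outside the hunk.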
@@ -168,9 +168,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index fec32022f2..c00c566ff8 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -168,9 +168,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index ea2e238d49..82a2f233b5 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -161,9 +161,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index ea2e238d49..82a2f233b5 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -161,9 +161,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/gke-node-pool/metadata.display.yaml b/modules/gke-node-pool/metadata.display.yaml
index 59c891c4e5..ea5c642218 100644
--- a/modules/gke-node-pool/metadata.display.yaml
+++ b/modules/gke-node-pool/metadata.display.yaml
@@ -62,9 +62,9 @@ spec:
 name:
 name: name
 title: Name
- level: 1
 regexValidation: ^[a-z]([a-z0-9-]{0,38}[a-z0-9])?$
 validation: Node pool name must start with a lowercase letter followed by up to 39 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
+ level: 1
 name_prefix:
 name: name_prefix
 title: Name Prefix
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index 4df5aa8805..e8a64be883 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -151,9 +151,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 4df5aa8805..e8a64be883 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -151,9 +151,7 @@ locals {
 cluster_region = var.regional ? var.region : join("-", slice(split("-", local.cluster_location), 0, 2))
 cluster_zones = sort(local.cluster_output_zones)
- // node pool ID is in the form projects//locations//clusters//nodePools/
- cluster_name_parts_from_nodepool = length(var.node_pools) == 0 ? [] : split("/", element(values(google_container_node_pool.pools)[*].id, 0))
- cluster_name_computed = length(var.node_pools) == 0 ? var.name : element(local.cluster_name_parts_from_nodepool, length(local.cluster_name_parts_from_nodepool) - 3)
+ cluster_name_computed = var.name
 cluster_network_tag = "gke-${var.name}"
 cluster_ca_certificate = local.cluster_master_auth_map["cluster_ca_certificate"]
 cluster_master_version = local.cluster_output_master_version