feat: add example for GKE confidential nodes with GPU

[arthurlapertosa]

No description provided.

[arthurlapertosa]

@apeabody could you please run the build for this PR?

[apeabody]

/gcbrun

[arthurlapertosa]

@apeabody I don't have access to the GCP cloud build project. Could you please send me the error?

[apeabody]

@apeabody I don't have access to the GCP cloud build project. Could you please send me the error?

Error: Reference to undeclared input variable

  on ../../modules/beta-autopilot-private-cluster/cluster.tf line 72, in resource "google_container_cluster" "primary":
  72:       confidential_instance_type = lookup(var.node_pools[0], "confidential_instance_type", null)

An input variable with the name "node_pools" has not been declared. This
variable can be declared with a variable "node_pools" {} block.}

[arthurlapertosa]

@apeabody could you please re-run the build?

[apeabody]

/gcbrun

[arthurlapertosa]

@apeabody I think the build wasn't properly triggered, could you please take a look?

[apeabody]

/gcbrun

[apeabody]

@apeabody I think the build wasn't properly triggered, could you please take a look?

Might have been too quick after the merge, it's running now.

[apeabody]

Thanks @arthurlapertosa!

[apeabody]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new example for creating a GKE cluster with confidential nodes and GPUs. This is a valuable addition. The changes include modifications to several Terraform modules to support confidential_instance_type and guest_accelerator configurations, along with the new example files and corresponding integration tests. The implementation is mostly correct, but I've found a few issues related to version constraints, external dependencies, and a bug in the for_each logic that need to be addressed.

[arthurlapertosa]

@apeabody I don't have access to the build error, could you please send it to me?

[arthurlapertosa]

@apeabody could you please rerun the build and the checks?

[apeabody]

/gcbrun

[apeabody]

@apeabody I don't have access to the build error, could you please send it to me?

It's expired, triggered a fresh test

[apeabody]

@apeabody I don't have access to the build error, could you please send it to me?

It's expired, triggered a fresh test

Thanks - This change looks pretty good, but we still need to enable the new test. Can you please add to the cloudbuild similar to https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/2458/files#diff-35f3e17c28a8a8de710f4be35fb5448d0e33c2d9b89fb2be7499b9830f890d12

[arthurlapertosa]

@apeabody sorry for the delay. Can you run the build, please?

[apeabody]

/gcbrun

[apeabody]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new example for creating a GKE cluster with confidential nodes and GPUs. The implementation is solid, including updates to various modules to support confidential_instance_type and GPU configurations, and the addition of a comprehensive integration test. My review focuses on the new example files, where I've identified opportunities to simplify the Terraform code, remove unused resources, and improve documentation and test clarity. Overall, these are great additions that enhance the module's capabilities.

[gemini-code-assist]

The local variable master_auth_subnetwork is defined but never used in this public cluster example. This should be removed to avoid confusion. The corresponding subnet resource in network.tf should also be removed.

[gemini-code-assist]

This expression to look up the subnetwork name is unnecessarily complex. It can be simplified by using the local.subnet_name variable directly.

  subnetwork                        = local.subnet_name

[gemini-code-assist]

This subnet for master_auth_subnetwork is created but not used in this public cluster example. It should be removed to avoid provisioning unnecessary resources.

[gemini-code-assist]

The location output is missing a description. Please add one for clarity and consistency with other outputs.

output "location" {
  description = "The location (region or zone) in which the cluster resides."
  value = module.gke.location
}

[gemini-code-assist]

The JSON path nodeConfig.diskType is duplicated in the validateJSONPaths slice (it also appears on line 72). Please remove this duplicate entry to improve code clarity.

[apeabody]

Step #99 - "apply test-confidential-gpu-public":         	Error:      	Received unexpected error:
Step #99 - "apply test-confidential-gpu-public":         	            	FatalError{Underlying: error while running command: exit status 1; 
Step #99 - "apply test-confidential-gpu-public":         	            	Error: Error waiting for creating GKE cluster: Insufficient quota to satisfy the request: Not all instances running in IGM after 29.827554958s. Expected 1, running 0, transitioning 1. Current errors: [GCE_QUOTA_EXCEEDED]: Instance 'gke-confidential-gpu-clu-default-pool-ad60a6ba-xnqt' creation failed: Quota 'GPUS_PER_GPU_FAMILY' exceeded.  Limit: 0.0 in region us-central1.
Step #99 - "apply test-confidential-gpu-public":         	            	
Step #99 - "apply test-confidential-gpu-public":         	            	  with module.gke.google_container_cluster.primary,
Step #99 - "apply test-confidential-gpu-public":         	            	  on ../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
Step #99 - "apply test-confidential-gpu-public":         	            	  22: resource "google_container_cluster" "primary" {
Step #99 - "apply test-confidential-gpu-public":         	            	}
Step #99 - "apply test-confidential-gpu-public":         	Test:       	TestConfidentialGpuPublic

[arthurlapertosa]

@apeabody
Looks like the project used for testing has 0 GPUS_PER_GPU_FAMILY quota. This quota is necessary for this example to work, once it uses a container with a GPU.
Do you think we could get/request this quota?

[apeabody]

@apeabody Looks like the project used for testing has 0 GPUS_PER_GPU_FAMILY quota. This quota is necessary for this example to work, once it uses a container with a GPU. Do you think we could get/request this quota?

Hi @arthurlapertosa - They are ephemeral projects, so unfortunately that isn't really feasible. Could you switch to something more like NVIDIA T4 which we should have quota?

[arthurlapertosa]

I made some tests, and apparently only the nvidia H100 is supported with confidential computing. Also the docs only say it's only possible with H100: https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu.
Also, in the NVIDIA official website, it claims that the first GPU to support Confidential computing is the H100: https://www.nvidia.com/en-us/data-center/solutions/confidential-computing/ ("starting with the NVIDIA Hopper™ architecture, which introduced confidential computing on the GPU").
Maybe we can have a preemptible quota, which is much easier to obtain? (https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu#request-preemptible-quota)

[apeabody]

I made some tests, and apparently only the nvidia H100 is supported with confidential computing. Also the docs only say it's only possible with H100: https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu. Also, in the NVIDIA official website, it claims that the first GPU to support Confidential computing is the H100: https://www.nvidia.com/en-us/data-center/solutions/confidential-computing/ ("starting with the NVIDIA Hopper™ architecture, which introduced confidential computing on the GPU"). Maybe we can have a preemptible quota, which is much easier to obtain? (https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance-with-gpu#request-preemptible-quota)

Unfortunately the test projects are ephemeral.