terraform: add more GKE options

terraform/gke.tf.sample

@@ -4,10 +4,10 @@ locals {
   cluster_name = ""
 }
 
-
 # https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
 # You cannot use a cluster master, node, Pod, or Service IP range that overlaps with 172.17.0.0/16.
 # The size of the RFC 1918 block for the cluster master must be /28.
+
 module "vpc" {
   #####################################
   # Do not modify the following lines #
@@ -96,15 +96,15 @@ module "gke" {
   #. cluster_version (optional): latest
   #+ GKE Cluster version to use.
 
+  #. cluster_release_channel (optional): STABLE
+  #+ GKE Cluster release channel to use. Accepted values are UNSPECIFIED, RAPID, REGULAR and STABLE. Defaults to STABLE.
+
   #. cluster_regional (optional): false
   #+ If the GKE Cluster must be regional or zonal. Be careful, this setting is destructive.
 
-  #. enable_private_endpoint (optional): false
+  #. enable_only_private_endpoint (optional): false
   #+ If true, only enable the private endpoint which disable the Public endpoint entirely. If false, private endpoint will be enabled, and the public endpoint will be only accessible by master authorized networks.
 
-  #. grant_registry_access (optional): true
-  #+ Grants created cluster-specific service account storage.objectViewer role.
-
   #. master_authorized_networks (optional): []
   #+ List of master authorized networks.
   # master_authorized_networks = [
@@ -120,9 +120,21 @@ module "gke" {
   #. enable_horizontal_pod_autoscaling (optional): true
   #+ Enable GKE Cluster horizontal pod autoscaling addon.
 
+  #. enable_vertical_pod_autoscaling (optional): false
+  #+ Enable GKE Cluster vertical pod autoscaling addon. Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.
+
   #. enable_http_load_balancing (optional): false
   #+ Enable GKE Cluster HTTP load balancing addon.
 
+  #. enable_binary_authorization (optional): false
+  #+ Enable GKE Cluster BinAuthZ Admission controller.
+
+  #. enable_cloudrun (optional): false
+  #+ Enable GKE Cluster Cloud Run for Anthos addon.
+
+  #. enable_istio (optional): false
+  #+ Enable GKE Cluster Istio addon.
+
   ###
   # Node pools
   ###
@@ -163,6 +175,15 @@ module "gke" {
     },
   ]
 
+  #. enable_shielded_nodes (optional): true
+  #+ Enable GKE Cluster Shielded Nodes features on all nodes.
+
+  #. enable_sandbox (optional): false
+  #+ Enable GKE Sandbox (Do not forget to set image_type = COS_CONTAINERD and node_version = 1.12.7-gke.17 or later to use it).
+
+  #. default_max_pods_per_node (optional): 110
+  #+ The maximum number of pods to schedule per node.
+
   ###
   # Required (should probably not be touched)
   ###

terraform/module-gke/control_plane.tf

@@ -13,9 +13,11 @@ module "gcp-gke" {
   region     = var.gcp_region
 
   name               = var.cluster_name
+  description        = "${var.cluster_name} GKE Cluster deployed via the cycloid.io GKE stack. Customer: ${var.customer}, Project: ${var.project}, Env: ${var.env}."
   regional           = var.cluster_regional
   zones              = local.gcp_available_zones
   kubernetes_version = var.cluster_version
+  release_channel    = var.cluster_release_channel
 
   // This craziness gets a plain network name from the reference link which is the
   // only way to force cluster creation to wait on network creation without a
@@ -26,17 +28,34 @@ module "gcp-gke" {
   ip_range_pods           = var.pods_ip_range
   ip_range_services       = var.services_ip_range
 
+  # security
   create_service_account            = true
   enable_private_endpoint           = var.enable_only_private_endpoint
   grant_registry_access             = var.grant_registry_access
+  disable_legacy_metadata_endpoints = var.disable_legacy_metadata_endpoints
+  enable_intranode_visibility       = var.enable_intranode_visibility
+  enable_shielded_nodes             = var.enable_shielded_nodes
+  node_metadata                     = "SECURE"
+  sandbox_enabled                   = var.enable_sandbox
+
+  # { state = "ENCRYPTED", key_name = "" }
+  # database_encryption
+
+  # addons
   network_policy                    = var.enable_network_policy
+  network_policy_provider           = var.network_policy_provider
   horizontal_pod_autoscaling        = var.enable_horizontal_pod_autoscaling
+  enable_vertical_pod_autoscaling   = var.enable_vertical_pod_autoscaling
   http_load_balancing               = var.enable_http_load_balancing
-  disable_legacy_metadata_endpoints = var.disable_legacy_metadata_endpoints
   enable_binary_authorization       = var.enable_binary_authorization
-
-  logging_service    = "logging.googleapis.com/kubernetes"
-  monitoring_service = "monitoring.googleapis.com/kubernetes"
+  cloudrun                          = var.enable_cloudrun
+  istio                             = var.enable_istio
+
+  # settings
+  default_max_pods_per_node         = var.default_max_pods_per_node
+  maintenance_start_time            = var.maintenance_start_time
+  logging_service                   = "logging.googleapis.com/kubernetes"
+  monitoring_service                = "monitoring.googleapis.com/kubernetes"
 
   master_ipv4_cidr_block     = var.master_cidr
   master_authorized_networks = concat(

terraform/module-gke/outputs.tf

@@ -28,16 +28,26 @@ output "cluster_master_version" {
   value       = module.gcp-gke.master_version
 }
 
-output "control_plane_endpoint" {
+output "cluster_release_channel" {
+  description = "GKE Cluster release channel."
+  value       = module.gcp-gke.release_channel
+}
+
+output "cluster_endpoint" {
   description = "GKE Cluster endpoint."
   value       = "https://${module.gcp-gke.endpoint}"
 }
 
-output "control_plane_ca" {
+output "cluster_ca" {
   description = "GKE Cluster certificate authority."
   value       = module.gcp-gke.ca_certificate
 }
 
+output "cluster_master_authorized_networks_config" {
+  description = "GKE Cluster networks from which access to master is permitted."
+  value       = module.gcp-gke.master_authorized_networks_config
+}
+
 output "node_pools_names" {
   description = "GKE Cluster node pools names."
   value       = module.gcp-gke.node_pools_names

terraform/module-gke/variables.tf

@@ -87,6 +87,11 @@ variable "cluster_version" {
   default     = "latest"
 }
 
+variable "cluster_release_channel" {
+  description = "GKE Cluster release channel to use. Accepted values are UNSPECIFIED, RAPID, REGULAR and STABLE. Defaults to STABLE."
+  default     = "STABLE"
+}
+
 variable "cluster_regional" {
   description = "If the GKE Cluster must be regional or zonal. Be careful, this setting is destructive."
   default     = false
@@ -112,11 +117,21 @@ variable "enable_network_policy" {
   default     = true
 }
 
+variable "network_policy_provider" {
+  description = "The GKE Cluster network policies addon provider."
+  default     = "CALICO"
+}
+
 variable "enable_horizontal_pod_autoscaling" {
   description = "Enable GKE Cluster horizontal pod autoscaling addon."
   default     = true
 }
 
+variable "enable_vertical_pod_autoscaling" {
+  description = "Enable GKE Cluster vertical pod autoscaling addon. Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it."
+  default     = false
+}
+
 variable "enable_http_load_balancing" {
   description = "Enable GKE Cluster HTTP load balancing addon."
   default     = false
@@ -132,11 +147,46 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
+variable "enable_cloudrun" {
+  description = "Enable GKE Cluster Cloud Run for Anthos addon."
+  default     = false
+}
+
+variable "enable_istio" {
+  description = "Enable GKE Cluster Istio addon."
+  default     = false
+}
+
+variable "maintenance_start_time" {
+  description = "Time window specified for daily maintenance operations in RFC3339 format."
+  default     = "05:00"
+}
+
 #
 # Node pools
 #
 
 variable "node_pools" {
   description = "GKE Cluster node pools to create."
   default     = []
+}
+
+variable "enable_shielded_nodes" {
+  description = "Enable GKE Cluster Shielded Nodes features on all nodes."
+  default     = true
+}
+
+variable "enable_sandbox" {
+  description = "Enable GKE Sandbox (Do not forget to set image_type = COS_CONTAINERD and node_version = 1.12.7-gke.17 or later to use it)."
+  default     = false
+}
+
+variable "default_max_pods_per_node" {
+  description = "The maximum number of pods to schedule per node."
+  default     = "110"
+}
+
+variable "enable_intranode_visibility" {
+  description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network."
+  default     = false
 }

terraform/outputs.tf

@@ -66,14 +66,24 @@ output "cluster_master_version" {
   value       = module.gke.cluster_master_version
 }
 
-output "control_plane_endpoint" {
+output "cluster_release_channel" {
+  description = "GKE Cluster release channel."
+  value       = module.gke.cluster_release_channel
+}
+
+output "cluster_master_authorized_networks_config" {
+  description = "GKE Cluster networks from which access to master is permitted."
+  value       = module.gke.cluster_master_authorized_networks_config
+}
+
+output "cluster_endpoint" {
   description = "GKE Cluster endpoint."
-  value       = module.gke.control_plane_endpoint
+  value       = module.gke.cluster_endpoint
 }
 
-output "control_plane_ca" {
+output "cluster_ca" {
   description = "GKE Cluster certificate authority."
-  value       = module.gke.control_plane_ca
+  value       = module.gke.cluster_ca
 }
 
 output "node_pools_names" {

terraform/provider.tf

@@ -12,8 +12,8 @@ data "google_client_config" "default" {
 }
 
 provider "kubernetes" {
-  host                   = "https://${module.gke.control_plane_endpoint}"
-  cluster_ca_certificate = base64decode(module.gke.control_plane_ca)
+  host                   = module.gke.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.gke.cluster_ca)
   token                  = data.google_client_config.default.access_token
   load_config_file       = false
 }