enable_mesh_certificates for safer-cluster

Author: bgvdiscord

autogen/main/cluster.tf.tmpl

@@ -516,7 +516,6 @@ resource "google_container_cluster" "primary" {
   }
   {% endif %}
 
-
   dynamic "authenticator_groups_config" {
     for_each = local.cluster_authenticator_security_group
     content {

autogen/main/variables.tf.tmpl

@@ -462,6 +462,14 @@ variable "identity_namespace" {
   default     = "enabled"
 }
 
+{% if autopilot_cluster != true %}
+variable "enable_mesh_certificates" {
+  type = bool
+  default = false
+  description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+{% endif %}
+
 variable "release_channel" {
   type        = string
   description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -753,7 +761,6 @@ variable "enable_pod_security_policy" {
   default     = false
 }
 
-
 variable "enable_l4_ilb_subsetting" {
   type        = bool
   description = "Enable L4 ILB Subsetting on the cluster"
@@ -777,13 +784,6 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
-
-
-variable "enable_mesh_certificates" {
-  type = bool
-  default = false
-  description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
-}
   {% endif %}
 {% endif %}
 

autogen/safer-cluster/main.tf.tmpl

@@ -185,6 +185,9 @@ module "gke" {
   // We enable Workload Identity by default.
   identity_namespace = "${var.project_id}.svc.id.goog"
 
+  // Enabling mesh certificates requires Workload Identity
+  enable_mesh_certificates = var.enable_mesh_certificates
+
   authenticator_security_group = var.authenticator_security_group
 
   enable_shielded_nodes = var.enable_shielded_nodes

autogen/safer-cluster/outputs.tf.tmpl

@@ -122,3 +122,8 @@ output "peering_name" {
   description = "The name of the peering between this cluster and the Google owned VPC."
   value       = module.gke.peering_name
 }
+
+output "enable_mesh_certificates" {
+  description = "Mesh certificate configuration value"
+  value       = var.enable_mesh_certificates
+}

autogen/safer-cluster/variables.tf.tmpl

@@ -484,3 +484,9 @@ variable "timeouts" {
     error_message = "Only create, update, delete timeouts can be specified."
   }
 }
+
+variable "enable_mesh_certificates" {
+  type = bool
+  default = false
+  description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}