enable_mesh_certificates for autogen/main

bgvdiscord · bgvdiscord · commit 622c2f62bcb9 · 2023-08-17T10:22:19.000-05:00
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -506,6 +506,17 @@ resource "google_container_cluster" "primary" {
   }
   {% endif %}
 
+  {% if autopilot_cluster != true %}
+  dynamic "mesh_certificates" {
+    for_each = local.cluster_mesh_certificates_config
+
+    content {
+      enable_certificates = mesh_certificates.value.enable_certificates
+    }
+  }
+  {% endif %}
+
+
   dynamic "authenticator_groups_config" {
     for_each = local.cluster_authenticator_security_group
     content {
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -213,7 +213,11 @@ locals {
   workload_identity_enabled                  = ! (var.identity_namespace == null || var.identity_namespace == "null")
   cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
+  }]  
+  cluster_mesh_certificates_config = ! local.workload_identity_enabled ? [] : [{
+    enable_certificates = var.enable_mesh_certificates
   }]
+  
 {% if beta_cluster %}
   # BETA features
   cluster_istio_enabled                    = ! local.cluster_output_istio_disabled
diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl
@@ -170,6 +170,14 @@ output "identity_namespace" {
     google_container_cluster.primary
   ]
 }
+
+output "mesh_certificates_config" {
+  description = "Mesh certificates configuration"
+  value       = local.cluster_mesh_certificates_config
+  depends_on = [
+    google_container_cluster.primary
+  ]
+}
 {% if private_cluster %}
 
 output "master_ipv4_cidr_block" {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -777,5 +777,13 @@ variable "enable_identity_service" {
   description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
   default     = false
 }
+
+
+variable "enable_mesh_certificates" {
+  type = bool
+  default = false
+  description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
   {% endif %}
 {% endif %}
+

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,14 @@ output "identity_namespace" {`
`170`	`170`	`google_container_cluster.primary`
`171`	`171`	`]`
`172`	`172`	`}`
	`173`	`+`
	`174`	`+output "mesh_certificates_config" {`
	`175`	`+ description = "Mesh certificates configuration"`
	`176`	`+ value = local.cluster_mesh_certificates_config`
	`177`	`+ depends_on = [`
	`178`	`+ google_container_cluster.primary`
	`179`	`+ ]`
	`180`	`+}`
`173`	`181`	`{% if private_cluster %}`
`174`	`182`
`175`	`183`	`output "master_ipv4_cidr_block" {`