Merge branch 'master' into fix_ci_tests_node_pool_deploy_service

Author: paulpalamarchuk

CHANGELOG.md

@@ -8,6 +8,10 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 
+### Added
+
+* Support for Shielded Nodes beta feature via `enabled_shielded_nodes` variable. [#300]
+
 ## [v5.1.1] - 2019-10-25
 
 ### Fixed

autogen/cluster.tf

@@ -65,6 +65,7 @@ resource "google_container_cluster" "primary" {
   enable_binary_authorization = var.enable_binary_authorization
   enable_intranode_visibility = var.enable_intranode_visibility
   default_max_pods_per_node   = var.default_max_pods_per_node
+  enable_shielded_nodes       = var.enable_shielded_nodes
 
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling

autogen/outputs.tf

@@ -154,4 +154,12 @@ output "release_channel" {
   description = "The release channel of this cluster"
   value       = var.release_channel
 }
+
+output "identity_namespace" {
+  description = "Workload Identity namespace"
+  value       = var.identity_namespace
+  depends_on = [
+    "google_container_cluster.primary"
+  ]
+}
 {% endif %}

autogen/variables.tf

@@ -427,4 +427,10 @@ variable "release_channel" {
   description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
   default     = null
 }
+
+variable "enable_shielded_nodes" {
+  type = bool
+  description = "Enable Shielded Nodes features on all nodes in this cluster"
+  default = false
+}
 {% endif %}

autogen/versions.tf

@@ -16,4 +16,12 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+{% if beta_cluster %}
+    google-beta = "~> 2.18.0"
+{% else %}
+    google = "~> 2.18.0"
+{% endif %}
+  }
 }

examples/deploy_service/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/disable_client_cert/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/node_pool_update_variant/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/shared_vpc/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/simple_regional/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/simple_regional_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/simple_zonal/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/simple_zonal_private/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/stub_domains/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/stub_domains_private/main.tf

@@ -15,14 +15,10 @@
  */
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 
-provider "random" {
-  version = "~> 2.1"
-}
-
 data "google_compute_subnetwork" "subnetwork" {
   name    = var.subnetwork
   project = var.project_id

examples/stub_domains_upstream_nameservers/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

examples/upstream_nameservers/main.tf

@@ -19,7 +19,7 @@ locals {
 }
 
 provider "google" {
-  version = "~> 2.12.0"
+  version = "~> 2.18.0"
   region  = var.region
 }
 

modules/beta-private-cluster-update-variant/README.md

@@ -153,6 +153,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
@@ -211,6 +212,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| identity\_namespace | Workload Identity namespace |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
 | kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -58,6 +58,7 @@ resource "google_container_cluster" "primary" {
   enable_binary_authorization = var.enable_binary_authorization
   enable_intranode_visibility = var.enable_intranode_visibility
   default_max_pods_per_node   = var.default_max_pods_per_node
+  enable_shielded_nodes       = var.enable_shielded_nodes
 
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling

modules/beta-private-cluster-update-variant/outputs.tf

@@ -153,3 +153,11 @@ output "release_channel" {
   description = "The release channel of this cluster"
   value       = var.release_channel
 }
+
+output "identity_namespace" {
+  description = "Workload Identity namespace"
+  value       = var.identity_namespace
+  depends_on = [
+    "google_container_cluster.primary"
+  ]
+}

modules/beta-private-cluster-update-variant/variables.tf

@@ -422,3 +422,9 @@ variable "release_channel" {
   description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
   default     = null
 }
+
+variable "enable_shielded_nodes" {
+  type        = bool
+  description = "Enable Shielded Nodes features on all nodes in this cluster"
+  default     = false
+}

modules/beta-private-cluster-update-variant/versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google-beta = "~> 2.18.0"
+  }
 }

modules/beta-private-cluster/README.md

@@ -153,6 +153,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
@@ -211,6 +212,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| identity\_namespace | Workload Identity namespace |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
 | kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |

modules/beta-private-cluster/cluster.tf

@@ -58,6 +58,7 @@ resource "google_container_cluster" "primary" {
   enable_binary_authorization = var.enable_binary_authorization
   enable_intranode_visibility = var.enable_intranode_visibility
   default_max_pods_per_node   = var.default_max_pods_per_node
+  enable_shielded_nodes       = var.enable_shielded_nodes
 
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling

modules/beta-private-cluster/outputs.tf

@@ -153,3 +153,11 @@ output "release_channel" {
   description = "The release channel of this cluster"
   value       = var.release_channel
 }
+
+output "identity_namespace" {
+  description = "Workload Identity namespace"
+  value       = var.identity_namespace
+  depends_on = [
+    "google_container_cluster.primary"
+  ]
+}

modules/beta-private-cluster/variables.tf

@@ -422,3 +422,9 @@ variable "release_channel" {
   description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
   default     = null
 }
+
+variable "enable_shielded_nodes" {
+  type        = bool
+  description = "Enable Shielded Nodes features on all nodes in this cluster"
+  default     = false
+}

modules/beta-private-cluster/versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google-beta = "~> 2.18.0"
+  }
 }

modules/beta-public-cluster/README.md

@@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
@@ -202,6 +203,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
+| identity\_namespace | Workload Identity namespace |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
 | kubernetes\_dashboard\_enabled | Whether kubernetes dashboard enabled |

modules/beta-public-cluster/cluster.tf

@@ -58,6 +58,7 @@ resource "google_container_cluster" "primary" {
   enable_binary_authorization = var.enable_binary_authorization
   enable_intranode_visibility = var.enable_intranode_visibility
   default_max_pods_per_node   = var.default_max_pods_per_node
+  enable_shielded_nodes       = var.enable_shielded_nodes
 
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling

modules/beta-public-cluster/outputs.tf

@@ -153,3 +153,11 @@ output "release_channel" {
   description = "The release channel of this cluster"
   value       = var.release_channel
 }
+
+output "identity_namespace" {
+  description = "Workload Identity namespace"
+  value       = var.identity_namespace
+  depends_on = [
+    "google_container_cluster.primary"
+  ]
+}

modules/beta-public-cluster/variables.tf

@@ -398,3 +398,9 @@ variable "release_channel" {
   description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`."
   default     = null
 }
+
+variable "enable_shielded_nodes" {
+  type        = bool
+  description = "Enable Shielded Nodes features on all nodes in this cluster"
+  default     = false
+}

modules/beta-public-cluster/versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google-beta = "~> 2.18.0"
+  }
 }

modules/private-cluster-update-variant/versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google = "~> 2.18.0"
+  }
 }

modules/private-cluster/versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google = "~> 2.18.0"
+  }
 }

versions.tf

@@ -16,4 +16,8 @@
 
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    google = "~> 2.18.0"
+  }
 }