make confidential_nodes GA

DrFaust92 · DrFaust92 · commit ea8fe69c2554 · 2023-12-13T13:46:39.000+02:00
diff --git a/README.md b/README.md
@@ -143,6 +143,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -53,14 +53,13 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
-{% if beta_cluster %}
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
       enabled = confidential_nodes.value.enabled
     }
   }
-{% endif %}
 
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -200,6 +200,7 @@ locals {
   cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 {% if beta_cluster %}
   # BETA features
   cluster_istio_enabled                    = ! local.cluster_output_istio_disabled
@@ -208,7 +209,6 @@ locals {
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -468,13 +468,13 @@ variable "shadow_firewall_rules_priority" {
   default = 999
 }
 
-{% if beta_cluster %}
 variable "enable_confidential_nodes" {
   type = bool
   description = "An optional flag to enable confidential node config."
   default = false
 }
 
+{% if beta_cluster %}
 variable "disable_default_snat" {
   type        = bool
   description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/cluster.tf b/cluster.tf
@@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "confidential_nodes" {
+    for_each = local.confidential_node_config
+    content {
+      enabled = confidential_nodes.value.enabled
+    }
+  }
+
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
   min_master_version = var.release_channel != null ? null : local.master_version
diff --git a/main.tf b/main.tf
@@ -142,6 +142,7 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
   cluster_maintenance_window_is_daily     = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -39,6 +39,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
@@ -121,14 +121,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -39,6 +39,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf
@@ -120,14 +120,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
@@ -166,14 +166,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -166,14 +166,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
@@ -165,14 +165,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" {
       channel = release_channel.value.channel
     }
   }
+
   dynamic "confidential_nodes" {
     for_each = local.confidential_node_config
     content {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -165,14 +165,14 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
   # BETA features
   cluster_istio_enabled                    = !local.cluster_output_istio_disabled
   cluster_dns_cache_enabled                = var.dns_cache
   cluster_telemetry_type_is_set            = var.cluster_telemetry_type != null
   cluster_pod_security_policy_enabled      = local.cluster_output_pod_security_policy_enabled
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  confidential_node_config                 = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   # /BETA features
 
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
@@ -172,6 +172,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "confidential_nodes" {
+    for_each = local.confidential_node_config
+    content {
+      enabled = confidential_nodes.value.enabled
+    }
+  }
+
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
   min_master_version = var.release_channel != null ? null : local.master_version
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
@@ -143,6 +143,7 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
   cluster_maintenance_window_is_daily     = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
@@ -414,6 +414,12 @@ variable "shadow_firewall_rules_priority" {
   default     = 999
 }
 
+variable "enable_confidential_nodes" {
+  type        = bool
+  description = "An optional flag to enable confidential node config."
+  default     = false
+}
+
 
 variable "network_policy" {
   type        = bool
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
@@ -150,6 +150,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "confidential_nodes" {
+    for_each = local.confidential_node_config
+    content {
+      enabled = confidential_nodes.value.enabled
+    }
+  }
+
   subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
 
   min_master_version = var.release_channel != null ? null : local.master_version
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
@@ -143,6 +143,7 @@ locals {
   cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace
   }]
+  confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : []
 
   cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
   cluster_maintenance_window_is_daily     = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
@@ -414,6 +414,12 @@ variable "shadow_firewall_rules_priority" {
   default     = 999
 }
 
+variable "enable_confidential_nodes" {
+  type        = bool
+  description = "An optional flag to enable confidential node config."
+  default     = false
+}
+
 
 variable "network_policy" {
   type        = bool
diff --git a/variables.tf b/variables.tf
@@ -390,6 +390,12 @@ variable "shadow_firewall_rules_priority" {
   default     = 999
 }
 
+variable "enable_confidential_nodes" {
+  type        = bool
+  description = "An optional flag to enable confidential node config."
+  default     = false
+}
+
 
 variable "network_policy" {
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -53,14 +53,13 @@ resource "google_container_cluster" "primary" {`
`53`	`53`	`channel = release_channel.value.channel`
`54`	`54`	`}`
`55`	`55`	`}`
`56`		`-{% if beta_cluster %}`
	`56`	`+`
`57`	`57`	`dynamic "confidential_nodes" {`
`58`	`58`	`for_each = local.confidential_node_config`
`59`	`59`	`content {`
`60`	`60`	`enabled = confidential_nodes.value.enabled`
`61`	`61`	`}`
`62`	`62`	`}`
`63`		`-{% endif %}`
`64`	`63`
`65`	`64`	`subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"`
`66`	`65`
Original file line number	Diff line number	Diff line change
`@@ -468,13 +468,13 @@ variable "shadow_firewall_rules_priority" {`
`468`	`468`	`default = 999`
`469`	`469`	`}`
`470`	`470`
`471`		`-{% if beta_cluster %}`
`472`	`471`	`variable "enable_confidential_nodes" {`
`473`	`472`	`type = bool`
`474`	`473`	`description = "An optional flag to enable confidential node config."`
`475`	`474`	`default = false`
`476`	`475`	`}`
`477`	`476`
	`477`	`+{% if beta_cluster %}`
`478`	`478`	`variable "disable_default_snat" {`
`479`	`479`	`type = bool`
`480`	`480`	`description = "Whether to disable the default SNAT to support the private use of public IP addresses"`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,13 @@ resource "google_container_cluster" "primary" {`
`48`	`48`	`}`
`49`	`49`	`}`
`50`	`50`
	`51`	`+ dynamic "confidential_nodes" {`
	`52`	`+ for_each = local.confidential_node_config`
	`53`	`+ content {`
	`54`	`+ enabled = confidential_nodes.value.enabled`
	`55`	`+ }`
	`56`	`+ }`
	`57`	`+`
`51`	`58`	`subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"`
`52`	`59`
`53`	`60`	`min_master_version = var.release_channel != null ? null : local.master_version`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ resource "google_container_cluster" "primary" {`
`39`	`39`	`channel = release_channel.value.channel`
`40`	`40`	`}`
`41`	`41`	`}`
	`42`	`+`
`42`	`43`	`dynamic "confidential_nodes" {`
`43`	`44`	`for_each = local.confidential_node_config`
`44`	`45`	`content {`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ resource "google_container_cluster" "primary" {`
`47`	`47`	`channel = release_channel.value.channel`
`48`	`48`	`}`
`49`	`49`	`}`
	`50`	`+`
`50`	`51`	`dynamic "confidential_nodes" {`
`51`	`52`	`for_each = local.confidential_node_config`
`52`	`53`	`content {`