From a5ce97e43725e59e2dc8964cadc6145ce173c583 Mon Sep 17 00:00:00 2001 From: Mikael Bergemalm Date: Fri, 29 Aug 2025 08:52:34 +0200 Subject: [PATCH] feat(safer-cluster): add some missing variables - node_pools_resource_manager_tags - node_pools_cgroup_mode - node_pools_hugepage_size_2m - enable_secret_manager_addon --- autogen/safer-cluster/main.tf.tmpl | 19 ++++++---- autogen/safer-cluster/variables.tf.tmpl | 38 +++++++++++++++++++ metadata.display.yaml | 3 ++ .../metadata.display.yaml | 3 ++ .../metadata.display.yaml | 3 ++ .../metadata.display.yaml | 3 ++ .../beta-public-cluster/metadata.display.yaml | 3 ++ .../metadata.display.yaml | 3 ++ modules/private-cluster/metadata.display.yaml | 3 ++ .../safer-cluster-update-variant/README.md | 4 ++ modules/safer-cluster-update-variant/main.tf | 19 ++++++---- .../metadata.display.yaml | 18 +++++++++ .../metadata.yaml | 22 +++++++++++ .../safer-cluster-update-variant/variables.tf | 38 +++++++++++++++++++ modules/safer-cluster/README.md | 4 ++ modules/safer-cluster/main.tf | 19 ++++++---- modules/safer-cluster/metadata.display.yaml | 18 +++++++++ modules/safer-cluster/metadata.yaml | 22 +++++++++++ modules/safer-cluster/variables.tf | 38 +++++++++++++++++++ 19 files changed, 259 insertions(+), 21 deletions(-) diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 8415104812..e1b48c7ba3 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl 
@@ -89,13 +89,16 @@ module "gke" { // If removing the default node pool, initial_node_count should be at least 1. initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count - node_pools = var.node_pools - windows_node_pools = var.windows_node_pools - node_pools_labels = var.node_pools_labels - node_pools_resource_labels = var.node_pools_resource_labels - node_pools_metadata = var.node_pools_metadata - node_pools_taints = var.node_pools_taints - node_pools_tags = var.node_pools_tags + node_pools = var.node_pools + windows_node_pools = var.windows_node_pools + node_pools_labels = var.node_pools_labels + node_pools_resource_labels = var.node_pools_resource_labels + node_pools_resource_manager_tags = var.node_pools_resource_manager_tags + node_pools_metadata = var.node_pools_metadata + node_pools_cgroup_mode = var.node_pools_cgroup_mode + node_pools_hugepage_size_2m = var.node_pools_hugepage_size_2m + node_pools_taints = var.node_pools_taints + node_pools_tags = var.node_pools_tags node_pools_oauth_scopes = var.node_pools_oauth_scopes @@ -216,6 +219,8 @@ module "gke" { enable_gcfs = var.enable_gcfs + enable_secret_manager_addon = var.enable_secret_manager_addon + // Enabling vulnerability and audit for workloads workload_vulnerability_mode = var.workload_vulnerability_mode workload_config_audit_mode = var.workload_config_audit_mode diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 4627cb489f..5a6c29c1e1 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl 
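Review bot: `enable_secret_manager_addon` is passed through to `module "gke"` without the explanatory comment its neighbours carry (`// Enabling vulnerability and audit for workloads` sits two lines below), and in the safer-cluster profile the opt-in nature of this add-on is worth stating at the call site. As I understand it the add-on lets workloads mount Secret Manager secrets into pods, so a reader of the hardened wrapper should see that it stays off unless explicitly enabled and that which secrets a pod can read is still bounded by the identity the pod runs as; a line such as `// Opt-in Secret Manager add-on (default false); secret access is still governed by Workload Identity/IAM on the pods' service accounts` would do. The same applies to the generated copies in modules/safer-cluster-update-variant/main.tf and modules/safer-cluster/main.tf. The enclosing `module "gke"` block starts and ends outside the hunk.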
@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" @@ -195,6 +205,28 @@ variable "node_pools_metadata" { } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + +variable "node_pools_hugepage_size_2m" { + type = map(string) + description = "Map of strings containing hugepage size 2m node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + variable "node_pools_taints" { type = map(list(object({ key = string, value = string, effect = string }))) description = "Map of lists containing node taints by node-pool name" @@ -540,6 +572,12 @@ variable "enable_gcfs" { default = false } +variable "enable_secret_manager_addon" { + description = "Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "enable_mesh_certificates" { type = bool default = false diff --git a/metadata.display.yaml b/metadata.display.yaml index 9c6accecb8..84b4287225 100644 --- a/metadata.display.yaml +++ b/metadata.display.yaml @@ -285,6 +285,9 @@ spec: master_authorized_networks: name: master_authorized_networks title: Master Authorized Networks + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus 
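Review bot: The comment `# Default is being set in variables_defaults.tf` on `node_pools_cgroup_mode` and `node_pools_hugepage_size_2m` looks copied from the wrapped module; the safer-cluster wrapper hands these maps straight to `module "gke"`, and unless this directory has a variables_defaults.tf I cannot see, the comment points at a file that does not exist here, so I would replace it with `# Empty strings fall through to the wrapped module's per-pool defaults` or drop it. Separately, the regenerated metadata.display.yaml for both safer-cluster modules gains entries for `node_pools_hugepage_size_1g` and `node_pools_linux_node_configs_sysctls`, which neither this variables file nor the README/metadata.yaml hunks declare (the README context goes straight from `node_pools_cgroup_mode` to the new `node_pools_hugepage_size_2m` row, and from `node_pools_labels` to `node_pools_metadata`), so the display metadata now advertises inputs the module does not expose — either add those variables or regenerate the display file from the current variables. The description of `node_pools_resource_manager_tags` would also benefit from stating the expected key/value form, since tag bindings on nodes are a policy input (firewall policies, IAM conditions) and a wrongly shaped map is easy to pass unnoticed. The same comment and descriptions are duplicated in modules/safer-cluster-update-variant/variables.tf and modules/safer-cluster/variables.tf.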
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml index 30cad10e2c..5cdde2a436 100644 --- a/modules/beta-private-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml @@ -325,6 +325,9 @@ spec: master_ipv4_cidr_block: name: master_ipv4_cidr_block title: Master Ipv4 Cidr Block + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml index e301bb7457..01b740db5f 100644 --- a/modules/beta-private-cluster/metadata.display.yaml +++ b/modules/beta-private-cluster/metadata.display.yaml @@ -325,6 +325,9 @@ spec: master_ipv4_cidr_block: name: master_ipv4_cidr_block title: Master Ipv4 Cidr Block + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml index 750662d7e9..0c8d7973e8 100644 --- a/modules/beta-public-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml 
@@ -310,6 +310,9 @@ spec: master_authorized_networks: name: master_authorized_networks title: Master Authorized Networks + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml index 52d77d1eb8..fb617f1d87 100644 --- a/modules/beta-public-cluster/metadata.display.yaml +++ b/modules/beta-public-cluster/metadata.display.yaml @@ -310,6 +310,9 @@ spec: master_authorized_networks: name: master_authorized_networks title: Master Authorized Networks + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml index 91fe12d026..2071965764 100644 --- a/modules/private-cluster-update-variant/metadata.display.yaml +++ b/modules/private-cluster-update-variant/metadata.display.yaml @@ -301,6 +301,9 @@ spec: master_ipv4_cidr_block: name: master_ipv4_cidr_block title: Master Ipv4 Cidr Block + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml index 91aa9c970b..cce94e43e8 100644 --- a/modules/private-cluster/metadata.display.yaml +++ b/modules/private-cluster/metadata.display.yaml 
@@ -301,6 +301,9 @@ spec: master_ipv4_cidr_block: name: master_ipv4_cidr_block title: Master Ipv4 Cidr Block + monitoring_auto_monitoring_config_scope: + name: monitoring_auto_monitoring_config_scope + title: Monitoring Auto Monitoring Config Scope monitoring_enable_managed_prometheus: name: monitoring_enable_managed_prometheus title: Monitoring Enable Managed Prometheus diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index e38cac18ac..ef3afc2b00 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | +| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | 
@@ -261,10 +262,13 @@ For simplicity, we suggest using `roles/container.admin` and | network | The VPC network to host the cluster in | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | +| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index cdd03b9f53..9cd09b9bb5 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -85,13 +85,16 @@ module "gke" { // If removing the default node pool, initial_node_count should be at least 1. initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count - node_pools = var.node_pools - windows_node_pools = var.windows_node_pools - node_pools_labels = var.node_pools_labels - node_pools_resource_labels = var.node_pools_resource_labels - node_pools_metadata = var.node_pools_metadata - node_pools_taints = var.node_pools_taints - node_pools_tags = var.node_pools_tags + node_pools = var.node_pools + windows_node_pools = var.windows_node_pools + node_pools_labels = var.node_pools_labels + node_pools_resource_labels = var.node_pools_resource_labels + node_pools_resource_manager_tags = var.node_pools_resource_manager_tags + node_pools_metadata = var.node_pools_metadata + node_pools_cgroup_mode = var.node_pools_cgroup_mode + node_pools_hugepage_size_2m = var.node_pools_hugepage_size_2m + node_pools_taints = var.node_pools_taints + node_pools_tags = var.node_pools_tags node_pools_oauth_scopes = var.node_pools_oauth_scopes @@ -212,6 +215,8 @@ module "gke" { enable_gcfs = var.enable_gcfs + enable_secret_manager_addon = var.enable_secret_manager_addon + // Enabling vulnerability and audit for workloads workload_vulnerability_mode = var.workload_vulnerability_mode workload_config_audit_mode = var.workload_config_audit_mode diff --git a/modules/safer-cluster-update-variant/metadata.display.yaml b/modules/safer-cluster-update-variant/metadata.display.yaml index 19faf805d4..77de285e45 100644 
--- a/modules/safer-cluster-update-variant/metadata.display.yaml +++ b/modules/safer-cluster-update-variant/metadata.display.yaml @@ -106,6 +106,9 @@ spec: enable_private_endpoint: name: enable_private_endpoint title: Enable Private Endpoint + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon enable_shielded_nodes: name: enable_shielded_nodes title: Enable Shielded Nodes @@ -208,9 +211,21 @@ spec: node_pools: name: node_pools title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_hugepage_size_1g: + name: node_pools_hugepage_size_1g + title: Node Pools Hugepage Size 1G + node_pools_hugepage_size_2m: + name: node_pools_hugepage_size_2m + title: Node Pools Hugepage Size 2M node_pools_labels: name: node_pools_labels title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls node_pools_metadata: name: node_pools_metadata title: Node Pools Metadata @@ -220,6 +235,9 @@ spec: node_pools_resource_labels: name: node_pools_resource_labels title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags node_pools_tags: name: node_pools_tags title: Node Pools Tags diff --git a/modules/safer-cluster-update-variant/metadata.yaml b/modules/safer-cluster-update-variant/metadata.yaml index b5b3db4e03..6ffd5d5144 100644 --- a/modules/safer-cluster-update-variant/metadata.yaml +++ b/modules/safer-cluster-update-variant/metadata.yaml 
@@ -238,12 +238,30 @@ spec: defaultValue: all: {} default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} - name: node_pools_metadata description: Map of maps containing node metadata by node-pool name varType: map(map(string)) defaultValue: all: {} default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: node_pools_hugepage_size_2m + description: Map of strings containing hugepage size 2m node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" - name: node_pools_taints description: Map of lists containing node taints by node-pool name varType: map(list(object({ key = string, value = string, effect = string }))) @@ -478,6 +496,10 @@ spec: description: Enable image streaming on cluster level. varType: bool defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false - name: enable_mesh_certificates description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. varType: bool diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 93717ebcaf..83a3a992aa 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf 
@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" @@ -195,6 +205,28 @@ variable "node_pools_metadata" { } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + +variable "node_pools_hugepage_size_2m" { + type = map(string) + description = "Map of strings containing hugepage size 2m node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + variable "node_pools_taints" { type = map(list(object({ key = string, value = string, effect = string }))) description = "Map of lists containing node taints by node-pool name" @@ -540,6 +572,12 @@ variable "enable_gcfs" { default = false } +variable "enable_secret_manager_addon" { + description = "Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "enable_mesh_certificates" { type = bool default = false diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index e38cac18ac..ef3afc2b00 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | +| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | @@ -261,10 +262,13 @@ For simplicity, we suggest using `roles/container.admin` and | network | The VPC network to host the cluster in | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | | node\_pools | List of maps containing node pools | `list(map(string))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | +| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 9f372c607c..7f25484c13 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -85,13 +85,16 @@ module "gke" { // If removing the default node pool, initial_node_count should be at least 1. initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count - node_pools = var.node_pools - windows_node_pools = var.windows_node_pools - node_pools_labels = var.node_pools_labels - node_pools_resource_labels = var.node_pools_resource_labels - node_pools_metadata = var.node_pools_metadata - node_pools_taints = var.node_pools_taints - node_pools_tags = var.node_pools_tags + node_pools = var.node_pools + windows_node_pools = var.windows_node_pools + node_pools_labels = var.node_pools_labels + node_pools_resource_labels = var.node_pools_resource_labels + node_pools_resource_manager_tags = var.node_pools_resource_manager_tags + node_pools_metadata = var.node_pools_metadata + node_pools_cgroup_mode = var.node_pools_cgroup_mode + node_pools_hugepage_size_2m = var.node_pools_hugepage_size_2m + node_pools_taints = var.node_pools_taints + node_pools_tags = var.node_pools_tags node_pools_oauth_scopes = var.node_pools_oauth_scopes @@ -212,6 +215,8 @@ module "gke" { enable_gcfs = var.enable_gcfs + enable_secret_manager_addon = var.enable_secret_manager_addon + // Enabling vulnerability and audit for workloads workload_vulnerability_mode = var.workload_vulnerability_mode workload_config_audit_mode = var.workload_config_audit_mode diff --git a/modules/safer-cluster/metadata.display.yaml b/modules/safer-cluster/metadata.display.yaml index 0111bf9135..0363384281 100644 --- a/modules/safer-cluster/metadata.display.yaml +++ b/modules/safer-cluster/metadata.display.yaml 
@@ -106,6 +106,9 @@ spec: enable_private_endpoint: name: enable_private_endpoint title: Enable Private Endpoint + enable_secret_manager_addon: + name: enable_secret_manager_addon + title: Enable Secret Manager Addon enable_shielded_nodes: name: enable_shielded_nodes title: Enable Shielded Nodes @@ -208,9 +211,21 @@ spec: node_pools: name: node_pools title: Node Pools + node_pools_cgroup_mode: + name: node_pools_cgroup_mode + title: Node Pools Cgroup Mode + node_pools_hugepage_size_1g: + name: node_pools_hugepage_size_1g + title: Node Pools Hugepage Size 1G + node_pools_hugepage_size_2m: + name: node_pools_hugepage_size_2m + title: Node Pools Hugepage Size 2M node_pools_labels: name: node_pools_labels title: Node Pools Labels + node_pools_linux_node_configs_sysctls: + name: node_pools_linux_node_configs_sysctls + title: Node Pools Linux Node Configs Sysctls node_pools_metadata: name: node_pools_metadata title: Node Pools Metadata @@ -220,6 +235,9 @@ spec: node_pools_resource_labels: name: node_pools_resource_labels title: Node Pools Resource Labels + node_pools_resource_manager_tags: + name: node_pools_resource_manager_tags + title: Node Pools Resource Manager Tags node_pools_tags: name: node_pools_tags title: Node Pools Tags diff --git a/modules/safer-cluster/metadata.yaml b/modules/safer-cluster/metadata.yaml index 00399f4d0e..406fbfe878 100644 --- a/modules/safer-cluster/metadata.yaml +++ b/modules/safer-cluster/metadata.yaml 
@@ -238,12 +238,30 @@ spec: defaultValue: all: {} default-node-pool: {} + - name: node_pools_resource_manager_tags + description: Map of maps containing resource manager tags by node-pool name + varType: map(map(string)) + defaultValue: + all: {} + default-node-pool: {} - name: node_pools_metadata description: Map of maps containing node metadata by node-pool name varType: map(map(string)) defaultValue: all: {} default-node-pool: {} + - name: node_pools_cgroup_mode + description: Map of strings containing cgroup node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" + - name: node_pools_hugepage_size_2m + description: Map of strings containing hugepage size 2m node config by node-pool name + varType: map(string) + defaultValue: + all: "" + default-node-pool: "" - name: node_pools_taints description: Map of lists containing node taints by node-pool name varType: map(list(object({ key = string, value = string, effect = string }))) @@ -478,6 +496,10 @@ spec: description: Enable image streaming on cluster level. varType: bool defaultValue: false + - name: enable_secret_manager_addon + description: Enable the Secret Manager add-on for this cluster + varType: bool + defaultValue: false - name: enable_mesh_certificates description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. varType: bool diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 93717ebcaf..83a3a992aa 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf 
@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" @@ -195,6 +205,28 @@ variable "node_pools_metadata" { } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + +variable "node_pools_hugepage_size_2m" { + type = map(string) + description = "Map of strings containing hugepage size 2m node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} + variable "node_pools_taints" { type = map(list(object({ key = string, value = string, effect = string }))) description = "Map of lists containing node taints by node-pool name" @@ -540,6 +572,12 @@ variable "enable_gcfs" { default = false } +variable "enable_secret_manager_addon" { + description = "Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "enable_mesh_certificates" { type = bool default = false