Skip to content

Latest commit

 

History

History
347 lines (323 loc) · 12.9 KB

File metadata and controls

347 lines (323 loc) · 12.9 KB

GKE hub module

This module allows simplified creation and management of a GKE Hub object and its features for a given set of clusters. The given list of clusters will be registered inside the Hub and all the configured features will be activated.

To use this module you must ensure the following APIs are enabled in the target project:

"gkehub.googleapis.com"
"gkeconnect.googleapis.com"
"anthosconfigmanagement.googleapis.com"
"multiclusteringress.googleapis.com"
"multiclusterservicediscovery.googleapis.com"
"mesh.googleapis.com"

Full GKE Hub example

module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  name            = "gkehub-test"
  parent          = "folders/12345"
  services = [
    "anthosconfigmanagement.googleapis.com",
    "container.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "multiclusteringress.googleapis.com",
    "multiclusterservicediscovery.googleapis.com",
    "mesh.googleapis.com"
  ]
}

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "network"
  subnets = [{
    ip_cidr_range = "10.0.0.0/24"
    name          = "cluster-1"
    region        = "europe-west1"
    secondary_ip_range = {
      pods     = "10.1.0.0/16"
      services = "10.2.0.0/24"
    }
  }]
}

module "cluster_1" {
  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-west1-b"
  network                  = module.vpc.self_link
  subnetwork               = module.vpc.subnet_self_links["europe-west1/cluster-1"]
  secondary_range_pods     = "pods"
  secondary_range_services = "services"
  enable_dataplane_v2      = true
  master_authorized_ranges = { rfc1918_10_8 = "10.0.0.0/8" }
  private_cluster_config = {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "192.168.0.0/28"
    master_global_access    = false
  }
}

module "hub" {
  source     = "./fabric/modules/gke-hub"
  project_id = module.project.project_id
  clusters = {
    cluster-1 = module.cluster_1.id
  }
  features = {
    appdevexperience             = false
    configmanagement             = true
    identityservice              = false
    multiclusteringress          = null
    servicemesh                  = false
    multiclusterservicediscovery = false
  }
  configmanagement_templates = {
    default = {
      binauthz = false
      config_sync = {
        git = {
          gcp_service_account_email = null
          https_proxy               = null
          policy_dir                = "configsync"
          secret_type               = "none"
          source_format             = "hierarchy"
          sync_branch               = "main"
          sync_repo                 = "https://github.com/danielmarzini/configsync-platform-example"
          sync_rev                  = null
          sync_wait_secs            = null
        }
        prevent_drift = false
        source_format = "hierarchy"
      }
      hierarchy_controller = {
        enable_hierarchical_resource_quota = true
        enable_pod_tree_labels             = true
      }
      policy_controller = {
        audit_interval_seconds     = 120
        exemptable_namespaces      = []
        log_denies_enabled         = true
        referential_rules_enabled  = true
        template_library_installed = true
      }
      version = "v1"
    }
  }
  configmanagement_clusters = {
    "default" = [ "cluster-1" ]
  }
}

# tftest modules=4 resources=15

Multi-cluster mesh on GKE

module "project" {
  source          = "./fabric/modules/project"
  billing_account = "123-456-789"
  name            = "gkehub-test"
  parent          = "folders/12345"
  services = [
    "anthos.googleapis.com",
    "container.googleapis.com",
    "gkehub.googleapis.com",
    "gkeconnect.googleapis.com",
    "mesh.googleapis.com",
    "meshconfig.googleapis.com",
    "meshca.googleapis.com"
  ]
}

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "vpc"
  mtu        = 1500
  subnets = [
    {
      ip_cidr_range = "10.0.1.0/24"
      name          = "subnet-cluster-1"
      region        = "europe-west1"
      secondary_ip_range = {
        pods     = "10.1.0.0/16"
        services = "10.2.0.0/24"
      }
    },
    {
      ip_cidr_range = "10.0.2.0/24"
      name          = "subnet-cluster-2"
      region        = "europe-west4"
      secondary_ip_range = {
        pods     = "10.3.0.0/16"
        services = "10.4.0.0/24"
      }
    },
    {
      ip_cidr_range      = "10.0.0.0/28"
      name               = "subnet-mgmt"
      region             = "europe-west1"
      secondary_ip_range = null
    }
  ]
}

module "firewall" {
  source     = "./fabric/modules/net-vpc-firewall"
  project_id = module.project.project_id
  network    = module.vpc.name
  custom_rules = { 
    allow-mesh = {
      description          = "Allow mesh"
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = ["10.1.0.0/16", "10.3.0.0/16"]
      targets              = ["cluster-1-node", "cluster-2-node"]
      use_service_accounts = false
      rules = [{ protocol = "tcp", ports = null },
        { protocol = "udp", ports = null },
        { protocol = "icmp", ports = null },
        { protocol = "esp", ports = null },
        { protocol = "ah", ports = null },
      { protocol = "sctp", ports = null }]
      extra_attributes = {
        priority = 900
      }
    }, 
    "allow-cluster-1-istio" = {
      description          = "Allow istio sidecar injection, istioctl version and istioctl ps"
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = [ "192.168.1.0/28" ]
      targets              = ["cluster-1-node"]
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = [8080, 15014, 15017] }]
      extra_attributes = {
        priority = 1000
      }
    },
    "allow-cluster-2-istio" = {
      description          = "Allow istio sidecar injection, istioctl version and istioctl ps"
      direction            = "INGRESS"
      action               = "allow"
      sources              = []
      ranges               = [ "192.168.2.0/28" ]
      targets              = ["cluster-2-node"]
      use_service_accounts = false
      rules                = [{ protocol = "tcp", ports = [8080, 15014, 15017] }]
      extra_attributes = {
        priority = 1000
      }
    }
  }
}

module "cluster_1" {
  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-wes1"
  network                  = module.vpc.self_link
  subnetwork               = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
  secondary_range_pods     = "pods"
  secondary_range_services = "services"
  private_cluster_config = {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "192.168.1.0/28"
    master_global_access    = true
  }
  master_authorized_ranges = {
    mgmt           = "10.0.0.0/28"
    pods-cluster-1 =  "10.3.0.0/16"
  }
  enable_autopilot  = false
  release_channel   = "REGULAR"
  workload_identity = true
  labels = {
    mesh_id = "proj-${module.project.number}"
  }
}

module "cluster_1_nodepool" {
  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = module.project.project_id
  cluster_name                = module.cluster_1.name
  location                    = "europe-west1"
  name                        = "nodepool"
  node_service_account_create = true
  initial_node_count          = 1
  node_machine_type           = "e2-standard-4"
  node_tags                   = ["cluster-1-node"]
}

module "cluster_2" {
  source                   = "./fabric/modules/gke-cluster"
  project_id               = module.project.project_id
  name                     = "cluster-1"
  location                 = "europe-wes1"
  network                  = module.vpc.self_link
  subnetwork               = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
  secondary_range_pods     = "pods"
  secondary_range_services = "services"
  private_cluster_config = {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "192.168.2.0/28"
    master_global_access    = true
  }
  master_authorized_ranges = {
    mgmt           = "10.0.0.0/28"
    pods-cluster-1 = "10.1.0.0/16"
  }
  enable_autopilot  = false
  release_channel   = "REGULAR"
  workload_identity = true
  labels = {
    mesh_id = "proj-${module.project.number}"
  }
}

module "cluster_2_nodepool" {
  source                      = "./fabric/modules/gke-nodepool"
  project_id                  = module.project.project_id
  cluster_name                = module.cluster_2.name
  location                    = "europe-west4"
  name                        = "nodepool"
  node_service_account_create = true
  initial_node_count          = 1
  node_machine_type           = "e2-standard-4"
  node_tags                   = ["cluster-2-node"]
}


module "hub" {
  source     = "./fabric/modules/gke-hub"
  project_id = module.project.project_id
  clusters = { 
    cluster-1 = module.cluster_1.id
    cluster-2 = module.cluster_2.id
  }
  features = {
    appdevexperience             = false
    configmanagement             = false
    identityservice              = false
    multiclusteringress          = null
    servicemesh                  = true
    multiclusterservicediscovery = false
  }
  workload_identity_clusters = [
    "cluster-1",
    "cluster-2"
  ]
}
# tftest modules=8 resources=28

Variables

name description type required default
project_id GKE hub project ID. string
clusters Clusters members of this GKE Hub in name => id format. map(string) {}
configmanagement_clusters Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. map(list(string)) {}
configmanagement_templates Sets of config management configurations that can be applied to member clusters, in config name => {options} format. map(object({…})) {}
features Enable and configue fleet features. object({…}) {…}
workload_identity_clusters Clusters that will use Fleet Workload Identity. list(string) []

Outputs

name description sensitive
cluster_ids