Merge pull request #13 from truefoundry/shared-vpc

Added support for shared VPC. Removed pod IPv4 and service IPV4 support
truefoundry · Mar 19, 2024 · 7d9b8d2 · 7d9b8d2
2 parents ba4edf7 + bc27a7b
commit 7d9b8d2
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -36,14 +36,13 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_ip_ranges"></a> [allowed\_ip\_ranges](#input\_allowed\_ip\_ranges) | Allowed IP ranges to connect to master | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_cluster_generic_node_config"></a> [cluster\_generic\_node\_config](#input\_cluster\_generic\_node\_config) | Cluster Generic Node configuration | <pre>object({<br>    disk_size_gb                  = optional(string, "100")<br>    disk_type                     = optional(string, "pd-balanced")<br>    machine_type                  = optional(string, "e2-medium")<br>    enable_secure_boot            = optional(bool, true)<br>    enable_integrity_monitoring   = optional(bool, true)<br>    auto_repair                   = optional(bool, true)<br>    auto_upgrade                  = optional(bool, true)<br>    node_count                    = optional(number, 1)<br>    workload_metadata_config_mode = optional(string, "GKE_METADATA")<br>    service_account               = optional(string, "default")<br>    preemptible                   = optional(bool, false)<br>    spot                          = optional(bool, true)<br>  })</pre> | `{}` | no |
-| <a name="input_cluster_ipv4_cidr_block"></a> [cluster\_ipv4\_cidr\_block](#input\_cluster\_ipv4\_cidr\_block) | The IP address range for the cluster pod IPs. Set to blank to have a range chosen with the default size. Optional with cluster\_ipv4\_cidr\_block | `string` | `""` | no |
 | <a name="input_cluster_master_ipv4_cidr_block"></a> [cluster\_master\_ipv4\_cidr\_block](#input\_cluster\_master\_ipv4\_cidr\_block) | Master nodes ipv4 cidr | `string` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
 | <a name="input_cluster_nap_node_config"></a> [cluster\_nap\_node\_config](#input\_cluster\_nap\_node\_config) | Cluster NAP Node configuration | <pre>object({<br>    disk_size_gb                = optional(string, "300")<br>    disk_type                   = optional(string, "pd-balanced")<br>    enable_secure_boot          = optional(bool, true)<br>    enable_integrity_monitoring = optional(bool, true)<br>    autoscaling_profile         = optional(string, "OPTIMIZE_UTILIZATION")<br>    max_cpu                     = optional(number, 1024)<br>    max_memory                  = optional(number, 8172)<br>    auto_repair                 = optional(bool, true)<br>    auto_upgrade                = optional(bool, true)<br>    max_surge                   = optional(number, 1)<br>    max_unavailable             = optional(number, 0)<br>  })</pre> | `{}` | no |
-| <a name="input_cluster_network_name"></a> [cluster\_network\_name](#input\_cluster\_network\_name) | Network name for the cluster | `string` | n/a | yes |
+| <a name="input_cluster_network_id"></a> [cluster\_network\_id](#input\_cluster\_network\_id) | Network ID for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_networking_mode"></a> [cluster\_networking\_mode](#input\_cluster\_networking\_mode) | Networking mode for the cluster. Values can be VPC\_NATIVE (recommended) or ROUTES. VPC\_NATIVE is default after google-beta 5.0.0 | `string` | `"VPC_NATIVE"` | no |
 | <a name="input_cluster_node_locations"></a> [cluster\_node\_locations](#input\_cluster\_node\_locations) | AZ for nodes - this should match the region | `list(string)` | n/a | yes |
-| <a name="input_cluster_secondary_range_name"></a> [cluster\_secondary\_range\_name](#input\_cluster\_secondary\_range\_name) | VPC Secondary range name for pods | `string` | `"notpods"` | no |
+| <a name="input_cluster_secondary_range_name"></a> [cluster\_secondary\_range\_name](#input\_cluster\_secondary\_range\_name) | VPC Secondary range name for pods | `string` | `""` | no |
 | <a name="input_cluster_subnet_id"></a> [cluster\_subnet\_id](#input\_cluster\_subnet\_id) | Subnetwork name for the cluster. | `string` | n/a | yes |
 | <a name="input_control_plane_enabled"></a> [control\_plane\_enabled](#input\_control\_plane\_enabled) | Whether control plane is enabled or not | `bool` | `false` | no |
 | <a name="input_control_plane_pool_config"></a> [control\_plane\_pool\_config](#input\_control\_plane\_pool\_config) | Control plane node pool config | <pre>object({<br>    disk_size_gb = optional(string, "100")<br>    disk_type    = optional(string, "pd-balanced")<br>    machine_type = optional(string, "e2-medium")<br>    autoscaling = optional(object({<br>      min_node_count  = optional(number, 1)<br>      max_node_count  = optional(number, 2)<br>      location_policy = optional(string, "BALANCED")<br>    }), {})<br>    enable_secure_boot            = optional(bool, true)<br>    enable_integrity_monitoring   = optional(bool, true)<br>    auto_repair                   = optional(bool, true)<br>    auto_upgrade                  = optional(bool, true)<br>    workload_metadata_config_mode = optional(string, "GKE_METADATA")<br>    service_account               = optional(string, "default")<br>    labels = optional(map(string), {<br>      "class.truefoundry.io/component" = "control-plane"<br>    })<br>    taints = optional(object(<br>      {<br>        key    = optional(string, "class.truefoundry.io/component")<br>        value  = optional(string, "control-plane")<br>        effect = optional(string, "NO_SCHEDULE")<br>      }<br>    ), {})<br>    preemptible = optional(bool, false)<br>    spot        = optional(bool, true)<br>  })</pre> | `{}` | no |
@@ -54,8 +53,8 @@ No modules.
 | <a name="input_oauth_scopes"></a> [oauth\_scopes](#input\_oauth\_scopes) | Oauth Scopes to attach to the cluste | `list(string)` | <pre>[<br>  "https://www.googleapis.com/auth/cloud-platform",<br>  "https://www.googleapis.com/auth/devstorage.read_only",<br>  "https://www.googleapis.com/auth/logging.write",<br>  "https://www.googleapis.com/auth/monitoring",<br>  "https://www.googleapis.com/auth/service.management.readonly",<br>  "https://www.googleapis.com/auth/servicecontrol",<br>  "https://www.googleapis.com/auth/trace.append"<br>]</pre> | no |
 | <a name="input_project"></a> [project](#input\_project) | GCP Project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | region | `string` | n/a | yes |
-| <a name="input_services_ipv4_cidr_block"></a> [services\_ipv4\_cidr\_block](#input\_services\_ipv4\_cidr\_block) | The IP address range of the services IPs in this cluster. Set to blank to have a range chosen with the default size. Optional with services\_secondary\_range\_name | `string` | `""` | no |
 | <a name="input_services_secondary_range_name"></a> [services\_secondary\_range\_name](#input\_services\_secondary\_range\_name) | VPC Secondary range name for services | `string` | `""` | no |
+| <a name="input_shared_vpc"></a> [shared\_vpc](#input\_shared\_vpc) | Flag to enable shared VPC | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs
@@ -64,9 +63,7 @@ No modules.
 |------|-------------|
 | <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server |
 | <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready |
-| <a name="output_cluster_ipv4_cidr_block"></a> [cluster\_ipv4\_cidr\_block](#output\_cluster\_ipv4\_cidr\_block) | IPv4 CIDR block for pods |
 | <a name="output_cluster_master_version"></a> [cluster\_master\_version](#output\_cluster\_master\_version) | Master version for the cluster |
 | <a name="output_cluster_secondary_range_name"></a> [cluster\_secondary\_range\_name](#output\_cluster\_secondary\_range\_name) | Cluster secondary range name for pod IPs |
-| <a name="output_services_ipv4_cidr_block"></a> [services\_ipv4\_cidr\_block](#output\_services\_ipv4\_cidr\_block) | IPv4 CIDR block for service |
 | <a name="output_services_secondary_range_name"></a> [services\_secondary\_range\_name](#output\_services\_secondary\_range\_name) | Cluster secondry range name for service IPs |
 <!-- END_TF_DOCS -->
diff --git a/gke.tf b/gke.tf
@@ -12,7 +12,7 @@ resource "google_container_cluster" "cluster" {
   initial_node_count          = 1
   networking_mode             = var.cluster_networking_mode
   min_master_version          = var.kubernetes_version
-  network                     = var.cluster_network_name
+  network                     = var.cluster_network_id
   subnetwork                  = var.cluster_subnet_id
   enable_shielded_nodes       = true
   enable_intranode_visibility = true
@@ -135,11 +135,8 @@ resource "google_container_cluster" "cluster" {
 
   # Configuration of cluster IP allocation for VPC-native clusters
   ip_allocation_policy {
-    cluster_secondary_range_name  = var.cluster_secondary_range_name != "" ? var.cluster_secondary_range_name : null
-    services_secondary_range_name = var.services_secondary_range_name != "" ? var.services_secondary_range_name : null
-
-    cluster_ipv4_cidr_block  = var.cluster_secondary_range_name == "" ? var.cluster_ipv4_cidr_block : null
-    services_ipv4_cidr_block = var.cluster_secondary_range_name == "" ? var.services_ipv4_cidr_block : null
+    cluster_secondary_range_name  = var.cluster_secondary_range_name
+    services_secondary_range_name = var.services_secondary_range_name
   }
 
   release_channel {
@@ -256,10 +253,11 @@ resource "google_container_node_pool" "control_plane_pool" {
 #  *****************************************/
 resource "google_compute_firewall" "fix_webhooks" {
   # count       = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
+  count       = var.shared_vpc ? 0 : 1
   name        = "${var.cluster_name}-webhook"
   description = "Allow Nodes access to Control Plane"
   project     = var.project
-  network     = var.cluster_network_name
+  network     = var.cluster_network_id
   priority    = 1000
   direction   = "INGRESS"
 

diff --git a/output.tf b/output.tf
@@ -22,15 +22,8 @@ output "cluster_secondary_range_name" {
   description = "Cluster secondary range name for pod IPs"
   value       = var.cluster_secondary_range_name
 }
+
 output "services_secondary_range_name" {
   description = "Cluster secondry range name for service IPs"
   value       = var.services_secondary_range_name
-}
-output "cluster_ipv4_cidr_block" {
-  description = "IPv4 CIDR block for pods"
-  value       = var.cluster_ipv4_cidr_block
-}
-output "services_ipv4_cidr_block" {
-  description = "IPv4 CIDR block for service"
-  value       = var.services_ipv4_cidr_block
 }
diff --git a/variables.tf b/variables.tf
@@ -137,8 +137,14 @@ variable "control_plane_pool_config" {
 # Network
 ################################################################################
 
-variable "cluster_network_name" {
-  description = "Network name for the cluster"
+variable "shared_vpc" {
+  description = "Flag to enable shared VPC"
+  type        = bool
+  default     = false
+}
+
+variable "cluster_network_id" {
+  description = "Network ID for the cluster"
   type        = string
 }
 
@@ -159,29 +165,17 @@ variable "cluster_master_ipv4_cidr_block" {
 }
 
 variable "cluster_secondary_range_name" {
-  default     = "notpods"
+  default     = ""
   type        = string
   description = "VPC Secondary range name for pods"
 }
 
-variable "cluster_ipv4_cidr_block" {
-  description = "The IP address range for the cluster pod IPs. Set to blank to have a range chosen with the default size. Optional with cluster_ipv4_cidr_block"
-  type        = string
-  default     = ""
-}
-
 variable "services_secondary_range_name" {
   default     = ""
   type        = string
   description = "VPC Secondary range name for services"
 }
 
-variable "services_ipv4_cidr_block" {
-  default     = ""
-  description = "The IP address range of the services IPs in this cluster. Set to blank to have a range chosen with the default size. Optional with services_secondary_range_name"
-  type        = string
-}
-
 variable "allowed_ip_ranges" {
   description = "Allowed IP ranges to connect to master"
   default     = ["0.0.0.0/0"]