From 5866e3a4f52cf4c50cf9c34c2e5f37f3f48e8ede Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Tue, 20 Aug 2019 17:19:37 +0100 Subject: [PATCH 1/3] Add authenticator_security_group --- autogen/cluster.tf | 7 +++++++ autogen/main.tf | 4 ++++ autogen/variables.tf | 5 +++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/main.tf | 4 ++++ modules/beta-private-cluster/variables.tf | 5 +++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/main.tf | 4 ++++ modules/beta-public-cluster/variables.tf | 5 +++++ 11 files changed, 50 insertions(+) diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 21dfdeb93c..664de67855 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -189,6 +189,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } {% endif %} } diff --git a/autogen/main.tf b/autogen/main.tf index cf67bd9e08..bec1db35ca 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -71,6 +71,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + {% endif %} cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/variables.tf b/autogen/variables.tf index 59f8408b2f..28a94d47c2 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
@@ -383,5 +383,10 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} {% endif %} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f2cd8c925a..20bc92e088 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4ccffeb4ec..d887d332ed 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -176,6 +176,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** 
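Review bot: The description of `authenticator_security_group` says how the name must be formatted but not what turning it on does or who it trusts, and since this setting controls how RBAC group subjects are resolved for the whole cluster that belongs in the variable doc. Suggest `description = "(Beta) Enables Google Groups for GKE RBAC: the Google Group GKE uses to resolve group membership for RBAC subjects. Must be named in the form gke-security-groups@yourdomain.com. Leave unset to keep group-based RBAC disabled. Note that whoever administers this group's membership effectively controls which groups RBAC bindings can match, so treat it as cluster authorization configuration."` The last sentence reflects my understanding of how the feature resolves groups rather than anything visible in this hunk, so confirm the wording against the GKE docs before adopting it.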
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 16da0d4ee9..cd84411a75 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cd8b420c1a..1e2570df58 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -380,4 +380,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7240337192..37e20da9f8 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 802bcd25e9..c26d85ff50 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -171,6 +171,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f99d4d9056..6f30b50bc4 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -66,6 +66,10 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 8699854665..48578c94cc 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -356,4 +356,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = "" +} From 7982705eff718419e074379a41467db1c2a812c2 Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 21 Aug 2019 12:27:48 +0100 Subject: [PATCH 2/3] Changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 61d6432d64..bc8100810d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Extending the adopted spec, each change should have a link to its corresponding * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] +* Support for Google Groups based RBAC beta feature [#217] ## [v4.1.0] 2019-07-24 From 25aed4187743da7581342a89b8d8650b4861b6ba Mon Sep 17 00:00:00 2001 From: Devan Patel Date: Wed, 21 Aug 2019 12:30:42 +0100 Subject: [PATCH 3/3] Change default value to null --- autogen/main.tf | 2 +- autogen/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/main.tf | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/main.tf | 2 +- modules/beta-public-cluster/variables.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/autogen/main.tf b/autogen/main.tf index bec1db35ca..9d6476b916 100644 --- a/autogen/main.tf +++ b/autogen/main.tf 
@@ -71,7 +71,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/autogen/variables.tf b/autogen/variables.tf index 28a94d47c2..3a9ab150e0 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -386,7 +386,7 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null } {% endif %} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 20bc92e088..05953da8cd 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -136,7 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | 
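Review bot: Changing the guard to `== null` drops the empty-string case, so a caller who passes `authenticator_security_group = ""` (the previous default, and a common way to "unset" a string variable) now yields a one-element list and the module emits `authenticator_groups_config { security_group = "" }` instead of leaving group-based RBAC disabled; that will most likely be rejected by the API at apply time, which is the best case, since it is precisely the failure mode a security-control toggle should not have. Keep both checks: `cluster_authenticator_security_group = (var.authenticator_security_group == null || var.authenticator_security_group == "") ? [] : [{`. The same line is copied into the generated `beta-private-cluster` and `beta-public-cluster` `main.tf`, so fix it in `autogen` and regenerate rather than patching the copies by hand.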
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index cd84411a75..43fea3b6dc 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,7 +66,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 1e2570df58..b7bcdc6254 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -383,6 +383,6 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 37e20da9f8..f0c94af027 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -131,7 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `""` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 6f30b50bc4..db5138e99f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -66,7 +66,7 @@ locals { node_metadata = var.node_metadata }] - cluster_authenticator_security_group = var.authenticator_security_group == "" ? [] : [{ + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 48578c94cc..ec4e5fdb8d 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -359,6 +359,6 @@ variable "identity_namespace" { variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" - default = "" + default = null }