Merge branch 'main' into huge_pages

Author: apeabody

Diff for: CHANGELOG.md

@@ -6,6 +6,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [36.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v36.0.2...v36.1.0) (2025-03-10)
+
+
+### Features
+
+* add confidential nodes example ([#2227](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2227)) ([2ae739b](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/2ae739be0e7a3f71c2e613260c096d46eeaebed7))
+* add enterprise config ([#2298](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2298)) ([adaabbf](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/adaabbfbc2e6449719e19402f73886e906f45f86))
+* add node_affinity ([#2295](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2295)) ([0e7a249](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0e7a2493e74721cd3a8e946ba30248904b180825))
+* Add possibility to setup private nodes pool if global configuration is different ([#2290](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2290)) ([aadc860](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/aadc8605be10db5d50b06b943573adb9df0d5dce))
+* Make autoscaling resource limits optional ([#2301](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2301)) ([99fc4ce](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/99fc4ced63cde4793db69425e7126db1396a64f1))
+* workload_identity - add image pull secrets ([#2276](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2276)) ([8d5c9a4](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8d5c9a4c9e434438af86aca64fd58ee3f96ef3a4))
+
+
+### Bug Fixes
+
+* network_config with just enable_private_nodes ([#2292](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2292)) ([d49c3bf](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d49c3bf156365c0bf8ba6525197cafd930e0da15))
+
 ## [36.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v36.0.1...v36.0.2) (2025-02-11)
 
 

Diff for: README.md

@@ -145,7 +145,7 @@ Then perform the following commands on the root folder:
 | additive\_vpc\_scope\_dns\_domain | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = number<br>    max_cpu_cores               = number<br>    min_memory_gb               = number<br>    max_memory_gb               = number<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
+| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = optional(number)<br>    max_cpu_cores               = optional(number)<br>    min_memory_gb               = optional(number)<br>    max_memory_gb               = optional(number)<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
@@ -180,6 +181,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
+| enterprise\_config | (Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE. | `string` | `null` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
@@ -358,6 +360,7 @@ The node_pools variable takes the following parameters:
 | placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired |  | Optional |
 | pod_range |  The name of the secondary range for pod IPs. |  | Optional |
 | enable_private_nodes |  Whether nodes have internal IP addresses only. |  | Optional |
+| node_affinity | The node affinty in the format `"{\"key\": \"compute.googleapis.com/node-group-name\", \"operator\": \"IN\", \"values\": [\"node-group-name\"]}"`. |  | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters |  | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |

Diff for: autogen/main/README.md

@@ -245,6 +245,7 @@ The node_pools variable takes the following parameters:
 {% if not private_cluster %}
 | enable_private_nodes |  Whether nodes have internal IP addresses only. |  | Optional |
 {% endif %}
+| node_affinity | The node affinty in the format `"{\"key\": \"compute.googleapis.com/node-group-name\", \"operator\": \"IN\", \"values\": [\"node-group-name\"]}"`. |  | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters |  | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |

Diff for: autogen/main/cluster.tf.tmpl

@@ -260,6 +260,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "enterprise_config" {
+    for_each = var.enterprise_config != null ? [1] : []
+      content {
+        desired_tier = var.enterprise_config
+    }
+  }
+
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% if autopilot_cluster %}
   enable_autopilot = true
@@ -529,6 +536,7 @@ resource "google_container_cluster" "primary" {
       machine_type                = lookup(var.node_pools[0], "machine_type", "e2-medium")
       min_cpu_platform            = lookup(var.node_pools[0], "min_cpu_platform", "")
       enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
+      disk_type                   = lookup(var.node_pools[0], "disk_type", null)
       dynamic "gcfs_config" {
         for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
         content {
@@ -565,6 +573,21 @@ resource "google_container_cluster" "primary" {
         }
       }
 
+      dynamic "sole_tenant_config" {
+        # node_affinity is currently the only member of sole_tenant_config
+        for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [true] : []
+        content {
+          dynamic "node_affinity" {
+            for_each = lookup(var.node_pools[0], "node_affinity", null) != null ? [lookup(var.node_pools[0], "node_affinity", null)] : []
+            content {
+              key = lookup(jsondecode(node_affinity.value), "key", null)
+              operator = lookup(jsondecode(node_affinity.value), "operator", null)
+              values = lookup(jsondecode(node_affinity.value), "values", [])
+            }
+          }
+        }
+      }
+
       service_account = lookup(var.node_pools[0], "service_account", local.service_account)
 
       tags = concat(
@@ -644,15 +667,20 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+{% endif %}
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null {% if private_cluster %}|| (var.enable_private_endpoint && var.deploy_using_private_endpoint) {% endif %}? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+ {% if private_cluster %}
+        # TODO: Migrate to only dns_allow_external_traffic in next breaking release
+        allow_external_traffic = var.dns_allow_external_traffic == true || var.deploy_using_private_endpoint
+{% else %}
+        allow_external_traffic = var.dns_allow_external_traffic
+{% endif %}
       }
     }
   }
-{% endif %}
 
   {% if autopilot_cluster != true %}
   remove_default_node_pool = var.remove_default_node_pool
@@ -876,11 +904,11 @@ resource "google_container_node_pool" "windows_pools" {
   }
 
   dynamic "network_config" {
-    for_each = length(lookup(each.value, "pod_range", "")) > 0  ? [each.value] : []
+    for_each = length(lookup(each.value, "pod_range", "")) > 0 || lookup(each.value, "enable_private_nodes", null) != null ? [each.value] : []
     content {
       pod_range            = lookup(network_config.value, "pod_range", null)
       {% if private_cluster %}
-      enable_private_nodes = var.enable_private_nodes
+      enable_private_nodes = lookup(network_config.value, "enable_private_nodes", var.enable_private_nodes)
       {% else %}
       enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
       {% endif %}
@@ -1094,6 +1122,21 @@ resource "google_container_node_pool" "windows_pools" {
         pod_pids_limit                         = lookup(each.value, "pod_pids_limit", null)
       }
     }
+
+    dynamic "sole_tenant_config" {
+      # node_affinity is currently the only member of sole_tenant_config
+      for_each = lookup(each.value, "node_affinity", null) != null ? [true] : []
+      content {
+        dynamic "node_affinity" {
+          for_each = lookup(each.value, "node_affinity", null) != null ? [lookup(each.value, "node_affinity", null)] : []
+          content {
+            key = lookup(jsondecode(node_affinity.value), "key", null)
+            operator = lookup(jsondecode(node_affinity.value), "operator", null)
+            values = lookup(jsondecode(node_affinity.value), "values", [])
+          }
+        }
+      }
+    }
     {% if beta_cluster %}
 
     dynamic "sandbox_config" {

Diff for: autogen/main/variables.tf.tmpl

@@ -300,10 +300,10 @@ variable "cluster_autoscaling" {
   type = object({
     enabled                     = bool
     autoscaling_profile         = string
-    min_cpu_cores               = number
-    max_cpu_cores               = number
-    min_memory_gb               = number
-    max_memory_gb               = number
+    min_cpu_cores               = optional(number)
+    max_cpu_cores               = optional(number)
+    min_memory_gb               = optional(number)
+    max_memory_gb               = optional(number)
     gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))
     auto_repair                 = bool
     auto_upgrade                = bool
@@ -1059,3 +1059,19 @@ variable "monitoring_metric_writer_role" {
     error_message = "The monitoring_metric_writer_role must be either a predefined role (roles/*) or a custom role (projects/*/roles/*)."
   }
 }
+
+variable "enterprise_config" {
+  description = "(Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.enterprise_config == null ? true : contains(["STANDARD", "ENTERPRISE"], var.enterprise_config)
+    error_message = "The enterprise_config variable must be either null, STANDARD, or ENTERPRISE."
+  }
+}
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}

Diff for: autogen/main/versions.tf.tmpl

@@ -63,6 +63,6 @@ terraform {
     }
   }
   provider_meta "{% if beta_cluster %}google-beta{% else %}google{% endif %}" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v36.0.2"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v36.1.0"
   }
 }

Diff for: autogen/safer-cluster/main.tf.tmpl

@@ -107,8 +107,10 @@ module "gke" {
   logging_service    = var.logging_service
   monitoring_service = var.monitoring_service
 
-  monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus
-  monitoring_enabled_components        = var.monitoring_enabled_components
+  monitoring_enable_managed_prometheus    = var.monitoring_enable_managed_prometheus
+  monitoring_enable_observability_metrics = var.monitoring_enable_observability_metrics
+  monitoring_enable_observability_relay   = var.monitoring_enable_observability_relay
+  monitoring_enabled_components           = var.monitoring_enabled_components
 
   enable_confidential_nodes = var.enable_confidential_nodes
 

Diff for: autogen/safer-cluster/variables.tf.tmpl

@@ -280,6 +280,18 @@ variable "monitoring_enable_managed_prometheus" {
   default     = false
 }
 
+variable "monitoring_enable_observability_metrics" {
+  type        = bool
+  description = "Whether or not the advanced datapath metrics are enabled."
+  default     = false
+}
+
+variable "monitoring_enable_observability_relay" {
+  type        = bool
+  description = "Whether or not the advanced datapath relay is enabled."
+  default     = false
+}
+
 variable "monitoring_enabled_components" {
   type        = list(string)
   description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."

Diff for: autogen/safer-cluster/versions.tf.tmpl

@@ -23,6 +23,6 @@ terraform {
   required_version = ">=1.3"
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v36.0.2"
+    module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v36.1.0"
   }
 }