Performance Improvements (#173)

* Added Source Repo Name and Control plane type vars
* Updated GW CRDs to v0.5.0

Co-authored-by: Nick Eberts <[email protected]>

Author: knee-berts

cli/cmd/update.go

@@ -42,6 +42,24 @@ var updateCmd = &cobra.Command{
 		}
 		lifecycle.InitTF("cluster_build")
 		lifecycle.ApplyTF("cluster_build")
+
+		// Authenticate Kubernetes client-go to all clusters
+		log.Info("☸️ Generating Kubeconfig...")
+		kc, err := lifecycle.GenerateKubeConfig(conf)
+		if err != nil {
+			log.Errorf("🚨 Failed to generate kube config: %s", err)
+		} else {
+			log.Infof("✅ Kubeconfig generated: %+v", kc)
+		}
+
+		// Verify access to Kubernetes API on all clusters
+		log.Info("☸️  Verifying Kubernetes API access for all clusters...")
+		err = lifecycle.ListNamespaces(kc)
+		if err != nil {
+			log.Errorf("🚨 Failed API access check on clusters: %s", err)
+		} else {
+			log.Info("✅ Clusters API access check passed.")
+		}
 	},
 }
 

cli/pkg/cli_init/cluster_build/main.tf

@@ -2,13 +2,12 @@ module "cluster_build" {
   source                            = "{{.TFModuleRepo}}cluster_build?ref={{.TFModuleBranch}}"
   project_id                        = var.project_id
   governance_project_id             = var.governance_project_id
+  regional_clusters                 = var.regional_clusters
   region                            = var.region
   zones                             = var.zones
   shared_vpc                        = var.shared_vpc
   vpc_name                          = var.vpc_name
   ip_range_pods_name                = var.ip_range_pods_name
-  bastion_members                   = var.bastion_members
-  ip_source_ranges_ssh              = var.ip_source_ranges_ssh
   vpc_project_id                    = var.vpc_project_id
   vpc_ip_range_pods_name            = var.vpc_ip_range_pods_name
   vpc_ip_range_services_name        = var.vpc_ip_range_services_name
@@ -22,6 +21,7 @@ module "cluster_build" {
   private_endpoint                  = var.private_endpoint
   auth_cidr                         = var.auth_cidr
   config_sync                       = var.config_sync
+  config_sync_repo                  = var.config_sync_repo
   policy_controller                 = var.policy_controller
   config_connector                  = var.config_connector
   windows_nodepool                  = var.windows_nodepool
@@ -30,7 +30,7 @@ module "cluster_build" {
   k8s_users                         = var.k8s_users
   multi_cluster_gateway             = var.multi_cluster_gateway
   anthos_service_mesh               = var.anthos_service_mesh
-  acm_tf_module_repo                = "{{.TFModuleRepo}}acm?ref={{.TFModuleBranch}}"
+  gke_module_bypass                 = var.gke_module_bypass
 }
 
 variable "project_id" {
@@ -43,6 +43,12 @@ variable "governance_project_id" {
   description = "The project ID to host governance resources"
 }
 
+variable "regional_clusters" {
+  type        = bool
+  description = "Enable regional control plane."
+  default     = true
+}
+
 variable "region" {
   type        = string
   description = "The region to host the cluster in"
@@ -79,18 +85,6 @@ variable "ip_range_services_name" {
   default     = "ip-range-svc"
 }
 
-variable "bastion_members" {
-  type        = list(string)
-  description = "List of users, groups, SAs who need access to the bastion host"
-  default     = []
-}
-
-variable "ip_source_ranges_ssh" {
-  type        = list(string)
-  description = "Additional source ranges to allow for ssh to bastion host. 35.235.240.0/20 allowed by default for IAP tunnel."
-  default     = []
-}
-
 variable "vpc_project_id" {
   type        = string
   description = "The Share VPC Project ID - This is optional and only valid if a Shared VPC is used"
@@ -161,6 +155,12 @@ variable "config_sync" {
   default     = true
 }
 
+variable "config_sync_repo" {
+  type        = string
+  description = "Name of Cloud Source Repo for Config Sync"
+  default     = "gke-poc-config-sync"
+}
+
 variable "policy_controller" {
   type        = bool
   description = "Enable Policy Controller on all clusters."
@@ -170,7 +170,7 @@ variable "policy_controller" {
 variable "config_connector" {
   type        = bool
   description = "(Beta) Whether ConfigConnector is enabled for this cluster."
-  default     = true
+  default     = false
 }
 
 variable "windows_nodepool" {
@@ -207,4 +207,10 @@ variable "anthos_service_mesh" {
   type        = bool
   description = "Enable Anthos Service Mesh on all clusters."
   default     = true
-}
+}
+
+ variable "gke_module_bypass" {
+  type = bool
+  description = "Experimental: Setting this to true allows you to use the TF GKE resource directly instead of the GKE module"
+  default = false
+ }

cli/pkg/cli_init/samples/default-config.yaml

@@ -6,20 +6,23 @@ terraformState: cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project"
 region: "us-central1"
+regionalClusters: true
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 enableWindowsNodepool: false
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
 configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: true
 multiClusterGateway: false
 anthosServiceMesh: false
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"

cli/pkg/cli_init/samples/module-bypass-multi-clusters-networking-acm-standalone-vpc.yaml

@@ -0,0 +1,50 @@
+terraformState: cloud  # local, cloud
+clustersProjectId: "my-project"
+governanceProjectId: "my-project" 
+regionalClusters: false # Control plane availability
+region: "us-east1" # Region for resources aside from GKE clusters
+enableWindowsNodepool: false 
+enablePreemptibleNodepool: false # Enforced on Linux Node pools only
+privateEndpoint: false
+releaseChannel: REGULAR
+defaultNodepoolOS: cos
+initialNodeCount: 10
+maxNodeCount: 10
+minNodeCount: 1
+configSync: true 
+configSyncRepo: "config-sync-repo" 
+policyController: true
+multiClusterGateway: true
+anthosServiceMesh: true
+tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
+tfModuleBranch: "main"
+gkeModuleBypass: true
+sendAnalytics: false
+vpcConfig:
+  vpcName: "gke-poc-toolkit"
+  vpcType: "standalone" # standalone, shared 
+  vpcProjectId: "my-host-project"
+  podCIDRName: "mypodcidr"
+  svcCIDRName: "mysvccidr"
+  authCIDR: "0.0.0.0/0" # Change to your workstation public IP
+clustersConfig:  # a list of one or more clusters, each with their own config 
+- clusterName: "gke-central"
+  machineType: "e2-standard-4"
+  region: "us-central1"
+  zones: ["us-central1-b"]
+  subnetName: "us-central1"
+- clusterName: "gke-east"
+  machineType: "e2-standard-4"
+  region: "us-east1"
+  zones: ["us-east1-b"]
+  subnetName: "us-east1"
+- clusterName: "gke-west"
+  machineType: "e2-standard-4"
+  region: "us-west1"
+  zones: ["us-west1-b"]
+  subnetName: "us-west1"
+- clusterName: "gke-eu-north"
+  machineType: "e2-standard-4"
+  region: "europe-north1"
+  zones: ["europe-north1-c"]
+  subnetName: "europe-north1"

cli/pkg/cli_init/samples/multi-clusters-acm-shared-vpc.yaml

@@ -1,30 +1,32 @@
-# sample-config.yaml
 terraformState: cloud  # local, cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project" 
+regionalClusters: true # Control plane availability
 region: "us-east1" # Region for resources aside from GKE clusters
 enableWindowsNodepool: false 
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
 configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: true
 multiClusterGateway: false
 anthosServiceMesh: false
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"
   vpcType: "shared" # standalone, shared 
-  vpcProjectId: "my-host-project" # Required if you are using a sharedVPC
+  vpcProjectId: "my-host-project"
   podCIDRName: "mypodcidr"
   svcCIDRName: "mysvccidr"
-  authCIDR: "0.0.0.0/0" # only needed if enabling private endpoints for clusters
+  authCIDR: "0.0.0.0/0" # Change to your workstation public IP
 clustersConfig:  # a list of one or more clusters, each with their own config 
 - clusterName: "gke-central"
   machineType: "e2-standard-4"

cli/pkg/cli_init/samples/multi-clusters-acm-standalone-vpc.yaml

@@ -1,30 +1,32 @@
-# sample-config.yaml
 terraformState: cloud  # local, cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project" 
+regionalClusters: true # Control plane availability
 region: "us-east1" # Region for resources aside from GKE clusters
 enableWindowsNodepool: false 
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
 configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: true
 multiClusterGateway: false
 anthosServiceMesh: false
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"
   vpcType: "standalone" # standalone, shared 
-  vpcProjectId: "my-host-project" # Required if you are using a sharedVPC
+  vpcProjectId: "my-host-project"
   podCIDRName: "mypodcidr"
   svcCIDRName: "mysvccidr"
-  authCIDR: "0.0.0.0/0" # only needed if enabling private endpoints for clusters
+  authCIDR: "0.0.0.0/0" # Change to your workstation public IP
 clustersConfig:  # a list of one or more clusters, each with their own config 
 - clusterName: "gke-central"
   machineType: "e2-standard-4"

cli/pkg/cli_init/samples/multi-clusters-networking-acm-shared-vpc.yaml

@@ -1,30 +1,32 @@
-# multi-cluster.yaml
 terraformState: cloud  # local, cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project" 
+regionalClusters: true # Control plane availability
 region: "us-east1" # Region for resources aside from GKE clusters
 enableWindowsNodepool: false 
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
 configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: true
 multiClusterGateway: true
 anthosServiceMesh: true
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"
   vpcType: "shared" # standalone, shared 
-  vpcProjectId: "my-host-project" # Required if you are using a sharedVPC
+  vpcProjectId: "my-host-project"
   podCIDRName: "mypodcidr"
   svcCIDRName: "mysvccidr"
-  authCIDR: "0.0.0.0/0" # only needed if enabling private endpoints for clusters
+  authCIDR: "0.0.0.0/0" # Change to your workstation public IP
 clustersConfig:  # a list of one or more clusters, each with their own config 
 - clusterName: "gke-central"
   machineType: "e2-standard-4"

cli/pkg/cli_init/samples/multi-clusters-networking-acm-standalone-vpc.yaml

@@ -1,35 +1,37 @@
-# sample-config.yaml
 terraformState: cloud  # local, cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project" 
+regionalClusters: true # Control plane availability
 region: "us-east1" # Region for resources aside from GKE clusters
 enableWindowsNodepool: false 
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
 configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: true
 multiClusterGateway: true
 anthosServiceMesh: true
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"
   vpcType: "standalone" # standalone, shared 
-  vpcProjectId: "my-host-project" # Required if you are using a sharedVPC
+  vpcProjectId: "my-host-project"
   podCIDRName: "mypodcidr"
   svcCIDRName: "mysvccidr"
-  authCIDR: "0.0.0.0/0" # only needed if enabling private endpoints for clusters
+  authCIDR: "0.0.0.0/0"  # Change to your workstation public IP
 clustersConfig:  # a list of one or more clusters, each with their own config 
 - clusterName: "gke-central"
   machineType: "e2-standard-4"
-  region: "us-central1" 
-  zones: ["us-central1-a"]
+  region: "us-central1"
+  zones: ["us-central1-b"]
   subnetName: "us-central1"
 - clusterName: "gke-east"
   machineType: "e2-standard-4"

cli/pkg/cli_init/samples/multi-clusters-shared-vpc.yaml

@@ -1,30 +1,32 @@
-# sample-config.yaml
 terraformState: cloud  # local, cloud
 clustersProjectId: "my-project"
 governanceProjectId: "my-project" 
+regionalClusters: true # Control plane availability
 region: "us-east1" # Region for resources aside from GKE clusters
 enableWindowsNodepool: false 
 enablePreemptibleNodepool: false # Enforced on Linux Node pools only
 privateEndpoint: false
 releaseChannel: REGULAR
 defaultNodepoolOS: cos
-initialNodeCount: 1
+initialNodeCount: 10
 maxNodeCount: 10
 minNodeCount: 1
-configSync: false
+configSync: true 
+configSyncRepo: "config-sync-repo" 
 policyController: false
 multiClusterGateway: false
 anthosServiceMesh: false
 tfModuleRepo: "github.com/GoogleCloudPlatform/gke-poc-toolkit//terraform/modules/"
 tfModuleBranch: "main"
+gkeModuleBypass: false
 sendAnalytics: false
 vpcConfig:
   vpcName: "gke-poc-toolkit"
   vpcType: "shared" # standalone, shared 
-  vpcProjectId: "my-host-project" # Required if you are using a sharedVPC
+  vpcProjectId: "my-host-project"
   podCIDRName: "mypodcidr"
   svcCIDRName: "mysvccidr"
-  authCIDR: "0.0.0.0/0" # only needed if enabling private endpoints for clusters
+  authCIDR: "0.0.0.0/0" # Change to your workstation public IP
 clustersConfig:  # a list of one or more clusters, each with their own config 
 - clusterName: "gke-central"
   machineType: "e2-standard-4"