diff --git a/README.md b/README.md
index 3d8e091035..3f941e3d2c 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,7 @@ Then perform the following commands on the root folder:
 | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
@@ -215,6 +216,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -436,7 +438,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v6.41+ +- [Terraform Provider for GCP][terraform-provider-google] v6.47+ #### gcloud diff --git a/autogen/main/README.md b/autogen/main/README.md index 92a0296679..d8559f66a1 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -319,9 +319,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [Terraform](https://www.terraform.io/downloads.html) 1.3+ {% if beta_cluster %} -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ {% else %} -- [Terraform Provider for GCP][terraform-provider-google] v6.41+ +- [Terraform Provider for GCP][terraform-provider-google] v6.47+ {% endif %} #### gcloud diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ef9e3282ed..88590e6328 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -401,6 +401,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + {% if autopilot_cluster != true %} network_policy_config { disabled = !var.network_policy diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 87a6e2024b..f70041a524 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
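Review bot: `enable_legacy_lustre_port` is read only inside the new `dynamic "lustre_csi_driver_config"` block in the `cluster.tf.tmpl` hunk, so with the default `lustre_csi_driver = null` a caller who sets `enable_legacy_lustre_port = true` gets no block and no error, and the port workaround is silently not applied. Because the module still supports Terraform 1.3, a cross-variable `validation` is not available; a `precondition` on the cluster resource with `condition = !var.enable_legacy_lustre_port || var.lustre_csi_driver == true` would turn that into a plan-time failure. Nothing in the block checks the cluster version the description ties the flag to (earlier than 1.33.2-gke.4780000), so the setting stays in place after an upgrade until someone removes it; a comment above the block such as `# LNet uses port 6988 when enable_legacy_lustre_port is true; remove the flag once the cluster is at or past 1.33.2-gke.4780000` would make that visible to whoever maintains node firewall rules. The enclosing resource block starts and ends outside the hunk, and the same block is repeated in the `cluster.tf` hunks of the root module and each `modules/*` variant.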
@@ -778,6 +778,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + {% if autopilot_cluster != true %} variable "network_policy" { type = bool diff --git a/cluster.tf b/cluster.tf index 5c8dad2e96..26b9581268 100644 --- a/cluster.tf +++ b/cluster.tf @@ -309,6 +309,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/docs/upgrading_to_v39.0.md b/docs/upgrading_to_v39.0.md new file mode 100644 index 0000000000..4cde96e53a --- /dev/null +++ b/docs/upgrading_to_v39.0.md @@ -0,0 +1,5 @@ +# Upgrading to v39.0 +The v39.0 release of *kubernetes-engine* is a backwards incompatible release. + +### Google Cloud Platform Provider upgrade +The Terraform Kubernetes Engine Module now requires version 6.47 or higher of the Google Cloud Platform Providers. diff --git a/metadata.display.yaml b/metadata.display.yaml index 7a8f2526d0..257dde893f 100644 --- a/metadata.display.yaml +++ b/metadata.display.yaml 
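Review bot: The two new descriptions in the `variables.tf.tmpl` hunk do not say what the defaults mean: `lustre_csi_driver = null` leaves the addon block out entirely (per the `for_each` in `cluster.tf.tmpl`), and `enable_legacy_lustre_port` has an effect only when `lustre_csi_driver` is set. The wording is also hard to parse ("a Lustre instances", "for GKE cluster runs a version", "workaround" used as a verb), and it is copied verbatim into every README and `metadata.yaml` touched by this commit. Suggested text: `"Whether the Lustre CSI driver addon is enabled, which allows Lustre instances to be used as volumes. null leaves the addon unconfigured."` and `"Set to true only for clusters running a GKE version earlier than 1.33.2-gke.4780000. Makes the Lustre CSI driver initialize LNet (the virtual network layer of the Lustre kernel module) on port 6988 to work around a port conflict with the gke-metadata-server on GKE nodes. Ignored unless lustre_csi_driver is set."` Adding `nullable = false` to `enable_legacy_lustre_port` would also keep an explicit `null` from reaching the provider argument.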
@@ -141,6 +141,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -252,6 +255,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -360,6 +366,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/metadata.yaml b/metadata.yaml index c09de2c34a..91fac188c5 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -601,6 +601,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 3715dd1af0..4822535d54 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -98,6 +98,7 @@ Then perform the following commands on the root folder: | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | 
@@ -129,6 +130,7 @@ Then perform the following commands on the root folder: | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -230,7 +232,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 2a7c1bd25b..9ef01a88c0 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf 
+++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -236,6 +236,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml index d8ed142100..cdcef34f4a 100644 --- a/modules/beta-autopilot-private-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml @@ -106,6 +106,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_multi_networking: name: enable_multi_networking title: Enable Multi Networking @@ -205,6 +208,9 @@ spec: logging_enabled_components: name: logging_enabled_components title: Logging Enabled Components + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -265,6 +271,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml index cf46d32831..478eae471b 100644 --- a/modules/beta-autopilot-private-cluster/metadata.yaml +++ b/modules/beta-autopilot-private-cluster/metadata.yaml 
@@ -426,6 +426,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: database_encryption description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." varType: list(object({ state = string, key_name = string })) diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 397a1a6985..9e8c533633 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -496,6 +496,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index e924a7832e..e3e5287c5f 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -91,6 +91,7 @@ Then perform the following commands on the root folder: | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | 
@@ -120,6 +121,7 @@ Then perform the following commands on the root folder: | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -216,7 +218,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index bb3943d06f..9f4abd91be 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf 
+++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -236,6 +236,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml index 589335cf21..8376674a12 100644 --- a/modules/beta-autopilot-public-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml @@ -103,6 +103,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_multi_networking: name: enable_multi_networking title: Enable Multi Networking @@ -196,6 +199,9 @@ spec: logging_enabled_components: name: logging_enabled_components title: Logging Enabled Components + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -247,6 +253,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml index a58d16ef8f..f69e5fea69 100644 --- a/modules/beta-autopilot-public-cluster/metadata.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.yaml 
@@ -404,6 +404,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: database_encryption description: "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." varType: list(object({ state = string, key_name = string })) diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 6d1a732c0d..a9cdf3c50a 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -460,6 +460,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3695af1b74..38c8717704 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -213,6 +213,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -257,6 +258,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -490,7 +492,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 9ad2f76600..fa26e7531a 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf 
+++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -322,6 +322,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml index 09b0d202bf..809533e104 100644 --- a/modules/beta-private-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml @@ -154,6 +154,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -286,6 +289,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -403,6 +409,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml index 03eb313c5c..0acbe1da9f 100644 --- a/modules/beta-private-cluster-update-variant/metadata.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.yaml 
@@ -594,6 +594,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 903e838710..e7dfcf3c36 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -733,6 +733,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 5a2f984cc4..4af2ff92f2 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -191,6 +191,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -235,6 +236,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -468,7 +470,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 85902c01ff..d24cdb61e3 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -322,6 +322,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml index f5dc6b1146..a8e2e1c0e1 100644 --- a/modules/beta-private-cluster/metadata.display.yaml +++ b/modules/beta-private-cluster/metadata.display.yaml @@ -154,6 +154,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -286,6 +289,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -403,6 +409,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml index f0791d9fed..b9814aa6fd 100644 --- a/modules/beta-private-cluster/metadata.yaml +++ b/modules/beta-private-cluster/metadata.yaml 
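Review bot: `enable_legacy_lustre_port` is silently dropped when `lustre_csi_driver` is left at its `null` default, because the `for_each` of the new `dynamic "lustre_csi_driver_config"` block then yields no block at all; an operator who sets only the port flag gets no effect and no error. A precondition such as `condition = var.enable_legacy_lustre_port != true || var.lustre_csi_driver == true` in the resource's `lifecycle` block would surface the mismatch at plan time; the resource body runs beyond this hunk, so whether a `lifecycle` block already exists is not visible here. The identical block is added in the cluster.tf hunks for beta-public-cluster-update-variant, beta-public-cluster, private-cluster-update-variant and private-cluster, and these copies look generated, so the change presumably belongs in the autogen template. The READMEs raise the provider requirement to v6.47+; confirm that each module's provider version constraint was raised as well, since an older provider would presumably reject the new block.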
@@ -594,6 +594,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 903e838710..e7dfcf3c36 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -733,6 +733,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" 
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index e1b89ce585..e9e9c3c64d 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -206,6 +206,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -248,6 +249,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -477,7 +479,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 19abc02a5c..b968df0e74 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf 
+++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -322,6 +322,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml index 7d39ce2fc5..727e08023c 100644 --- a/modules/beta-public-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml @@ -151,6 +151,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -277,6 +280,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -385,6 +391,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml index eca7455215..1ce6112253 100644 --- a/modules/beta-public-cluster-update-variant/metadata.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.yaml 
@@ -572,6 +572,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 139653566d..a3db7b3def 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -697,6 +697,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 304d4424ea..397dfea394 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -184,6 +184,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -226,6 +227,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -455,7 +457,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.41+ +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.47+ #### gcloud diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3892ed0ba0..5669a60f6e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -322,6 +322,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml index bcec9910d7..6c8998fb4d 100644 --- a/modules/beta-public-cluster/metadata.display.yaml +++ b/modules/beta-public-cluster/metadata.display.yaml @@ -151,6 +151,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -277,6 +280,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -385,6 +391,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml index ab13d22f63..4de97d01cc 100644 --- a/modules/beta-public-cluster/metadata.yaml +++ b/modules/beta-public-cluster/metadata.yaml 
@@ -572,6 +572,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 139653566d..a3db7b3def 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -697,6 +697,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" 
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml index 756a57a226..20d1a50662 100644 --- a/modules/gke-autopilot-cluster/metadata.yaml +++ b/modules/gke-autopilot-cluster/metadata.yaml @@ -569,9 +569,9 @@ spec: roles: - level: Project roles: - - roles/compute.admin - roles/container.admin - roles/iam.serviceAccountUser + - roles/compute.admin services: - compute.googleapis.com - container.googleapis.com diff --git a/modules/gke-standard-cluster/metadata.yaml b/modules/gke-standard-cluster/metadata.yaml index 13ce551921..df408e90b4 100644 --- a/modules/gke-standard-cluster/metadata.yaml +++ b/modules/gke-standard-cluster/metadata.yaml @@ -1008,9 +1008,9 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountUser - roles/compute.admin - roles/container.admin + - roles/iam.serviceAccountUser services: - compute.googleapis.com - container.googleapis.com diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 129b8ba126..ff84169cda 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -207,6 +207,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -246,6 +247,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -471,7 +473,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v6.41+ +- [Terraform Provider for GCP][terraform-provider-google] v6.47+ #### gcloud diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 7bf2019348..753413e199 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -309,6 +309,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml index 81d8812d39..929f42a28e 100644 --- a/modules/private-cluster-update-variant/metadata.display.yaml +++ b/modules/private-cluster-update-variant/metadata.display.yaml @@ -145,6 +145,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -262,6 +265,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -379,6 +385,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml index 60b5509af9..f0e5a594fd 100644 --- a/modules/private-cluster-update-variant/metadata.yaml +++ b/modules/private-cluster-update-variant/metadata.yaml 
@@ -583,6 +583,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 4291a5d143..39a5443e9e 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -715,6 +715,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 0fe983b8f7..0d35d0e58c 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -185,6 +185,7 @@ Then perform the following commands on the root folder: | enable\_k8s\_beta\_apis | (Optional) - List of Kubernetes Beta APIs to enable in cluster. | `list(string)` | `[]` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_legacy\_lustre\_port | Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | 
@@ -224,6 +225,7 @@ Then perform the following commands on the root folder: | logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, KCP\_CONNECTION, KCP\_SSHD, KCP\_HPA, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | +| lustre\_csi\_driver | The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes | `bool` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | @@ -449,7 +451,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v6.41+ +- [Terraform Provider for GCP][terraform-provider-google] v6.47+ #### gcloud diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 957c87b591..10c84ef762 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -309,6 +309,14 @@ resource "google_container_cluster" "primary" { enabled = var.filestore_csi_driver } + dynamic "lustre_csi_driver_config" { + for_each = var.lustre_csi_driver == null ? [] : ["lustre_csi_driver_config"] + content { + enabled = var.lustre_csi_driver + enable_legacy_lustre_port = var.enable_legacy_lustre_port + } + } + network_policy_config { disabled = !var.network_policy } diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml index f2057b92c4..34b8c925ba 100644 --- a/modules/private-cluster/metadata.display.yaml +++ b/modules/private-cluster/metadata.display.yaml @@ -145,6 +145,9 @@ spec: enable_l4_ilb_subsetting: name: enable_l4_ilb_subsetting title: Enable L4 Ilb Subsetting + enable_legacy_lustre_port: + name: enable_legacy_lustre_port + title: Enable Legacy Lustre Port enable_mesh_certificates: name: enable_mesh_certificates title: Enable Mesh Certificates @@ -262,6 +265,9 @@ spec: logging_variant: name: logging_variant title: Logging Variant + lustre_csi_driver: + name: lustre_csi_driver + title: Lustre Csi Driver maintenance_end_time: name: maintenance_end_time title: Maintenance End Time @@ -379,6 +385,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml index 32dd01b9d8..cce751e9ec 100644 --- a/modules/private-cluster/metadata.yaml +++ b/modules/private-cluster/metadata.yaml 
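Review bot: In the new `lustre_csi_driver_config` block of `cluster.tf`, `enable_legacy_lustre_port` is passed through unconditionally. It is therefore sent even when `lustre_csi_driver = false`, and silently dropped when `lustre_csi_driver` is null, because `for_each` then yields no block. The flag exists to work around a port conflict with the gke-metadata-server, so a reader should be able to tell from the code when it takes effect. I would add `# enable_legacy_lustre_port is only sent when lustre_csi_driver is non-null; needed only below 1.33.2-gke.4780000` above the `dynamic` block. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.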
@@ -583,6 +583,13 @@ spec: description: The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes varType: bool defaultValue: false + - name: lustre_csi_driver + description: The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes + varType: bool + - name: enable_legacy_lustre_port + description: Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes + varType: bool + defaultValue: false - name: network_policy description: Enable network policy addon varType: bool diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 4291a5d143..39a5443e9e 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -715,6 +715,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" 
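Review bot: The `enable_legacy_lustre_port` description in `modules/private-cluster/variables.tf` does not say that the variable has no effect unless `lustre_csi_driver` is set, which is what the `for_each` in `cluster.tf` implies. Its first sentence is also ungrammatical, and the `lustre_csi_driver` description reads "a Lustre instances". I would open the first with `"Set to true when the GKE cluster runs a version earlier than 1.33.2-gke.4780000; only used when lustre_csi_driver is set. ..."` and end the second with `"... allows the usage of Lustre instances as volumes"`. The same text appears in the root `variables.tf` hunk, the `metadata.yaml` hunk and the README tables, so the wording is best fixed wherever those are generated from, presumably a shared template that this part of the diff does not show.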
diff --git a/test/setup/main.tf b/test/setup/main.tf index 211d890949..bff9990be8 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -72,6 +72,8 @@ module "gke-project-1" { # due to https://github.com/hashicorp/terraform-provider-google/issues/9505 for AP default_service_account = "keep" + deletion_policy = "DELETE" + auto_create_network = true activate_apis = local.apis @@ -95,6 +97,9 @@ module "gke-project-2" { # due to https://github.com/hashicorp/terraform-provider-google/issues/9505 for AP default_service_account = "keep" + deletion_policy = "DELETE" + + activate_apis = local.apis activate_api_identities = [ { @@ -132,6 +137,9 @@ module "gke-project-fleet" { # due to https://github.com/hashicorp/terraform-provider-google/issues/9505 for AP default_service_account = "keep" + deletion_policy = "DELETE" + + activate_apis = local.apis } diff --git a/variables.tf b/variables.tf index 1fc8cff53c..ac1afd2ec0 100644 --- a/variables.tf +++ b/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2022-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -679,6 +679,18 @@ variable "filestore_csi_driver" { default = false } +variable "lustre_csi_driver" { + type = bool + description = "The status of the Lustre CSI driver addon, which allows the usage of a Lustre instances as volumes" + default = null +} + +variable "enable_legacy_lustre_port" { + type = bool + description = "Set it to true for GKE cluster runs a version earlier than 1.33.2-gke.4780000. Allows the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988. This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon"
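Review bot: `deletion_policy = "DELETE"` is added to `gke-project-1`, `gke-project-2` and `gke-project-fleet` in `test/setup/main.tf` without a comment, while the neighbouring `default_service_account` line carries one explaining its value. A short why-comment such as `# test projects are ephemeral; let terraform destroy delete them` would keep this setting from being copied into non-test configurations, assuming that is the intent. The second and third hunks also appear to add two blank lines after the new attribute (three added lines per their headers), where one is enough. The three module blocks start and end outside the hunks.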