
TaitoUnited/terraform-google-kubernetes


Google Cloud Kubernetes

Example usage:

# Google provider: the project, region and zone every resource below
# inherits unless it sets its own.
provider "google" {
  project = "my-infrastructure"
  region  = "europe-west1"
  zone    = "europe-west1-b"
}

# Enable Google APIs

# Compute Engine API
resource "google_project_service" "compute" {
  service = "compute.googleapis.com"
}

# Cloud KMS API
resource "google_project_service" "cloudkms" {
  service = "cloudkms.googleapis.com"
}

# Kubernetes Engine API
resource "google_project_service" "container" {
  service = "container.googleapis.com"
}

# Container Registry API
# NOTE(review): Google has deprecated Container Registry in favour of
# Artifact Registry; check which registry this module version creates.
resource "google_project_service" "containerregistry" {
  service = "containerregistry.googleapis.com"
}

# Kubernetes

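# infra.yaml is parsed once here instead of twice inside the module call;
# both the permissions and the kubernetes settings come from the same file.
locals {
  infra = yamldecode(file("${path.root}/../infra.yaml"))
}

module "kubernetes" {
  source  = "TaitoUnited/kubernetes/google"
  version = "2.5.0"

  # The APIs above must be enabled before the cluster can be created.
  depends_on = [
    google_project_service.compute,
    google_project_service.cloudkms,
    google_project_service.container,
    google_project_service.containerregistry,
  ]

  email = "devops@mydomain.com"

  # Network (outputs of a network module that is not shown in this example)
  network                = module.network.network
  subnetwork             = module.network.subnet_names[0]
  pods_ip_range_name     = module.network.pods_ip_range_name
  services_ip_range_name = module.network.services_ip_range_name

  # Permissions (the "permissions" document of infra.yaml, see example below)
  permissions = local.infra["permissions"]

  # Kubernetes (the "kubernetes" document of infra.yaml, see example below)
  kubernetes = local.infra["kubernetes"]

  # Registry
  create_registry       = true
  grant_registry_access = false # Should be false on the first run, then true

  # Helm infrastructure apps
  # Two-phase apply: keep grant_registry_access and helm_enabled false until
  # the cluster exists, then set both to true and apply again (presumably the
  # Helm/Kubernetes providers need a reachable cluster first).
  helm_enabled               = false # Should be false on the first run, then true
  generate_ingress_dhparam   = false
  use_kubernetes_as_db_proxy = true
  postgresql_cluster_names   = ["my-postgresql-1"]
  mysql_cluster_names        = ["my-mysql-1"]
}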

Example YAML:

# Permissions
# Each subject is written as "<kind>:<principal>" (group:... or user:...).
# The role names are the predefined cluster roles of the kubernetes-admin
# Helm chart (e.g. taito-developer, taito-status-viewer, taito-secret-viewer).
permissions:

  # Cluster-wide permissions
  clusterRoles:
    - name: 'taito-iam-admin'
      subjects:
        - 'group:admins@mydomain.com'
    - name: 'taito-status-viewer'
      subjects:
        - 'group:staff@mydomain.com'

  # Namespace specific permissions
  namespaces:
    - name: 'common'
      clusterRoles:
        - name: 'taito-secret-viewer'
          subjects:
            - 'group:developers@mydomain.com'
            # ${taito_zone} is presumably substituted by the tooling before
            # the file is read; Terraform's yamldecode does no interpolation.
            - 'user:cicd-tester@${taito_zone}.iam.gserviceaccount.com'
    - name: 'db-proxy'
      clusterRoles:
        - name: 'taito-pod-portforwarder'
          subjects:
            - 'group:developers@mydomain.com'
            - 'user:cicd-tester@${taito_zone}.iam.gserviceaccount.com'
    - name: 'my-namespace'
      clusterRoles:
        - name: 'taito-developer'
          subjects:
            - 'user:john.doe@mydomain.com'
            - 'user:jane.doe@mydomain.com'
    - name: 'another-namespace'
      clusterRoles:
        - name: 'taito-developer'
          subjects:
            - 'user:john.doe@mydomain.com'
            - 'user:jane.doe@mydomain.com'

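# For Kubernetes setting descriptions, see
# https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/private-cluster
kubernetes:
  name: zone1-common-kube1
  context: zone1
  releaseChannel: STABLE
  # Quoted so "HH:MM" is always read as a string (a YAML 1.1 parser would
  # otherwise read it as a sexagesimal number).
  maintenanceStartTime: "02:00"
  registryProjectId: ""
  authenticatorSecurityGroup: "" # gke-security-groups@yourdomain.com
  addClusterFirewallRules: true
  # With enablePrivateEndpoint false the public control-plane endpoint stays
  # on; masterAuthorizedNetworks (below) then decides who may reach it.
  enablePrivateEndpoint: false
  deployUsingPrivateEndpoint: false
  masterGlobalAccessEnabled: true
  enablePrivateNodes: true
  enableShieldedNodes: true
  enableConfidentialNodes: false
  sandboxEnabled: false
  # NOTE(review): security posture, network policy, db encryption and binary
  # authorization are all switched off in this example; review each of them
  # before using it for a production cluster.
  securityPostureMode: DISABLED
  securityPostureVulnerabilityMode: VULNERABILITY_DISABLED
  workloadVulnerabilityMode: DISABLED
  networkPolicy: false
  enableFqdnNetworkPolicy: false
  enableCiliumClusterwideNetworkPolicy: false
  datapathProvider: ADVANCED_DATAPATH
  dbEncryptionEnabled: false
  enableVerticalPodAutoscaling: true
  dnsCache: true
  gatewayApiChannel: CHANNEL_DISABLED
  gcePdCsiDriver: true
  gcsFuseCsiDriver: false
  filestoreCsiDriver: false
  enableResourceConsumptionExport: false
  resourceUsageExportDatasetId: ""
  enableNetworkEgressExport: false
  enableBinaryAuthorization: false
  enableIntranodeVisibility: false
  configConnector: false
  monitoringEnableManagedPrometheus: false
  gkeBackupAgentConfig: false
  region: europe-west1
  regional: false
  zones: [ "europe-west1-b", "europe-west1-c", "europe-west1-d" ]

  masterIpv4CidrBlock: 172.16.0.0/28
  # 0.0.0.0/0 lets the Kubernetes API endpoint be reached from any IPv4
  # address. Replace it with the CIDRs of your office/VPN and CI runners
  # before using this example for a real cluster.
  masterAuthorizedNetworks:
    - 0.0.0.0/0

  # Node pools
  nodePools:
    - name: pool-1
      machineType: n1-standard-1
      # No GPU: acceleratorType is left empty (null) and the count is 0.
      acceleratorType:
      acceleratorCount: 0
      secureBootEnabled: true
      diskSizeGb: 100
      locations: "" # Leave empty or specify zones, example: europe-west1-b,europe-west1-c
      # NOTE: On Google Cloud total number of nodes = node_count * num_of_zones
      minNodeCount: 1
      maxNodeCount: 1
    - name: gpu-pool-1
      machineType: n1-standard-1
      acceleratorType: NVIDIA_TESLA_T4
      acceleratorCount: 1
      secureBootEnabled: true
      diskSizeGb: 100
      # Empty string, as in pool-1 (a bare key would be null instead).
      locations: "" # Leave empty or specify zones: us-central1-b,us-central1-c
      # NOTE: On Google Cloud total number of nodes = node_count * num_of_zones
      minNodeCount: 1
      maxNodeCount: 1

  # Certificate managers
  certManager:
    enabled: true

  # Ingress controllers
  ingressNginxControllers:
    - name: ingress-nginx
      class: nginx
      replicas: 3
      metricsEnabled: true
      # MaxMind license key for GeoIP2: https://support.maxmind.com/account-faq/license-keys/how-do-i-generate-a-license-key/
      # Keep the real key out of committed YAML (inject it from a secret store).
      # NOTE(review): use-geoip2 is enabled below but no key is given; the
      # GeoIP2 databases presumably cannot be downloaded without one - confirm.
      maxmindLicenseKey:
      # Map TCP/UDP connections to services (key = listening port,
      # value = namespace/service:port)
      tcpServices:
        3000: my-namespace/my-tcp-service:9000
      udpServices:
        3001: my-namespace/my-udp-service:9001
      # See https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
      configMap:
        # Hardening
        # See https://kubernetes.github.io/ingress-nginx/deploy/hardening-guide/
        keep-alive: 10
        custom-http-errors: 403,404,503,500
        # Deny access to dot-files and dot-directories except /.well-known
        server-snippet: >
          location ~ /\.(?!well-known).* {
            deny all;
            access_log off;
            log_not_found off;
            return 404;
          }
        hide-headers: Server,X-Powered-By
        ssl-ciphers: EECDH+AESGCM:EDH+AESGCM
        enable-ocsp: true
        hsts-preload: true
        ssl-session-tickets: false
        client-header-timeout: 10
        client-body-timeout: 10
        large-client-header-buffers: 2 1k
        client-body-buffer-size: 1k
        # 1k is deliberately tight; raise it per ingress with the
        # nginx.ingress.kubernetes.io/proxy-body-size annotation where
        # uploads are expected.
        proxy-body-size: 1k
        # Firewall and access control
        enable-modsecurity: true
        enable-owasp-modsecurity-crs: true
        use-geoip: false
        use-geoip2: true
        enable-real-ip: false
        whitelist-source-range: ""
        block-cidrs: ""
        block-user-agents: ""
        block-referers: ""

  # TIP: You can install more infrastructure apps on your Kubernetes with:
  # https://github.com/TaitoUnited/infra-apps-template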

YAML attributes:

  • See variables.tf for all the supported YAML attributes.
  • See kubernetes-engine for attribute descriptions.
  • See Cluster Roles of kubernetes-admin Helm Chart for all predefined role definitions (e.g. taito-developer, taito-status-viewer, taito-secret-viewer).

Combine with the following modules to get a complete infrastructure defined by YAML:

TIP: Similar modules are also available for AWS, Azure, and DigitalOcean. All modules are used by infrastructure templates of Taito CLI. See also Google Cloud project resources, Full Stack Helm Chart, and full-stack-template.

Contributions are welcome!