Commit 8c2a474

add support for rbac_binding_config
Signed-off-by: drfaust92 <[email protected]>
1 parent 16ba236 commit 8c2a474

38 files changed

+87
-29
lines changed

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -250,7 +250,7 @@ Then perform the following commands on the root folder:
250250
| parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no |
251251
| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
252252
| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br> enabled = bool<br> logging_enabled = optional(bool, false)<br> monitoring_enabled = optional(bool, false)<br> })</pre> | <pre>{<br> "enabled": false,<br> "logging_enabled": false,<br> "monitoring_enabled": false<br>}</pre> | no |
253-
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | n/a | yes |
253+
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | <pre>{<br> "enable_insecure_binding_system_authenticated": null,<br> "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |
254254
| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
255255
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
256256
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
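Review bot: the rendered description in the `rbac_binding_config` row reads "ClusterRoleBindings an RoleBindings"; this table is generated from the variable description, so the typo ("an" for "and") should be fixed in the `description` of `variable "rbac_binding_config"` in the variables templates rather than here. The rest of the row change is correct: the variable now carries a default with both attributes `null`, so "n/a | yes" becoming a default object and "no" is the expected regeneration.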

autogen/main/cluster.tf.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -275,7 +275,7 @@ resource "google_container_cluster" "primary" {
275275
}
276276

277277
dynamic "rbac_binding_config" {
278-
for_each = var.rbac_binding_config
278+
for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
279279
content {
280280
enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
281281
enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
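Review bot: the new `for_each` at line 278 is a real fix, not just a style change: the previous `for_each = var.rbac_binding_config` iterated the attributes of an object, so `rbac_binding_config.value["..."]` in the `content` block would have indexed a bool or null rather than the object. Wrapping the object in a one-element list (or an empty list when both attributes are `null`) gives `.value` the shape the `content` block expects and omits the block entirely when nothing is set, leaving GKE's own default for these two insecure-binding settings untouched. The condition repeats the variable path twice; consider a `locals` entry such as `rbac_binding_config_enabled = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null` so the generated `cluster.tf` files stay readable.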

autogen/main/variables.tf.tmpl

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1151,9 +1151,13 @@ variable "ip_endpoints_enabled" {
11511151
}
11521152

11531153
variable "rbac_binding_config" {
1154-
type = object({
1154+
type = object({
11551155
enable_insecure_binding_system_unauthenticated = optional(bool, null)
11561156
enable_insecure_binding_system_authenticated = optional(bool, null)
11571157
})
11581158
description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
1159+
default = {
1160+
enable_insecure_binding_system_unauthenticated = null
1161+
enable_insecure_binding_system_authenticated = null
1162+
}
11591163
}
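Review bot: the `description` at line 1158 still says "ClusterRoleBindings an RoleBindings" (should be "and"), and since the README tables and metadata are generated from it, this is the one place to fix the wording. It would also help operators to state in the description that leaving both attributes `null` omits the `rbac_binding_config` block and keeps the GKE default, and that setting either `enable_insecure_binding_system_*` attribute to `true` deliberately relaxes the restriction on bindings to `system:unauthenticated` / `system:authenticated`. The added `default` with explicit `null` values is equivalent to `default = {}` given the `optional(bool, null)` attributes; the explicit form is fine and documents intent. Lines 1154-/1154+ show no visible text change, so that is a whitespace-only edit worth mentioning in the commit message.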

cluster.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -214,7 +214,7 @@ resource "google_container_cluster" "primary" {
214214
}
215215

216216
dynamic "rbac_binding_config" {
217-
for_each = var.rbac_binding_config
217+
for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
218218
content {
219219
enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
220220
enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
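Review bot: this hunk matches the `autogen/main/cluster.tf.tmpl` change line for line, which is what regenerated output should look like; the same `for_each` note applies (the old object-valued `for_each` would have broken `.value[...]`, the new list-valued expression fixes it). No separate action needed beyond the shared suggestion to hoist the condition into a local in the template.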

metadata.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -761,7 +761,9 @@ spec:
761761
enable_insecure_binding_system_unauthenticated = optional(bool, null)
762762
enable_insecure_binding_system_authenticated = optional(bool, null)
763763
})
764-
required: true
764+
defaultValue:
765+
enable_insecure_binding_system_authenticated: null
766+
enable_insecure_binding_system_unauthenticated: null
765767
outputs:
766768
- name: ca_certificate
767769
description: Cluster ca certificate (base64 encoded)
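Review bot: replacing `required: true` with a `defaultValue` of two `null` attributes is consistent with the new variable default, so the metadata no longer tells consumers that the object must be supplied. The attribute order here (`authenticated` before `unauthenticated`) is alphabetical and differs from the order in `variables.tf`; that is harmless for a map, but if the file is produced by the metadata generator it should be left as generated rather than hand-edited.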

modules/beta-autopilot-private-cluster/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -147,7 +147,7 @@ Then perform the following commands on the root folder:
147147
| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no |
148148
| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
149149
| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br> enabled = bool<br> logging_enabled = optional(bool, false)<br> monitoring_enabled = optional(bool, false)<br> })</pre> | <pre>{<br> "enabled": false,<br> "logging_enabled": false,<br> "monitoring_enabled": false<br>}</pre> | no |
150-
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | n/a | yes |
150+
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | <pre>{<br> "enable_insecure_binding_system_authenticated": null,<br> "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |
151151
| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
152152
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
153153
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |

modules/beta-autopilot-private-cluster/cluster.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -134,7 +134,7 @@ resource "google_container_cluster" "primary" {
134134
}
135135

136136
dynamic "rbac_binding_config" {
137-
for_each = var.rbac_binding_config
137+
for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
138138
content {
139139
enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
140140
enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]

modules/beta-autopilot-private-cluster/metadata.yaml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -504,7 +504,9 @@ spec:
504504
enable_insecure_binding_system_unauthenticated = optional(bool, null)
505505
enable_insecure_binding_system_authenticated = optional(bool, null)
506506
})
507-
required: true
507+
defaultValue:
508+
enable_insecure_binding_system_authenticated: null
509+
enable_insecure_binding_system_unauthenticated: null
508510
outputs:
509511
- name: ca_certificate
510512
description: Cluster ca certificate (base64 encoded)

modules/beta-autopilot-private-cluster/variables.tf

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -669,4 +669,8 @@ variable "rbac_binding_config" {
669669
enable_insecure_binding_system_authenticated = optional(bool, null)
670670
})
671671
description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
672+
default = {
673+
enable_insecure_binding_system_unauthenticated = null
674+
enable_insecure_binding_system_authenticated = null
675+
}
672676
}
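Review bot: the module-level `variables.tf` carries the same default and the same "an RoleBindings" typo in its `description` at line 671; since this file is generated from `autogen/main/variables.tf.tmpl`, fixing the wording there will propagate here on the next regeneration. The `default` block is identical to the root module's, so the behaviour (block omitted when both attributes are `null`) is consistent across the root and sub-modules.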

modules/beta-autopilot-public-cluster/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -135,7 +135,7 @@ Then perform the following commands on the root folder:
135135
| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
136136
| project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
137137
| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br> enabled = bool<br> logging_enabled = optional(bool, false)<br> monitoring_enabled = optional(bool, false)<br> })</pre> | <pre>{<br> "enabled": false,<br> "logging_enabled": false,<br> "monitoring_enabled": false<br>}</pre> | no |
138-
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | n/a | yes |
138+
| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br> enable_insecure_binding_system_unauthenticated = optional(bool, null)<br> enable_insecure_binding_system_authenticated = optional(bool, null)<br> })</pre> | <pre>{<br> "enable_insecure_binding_system_authenticated": null,<br> "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |
139139
| region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
140140
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
141141
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |