GCE dualstack support

This PR introduces a dedicated terraform config for GCE with IPv6 enabled Signed-off-by: Artiom Diomin <[email protected]>
kubermatic · Jan 2, 2025 · fa50958 · fa50958
1 parent 8b8d794
commit fa50958
Show file tree

Hide file tree

Showing 14 changed files with 645 additions and 12 deletions.
diff --git a/examples/terraform/gce-ipv6/README.md b/examples/terraform/gce-ipv6/README.md
@@ -0,0 +1,94 @@
+# GCE Quickstart Terraform configs
+
+The GCE Quickstart Terraform configs can be used to create the needed
+infrastructure for a Kubernetes HA cluster. Check out the following
+[Creating Infrastructure guide][docs-infrastructure] to learn more about how to
+use the configs and how to provision a Kubernetes cluster using KubeOne.
+
+[docs-infrastructure]: https://docs.kubermatic.com/kubeone/v1.9/guides/using-terraform-configs/
+
+## GCE Provider configuration
+
+### Credentials
+
+Per <https://www.terraform.io/docs/providers/google/provider_reference.html#configuration-reference>
+either of the following ENV variables should be accessible:
+
+* `GOOGLE_CREDENTIALS`
+* `GOOGLE_CLOUD_KEYFILE_JSON`
+* `GCLOUD_KEYFILE_JSON`
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 6 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | ~> 6 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_address.lb_ip](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address) | resource |
+| [google_compute_firewall.common](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.control_plane](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.internal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_firewall.nodeports](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
+| [google_compute_forwarding_rule.control_plane](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule) | resource |
+| [google_compute_http_health_check.control_plane](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_http_health_check) | resource |
+| [google_compute_instance.control_plane](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
+| [google_compute_target_pool.control_plane_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_pool) | resource |
+| [google_compute_image.control_plane_image](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source |
+| [google_compute_network.network](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_network) | data source |
+| [google_compute_subnetwork.subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_subnetwork) | data source |
+| [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_apiserver_alternative_names"></a> [apiserver\_alternative\_names](#input\_apiserver\_alternative\_names) | subject alternative names for the API Server signing cert. | `list(string)` | `[]` | no |
+| <a name="input_bastion_host_key"></a> [bastion\_host\_key](#input\_bastion\_host\_key) | Bastion SSH host public key | `string` | `null` | no |
+| <a name="input_cluster_autoscaler_max_replicas"></a> [cluster\_autoscaler\_max\_replicas](#input\_cluster\_autoscaler\_max\_replicas) | maximum number of replicas per MachineDeployment (requires cluster-autoscaler) | `number` | `0` | no |
+| <a name="input_cluster_autoscaler_min_replicas"></a> [cluster\_autoscaler\_min\_replicas](#input\_cluster\_autoscaler\_min\_replicas) | minimum number of replicas per MachineDeployment (requires cluster-autoscaler) | `number` | `0` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
+| <a name="input_control_plane_image_family"></a> [control\_plane\_image\_family](#input\_control\_plane\_image\_family) | Image family to use for provisioning instances | `string` | `"ubuntu-2404-lts-amd64"` | no |
+| <a name="input_control_plane_image_project"></a> [control\_plane\_image\_project](#input\_control\_plane\_image\_project) | Project of the image to use for provisioning instances | `string` | `"ubuntu-os-cloud"` | no |
+| <a name="input_control_plane_target_pool_members_count"></a> [control\_plane\_target\_pool\_members\_count](#input\_control\_plane\_target\_pool\_members\_count) | n/a | `number` | `3` | no |
+| <a name="input_control_plane_type"></a> [control\_plane\_type](#input\_control\_plane\_type) | GCE instance type | `string` | `"n1-standard-2"` | no |
+| <a name="input_control_plane_vm_count"></a> [control\_plane\_vm\_count](#input\_control\_plane\_vm\_count) | number of control plane instances | `number` | `3` | no |
+| <a name="input_control_plane_volume_size"></a> [control\_plane\_volume\_size](#input\_control\_plane\_volume\_size) | Size of the boot volume, in GB | `number` | `100` | no |
+| <a name="input_disable_kubeapi_loadbalancer"></a> [disable\_kubeapi\_loadbalancer](#input\_disable\_kubeapi\_loadbalancer) | E2E tests specific variable to disable usage of any loadbalancer in front of kubeapi-server | `bool` | `false` | no |
+| <a name="input_google_compute_network"></a> [google\_compute\_network](#input\_google\_compute\_network) | if given, will be used as a network | `string` | `"default"` | no |
+| <a name="input_google_compute_subnetwork"></a> [google\_compute\_subnetwork](#input\_google\_compute\_subnetwork) | if given, will be used as a subnet | `string` | `"default"` | no |
+| <a name="input_initial_machinedeployment_operating_system_profile"></a> [initial\_machinedeployment\_operating\_system\_profile](#input\_initial\_machinedeployment\_operating\_system\_profile) | Name of operating system profile for MachineDeployments, only applicable if operating-system-manager addon is enabled.<br>If not specified, the default value will be added by machine-controller addon. | `string` | `""` | no |
+| <a name="input_initial_machinedeployment_replicas"></a> [initial\_machinedeployment\_replicas](#input\_initial\_machinedeployment\_replicas) | Number of replicas per MachineDeployment | `number` | `2` | no |
+| <a name="input_network_tier"></a> [network\_tier](#input\_network\_tier) | The service-level to be provided for IPv6 traffic when the subnet has an external subnet.<br>    Only PREMIUM or STANDARD tier is valid for IPv6. | `string` | `"PREMIUM"` | no |
+| <a name="input_project"></a> [project](#input\_project) | Project to be used for all resources | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | GCP region to speak to | `string` | `"europe-west3"` | no |
+| <a name="input_ssh_agent_socket"></a> [ssh\_agent\_socket](#input\_ssh\_agent\_socket) | SSH Agent socket, default to grab from $SSH\_AUTH\_SOCK | `string` | `"env:SSH_AUTH_SOCK"` | no |
+| <a name="input_ssh_hosts_keys"></a> [ssh\_hosts\_keys](#input\_ssh\_hosts\_keys) | A list of SSH hosts public keys to verify | `list(string)` | `null` | no |
+| <a name="input_ssh_port"></a> [ssh\_port](#input\_ssh\_port) | SSH port to be used to provision instances | `number` | `22` | no |
+| <a name="input_ssh_private_key_file"></a> [ssh\_private\_key\_file](#input\_ssh\_private\_key\_file) | SSH private key file used to access instances | `string` | `""` | no |
+| <a name="input_ssh_public_key_file"></a> [ssh\_public\_key\_file](#input\_ssh\_public\_key\_file) | SSH public key file | `string` | `"~/.ssh/id_rsa.pub"` | no |
+| <a name="input_ssh_username"></a> [ssh\_username](#input\_ssh\_username) | SSH user, used only in output | `string` | `"root"` | no |
+| <a name="input_worker_os"></a> [worker\_os](#input\_worker\_os) | OS to run on worker machines | `string` | `"ubuntu"` | no |
+| <a name="input_workers_type"></a> [workers\_type](#input\_workers\_type) | GCE instance type | `string` | `"n1-standard-2"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kubeone_api"></a> [kubeone\_api](#output\_kubeone\_api) | kube-apiserver LB endpoint |
+| <a name="output_kubeone_hosts"></a> [kubeone\_hosts](#output\_kubeone\_hosts) | Control plane endpoints to SSH to |
+| <a name="output_kubeone_workers"></a> [kubeone\_workers](#output\_kubeone\_workers) | Workers definitions, that will be transformed into MachineDeployment object |
diff --git a/examples/terraform/gce-ipv6/README.md.in b/examples/terraform/gce-ipv6/README.md.in
@@ -0,0 +1,20 @@
+# GCE Quickstart Terraform configs
+
+The GCE Quickstart Terraform configs can be used to create the needed
+infrastructure for a Kubernetes HA cluster. Check out the following
+[Creating Infrastructure guide][docs-infrastructure] to learn more about how to
+use the configs and how to provision a Kubernetes cluster using KubeOne.
+
+[docs-infrastructure]: https://docs.kubermatic.com/kubeone/v1.9/guides/using-terraform-configs/
+
+## GCE Provider configuration
+
+### Credentials
+
+Per <https://www.terraform.io/docs/providers/google/provider_reference.html#configuration-reference>
+either of the following ENV variables should be accessible:
+
+* `GOOGLE_CREDENTIALS`
+* `GOOGLE_CLOUD_KEYFILE_JSON`
+* `GCLOUD_KEYFILE_JSON`
+
diff --git a/examples/terraform/gce-ipv6/main.tf b/examples/terraform/gce-ipv6/main.tf
@@ -0,0 +1,203 @@
+/*
+Copyright 2019 The KubeOne Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+provider "google" {
+  region  = var.region
+  project = var.project
+}
+
+locals {
+  zones_count        = length(data.google_compute_zones.available.names)
+  zone_first         = data.google_compute_zones.available.names[0]
+  kubeapi_endpoint   = var.disable_kubeapi_loadbalancer ? google_compute_instance.control_plane.0.network_interface.0.network_ip : google_compute_address.lb_ip.0.address
+  loadbalancer_count = var.disable_kubeapi_loadbalancer ? 0 : 1
+
+  cluster_autoscaler_min_replicas = var.cluster_autoscaler_min_replicas > 0 ? var.cluster_autoscaler_min_replicas : var.initial_machinedeployment_replicas
+  cluster_autoscaler_max_replicas = var.cluster_autoscaler_max_replicas > 0 ? var.cluster_autoscaler_max_replicas : var.initial_machinedeployment_replicas
+}
+
+data "google_compute_zones" "available" {
+}
+
+data "google_compute_image" "control_plane_image" {
+  family  = var.control_plane_image_family
+  project = var.control_plane_image_project
+}
+
+data "google_compute_network" "network" {
+  name = var.google_compute_network
+}
+
+data "google_compute_subnetwork" "subnet" {
+  name   = var.google_compute_subnetwork
+  region = var.region
+}
+
+resource "google_compute_firewall" "common" {
+  name    = "${var.cluster_name}-common"
+  network = data.google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = [var.ssh_port]
+  }
+
+  source_ranges = [
+    "0.0.0.0/0",
+  ]
+}
+
+resource "google_compute_firewall" "control_plane" {
+  name    = "${var.cluster_name}-control-plane"
+  network = data.google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["6443"]
+  }
+
+  source_ranges = [
+    "0.0.0.0/0",
+  ]
+}
+
+resource "google_compute_firewall" "internal" {
+  name    = "${var.cluster_name}-internal"
+  network = data.google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "icmp"
+  }
+
+  source_ranges = [
+    data.google_compute_subnetwork.subnet.ip_cidr_range,
+  ]
+}
+
+resource "google_compute_firewall" "nodeports" {
+  name    = "${var.cluster_name}-nodeports"
+  network = data.google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["30000-32767"]
+  }
+
+  source_ranges = [
+    "0.0.0.0/0",
+  ]
+}
+
+
+resource "google_compute_address" "lb_ip" {
+  count = local.loadbalancer_count
+
+  name = "${var.cluster_name}-lb-ip"
+}
+
+resource "google_compute_http_health_check" "control_plane" {
+  name = "${var.cluster_name}-control-plane-health"
+
+  port         = 10256
+  request_path = "/healthz"
+
+  timeout_sec        = 3
+  check_interval_sec = 5
+}
+
+resource "google_compute_target_pool" "control_plane_pool" {
+  name = "${var.cluster_name}-control-plane"
+
+  instances = slice(
+    google_compute_instance.control_plane.*.self_link,
+    0,
+    var.control_plane_target_pool_members_count,
+  )
+
+  health_checks = [
+    google_compute_http_health_check.control_plane.self_link,
+  ]
+}
+
+resource "google_compute_forwarding_rule" "control_plane" {
+  count = local.loadbalancer_count
+
+  name       = "${var.cluster_name}-apiserver"
+  target     = google_compute_target_pool.control_plane_pool.self_link
+  port_range = "6443-6443"
+  ip_address = google_compute_address.lb_ip.0.address
+}
+
+resource "google_compute_instance" "control_plane" {
+  count = var.control_plane_vm_count
+
+  name         = "${var.cluster_name}-control-plane-${count.index + 1}"
+  machine_type = var.control_plane_type
+  zone         = data.google_compute_zones.available.names[count.index % local.zones_count]
+
+  # Changing the machine_type, min_cpu_platform, or service_account on an
+  # instance requires stopping it. To acknowledge this,
+  # allow_stopping_for_update = true is required
+  allow_stopping_for_update = true
+
+  boot_disk {
+    initialize_params {
+      size  = var.control_plane_volume_size
+      image = data.google_compute_image.control_plane_image.self_link
+    }
+  }
+
+  network_interface {
+    subnetwork = data.google_compute_subnetwork.subnet.self_link
+
+    access_config {
+      nat_ip = ""
+    }
+
+    ipv6_access_config {
+      network_tier = var.network_tier
+    }
+
+    stack_type = "IPV4_IPV6"
+  }
+
+  metadata = {
+    sshKeys = "${var.ssh_username}:${file(var.ssh_public_key_file)}"
+  }
+
+  # https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes#--scopes
+  # listing of possible scopes
+  service_account {
+    scopes = [
+      "compute-rw",
+      "logging-write",
+      "monitoring-write",
+      "service-control",
+      "service-management",
+      "storage-ro",
+    ]
+  }
+}