
Spot Ocean GKE Terraform Module

A Terraform module to create a Google Kubernetes Engine (GKE) cluster with Spot Ocean. The module will install the Ocean Controller into the cluster.

Prerequisites

For kubectl to connect and interface properly with your Google Kubernetes Engine (GKE) cluster, you have to install the gcloud CLI. gcloud can be installed as a part of the Google Cloud SDK. Furthermore, for GCP, at least Editor permissions are needed to import an existing cluster. Instructions on how to install the following components can be found below:

Usage

module "ocean-gke" {
  source = "spotinst/ocean-gke/spotinst"

  # Credentials.
  spotinst_token   = var.spotinst_token
  spotinst_account = var.spotinst_account

  # Configuration.
  project_id             = var.project_id
  cluster_name           = var.cluster_name
  regional               = var.regional
  region                 = var.region
  zones                  = var.zones
  network                = var.network
  subnetwork             = var.subnetwork
  ip_range_pods          = var.ip_range_pods
  ip_range_services      = var.ip_range_services
  service_account        = var.service_account
  create_service_account = var.create_service_account
}

Examples

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| google | >= 3.39.0, < 4.0.0 |
| kubernetes | ~> 1.10, != 1.11.0 |
| spotinst | >= 1.39.0 |

Providers

| Name | Version |
|---|---|
| google | >= 3.39.0, < 4.0.0 |
| spotinst | >= 1.39.0 |

Modules

| Name | Source | Version |
|---|---|---|
| gke | terraform-google-modules/kubernetes-engine/google | >= 14.1.0 |
| ocean-controller | spotinst/ocean-controller/spotinst | 0.19.0 |

Resources

| Name | Type |
|---|---|
| spotinst_ocean_gke_import.this | resource |
| spotinst_ocean_gke_launch_spec_import.this | resource |
| google_client_config.default | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_cluster_firewall_rules | Create additional firewall rules | bool | false | no |
| basic_auth_password | The password to be used with Basic Authentication | string | "" | no |
| basic_auth_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration | string | "" | no |
| cluster_ipv4_cidr | The IP address range of the Kubernetes pods in this cluster. Default is an automatically assigned CIDR | any | null | no |
| cluster_name | The name of the cluster (required) | string | n/a | yes |
| cluster_resource_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | {} | no |
| configure_ip_masq | Enables the installation of IP masquerading, which is usually no longer required when using aliased IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server | bool | false | no |
| controller_image | Set the Docker image name for the Ocean Controller that should be deployed | string | "gcr.io/spotinst-artifacts/kubernetes-cluster-controller" | no |
| create_ocean | Controls whether Ocean should be created (it affects all Ocean resources) | bool | true | no |
| create_service_account | Defines whether the service account specified to run nodes should be created | bool | true | no |
| database_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key | list(object({ state = string, key_name = string })) | [{ "key_name": "", "state": "DECRYPTED" }] | no |
| default_max_pods_per_node | The maximum number of pods to schedule per node | number | 110 | no |
| description | The description of the cluster | string | "" | no |
| desired_capacity | The number of worker nodes to launch and maintain in the Ocean cluster | number | 1 | no |
| disable_legacy_metadata_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated | bool | true | no |
| enable_binary_authorization | Enable the Binary Authorization admission controller | bool | false | no |
| enable_network_egress_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic | bool | false | no |
| enable_resource_consumption_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export | bool | true | no |
| firewall_inbound_ports | List of TCP ports for admission/webhook controllers | list(string) | ["8443", "9443", "15017"] | no |
| firewall_priority | Priority rule for firewall rules | number | 1000 | no |
| gcloud_upgrade | Whether to upgrade gcloud at runtime | bool | false | no |
| grant_registry_access | Grants the created cluster-specific service account the storage.objectViewer role | bool | false | no |
| horizontal_pod_autoscaling | Enable horizontal pod autoscaling addon | bool | true | no |
| http_load_balancing | Enable HTTP load balancer addon | bool | true | no |
| identity_namespace | Workload Identity namespace. (Default value of enabled automatically sets the project-based namespace [project_id].svc.id.goog) | string | "enabled" | no |
| image_pull_policy | Image pull policy (one of: Always, Never, IfNotPresent) | string | "Always" | no |
| initial_node_count | The number of nodes to create in this cluster's default node pool | number | 0 | no |
| instance_types | A list of instance types | list(string) | [] | no |
| ip_masq_link_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16) | bool | false | no |
| ip_masq_resync_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk | string | "60s" | no |
| ip_range_pods | The name of the secondary subnet IP range to use for pods | string | n/a | yes |
| ip_range_services | The name of the secondary subnet range to use for services | string | n/a | yes |
| issue_client_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | false | no |
| kubernetes_version | The Kubernetes version of the masters. If set to 'latest' it will pull the latest available version in the selected region | string | "latest" | no |
| logging_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | "logging.googleapis.com/kubernetes" | no |
| maintenance_start_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | "05:00" | no |
| master_authorized_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists) | list(object({ cidr_block = string, display_name = string })) | [] | no |
| max_size | The upper limit of worker nodes the Ocean cluster can scale up to | number | null | no |
| min_size | The lower limit of worker nodes the Ocean cluster can scale down to | number | null | no |
| monitoring_service | The monitoring service that the cluster should write metrics to. Automatically sends metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting. Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | "monitoring.googleapis.com/kubernetes" | no |
| network | The VPC network to host the cluster in (required) | string | n/a | yes |
| network_policy | Enable network policy addon | bool | true | no |
| network_policy_provider | The network policy provider | string | "CALICO" | no |
| network_project_id | The project ID of the shared VPC's host (for shared VPC support) | string | "" | no |
| node_metadata | Specifies how node metadata is exposed to the workload running on the node | string | "GKE_METADATA_SERVER" | no |
| node_pools | List of maps containing node pools | list(map(string)) | [{ "autoscaling": false, "name": "default-node-pool", "node_count": 0 }] | no |
| node_pools_labels | Map of maps containing node labels by node-pool name | map(map(string)) | { "all": {}, "default-node-pool": {} } | no |
| node_pools_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | { "all": {}, "default-node-pool": {} } | no |
| node_pools_oauth_scopes | Map of lists containing node OAuth scopes by node-pool name | map(list(string)) | { "all": [], "default-node-pool": [] } | no |
| node_pools_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | { "all": [], "default-node-pool": [] } | no |
| node_pools_taints | Map of lists containing node taints by node-pool name | map(list(object({ key = string, value = string, effect = string }))) | { "all": [], "default-node-pool": [] } | no |
| non_masquerade_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading | list(string) | ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] | no |
| project_id | The project ID to host the cluster in (required) | string | n/a | yes |
| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | null | no |
| regional | Whether this is a regional cluster (zonal cluster if set to false. WARNING: changing this after cluster creation is destructive!) | bool | true | no |
| registry_project_ids | Projects holding Google Container Registries. If empty, the cluster project is used. If a service account is created and the grant_registry_access variable is set to true, the storage.objectViewer role is assigned on these projects | list(string) | [] | no |
| release_channel | The release channel of this cluster. Accepted values are UNSPECIFIED, RAPID, REGULAR and STABLE. Defaults to UNSPECIFIED | string | null | no |
| remove_default_node_pool | Remove the default node pool while setting up the cluster | bool | true | no |
| resource_usage_export_dataset_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export | string | "" | no |
| service_account | The service account to run nodes as if not overridden in node_pools. The create_service_account variable default value (true) will cause a cluster-specific service account to be created | string | "" | no |
| skip_provisioners | Flag to skip all local-exec provisioners. It breaks the stub_domains and upstream_nameservers variables' functionality | bool | false | no |
| spotinst_account | Spot account ID | string | n/a | yes |
| spotinst_token | Spot Personal Access token | string | n/a | yes |
| stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | {} | no |
| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
| upstream_nameservers | If specified, the values replace the nameservers taken by default from the node's /etc/resolv.conf | list(string) | [] | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | [] | no |
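Several of the inputs above decide how exposed the control plane and the cluster's secrets are: basic_auth_username / basic_auth_password, issue_client_certificate, master_authorized_networks, database_encryption, node_metadata and disable_legacy_metadata_endpoints. The root-module configuration below is an added example, not code from this module's README or from Spot, that combines those inputs into one hardened invocation. Every project, network, range, CIDR and Cloud KMS key name in it is a placeholder, and `sensitive = true` on the token variable assumes Terraform 0.14 or newer (the module itself only requires 0.13).

```hcl
# Added example: a hardened root module calling spotinst/ocean-gke/spotinst.
# All names, ranges and key paths are placeholders; replace them before use.

terraform {
  required_version = ">= 0.14.0" # "sensitive" on variables needs 0.14+
  required_providers {
    google     = { source = "hashicorp/google", version = ">= 3.39.0, < 4.0.0" }
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 1.10, != 1.11.0" }
    spotinst   = { source = "spotinst/spotinst", version = ">= 1.39.0" }
  }
}

variable "spotinst_token" {
  description = "Spot Personal Access token"
  type        = string
  sensitive   = true # redacted from plan/apply output; still lands in state
}

variable "spotinst_account" {
  description = "Spot account ID"
  type        = string
}

module "ocean-gke" {
  source = "spotinst/ocean-gke/spotinst"

  # Credentials.
  spotinst_token   = var.spotinst_token
  spotinst_account = var.spotinst_account

  # Placement (placeholders).
  project_id        = "my-gcp-project"
  cluster_name      = "ocean-gke-hardened"
  regional          = true
  region            = "us-central1"
  network           = "my-vpc"
  subnetwork        = "my-subnet"
  ip_range_pods     = "my-subnet-pods"     # secondary range name for pods
  ip_range_services = "my-subnet-services" # secondary range name for services

  # Control-plane authentication: no static credentials on the cluster.
  basic_auth_username      = ""    # empty disables Basic Authentication
  basic_auth_password      = ""
  issue_client_certificate = false # client certs neither rotate nor revoke easily

  # Control-plane exposure: only the listed ranges may reach the API server.
  master_authorized_networks = [
    {
      cidr_block   = "203.0.113.0/24" # placeholder (TEST-NET-3), e.g. corporate egress
      display_name = "corporate-egress"
    },
  ]

  # Secrets at rest: application-layer encryption with a customer-managed KMS key.
  database_encryption = [
    {
      state    = "ENCRYPTED"
      key_name = "projects/my-gcp-project/locations/us-central1/keyRings/gke/cryptoKeys/etcd" # placeholder
    },
  ]

  # Node metadata: GKE Metadata Server, legacy endpoints disabled, Workload Identity on.
  node_metadata                     = "GKE_METADATA_SERVER"
  disable_legacy_metadata_endpoints = true
  identity_namespace                = "enabled"

  # Admission and network controls.
  enable_binary_authorization = true
  network_policy              = true
  network_policy_provider     = "CALICO"
  release_channel             = "REGULAR"

  # Node service account: cluster-specific, without the registry-wide viewer grant.
  create_service_account = true
  grant_registry_access  = false

  # Ocean sizing bounds so autoscaling cannot grow without limit.
  desired_capacity = 3
  min_size         = 1
  max_size         = 10
}
```

Two caveats a practitioner would check before applying this: enable_binary_authorization only turns on the admission controller, so what images are admitted is decided by the project's Binary Authorization policy, not by this module; and marking a variable sensitive hides it from CLI output but not from the state file, so the state backend still needs encryption and restricted access.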

Outputs

| Name | Description |
|---|---|
| cluster_ca_certificate | Cluster CA certificate (base64 encoded) |
| cluster_endpoint | Cluster endpoint |
| cluster_horizontal_pod_autoscaling_enabled | Whether horizontal pod autoscaling is enabled |
| cluster_http_load_balancing_enabled | Whether HTTP load balancing is enabled |
| cluster_location | Cluster location (region if regional cluster, zone if zonal cluster) |
| cluster_logging_service | Logging service used |
| cluster_master_version | Current master Kubernetes version |
| cluster_min_master_version | Minimum master Kubernetes version |
| cluster_monitoring_service | Monitoring service used |
| cluster_name | Cluster name |
| cluster_network_policy_enabled | Whether network policy is enabled |
| cluster_node_pools_names | List of node pool names |
| cluster_node_pools_versions | List of node pool versions |
| cluster_region | Cluster region |
| cluster_token | OAuth2 access token used by the client to authenticate against the Google Cloud API |
| cluster_type | Cluster type (regional / zonal) |
| cluster_zones | List of zones in which the cluster resides |
| identity_namespace | Workload Identity namespace |
| master_authorized_networks_config | Networks from which access to the master is permitted |
| ocean_cluster_id | The ID of the Ocean cluster |
| ocean_controller_id | The ID of the Ocean controller |
| release_channel | The release channel of this cluster |
| service_account | The service account nodes run as by default, if not overridden in node_pools |
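The cluster_endpoint, cluster_ca_certificate and cluster_token outputs are what a root module needs to point a kubernetes provider at the new cluster. The snippet below is an added example, not code from this module or from Spot, of wiring those outputs up while keeping the short-lived token out of CLI output. It assumes cluster_endpoint is a bare host or IP without a scheme (as the underlying terraform-google-modules GKE module returns it) and that the module block is named "ocean-gke" as in the Usage section.

```hcl
# Added example: consume the module's outputs in the root module.
# Assumes module "ocean-gke" from the Usage section exists in this configuration.

provider "kubernetes" {
  # cluster_endpoint is assumed to be a bare host/IP, so the scheme is added here.
  host                   = "https://${module.ocean-gke.cluster_endpoint}"
  token                  = module.ocean-gke.cluster_token
  cluster_ca_certificate = base64decode(module.ocean-gke.cluster_ca_certificate)
}

# Non-secret facts about the cluster are safe to print after apply.
output "cluster_endpoint" {
  value = module.ocean-gke.cluster_endpoint
}

output "cluster_location" {
  value = module.ocean-gke.cluster_location
}

output "master_authorized_networks_config" {
  description = "Networks allowed to reach the control plane; review this after every apply."
  value       = module.ocean-gke.master_authorized_networks_config
}

# The OAuth2 token is a bearer credential: redact it from CLI output.
# (sensitive outputs need Terraform 0.14+; the value is still written to state.)
output "cluster_token" {
  value     = module.ocean-gke.cluster_token
  sensitive = true
}
```

The token comes from the google_client_config data source listed under Resources, so it reflects whatever identity ran terraform; re-exporting master_authorized_networks_config makes an accidental widening of control-plane access visible in the plan diff rather than only in the console.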

Documentation

If you're new to Spot and want to get started, please check out our Getting Started guide, available on the Spot Documentation website.

Getting Help

We use GitHub issues for tracking bugs and feature requests. Please use these community resources for getting help:

Community

Contributing

Please see the contribution guidelines.

License

Code is licensed under the Apache License 2.0.