All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Extending the adopted spec, each change should have a link to its corresponding pull request appended.
14.3.0 (2021-05-05)
- Introduce add_master_webhook_firewall_rules flag to add webhooks (#882) (8a5dcb8)
- workload-identity: add entire GSA in output (#887) (734ce5d)
- Add cluster ID to outputs (#886) (fc34eb6)
- Remove data google_client_config from all modules as it is no longer used within modules (#875) (687dc71)
- Remove unused local kubectl wrapper scripts (#876) (110adb6)
14.2.0 (2021-04-16)
14.1.0 (2021-04-01)
14.0.1 (2021-03-12)
14.0.0 (2021-03-09)
- Added support for multi-project GKE Hub registration (#840)
- The
network_policy
variable now defaults tofalse
. - Replaced
registry_project_id
withregistry_project_ids
list. - Add support for asm v1.8 to the asm module (#824)
- Add dataplane-v2 provisioning support (#753) (d1fbef4)
- Add new property to explicitly return GKE private_endpoint for auth module (#841) (1b99c07)
- Add support for asm v1.8 to the asm module (#824) (923eff4)
- Added support for multi-project GKE Hub registration (#840) (6dc1eb1)
- Require actively enabling network policy (#809) (3354205)
- Fix attribution for safer cluster modules (#830) (bb7c3ce)
- Remove deprecated variable "registry_project_id" (#832) (83eae98)
13.1.0 (2021-02-16)
- Add support for creating "shadow" firewall rules for logging purposes (#741) (259dbfb)
- Add support for multiple registry projects (#815) (5562cd6)
- Add support for TPUs on beta clusters (#810) (fff0078)
13.0.0 (2021-01-29)
- Minimum Terraform core version increased to 0.13.
- dynamic operator yaml (#693)
- Using in-cluster features now requires additional provider configuration. See the upgrade guide for details.
- Add maintenance exclusions support (#781) (0abbf41)
- Add nodepool taints to keepers for update-variant (#717) (372a11c)
- add support for Linux node config (#782) (98826e6)
- Add Terraform 0.13 constraint and module attribution (#792) (32db990)
- Add the option to disable Kubernetes SA annotation in workload-identity. (#787) (4e4ce02)
- dynamic operator yaml (#693) (b1cce30)
- Hub registration using kubeconfig and labels support (#785) (6a29e62)
- remove wait for cluster script (#801) (356ed6d)
- Set auto-provisioned node pools to use configured service account (#639) (4a61f76)
- Support for ACM for non GKE clusters (#786) (aa551d5)
- Move provider version constraint to required_providers block (#774) (825f287)
- Remove provider config from module to be TF 0.13 compatible (#777) (81b0a94)
12.3.0 (2020-12-09)
- Add instance_group_urls output (#618) (5623d51)
- Enable vertical autoscaling in GA modules (#758) (2e4f36a)
12.2.0 (2020-12-04)
- Add option for CPU manager policy (#749) (721f846)
- added notification_config block to beta submodules (#752) (4a85321)
- Enable ACM feature on hub (#722) (c199dae)
- Grant roles/artifactregistry.reader to created service account when grant_registry_access is true (#748) (166fb24)
- Make bash scripts more portable by referencing
/usr/bin/env
(#756) (24d6af6) - Remove max Terraform version constraint, allowing 0.14 compatibility (#757) (eb95de9)
12.1.0 (2020-11-10)
- Add cluster_telemetry var to beta submodules (#728) (e8291f0)
- Add support for Cloud Run load balancer configuration (#740) (685a2db)
- Support service account impersonation for wait-for-cluster script (#729) (75a56f1)
- fallback to name if location is not set (#736) (63d7f5e)
- multiple cluster wait-for-cluster.sh (#734) (6682911)
- Updating the Binary Authorization submodule to allow Terraform 0.13 (#726) (df98cf9)
12.0.0 (2020-10-16)
- This is a backwards-incompatible release. See the upgrade guide for details.
- GKE Hub functionality has been removed from ASM module(#665). Users can leverage Hub module for this functionality.
- Removed the gcloud_skip_download variable and defaulted to never downloading gcloud. (#712) (f84e838)
- ACM - Wait for gatekeeper & Hub: expose module_depends_on (#689) (26ea28d)
- add node_pool_taints to all the modules (#705) (68e8eec)
- allow passing roles to created Workload Identity service account (#708) (e761dce)
- Expose service account variable on ASM submodule (#658) (182dded)
- hub make decode work with -d or --decode (#671) (0b5bd3d)
- Hub submodule - add option to use existing service account to register clusters. (#678) (9f84cec)
- Promote previously beta features to GA modules (#709) (2cb4fae), closes #708
- ACM: fix bug when not using
ssh
secret type for ACM submodule (#679) (716867c) - make wait-for-cluster more robust (#676) (dffb047)
- Correct WI module source in docs (#701) (f31b1f4)
- Enable auto-upgrade in beta clusters with a release channel (#682) (21f95db)
- Fix broken link in README.md (#691) (6f0e749)
- Fix skip_provisioners enabled flag for wait_for_cluster (#669) (e293a43)
- remove hub from asm module (#670) (6f419c3)
- set project number for ASM install (#692) (c5d1e4d)
- Shorten GSA account_id if necessary (#666) (0225458)
11.1.0 (2020-09-04)
- Add variable disable_default_snat (#625) (19a9e9c)
- Update fields for ACM and Config Sync to bring them to feature parity (#635) (7fc3b48)
11.0.0 (2020-08-10)
- In-cluster resources have been updated to use the kubectl wrapper module. See the upgrade guide for details.
- Add support for enabling master_global_access, which is turned on by default. (#601) (8a9f904)
- Allow user to customize ASM install with different directories and versions (#620) (d542c5c)
- Update modules to use new kubectl module (#602) (794da61)
10.0.0 (2020-07-10)
See the upgrade guide for details.
- The default machine type has been changed to
e2-medium
. If you want the old default, you should specify it explicitly:machine_type = "n1-standard-2"
. - Pod security policy enablement has been changed to use a simple boolean flag (
var. enable_pod_security_policy
)
- add configconnector to safer variant (#581) (4b3f609)
- Added variable for service dependency in binary_authorization sub module (#584) (e3e5458)
- Changed default node pool machine type to e2-medium (#597) (1de41ef)
- Compatibility for new asm release with 299.0.0 (#589) (a5213c4)
- Explicitly specify VPC-native clusters for beta modules. (#598) (d9f7782)
- Simplified pod security policy interface. (6069ece)
- Typo in autogen/safer-cluster/README.md (#596) (ebdf57d)
9.4.0 (2020-06-25)
- Add ASM install submodule (#538) (6ff27f9)
- Add bool option for automount_service_account_token (#571) (002cfb1)
- Add firewall support safer-cluster modules (#570) (7ce3c49)
- Enhance WI module usability with existing KSA (#557) (cf3273d)
- Restore gcloud wait_for_cluster (#568) (0bcf3ca)
- Use gcloud module for scripts, closes #401 (#404) (65172de)
9.3.0 (2020-06-11)
- Add Beta Public Module Update Variant (#546) (d9f1ea8)
- Add ConfigConnector configuration option (beta) (#547) (672adf9)
9.2.0 (2020-05-27)
- Add submodule for creating a binary authentication attestor (#530) (cc30fbb)
- Add support for KALM config (#528) (6bf1178)
9.1.0 (2020-05-15)
- Add boot disk kms key variable (#516) (9195f0f)
- Expose gce_pd_csi_driver for Safer Cluster modules #503 (#514) (d4e7dc6)
9.0.0 (2020-05-07)
See the upgrade guide for details.
- Beta clusters have changed the default to use the GKE_METADATA_SERVER, to use the old option set
node_metadata = "SECURE"
. - Minimum provider change increased to 3.19.
- The ACM module has been refactored and resources will be recreated. This will show up in Terraform plans but is a safe no-op for Kubernetes.
- For the safer cluster module, you must now specify
release_channel
instead ofkubernetes_version
.
- [safer-cluster] Replace "kubernetes_version" with "release_channel" (#487) (5791ac1)
- Add an
auth
submodule outputting akubeconfig
(#469) (a5ace36) - Add config sync module (#493) (c090d5b)
- Add fully configurable resource usage export block in GA and upgrade GCP provider (#491) (54eca6b)
- Add GCE PD CSI Driver beta support (#497) (d96afa7)
- Add support for setting firewall rules (#470) (16bdd6e)
- Enable GKE_METADATA_SERVER as default node_metadata for beta-clusters (#490) (#512) (8e14762)
- Expose the grant_registry_access variable in safer-cluster (#509) (0961613)
8.1.0 (2020-04-10)
- Add peering_name output for private clusters and increase minimum provider version to 3.14 (#484) (ff6b5cc)
- Add support for enabling Nodelocal dns cache (var.dns_cache) (#477) (de8e1d5)
8.0.0 (2020-04-07)
v8.0.0 is a backwards-incompatible release. Please see the upgrading guide.
- Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set
identity_namespace = null
- Beta clusters now have shielded nodes enabled by default. To disable, set
enable_shielded_nodes = false
.
- Add support for setting var.istio_auth (#462) (fff4272)
- Added support for specifying autoscaling_profile in var.cluster_autoscaling (#456) (1ac2c5c)
- Enable WI and shielded nodes by default in beta clusters (#441) (704962b)
- Rollout default_max_pods_per_node setting to GA modules (#439) (36ddbbb)
- Correct bug in passing var.zones for safer cluster modules (#474) (7660b51)
- Fix CI for Workload Identity (#460) (025f8b7)
- Remove unused variable
service_account
in safer-cluster to avoid confusion (#448) (a30e7cd) - update and pin kubernetes provider to >= 1.11.1 (#453) (418d9b3)
- Use gcloud module for ACM submodule, will force reinstall of ACM (#442) (9737190), closes #454
7.3.0 (2020-02-19)
7.2.0 (2020-02-11)
- Add master_ipv4_cidr_block output for private clusters (#427) (2cc64c8)
- Allow workload identity submodule to update existing k8s SA. (#430) (51fba38)
7.1.0 (2020-02-07)
- Change for_each splat syntax on update variants, closes #414 (#415) (a20425f)
- If release_channel is active, set min_master_version to null (#412) (4c7b399)
- Prevents "Invalid index" when creating private cluster (#422) (cc53d1c), closes #419
- Stop warning about deprecated external references from destroy provisioners. (#420) (c8fde26)
7.0.0 (2020-01-29)
- Minimum beta provider version increased to 3.1 to allow surge upgrades.
- Beta clusters now have surge upgrades turned on by default. This behavior can be tuned using the max_surge and max_unavailable inputs.
- Moves node pool state location to allow using for_each on them, see the upgrade guide for details.
- Add a service activation module (#146) (658ea51)
- Enable Surge Upgrades by specifying max_surge and max_unavailable (Beta) (#394) (e4abe78)
- Move to using for_each for node pools (#257) (7d0c9aa)
- Change pod_security_policy_config type to list(object()) (#408) (a99352a)
- Removed dependency on jq from wait-for-cluster.sh script (#402) (d2a5e28)
v6.2.0 - 2019-12-27
- Breaking: Changed default logging and monitoring providers to new Stackdriver versions. #384
- Updated to support Google Provider version 3.x #381
v6.1.1 - 2019-12-04
- Fix endpoint output for private clusters where
private_nodes=false
. #365
v6.1.0 - 2019-12-03
- Support for using a pre-existing Service Account with the ACM submodule. #346
- Compute region output for zonal clusters. #362
v6.0.1 - 2019-12-02
- The required Google provider constraint has been relaxed to
~> 2.18
(>= 2.18, <3.0). #359
v6.0.0 - 2019-11-28
v6.0.0 is a backwards-incompatible release. Please see the upgrading guide.
- Support for Shielded Nodes beta feature via
enabled_shielded_nodes
variable. #300 - Support for setting node_locations on node pools. #303
- Fix for specifying
node_count
on node pools when autoscaling is disabled. #311 - Added submodule for installing Anthos Config Management. #268
- Support for
local_ssd_count
in node pool configuration. #339 - Wait for cluster to be ready before returning endpoint. #340
safer-cluster
submodule. #315simple_regional_with_networking
example. #195release_channel
variable for beta submodules. #271- The
node_locations
attribute to thenode_pools
object for beta submodules. #290 private_zonal_with_networking
example. #308regional_private_node_pool_oauth_scopes
example. #321- The
cluster_autoscaling
variable for beta submodules. #93 - The
master_authorized_networks
variable. #354
- The
node_pool_labels
,node_pool_tags
, andnode_pool_taints
variables have defaults and can be overridden within thenode_pools
object. #3 upstream_nameservers
variable is typed as a list of strings. #350- The
network_policy
variable defaults totrue
. #138
- Breaking: Removed support for enabling the Kubernetes dashboard, as this is deprecated on GKE. #337
- Breaking: Removed support for versions of the Google provider and the Google Beta provider older than 2.18. #261
- Breaking: Removed the
master_authorized_networks_config
variable. #354
identity_namespace
output depends on thegoogle_container_cluster.primary
resource. #301- Idempotency of the beta submodules. #326
v5.1.1 - 2019-10-25
- Fixed bug with setting up sandboxing on nodes. #286
v5.1.0 - 2019-10-24
- Added ability to skip local-exec provisioners. #258
- Added private and beta private variants which allow node pools to be created before being destroyed. #256
- Add a parameter
registry_project_id
to allow connecting to registries in other projects. #273
- Made
region
variable optional for zonal clusters. #247 - Made default metadata, labels, and tags optional. #282
v5.0.0 - 2019-09-25
v5.0.0 is a backwards-incompatible release. Please see the upgrading guide.
The v5.0.0 module requires using the 2.12 version of the Google provider.
- Breaking: Enabled metadata-concealment by default #248
- All beta functionality removed from non-beta clusters, moved
node_pool_taints
to beta modules #228
- Added support for resource usage export config #238
- Added
sandbox_enabled
variable to use GKE Sandbox #241 - Added
grant_registry_access
variable to grant Container Registry access to created SA #236 - Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features #216
- Support for Workload Identity beta feature #234
- Support for Google Groups based RBAC beta feature #217
- Support for disabling node pool autoscaling by setting
autoscaling
tofalse
within the node pool variable. #250
- Fixed issue with passing a dynamically created Service Account to the module. #27
v4.1.0 2019-07-24
- Support for GCE cluster resource_labels. #210
endpoint
output depends on cluster and node pool resources to avoid a race condition. #214
v4.0.0 2019-07-12
- Supported version of Terraform is 0.12. #177
v3.0.0 - 2019-07-08
v3.0.0 is a breaking release. Refer to the Upgrading to v3.0 guide for details.
- Add configuration flag for enable BinAuthZ Admission controller #160 #188
- Add configuration flag for
pod_security_policy_config
#163 #188 - Support for a guest accelerator in node pool configuration. #197
- Support to scale the default node cluster. #149
- Support for configuring the network policy provider. #159
- Support for database encryption. #165
- Submodules for public and private clusters with beta features. #124 #188 #203
- Support for configuring cluster IPv4 CIDRs. #193
- Support for configuring IP Masquerade. #187
- Support for v2.9 of the Google providers. #198
- Support for upstreamNameservers. #207
- Dropped support for versions of the Google provider earlier than v2.9; these versions multiple incompatibilities with the module. #198
v2.1.0 - 2019-05-30
- Support for v2.6 and v2.7 of the Google providers. #152
deploy_using_private_endpoint
variable onprivate-cluster
submodule. #136
- The dependency on jq has been documented in the README. #151
v2.0.1 - 2019-05-01
- Explicitly pinned supported version of Terraform Google provider to 2.3. #148
v2.0.0 - 2019-04-12
v2.0.0 is a breaking release. Refer to the Upgrading to v2.0 guide for details.
- Add
basic_auth_username
set to""
by default. #40 - Add
basic_auth_password
set to""
by default. #40 - Add
issue_client_certificate
set tofalse
by default. #40 - Add
node_pool_oauth_scopes
which enables overriding the default node pool OAuth scopes. #94
- The
service_account
variable defaults to"create"
which causes a cluster-specific service account to be created. - Disabled Basic Authentication by default. #40
v1.0.1 - 2019-04-04
- Note about using Terraform with private clusters. #121
- Optimized dependency between node pools and primary cluster. #77
- Removed
credentials_path
variables from examples. #89
- Fix empty zone list. #132
v1.0.0 - 2019-03-25
Version 1.0.0 of this module introduces a breaking change: adding the disable-legacy-endpoints
metadata field to all node pools. This metadata is required by GKE and determines whether the /0.1/
and /v1beta1/
paths are available in the nodes' metadata server. If your applications do not require access to the node's metadata server, you can leave the default value of true
provided by the module. If your applications require access to the metadata server, be sure to read the linked documentation to see if you need to set the value for this field to false
to allow your applications access to the above metadata server paths.
In either case, upgrading to module version v1.0.0
will trigger a recreation of all node pools in the cluster.
- Allow creation of service accounts. #80
- Add support for private clusters via submodule. #69
- Add
remove_default_node_pool
set tofalse
by default. Fixes #15. #55 - Allow arbitrary key-value pairs to be set on node pool metadata. #52
- Add
initial_node_count
parameter to node_pool block. #60 - Added
disable_legacy_metadata_endpoints
parameter. [#114]
- Set
horizontal_pod_autoscaling
totrue
by default. Fixes #42. #54 - Update simple-zonal example GKE version to supported version. #49
- Drop explicit version from simple_zonal example. #74
- Remove explicit versions from test cases and examples. #62
- Set up submodule structure for public and private clusters. #61
- Update the google and google-beta providers to v2.2 #106
- Zonal clusters can now accept a single zone. Fixes #43. #50
- Fix link to "configure a service account" #73
- Fix issue with regional cluster roll outs causing version skews #108
- Fix permanent metadata skew due to disable-legacy-endpoints keys [#114]
v0.4.0 - 2018-12-19
- Updated default version to
1.10.6
. #31
region
argument on google_compute_subnetwork caused errors. #22- Added check to wait for GKE cluster to be
READY
before completing. #46
v0.3.0 - 2018-10-10
- Updated network/subnetwork lookup to use data source. #16
- Make zone configuration optional when creating a regional cluster. #19
v0.2.0 - 2018-09-26
- Support for configuring master authorized networks. #10
- Support specifying monitoring and logging services. #9
- Initial release of module.