Refactored workloads and Kubernetes manifest actions (#119)

Author: arueth

.github/workflows/dictionary/terraform.txt

@@ -1,5 +1,6 @@
 abspath
 cidrhost
+direxists
 endfor
 filemd
 fileset

platforms/gke/base/_shared_config/cluster_variables.tf

@@ -18,11 +18,9 @@
 #
 
 locals {
-  cluster_credentials_command_private = "gcloud container clusters get-credentials ${local.cluster_name} --internal-ip --location ${var.cluster_region} --project ${var.cluster_project_id}"
-  cluster_credentials_command_public  = "gcloud container clusters get-credentials ${local.cluster_name} --location ${var.cluster_region} --project ${var.cluster_project_id}"
-  cluster_credentials_command_gke     = var.cluster_enable_private_endpoint ? local.cluster_credentials_command_private : local.cluster_credentials_command_public
-  cluster_credentials_command_gkee    = "gcloud container fleet memberships get-credentials ${local.cluster_name} --project ${var.cluster_project_id}"
-  cluster_credentials_command         = var.cluster_use_connect_gateway ? local.cluster_credentials_command_gkee : local.cluster_credentials_command_gke
+  cluster_credentials_command_gke  = "gcloud container clusters get-credentials ${local.cluster_name} --dns-endpoint --location ${var.cluster_region} --project ${var.cluster_project_id}"
+  cluster_credentials_command_gkee = "gcloud container fleet memberships get-credentials ${local.cluster_name} --project ${var.cluster_project_id}"
+  cluster_credentials_command      = var.cluster_use_connect_gateway ? local.cluster_credentials_command_gkee : local.cluster_credentials_command_gke
 
   cluster_name = local.unique_identifier_prefix
 
@@ -31,9 +29,6 @@ locals {
   cluster_node_pool_service_account_id         = var.cluster_node_pool_default_service_account_id != null ? var.cluster_node_pool_default_service_account_id : "vm-${local.cluster_name}"
   cluster_node_pool_service_account_project_id = var.cluster_node_pool_default_service_account_project_id != null ? var.cluster_node_pool_default_service_account_project_id : var.cluster_project_id
 
-  kubeconfig_directory = abspath("${path.module}/../kubeconfig")
-  kubeconfig_file      = abspath("${local.kubeconfig_directory}/${var.cluster_project_id}-${local.unique_identifier_prefix}")
-
   # Minimal roles for nodepool SA https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
   cluster_sa_roles = [
     "roles/artifactregistry.reader",
@@ -44,6 +39,8 @@ locals {
     "roles/serviceusage.serviceUsageConsumer",
     "roles/stackdriver.resourceMetadata.writer",
   ]
+
+  kubeconfig_file_name = "${var.cluster_project_id}-${local.cluster_name}"
 }
 
 variable "cluster_binary_authorization_evaluation_mode" {
@@ -231,7 +228,7 @@ variable "cluster_system_node_pool_machine_type" {
 }
 
 variable "cluster_use_connect_gateway" {
-  default     = true
-  description = "Use Connect gateway to connect to the cluster, require GKE Enterprise. (https://cloud.google.com/kubernetes-engine/enterprise/multicluster-management/gateway)"
+  default     = false
+  description = "Use Connect gateway to connect to the cluster, requires GKE Enterprise. (https://cloud.google.com/kubernetes-engine/enterprise/multicluster-management/gateway)"
   type        = bool
 }

platforms/gke/base/_shared_config/scripts/link_shared_config.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SHARED_CONFIG_DIRECTORY=${1}
+SHARED_CONFIG_NAME=${2}
+
+if [[ ${SHARED_CONFIG_DIRECTORY} != \.* ]]; then
+  echo "The shared config directory path must be a relative path!"
+  exit 1
+fi
+
+if test ! -d "${SHARED_CONFIG_DIRECTORY}"; then
+  echo "Shared config directory '${SHARED_CONFIG_DIRECTORY}' does not exist!"
+  exit 2
+fi
+
+if test ! -f "${SHARED_CONFIG_DIRECTORY}/${SHARED_CONFIG_NAME}_variables.tf"; then
+  echo "Shared config '${SHARED_CONFIG_NAME}' does not exist in '${SHARED_CONFIG_DIRECTORY}'!"
+  exit 3
+fi
+
+ln -s ${SHARED_CONFIG_DIRECTORY}/${SHARED_CONFIG_NAME}_variables.tf _${SHARED_CONFIG_NAME}_variables.tf
+ln -s ${SHARED_CONFIG_DIRECTORY}/${SHARED_CONFIG_NAME}.auto.tfvars _${SHARED_CONFIG_NAME}.auto.tfvars
+
+echo "Successfully linked shared config '${SHARED_CONFIG_NAME}' from '${SHARED_CONFIG_DIRECTORY}'."

platforms/gke/base/_shared_config/workloads_variables.tf

@@ -17,11 +17,11 @@
 #
 
 locals {
-  manifests_directory = abspath("${path.module}/../manifests")
+  manifests_directory_root = "${path.module}/../../../kubernetes/manifests"
 }
 
 variable "kueue_version" {
-  default     = "0.10.0"
+  default     = "0.10.2"
   description = "Version of Kueue (https://kueue.sigs.k8s.io/) to install."
   type        = string
 }

platforms/gke/base/core/deploy.sh

@@ -35,6 +35,7 @@ else
     "gke_enterprise/fleet_membership"
     # Disable gke_enterprise/servicemesh due to b/376312292
     # "gke_enterprise/servicemesh"
+    "workloads/cluster_credentials"
     "workloads/kueue"
   )
 fi

platforms/gke/base/core/workloads/cluster_credentials/.terraform.lock.hcl

@@ -0,0 +1 @@
+../../../_shared_config/cluster.auto.tfvars

platforms/gke/base/core/workloads/cluster_credentials/_cluster.auto.tfvars

@@ -0,0 +1 @@
+../../../_shared_config/cluster_variables.tf

platforms/gke/base/core/workloads/cluster_credentials/_cluster_variables.tf

@@ -0,0 +1 @@
+../../../_shared_config/platform.auto.tfvars

platforms/gke/base/core/workloads/cluster_credentials/_platform.auto.tfvars

@@ -0,0 +1 @@
+../../../_shared_config/platform_variables.tf

platforms/gke/base/core/workloads/cluster_credentials/_platform_variables.tf

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,24 +12,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-resource "null_resource" "cluster_credentials" {
+locals {
+  kubeconfig_directory = "${path.module}/../../../kubernetes/kubeconfig"
+  kubeconfig_file      = "${local.kubeconfig_directory}/${local.kubeconfig_file_name}"
+}
+
+resource "terraform_data" "cluster_credentials" {
+  input = {
+    cluster_credentials_command = local.cluster_credentials_command
+    kubeconfig_file             = local.kubeconfig_file
+  }
+
   provisioner "local-exec" {
     command     = <<EOT
-KUBECONFIG=${self.triggers.kubeconfig_file} ${local.cluster_credentials_command} 
+mkdir -p $(dirname ${self.input.kubeconfig_file})
+KUBECONFIG=${self.input.kubeconfig_file} ${self.input.cluster_credentials_command} 
 EOT
     interpreter = ["bash", "-c"]
     working_dir = path.module
   }
 
   provisioner "local-exec" {
-    command     = "rm -rf ${self.triggers.kubeconfig_file}"
+    command     = "rm -rf ${self.input.kubeconfig_file}"
     interpreter = ["bash", "-c"]
     when        = destroy
     working_dir = path.module
   }
 
-  triggers = {
-    always_run      = timestamp()
-    kubeconfig_file = local.kubeconfig_file
+  triggers_replace = {
+    always_run = timestamp()
   }
 }

platforms/gke/base/core/workloads/kueue/container_cluster.tf renamed to platforms/gke/base/core/workloads/cluster_credentials/main.tf

@@ -0,0 +1,24 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+  }
+
+  provider_meta "google" {
+    module_name = "cloud-solutions/acp_gke_base_core_workloads_cluster-credentials_deploy-v1"
+  }
+}