feat: add confidential nodes example (#2227)

Co-authored-by: Andrew Peabody <[email protected]>

Author: arthurlapertosa

autogen/safer-cluster/main.tf.tmpl

@@ -110,6 +110,8 @@ module "gke" {
   monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus
   monitoring_enabled_components        = var.monitoring_enabled_components
 
+  enable_confidential_nodes = var.enable_confidential_nodes
+
   // We never use the default service account for the cluster. The default
   // project/editor permissions can create problems if nodes were to be ever
   // compromised.

autogen/safer-cluster/variables.tf.tmpl

@@ -544,3 +544,9 @@ variable "deletion_protection" {
   description = "Whether or not to allow Terraform to destroy the cluster."
   default     = true
 }
+
+variable "enable_confidential_nodes" {
+  type        = bool
+  description = "An optional flag to enable confidential node config."
+  default     = false
+}

build/int.cloudbuild.yaml

@@ -466,6 +466,21 @@ steps:
     - verify simple-fleet-app-operator-permissions
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage teardown --verbose']
+- id: apply test-confidential-safer-cluster
+  waitFor:
+    - init-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage apply --verbose']
+- id: verify test-confidential-safer-cluster
+  waitFor:
+    - apply test-confidential-safer-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage verify --verbose']
+- id: teardown test-confidential-safer-cluster
+  waitFor:
+    - verify test-confidential-safer-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/confidential_safer_cluster/README.md

@@ -0,0 +1,40 @@
+# Confidential Safer GKE Cluster
+
+This example illustrates how to instantiate the Safer Cluster module
+with confidential nodes enabled and database encrypted with KMS key.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to host the cluster in. | `string` | n/a | yes |
+| region | The region to host the cluster in. | `string` | `"us-central1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | The cluster ca certificate (base64 encoded). |
+| client\_token | The bearer token for auth. |
+| cluster\_name | Cluster name. |
+| explicit\_k8s\_version | Explicit version used for cluster creation. |
+| keyring | The name of the keyring. |
+| kms\_key\_name | KMS Key Name. |
+| kubernetes\_endpoint | The cluster endpoint. |
+| location | n/a |
+| master\_kubernetes\_version | Kubernetes version of the master. |
+| network\_name | The name of the VPC being created. |
+| project\_id | The project ID the cluster is in. |
+| region | The region in which the cluster resides. |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnet\_names | The names of the subnet being created. |
+| zones | List of zones in which the cluster resides. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/confidential_safer_cluster/kms.tf

@@ -0,0 +1,41 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  key_name = "gke-key-${random_string.suffix.result}"
+}
+
+module "kms" {
+  source          = "terraform-google-modules/kms/google"
+  version         = "~> 3.0"
+  project_id      = var.project_id
+  location        = var.region
+  keyring         = "gke-keyring-${random_string.suffix.result}"
+  keys            = [local.key_name]
+  prevent_destroy = false
+}
+
+resource "google_project_service_identity" "container_identity" {
+  provider = google-beta
+  project  = var.project_id
+  service  = "container.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "sm_sa_encrypter_decrypter" {
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = google_project_service_identity.container_identity.member
+  crypto_key_id = module.kms.keys[local.key_name]
+}

examples/confidential_safer_cluster/main.tf

@@ -0,0 +1,102 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+locals {
+  cluster_type           = "confidential-safer"
+  network_name           = "confidential-safer-network-${random_string.suffix.result}"
+  subnet_name            = "confidential-safer-subnet"
+  master_auth_subnetwork = "confidential-safer-master-subnet"
+  pods_range_name        = "ip-range-pods-${random_string.suffix.result}"
+  svc_range_name         = "ip-range-svc-${random_string.suffix.result}"
+  subnet_names           = [for subnet_self_link in module.gcp-network.subnets_self_links : split("/", subnet_self_link)[length(split("/", subnet_self_link)) - 1]]
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+  host                   = "https://${module.gke.endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
+// A random valid k8s version is retrived
+// to specify as an explicit version.
+data "google_container_engine_versions" "current" {
+  project  = var.project_id
+  location = var.region
+}
+
+resource "random_shuffle" "version" {
+  input        = data.google_container_engine_versions.current.valid_master_versions
+  result_count = 1
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster"
+  version = "~> 35.0"
+
+  project_id                 = var.project_id
+  name                       = "${local.cluster_type}-cluster-${random_string.suffix.result}"
+  regional                   = true
+  region                     = var.region
+  network                    = module.gcp-network.network_name
+  subnetwork                 = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)]
+  ip_range_pods              = local.pods_range_name
+  ip_range_services          = local.svc_range_name
+  master_ipv4_cidr_block     = "172.16.0.0/28"
+  add_cluster_firewall_rules = true
+  firewall_inbound_ports     = ["9443", "15017"]
+  kubernetes_version         = random_shuffle.version.result[0]
+  release_channel            = "UNSPECIFIED"
+  deletion_protection        = false
+  enable_private_endpoint    = true
+  enable_confidential_nodes  = true
+
+  master_authorized_networks = [
+    {
+      cidr_block   = "10.60.0.0/17"
+      display_name = "VPC"
+    },
+  ]
+
+  database_encryption = [
+    {
+      "key_name" : module.kms.keys[local.key_name],
+      "state" : "ENCRYPTED"
+    }
+  ]
+
+  node_pools = [
+    {
+      name               = "default"
+      machine_type       = "n2d-standard-2"
+      enable_secure_boot = true
+    },
+  ]
+
+  notification_config_topic = google_pubsub_topic.updates.id
+}
+
+resource "google_pubsub_topic" "updates" {
+  name    = "cluster-updates-${random_string.suffix.result}"
+  project = var.project_id
+}

examples/confidential_safer_cluster/network.tf

@@ -0,0 +1,52 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+  source  = "terraform-google-modules/network/google"
+  version = "~> 10.0"
+
+  project_id   = var.project_id
+  network_name = local.network_name
+  routing_mode = "GLOBAL"
+
+  subnets = [
+    {
+      subnet_name           = local.subnet_name
+      subnet_ip             = "10.0.0.0/17"
+      subnet_region         = var.region
+      subnet_private_access = true
+    },
+    {
+      subnet_name           = local.master_auth_subnetwork
+      subnet_ip             = "10.60.0.0/17"
+      subnet_region         = var.region
+      subnet_private_access = true
+    },
+  ]
+
+  secondary_ranges = {
+    (local.subnet_name) = [
+      {
+        range_name    = local.pods_range_name
+        ip_cidr_range = "192.168.0.0/18"
+      },
+      {
+        range_name    = local.svc_range_name
+        ip_cidr_range = "192.168.64.0/18"
+      },
+    ]
+  }
+}

examples/confidential_safer_cluster/outputs.tf

@@ -0,0 +1,91 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  description = "The cluster endpoint."
+  sensitive   = true
+  value       = module.gke.endpoint
+}
+
+output "cluster_name" {
+  description = "Cluster name."
+  value       = module.gke.name
+}
+
+output "location" {
+  value = module.gke.location
+}
+
+output "master_kubernetes_version" {
+  description = "Kubernetes version of the master."
+  value       = module.gke.master_version
+}
+
+output "client_token" {
+  description = "The bearer token for auth."
+  sensitive   = true
+  value       = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  description = "The cluster ca certificate (base64 encoded)."
+  value       = module.gke.ca_certificate
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = module.gke.service_account
+}
+
+output "network_name" {
+  description = "The name of the VPC being created."
+  value       = module.gcp-network.network_name
+}
+
+output "subnet_names" {
+  description = "The names of the subnet being created."
+  value       = module.gcp-network.subnets_names
+}
+
+output "region" {
+  description = "The region in which the cluster resides."
+  value       = module.gke.region
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides."
+  value       = module.gke.zones
+}
+
+output "project_id" {
+  description = "The project ID the cluster is in."
+  value       = var.project_id
+}
+
+output "explicit_k8s_version" {
+  description = "Explicit version used for cluster creation."
+  value       = random_shuffle.version.result[0]
+}
+
+output "keyring" {
+  description = "The name of the keyring."
+  value       = module.kms.keyring
+}
+
+output "kms_key_name" {
+  description = "KMS Key Name."
+  value       = module.kms.keys[local.key_name]
+}

examples/confidential_safer_cluster/variables.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to host the cluster in."
+}
+
+variable "region" {
+  type        = string
+  description = "The region to host the cluster in."
+  default     = "us-central1"
+}