From 2d0f2bfb77d3ba257ff61fd50415a1a4a7764685 Mon Sep 17 00:00:00 2001
From: iamjanr
Date: Thu, 12 Dec 2024 09:02:05 +0100
Subject: [PATCH] PLT-1330 CMEK, SA & CIDRs
---
 CHANGELOG.md | 1 +
 pkg/cluster/internal/validate/gcp.go | 12 ++++++++++++
 pkg/commons/cluster.go | 14 ++++++++++++++
 3 files changed, 27 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e480cd7b7..d2911af637 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 0.17.0-0.6.1 (upcoming)
+* [PLT-1330] CMEK - Service accounts & Secondary CIDR ranges adaption to R4.7
 * [Core] Fix [PLT-964]
 ## 0.17.0-0.6.0 (2024-11-11)
diff --git a/pkg/cluster/internal/validate/gcp.go b/pkg/cluster/internal/validate/gcp.go
index f8c2991935..0ec82b2f6e 100644
--- a/pkg/cluster/internal/validate/gcp.go
+++ b/pkg/cluster/internal/validate/gcp.go
@@ -157,6 +157,18 @@ func validateGCP(spec commons.KeosSpec, providerSecrets map[string]string) error
 }
 }
 }
+ // Validate encryptionKey for managed clusters root volume
+ isKeyValid := regexp.MustCompile(`^projects/[a-zA-Z0-9-]+/locations/[a-zA-Z0-9-]+/keyRings/[a-zA-Z0-9-]+/cryptoKeys/[a-zA-Z0-9-]+$`).MatchString
+ for _, wn := range spec.WorkerNodes {
+ if wn.RootVolume.Encrypted {
+ if wn.RootVolume.EncryptionKey == "" {
+ return errors.New("spec.control_plane.root_volume: \"encryption_key\": is required when \"encrypted\" is set to true")
+ }
+ if !isKeyValid(wn.RootVolume.EncryptionKey) {
+ return errors.New("spec.control_plane.root_volume: \"encryption_key\": it must have the format projects/[PROJECT_ID]/locations/[REGION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]")
+ }
+ }
+ }
 }
 for _, wn := range spec.WorkerNodes {
diff --git a/pkg/commons/cluster.go b/pkg/commons/cluster.go
index 8f1a61ed6c..81e10ce557 100644
--- a/pkg/commons/cluster.go
+++ b/pkg/commons/cluster.go
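Review bot: Both error messages in the new loop point the user at `spec.control_plane.root_volume`, yet the loop walks `spec.WorkerNodes` and checks `wn.RootVolume`, so a rejected worker-node key reports the wrong field; the prefix should be the worker-nodes path, e.g. `return errors.New("spec.worker_nodes.root_volume: \"encryption_key\": is required when \"encrypted\" is set to true")`, with the same change on the format error (and the node's name included if the worker-node struct carries one). The pattern's `[a-zA-Z0-9-]` segments reject underscores, which Cloud KMS allows in key ring and crypto key IDs, so a legitimately named CMEK would be refused; `[a-zA-Z0-9_-]+` for the `keyRings` and `cryptoKeys` segments avoids that. The regexp is constant, so `regexp.MustCompile` belongs at package scope (`var gcpKMSKeyRe = regexp.MustCompile(...)`) rather than being compiled on every validateGCP call. The check only asserts the resource-name shape; whether the key exists and the node service account holds `roles/cloudkms.cryptoKeyEncrypterDecrypter` on it is only discovered at create time, which is worth stating in the comment above the loop. validateGCP starts and ends outside this hunk, so I cannot see whether the control-plane root volume gets an equivalent check.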
@@ -180,6 +180,8 @@ type GCPCP struct {
 MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `yaml:"master_authorized_networks_config,omitempty"`
 MonitoringConfig *MonitoringConfig `yaml:"monitoring_config,omitempty"`
 LoggingConfig *LoggingConfig `yaml:"logging_config,omitempty"`
+ ClusterIpv4Cidr string `yaml:"cluster_ipv4_cidr,omitempty"`
+ IPAllocationPolicy IPAllocationPolicy `yaml:"ip_allocation_policy,omitempty"`
 }
 type ClusterNetwork struct {
@@ -218,6 +220,15 @@ type LoggingConfig struct {
 Workloads *bool `yaml:"workloads,omitempty"`
 }
+type IPAllocationPolicy struct {
+ // +kubebuilder:default=true
+ UseIPAliases bool `yaml:"use_ip_aliases,omitempty"`
+ ClusterSecondaryRangeName string `yaml:"cluster_secondary_range_name,omitempty"`
+ ServicesSecondaryRangeName string `yaml:"services_secondary_range_name,omitempty"`
+ ClusterIpv4CidrBlock string `yaml:"cluster_ipv4_cidr_block,omitempty"`
+ ServicesIpv4CidrBlock string `yaml:"services_ipv4_cidr_block,omitempty"`
+}
+
 type Keos struct {
 Flavour string `yaml:"flavour,omitempty"`
 }
@@ -259,6 +270,9 @@ type Security struct {
 AWS struct {
 CreateIAM bool `yaml:"create_iam" validate:"boolean"`
 } `yaml:"aws,omitempty"`
+ GCP struct {
+ Scopes []string `yaml:"scopes,omitempty"`
+ } `yaml:"gcp,omitempty"`
 }
 type WorkerNodes []struct {
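Review bot: `ClusterIpv4Cidr` on GCPCP and the new `IPAllocationPolicy.ClusterIpv4CidrBlock` describe the same pod range, and as far as I recall the GKE API rejects a create that sets both (`clusterIpv4Cidr` must be blank when `ipAllocationPolicy.clusterIpv4CidrBlock` is given); nothing in this patch's validate/gcp.go hunk checks that, nor that either string parses with `net.ParseCIDR`, so a typo surfaces only as a failed cluster create. A guard in validateGCP that returns an error when both are non-empty, plus a `net.ParseCIDR` check on whichever is set, would catch it early. A doc comment on each field stating which one applies when `use_ip_aliases` is set would also help, e.g. `// ClusterIpv4Cidr is the legacy (non-VPC-native) pod range; leave empty when IPAllocationPolicy is used.`. The GCPCP struct begins outside this hunk.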
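Review bot: The `// +kubebuilder:default=true` marker on `UseIPAliases` has no effect here: these are `yaml`-tagged config types rather than CRD types run through controller-gen, so a spec that omits `use_ip_aliases` decodes to `false`, and with `omitempty` on a plain `bool` an explicit `false` is also dropped on re-serialization, making "unset" and "false" indistinguishable (the same trap exists in a CRD, where `omitempty` plus `default=true` makes `false` unsettable). The sibling `LoggingConfig.Workloads` in this hunk already uses `*bool` for exactly this reason, so declare it as `UseIPAliases *bool \`yaml:"use_ip_aliases,omitempty"\``, apply the true default where the policy is consumed, and replace the marker with a comment such as `// UseIPAliases defaults to true when nil; secondary-range pod/service CIDRs require alias IPs.`. The four range fields are accepted without any check in this patch; `ClusterIpv4CidrBlock`/`ServicesIpv4CidrBlock` should at least pass `net.ParseCIDR`, and a secondary-range name and a CIDR block for the same range are, as far as I recall the GKE API, alternatives rather than companions, which is worth confirming and enforcing in validateGCP.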
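Review bot: `Security.GCP.Scopes` is accepted with no validation and no documentation, and the field name suggests it becomes the OAuth scope list on the node service account (the consumer is not in this patch, so treat that as inferred): an entry such as `https://www.googleapis.com/auth/cloud-platform` lets every pod on the node exercise the full IAM role of that service account through the metadata server, which is the classic GKE privilege-escalation path. Add a doc comment, e.g. `// Scopes are the OAuth scopes granted to the node service account. Keep to the narrow defaults; cloud-platform exposes the whole IAM role to pods.`, and, if the `validate` tag on the AWS sibling is go-playground/validator, `validate:"omitempty,dive,url"` at least rejects malformed entries; a prefix check for `https://www.googleapis.com/auth/` in validateGCP would be stricter. The Security struct begins outside this hunk.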