* Add ILBs, broadly following the AWS model. The following new
capabilities are added for clusters in GCP:
* Cluster's spec.api.loadBalancer can be set to 'type: internal' on
GCP.
* Therefore, GCP can now create:
* regional backend services
* regional (non-legacy) healthchecks
* firewall rules with "internal" load-balancing scheme
* firewall rules with dot-notation-specified IP addresses
* Cluster's spec.api.loadBalancer's 'subnets' field functions
as in the AWS model.
A few incidental changes are included, either because this change
touched the relevant code or because my use case happened to trigger the
issues that are fixed here.
* Cluster's spec.networkID field can be prefixed by project to use
GCP's common cross-project networking model.
* The presumption is that all specified subnets belong to this
network and therefore this project.
* Add missing operation wait on forwarding rule creation.
* Some Terraform output improvements:
* Permit no-ACL files in GCS buckets in Terraform output.
* Enable marginally better cross-resource reference in Terraform outputs
* Add project to network + subnetwork literals in Terraform output.
* Add terraform output to backend services and health checks.
Testing:
* Add mocks for backend services and health checks.
* Add minimal integration test - copied from gce_private and ilb added.
* Add update cluster goldens.
Co-authored-by: Travis Reid <travis_reid@apple.com>
If we're using a cluster-level service-account, we shouldn't try to
set bucket permissions on a per-IG level.
For compatibility with the existing behavior, we simply don't set any
permissions in this case.
We discover the kops-controller in gossip mode using seeding code that
calls into the GCE API, just like gossip itself does.
We refactor the gossip code into a shared gcediscovery library with
minimal dependencies.
Empty or "nat" now defaults to creating a per-subnet NAT router for
private topologies. "external" will assume that egress is configured
outside of kOps.
We need to open up the ipip protocol, which wasn't previously enabled.
Future work could construct the firewall rules in a common library,
and then adapt them to the various clouds.
Supporting IPv6 values where they can be set by the user, and ensuring
that IPv4 and IPv6 firewall rules are split because on GCP they cannot
be in the same rule.
This should be much easier to start and to get under testing; it only
works with a load balancer, it sets the apiserver into anonymous-auth
allowed, it grants the anonymous auth user permission to read our jwks
tokens. But it shouldn't need a second bucket or anything of that
nature.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
Ciprian Hacman