feat: Add support for setting var.istio_auth (terraform-google-modules#462)

* add istio mtls support * docs * fix test * keep istio config flat * lint * fix examples * fix examples

Author: bharathkkb

autogen/main/cluster.tf.tmpl

@@ -147,6 +147,7 @@ resource "google_container_cluster" "primary" {
 
  istio_config {
  disabled = ! var.istio
+ auth = var.istio_auth
  }
 
  dynamic "cloudrun_config" {

autogen/main/variables.tf.tmpl

@@ -393,6 +393,12 @@ variable "istio" {
  default = false
 }
 
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
  description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
  type = list(object({ state = string, key_name = string }))

autogen/safer-cluster/main.tf.tmpl

@@ -116,7 +116,9 @@ module "gke" {
  master_ipv4_cidr_block = var.master_ipv4_cidr_block
 
  // Istio is recommended for pod-to-pod communications.
- istio = var.istio
+ istio = var.istio
+ istio_auth = var.istio_auth
+
  cloudrun = var.cloudrun
 
  default_max_pods_per_node = var.default_max_pods_per_node

autogen/safer-cluster/variables.tf.tmpl

@@ -231,6 +231,12 @@ variable "istio" {
  default = false
 }
 
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
 variable "default_max_pods_per_node" {
  description = "The maximum number of pods to schedule per node"
  default = 110

modules/beta-private-cluster-update-variant/README.md

@@ -187,6 +187,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -132,6 +132,7 @@ resource "google_container_cluster" "primary" {
 
  istio_config {
  disabled = ! var.istio
+ auth = var.istio_auth
  }
 
  dynamic "cloudrun_config" {

modules/beta-private-cluster-update-variant/variables.tf

@@ -386,6 +386,12 @@ variable "istio" {
  default = false
 }
 
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
  description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
  type = list(object({ state = string, key_name = string }))

modules/beta-private-cluster/README.md

@@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no |

modules/beta-private-cluster/cluster.tf

@@ -132,6 +132,7 @@ resource "google_container_cluster" "primary" {
 
  istio_config {
  disabled = ! var.istio
+ auth = var.istio_auth
  }
 
  dynamic "cloudrun_config" {

modules/beta-private-cluster/variables.tf

@@ -386,6 +386,12 @@ variable "istio" {
  default = false
 }
 
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
+}
+
 variable "database_encryption" {
  description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key."
  type = list(object({ state = string, key_name = string }))