feat(safer-cluster): add some missing variables

bergemalm · bergemalm · commit 49f136dde7e3 · 2025-09-03T08:45:20.000+02:00
- node_pools_resource_manager_tags
- node_pools_linux_node_configs_sysctls
- node_pools_cgroup_mode
- node_pools_hugepage_size_2m
- node_pools_hugepage_size_1g
- enable_secret_manager_addon
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
@@ -89,13 +89,18 @@ module "gke" {
   // If removing the default node pool, initial_node_count should be at least 1.
   initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count
 
-  node_pools                 = var.node_pools
-  windows_node_pools         = var.windows_node_pools
-  node_pools_labels          = var.node_pools_labels
-  node_pools_resource_labels = var.node_pools_resource_labels
-  node_pools_metadata        = var.node_pools_metadata
-  node_pools_taints          = var.node_pools_taints
-  node_pools_tags            = var.node_pools_tags
+  node_pools                            = var.node_pools
+  windows_node_pools                    = var.windows_node_pools
+  node_pools_labels                     = var.node_pools_labels
+  node_pools_resource_labels            = var.node_pools_resource_labels
+  node_pools_resource_manager_tags      = var.node_pools_resource_manager_tags
+  node_pools_metadata                   = var.node_pools_metadata
+  node_pools_linux_node_configs_sysctls = var.node_pools_linux_node_configs_sysctls
+  node_pools_cgroup_mode                = var.node_pools_cgroup_mode
+  node_pools_hugepage_size_2m           = var.node_pools_hugepage_size_2m
+  node_pools_hugepage_size_1g           = var.node_pools_hugepage_size_1g
+  node_pools_taints                     = var.node_pools_taints
+  node_pools_tags                       = var.node_pools_tags
 
   node_pools_oauth_scopes = var.node_pools_oauth_scopes
 
@@ -216,6 +221,8 @@ module "gke" {
 
   enable_gcfs = var.enable_gcfs
 
+  enable_secret_manager_addon = var.enable_secret_manager_addon
+
   // Enabling vulnerability and audit for workloads
   workload_vulnerability_mode = var.workload_vulnerability_mode
   workload_config_audit_mode  = var.workload_config_audit_mode
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" {
   }
 }
 
+variable "node_pools_resource_manager_tags" {
+  type        = map(map(string))
+  description = "Map of maps containing resource manager tags by node-pool name"
+
+  default = {
+    all               = {}
+    default-node-pool = {}
+  }
+}
+
 variable "node_pools_metadata" {
   type        = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
@@ -195,6 +205,50 @@ variable "node_pools_metadata" {
   }
 }
 
+variable "node_pools_linux_node_configs_sysctls" {
+  type        = map(map(string))
+  description = "Map of maps containing linux node config sysctls by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = {}
+    default-node-pool = {}
+  }
+}
+
+variable "node_pools_cgroup_mode" {
+  type        = map(string)
+  description = "Map of strings containing cgroup node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
+variable "node_pools_hugepage_size_2m" {
+  type        = map(string)
+  description = "Map of strings containing hugepage size 2m node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
+variable "node_pools_hugepage_size_1g" {
+  type        = map(string)
+  description = "Map of strings containing hugepage size 1g config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
 variable "node_pools_taints" {
   type        = map(list(object({ key = string, value = string, effect = string })))
   description = "Map of lists containing node taints by node-pool name"
@@ -540,6 +594,12 @@ variable "enable_gcfs" {
   default     = false
 }
 
+variable "enable_secret_manager_addon" {
+  description = "Enable the Secret Manager add-on for this cluster"
+  type        = bool
+  default     = false
+}
+
 variable "enable_mesh_certificates" {
   type = bool
   default = false
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
@@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
@@ -261,10 +262,15 @@ For simplicity, we suggest using `roles/container.admin` and
 | network | The VPC network to host the cluster in | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_pools | List of maps containing node pools | `list(map(string))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
+| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
+| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | <pre>{<br>  "all": [<br>    "https://www.googleapis.com/auth/cloud-platform"<br>  ],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
+| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
@@ -85,13 +85,18 @@ module "gke" {
   // If removing the default node pool, initial_node_count should be at least 1.
   initial_node_count = (var.initial_node_count == 0) ? 1 : var.initial_node_count
 
-  node_pools                 = var.node_pools
-  windows_node_pools         = var.windows_node_pools
-  node_pools_labels          = var.node_pools_labels
-  node_pools_resource_labels = var.node_pools_resource_labels
-  node_pools_metadata        = var.node_pools_metadata
-  node_pools_taints          = var.node_pools_taints
-  node_pools_tags            = var.node_pools_tags
+  node_pools                            = var.node_pools
+  windows_node_pools                    = var.windows_node_pools
+  node_pools_labels                     = var.node_pools_labels
+  node_pools_resource_labels            = var.node_pools_resource_labels
+  node_pools_resource_manager_tags      = var.node_pools_resource_manager_tags
+  node_pools_metadata                   = var.node_pools_metadata
+  node_pools_linux_node_configs_sysctls = var.node_pools_linux_node_configs_sysctls
+  node_pools_cgroup_mode                = var.node_pools_cgroup_mode
+  node_pools_hugepage_size_2m           = var.node_pools_hugepage_size_2m
+  node_pools_hugepage_size_1g           = var.node_pools_hugepage_size_1g
+  node_pools_taints                     = var.node_pools_taints
+  node_pools_tags                       = var.node_pools_tags
 
   node_pools_oauth_scopes = var.node_pools_oauth_scopes
 
@@ -212,6 +217,8 @@ module "gke" {
 
   enable_gcfs = var.enable_gcfs
 
+  enable_secret_manager_addon = var.enable_secret_manager_addon
+
   // Enabling vulnerability and audit for workloads
   workload_vulnerability_mode = var.workload_vulnerability_mode
   workload_config_audit_mode  = var.workload_config_audit_mode
diff --git a/modules/safer-cluster-update-variant/metadata.display.yaml b/modules/safer-cluster-update-variant/metadata.display.yaml
@@ -106,6 +106,9 @@ spec:
         enable_private_endpoint:
           name: enable_private_endpoint
           title: Enable Private Endpoint
+        enable_secret_manager_addon:
+          name: enable_secret_manager_addon
+          title: Enable Secret Manager Addon
         enable_shielded_nodes:
           name: enable_shielded_nodes
           title: Enable Shielded Nodes
@@ -208,9 +211,21 @@ spec:
         node_pools:
           name: node_pools
           title: Node Pools
+        node_pools_cgroup_mode:
+          name: node_pools_cgroup_mode
+          title: Node Pools Cgroup Mode
+        node_pools_hugepage_size_1g:
+          name: node_pools_hugepage_size_1g
+          title: Node Pools Hugepage Size 1G
+        node_pools_hugepage_size_2m:
+          name: node_pools_hugepage_size_2m
+          title: Node Pools Hugepage Size 2M
         node_pools_labels:
           name: node_pools_labels
           title: Node Pools Labels
+        node_pools_linux_node_configs_sysctls:
+          name: node_pools_linux_node_configs_sysctls
+          title: Node Pools Linux Node Configs Sysctls
         node_pools_metadata:
           name: node_pools_metadata
           title: Node Pools Metadata
@@ -220,6 +235,9 @@ spec:
         node_pools_resource_labels:
           name: node_pools_resource_labels
           title: Node Pools Resource Labels
+        node_pools_resource_manager_tags:
+          name: node_pools_resource_manager_tags
+          title: Node Pools Resource Manager Tags
         node_pools_tags:
           name: node_pools_tags
           title: Node Pools Tags
diff --git a/modules/safer-cluster-update-variant/metadata.yaml b/modules/safer-cluster-update-variant/metadata.yaml
@@ -236,12 +236,42 @@ spec:
         defaultValue:
           all: {}
           default-node-pool: {}
+      - name: node_pools_resource_manager_tags
+        description: Map of maps containing resource manager tags by node-pool name
+        varType: map(map(string))
+        defaultValue:
+          all: {}
+          default-node-pool: {}
       - name: node_pools_metadata
         description: Map of maps containing node metadata by node-pool name
         varType: map(map(string))
         defaultValue:
           all: {}
           default-node-pool: {}
+      - name: node_pools_linux_node_configs_sysctls
+        description: Map of maps containing linux node config sysctls by node-pool name
+        varType: map(map(string))
+        defaultValue:
+          all: {}
+          default-node-pool: {}
+      - name: node_pools_cgroup_mode
+        description: Map of strings containing cgroup node config by node-pool name
+        varType: map(string)
+        defaultValue:
+          all: ""
+          default-node-pool: ""
+      - name: node_pools_hugepage_size_2m
+        description: Map of strings containing hugepage size 2m node config by node-pool name
+        varType: map(string)
+        defaultValue:
+          all: ""
+          default-node-pool: ""
+      - name: node_pools_hugepage_size_1g
+        description: Map of strings containing hugepage size 1g config by node-pool name
+        varType: map(string)
+        defaultValue:
+          all: ""
+          default-node-pool: ""
       - name: node_pools_taints
         description: Map of lists containing node taints by node-pool name
         varType: map(list(object({ key = string, value = string, effect = string })))
@@ -476,6 +506,10 @@ spec:
         description: Enable image streaming on cluster level.
         varType: bool
         defaultValue: false
+      - name: enable_secret_manager_addon
+        description: Enable the Secret Manager add-on for this cluster
+        varType: bool
+        defaultValue: false
       - name: enable_mesh_certificates
         description: Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity.
         varType: bool
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
@@ -185,6 +185,16 @@ variable "node_pools_resource_labels" {
   }
 }
 
+variable "node_pools_resource_manager_tags" {
+  type        = map(map(string))
+  description = "Map of maps containing resource manager tags by node-pool name"
+
+  default = {
+    all               = {}
+    default-node-pool = {}
+  }
+}
+
 variable "node_pools_metadata" {
   type        = map(map(string))
   description = "Map of maps containing node metadata by node-pool name"
@@ -195,6 +205,50 @@ variable "node_pools_metadata" {
   }
 }
 
+variable "node_pools_linux_node_configs_sysctls" {
+  type        = map(map(string))
+  description = "Map of maps containing linux node config sysctls by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = {}
+    default-node-pool = {}
+  }
+}
+
+variable "node_pools_cgroup_mode" {
+  type        = map(string)
+  description = "Map of strings containing cgroup node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
+variable "node_pools_hugepage_size_2m" {
+  type        = map(string)
+  description = "Map of strings containing hugepage size 2m node config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
+variable "node_pools_hugepage_size_1g" {
+  type        = map(string)
+  description = "Map of strings containing hugepage size 1g config by node-pool name"
+
+  # Default is being set in variables_defaults.tf
+  default = {
+    all               = ""
+    default-node-pool = ""
+  }
+}
+
 variable "node_pools_taints" {
   type        = map(list(object({ key = string, value = string, effect = string })))
   description = "Map of lists containing node taints by node-pool name"
@@ -540,6 +594,12 @@ variable "enable_gcfs" {
   default     = false
 }
 
+variable "enable_secret_manager_addon" {
+  description = "Enable the Secret Manager add-on for this cluster"
+  type        = bool
+  default     = false
+}
+
 variable "enable_mesh_certificates" {
   type        = bool
   default     = false
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
@@ -227,6 +227,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
+| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
@@ -261,10 +262,15 @@ For simplicity, we suggest using `roles/container.admin` and
 | network | The VPC network to host the cluster in | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_pools | List of maps containing node pools | `list(map(string))` | <pre>[<br>  {<br>    "name": "default-node-pool"<br>  }<br>]</pre> | no |
+| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_hugepage\_size\_1g | Map of strings containing hugepage size 1g config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
+| node\_pools\_hugepage\_size\_2m | Map of strings containing hugepage size 2m node config by node-pool name | `map(string)` | <pre>{<br>  "all": "",<br>  "default-node-pool": ""<br>}</pre> | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
+| node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` | <pre>{<br>  "all": [<br>    "https://www.googleapis.com/auth/cloud-platform"<br>  ],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
+| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` | <pre>{<br>  "all": {},<br>  "default-node-pool": {}<br>}</pre> | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` | <pre>{<br>  "all": [],<br>  "default-node-pool": []<br>}</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
diff --git a/modules/safer-cluster/metadata.display.yaml b/modules/safer-cluster/metadata.display.yaml
diff --git a/modules/safer-cluster/metadata.yaml b/modules/safer-cluster/metadata.yaml
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
