Merge branch 'main' into nap-cgroup-mode

Author: apeabody

README.md

@@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
@@ -414,7 +415,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP][terraform-provider-google] v6.27+
+- [Terraform Provider for GCP][terraform-provider-google] v6.28+
 
 #### gcloud
 

autogen/main/README.md

@@ -306,9 +306,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
 {% if beta_cluster %}
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.27+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.28+
 {% else %}
-- [Terraform Provider for GCP][terraform-provider-google] v6.27+
+- [Terraform Provider for GCP][terraform-provider-google] v6.28+
 {% endif %}
 
 #### gcloud

autogen/main/cluster.tf.tmpl

@@ -251,6 +251,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

autogen/main/variables.tf.tmpl

@@ -979,6 +979,12 @@ variable "enable_l4_ilb_subsetting" {
   description = "Enable L4 ILB Subsetting on the cluster"
   default     = false
 }
+
+variable "disable_l4_lb_firewall_reconciliation" {
+  type        = bool
+  description = "Disable L4 Load Balancer firewall reconciliation"
+  default     = null
+}
 {% if beta_cluster %}
   {% if autopilot_cluster != true %}
 

autogen/main/versions.tf.tmpl

@@ -24,33 +24,33 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
 {% elif beta_cluster and autopilot_cluster %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
 {% elif autopilot_cluster  %}
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
 {% else %}
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
 {% endif %}
     kubernetes = {

cluster.tf

@@ -190,6 +190,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

metadata.display.yaml

@@ -93,6 +93,9 @@ spec:
         disable_default_snat:
           name: disable_default_snat
           title: Disable Default Snat
+        disable_l4_lb_firewall_reconciliation:
+          name: disable_l4_lb_firewall_reconciliation
+          title: Disable L4 Lb Firewall Reconciliation
         disable_legacy_metadata_endpoints:
           name: disable_legacy_metadata_endpoints
           title: Disable Legacy Metadata Endpoints

metadata.yaml

@@ -689,6 +689,9 @@ spec:
         description: Enable L4 ILB Subsetting on the cluster
         varType: bool
         defaultValue: false
+      - name: disable_l4_lb_firewall_reconciliation
+        description: Disable L4 Load Balancer firewall reconciliation
+        varType: bool
       - name: enable_identity_service
         description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API.
         varType: bool

modules/beta-autopilot-private-cluster/README.md

@@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no |
 | dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
@@ -227,7 +228,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.27+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.28+
 
 #### gcloud
 

modules/beta-autopilot-private-cluster/cluster.tf

@@ -110,6 +110,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

modules/beta-autopilot-private-cluster/metadata.display.yaml

@@ -76,6 +76,9 @@ spec:
         disable_default_snat:
           name: disable_default_snat
           title: Disable Default Snat
+        disable_l4_lb_firewall_reconciliation:
+          name: disable_l4_lb_firewall_reconciliation
+          title: Disable L4 Lb Firewall Reconciliation
         dns_allow_external_traffic:
           name: dns_allow_external_traffic
           title: Dns Allow External Traffic

modules/beta-autopilot-private-cluster/metadata.yaml

@@ -473,6 +473,9 @@ spec:
         description: Enable L4 ILB Subsetting on the cluster
         varType: bool
         defaultValue: false
+      - name: disable_l4_lb_firewall_reconciliation
+        description: Disable L4 Load Balancer firewall reconciliation
+        varType: bool
       - name: allow_net_admin
         description: (Optional) Enable NET_ADMIN for the cluster.
         varType: bool

modules/beta-autopilot-private-cluster/variables.tf

@@ -604,6 +604,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "disable_l4_lb_firewall_reconciliation" {
+  type        = bool
+  description = "Disable L4 Load Balancer firewall reconciliation"
+  default     = null
+}
+
 variable "allow_net_admin" {
   description = "(Optional) Enable NET_ADMIN for the cluster."
   type        = bool

modules/beta-autopilot-private-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-autopilot-public-cluster/README.md

@@ -83,6 +83,7 @@ Then perform the following commands on the root folder:
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no |
 | dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
@@ -213,7 +214,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.27+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.28+
 
 #### gcloud
 

modules/beta-autopilot-public-cluster/cluster.tf

@@ -110,6 +110,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

modules/beta-autopilot-public-cluster/metadata.display.yaml

@@ -73,6 +73,9 @@ spec:
         disable_default_snat:
           name: disable_default_snat
           title: Disable Default Snat
+        disable_l4_lb_firewall_reconciliation:
+          name: disable_l4_lb_firewall_reconciliation
+          title: Disable L4 Lb Firewall Reconciliation
         dns_allow_external_traffic:
           name: dns_allow_external_traffic
           title: Dns Allow External Traffic

modules/beta-autopilot-public-cluster/metadata.yaml

@@ -451,6 +451,9 @@ spec:
         description: Enable L4 ILB Subsetting on the cluster
         varType: bool
         defaultValue: false
+      - name: disable_l4_lb_firewall_reconciliation
+        description: Disable L4 Load Balancer firewall reconciliation
+        varType: bool
       - name: allow_net_admin
         description: (Optional) Enable NET_ADMIN for the cluster.
         varType: bool

modules/beta-autopilot-public-cluster/variables.tf

@@ -568,6 +568,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "disable_l4_lb_firewall_reconciliation" {
+  type        = bool
+  description = "Disable L4 Load Balancer firewall reconciliation"
+  default     = null
+}
+
 variable "allow_net_admin" {
   description = "(Optional) Enable NET_ADMIN for the cluster."
   type        = bool

modules/beta-autopilot-public-cluster/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster-update-variant/README.md

@@ -197,6 +197,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
@@ -469,7 +470,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.27+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.28+
 
 #### gcloud
 

modules/beta-private-cluster-update-variant/cluster.tf

@@ -203,6 +203,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

modules/beta-private-cluster-update-variant/metadata.display.yaml

@@ -106,6 +106,9 @@ spec:
         disable_default_snat:
           name: disable_default_snat
           title: Disable Default Snat
+        disable_l4_lb_firewall_reconciliation:
+          name: disable_l4_lb_firewall_reconciliation
+          title: Disable L4 Lb Firewall Reconciliation
         disable_legacy_metadata_endpoints:
           name: disable_legacy_metadata_endpoints
           title: Disable Legacy Metadata Endpoints

modules/beta-private-cluster-update-variant/metadata.yaml

@@ -692,6 +692,9 @@ spec:
         description: Enable L4 ILB Subsetting on the cluster
         varType: bool
         defaultValue: false
+      - name: disable_l4_lb_firewall_reconciliation
+        description: Disable L4 Load Balancer firewall reconciliation
+        varType: bool
       - name: istio
         description: (Beta) Enable Istio addon
         varType: bool

modules/beta-private-cluster-update-variant/variables.tf

@@ -923,6 +923,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "disable_l4_lb_firewall_reconciliation" {
+  type        = bool
+  description = "Disable L4 Load Balancer firewall reconciliation"
+  default     = null
+}
+
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   type        = bool

modules/beta-private-cluster-update-variant/versions.tf

@@ -21,11 +21,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.27.0, < 7"
+      version = ">= 6.28.0, < 7"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

modules/beta-private-cluster/README.md

@@ -175,6 +175,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| disable\_l4\_lb\_firewall\_reconciliation | Disable L4 Load Balancer firewall reconciliation | `bool` | `null` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
@@ -447,7 +448,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 #### Terraform and Plugins
 
 - [Terraform](https://www.terraform.io/downloads.html) 1.3+
-- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.27+
+- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v6.28+
 
 #### gcloud
 

modules/beta-private-cluster/cluster.tf

@@ -203,6 +203,8 @@ resource "google_container_cluster" "primary" {
 
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
+  disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "secret_manager_config" {

modules/beta-private-cluster/metadata.display.yaml

@@ -106,6 +106,9 @@ spec:
         disable_default_snat:
           name: disable_default_snat
           title: Disable Default Snat
+        disable_l4_lb_firewall_reconciliation:
+          name: disable_l4_lb_firewall_reconciliation
+          title: Disable L4 Lb Firewall Reconciliation
         disable_legacy_metadata_endpoints:
           name: disable_legacy_metadata_endpoints
           title: Disable Legacy Metadata Endpoints

modules/beta-private-cluster/metadata.yaml

@@ -692,6 +692,9 @@ spec:
         description: Enable L4 ILB Subsetting on the cluster
         varType: bool
         defaultValue: false
+      - name: disable_l4_lb_firewall_reconciliation
+        description: Disable L4 Load Balancer firewall reconciliation
+        varType: bool
       - name: istio
         description: (Beta) Enable Istio addon
         varType: bool

modules/beta-private-cluster/variables.tf

@@ -923,6 +923,12 @@ variable "enable_l4_ilb_subsetting" {
   default     = false
 }
 
+variable "disable_l4_lb_firewall_reconciliation" {
+  type        = bool
+  description = "Disable L4 Load Balancer firewall reconciliation"
+  default     = null
+}
+
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   type        = bool