From 9a50b8ae5ba892c0a94dd0717dde3c421607a95a Mon Sep 17 00:00:00 2001
From: Yisheng Cai
Date: Tue, 19 May 2026 17:43:38 -0700
Subject: [PATCH 1/2] feat: expose additional_pod_range_names for GKE additional secondary pod ranges
---
 README.md | 7 +++++--
 main.tf | 1 +
 variables.tf | 6 ++++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 271a75c..5a9a888 100644
--- a/README.md
+++ b/README.md
@@ -39,8 +39,8 @@ tf apply
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | 5.45.0 |
-| [kubernetes](#provider\_kubernetes) | 2.35.1 |
+| [google](#provider\_google) | >= 5.40.0, < 7 |
+| [kubernetes](#provider\_kubernetes) | ~> 2.10 |
 ## Modules 
@@ -69,6 +69,8 @@ tf apply
 | [add\_cluster\_firewall\_rules](#input\_add\_cluster\_firewall\_rules) | Creates additional firewall rules on the cluster. | `bool` | `false` | no |
 | [add\_master\_webhook\_firewall\_rules](#input\_add\_master\_webhook\_firewall\_rules) | Create master\_webhook firewall rules for ports defined in firewall\_inbound\_ports. | `bool` | `false` | no |
 | [add\_shadow\_firewall\_rules](#input\_add\_shadow\_firewall\_rules) | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
+| [additional\_pod\_range\_names](#input\_additional\_pod\_range\_names) | Names of additional secondary IP ranges (declared on the subnet) to attach to the cluster via additional\_pod\_ranges\_config. Use this to extend pod IP capacity beyond the primary secondary range. | `list(string)` | `[]` | no |
+| [additional\_tags](#input\_additional\_tags) | Additional labels to apply to GKE node pool resources. | `map(string)` | `{}` | no |
 | [additive\_vpc\_scope\_dns\_domain](#input\_additive\_vpc\_scope\_dns\_domain) | This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | [authenticator\_security\_group](#input\_authenticator\_security\_group) | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | [cluster\_autoscaling\_config](#input\_cluster\_autoscaling\_config) | Cluster autoscaling configuration for node auto-provisioning. This is disabled for our configuration, since we typically want to scale existing node pools rather than add new ones to the cluster |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
autoscaling_profile = string
})
|
{
"auto_repair": true,
"auto_upgrade": false,
"autoscaling_profile": "BALANCED",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": null,
"max_memory_gb": null,
"min_cpu_cores": null,
"min_memory_gb": null
}
| no |
@@ -83,6 +85,7 @@ tf apply
 | [datapath\_provider](#input\_datapath\_provider) | the datapath provider to use, in the future, the default of this should be ADVANCED\_DATAPATH | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | [default\_max\_pods\_per\_node](#input\_default\_max\_pods\_per\_node) | the number of pods per node, defaults to GKE default of 110, but in smaller CIDRs we want to tune this | `number` | `110` | no |
 | [deletion\_protection](#input\_deletion\_protection) | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
+| [dns\_cache](#input\_dns\_cache) | The status of the NodeLocal DNSCache addon | `bool` | `false` | no |
 | [enable\_database\_encryption](#input\_enable\_database\_encryption) | Enables etcd encryption via Google KMS. | `bool` | `false` | no |
 | [enable\_func\_pool](#input\_enable\_func\_pool) | Enable an additional dedicated pool for Pulsar Functions. Enabled by default. | `bool` | `true` | no |
 | [enable\_l4\_ilb\_subsetting](#input\_enable\_l4\_ilb\_subsetting) | Enable L4 ILB Subsetting on the cluster, this cannot be disabled once it has been enabled. | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 415711c..0992d85 100644
--- a/main.tf
+++ b/main.tf
@@ -166,6 +166,7 @@ module "gke" {
 datapath_provider = var.datapath_provider
 http_load_balancing = var.cluster_http_load_balancing
 ip_range_pods = var.secondary_ip_range_pods
+ additional_ip_range_pods = var.additional_pod_range_names
 ip_range_services = var.secondary_ip_range_services
 firewall_inbound_ports = var.firewall_inbound_ports
 kubernetes_version = var.kubernetes_version
diff --git a/variables.tf b/variables.tf
index d22f1a4..093d417 100644
--- a/variables.tf
+++ b/variables.tf 
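Review bot: The new `additional_ip_range_pods` argument on the `module "gke"` block only exists in newer releases of the upstream GKE module, and nothing in this patch bumps the module source or version (the diffstat lists only README.md, main.tf and variables.tf), so confirm the pinned module accepts it or `terraform validate` will reject it as an unsupported argument; the regenerated provider-version table in README suggests the constraints changed somewhere not shown here. Separately, anything that enumerates the primary pod range has no counterpart for the added ranges: `secondary_ip_range_pods_cidr` ("required when using cillium") is a single CIDR, and with `enable_private_nodes` the new ranges also need to be included in whatever Cloud NAT / firewall configuration covers pod egress, which lives outside this module as far as I can see. I would add a one-line comment on the new argument: `# extra secondary ranges attached via additional_pod_ranges_config; keep NAT/firewall/Cilium CIDR config that enumerates pod ranges in sync`. The `module "gke"` block starts and ends outside this hunk.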
@@ -459,6 +459,12 @@ variable "secondary_ip_range_pods" {
 type = string
 }
+variable "additional_pod_range_names" {
+ default = []
+ description = "Names of additional secondary IP ranges (declared on the subnet) to attach to the cluster via additional_pod_ranges_config. Use this to extend pod IP capacity beyond the primary secondary range."
+ type = list(string)
+}
+
 variable "secondary_ip_range_pods_cidr" {
 default = null
 description = "The cidr of the secondary range, required when using cillium"
From 73d257516f6e9ba230a8fc2b5d5c5d2be7446c23 Mon Sep 17 00:00:00 2001
From: Yisheng Cai
Date: Tue, 19 May 2026 18:51:50 -0700
Subject: [PATCH 2/2] feat: support per-node-pool pod_range override via node_pool_pod_range_mapping
---
 README.md | 1 +
 main.tf | 6 +++---
 variables.tf | 6 ++++++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 5a9a888..d934b3b 100644
--- a/README.md
+++ b/README.md 
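Review bot: The new `additional_pod_range_names` variable accepts any list of strings with no validation, so an empty string or a duplicated name is passed straight through to the GKE API and only fails at apply time, after the plan was approved. A `validation` block on the variable can catch both cases at plan time; checking that none of the names equals `secondary_ip_range_pods` would also be useful, but cross-variable references in `validation` need Terraform 1.9+, so that check belongs in a `check` block or a resource precondition if the project targets an older version. The description could also say what happens on removal — as far as I know GKE refuses to drop a secondary range that a node pool still uses — but I cannot confirm that from this patch, so treat it as a note to verify.
```hcl
variable "additional_pod_range_names" {
  # … unchanged: default, description, type …
  validation {
    condition     = length(distinct(var.additional_pod_range_names)) == length(var.additional_pod_range_names) && alltrue([for n in var.additional_pod_range_names : length(trimspace(n)) > 0])
    error_message = "additional_pod_range_names must contain distinct, non-empty secondary range names."
  }
}
```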
@@ -138,6 +138,7 @@ tf apply
 | [node\_pool\_machine\_type](#input\_node\_pool\_machine\_type) | The machine type to use for worker nodes in the default node pool. Defaults to "n2-standard-8". | `string` | `"n2-standard-8"` | no |
 | [node\_pool\_max\_pods\_per\_node](#input\_node\_pool\_max\_pods\_per\_node) | the number of pods per node | `number` | `110` | no |
 | [node\_pool\_name](#input\_node\_pool\_name) | The name of the default node pool. Defaults to "sn-node-pool". | `string` | `"default-node-pool"` | no |
+| [node\_pool\_pod\_range\_mapping](#input\_node\_pool\_pod\_range\_mapping) | Map of node-pool name to secondary pod range name. Overrides the pod\_range for each named pool. Pools not in the map fall back to secondary\_ip\_range\_pods (the primary). Values should reference either secondary\_ip\_range\_pods or one of additional\_pod\_range\_names. | `map(string)` | `{}` | no |
 | [node\_pool\_secure\_boot](#input\_node\_pool\_secure\_boot) | enable the node pool secure boot setting | `bool` | `false` | no |
 | [node\_pool\_service\_account](#input\_node\_pool\_service\_account) | The service account email address to use for the default node pool. If create\_service\_account is set to true, it will use the the output from the module. | `string` | `""` | no |
 | [node\_pool\_ssd\_count](#input\_node\_pool\_ssd\_count) | The number of SSDs to attach to each node in the default node pool | `number` | `0` | no |
diff --git a/main.tf b/main.tf
index 0992d85..b5aef42 100644
--- a/main.tf
+++ b/main.tf
@@ -57,7 +57,7 @@ locals {
 initial_node_count = var.node_pool_autoscaling_initial_count
 local_ssd_count = var.node_pool_ssd_count
 machine_type = var.node_pool_machine_type
- pod_range = var.secondary_ip_range_pods
+ pod_range = lookup(var.node_pool_pod_range_mapping, var.node_pool_name, var.secondary_ip_range_pods)
 enable_private_nodes = var.enable_private_nodes
 max_pods_per_node = var.node_pool_max_pods_per_node
 max_count = var.node_pool_autoscaling_max_size 
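Review bot: The `lookup(var.node_pool_pod_range_mapping, var.node_pool_name, var.secondary_ip_range_pods)` on the new `pod_range` line fails open: a mapping key that does not exactly match the pool name is silently ignored and the pool lands on the primary range, which defeats the usual reason for giving a pool its own range (keeping its pods out of the primary range's firewall reach) without any plan-time signal. The README row in this same patch makes a mis-key likely, since it says the default pool "Defaults to \"sn-node-pool\"" while the actual default is `"default-node-pool"`. I would add a `check` block that warns when a key matches no pool this module manages (only the default and func pools are visible in this patch; extend the list if there are others), and use a resource precondition or Terraform 1.9+ variable validation if a hard failure is wanted. The `locals` block starts and ends outside this hunk.
```hcl
# Warn on mapping keys that match no managed pool; lookup() would otherwise
# silently put that pool on the primary pod range.
check "pod_range_mapping_keys" {
  assert {
    condition     = length(setsubtract(keys(var.node_pool_pod_range_mapping), [var.node_pool_name, var.func_pool_name])) == 0
    error_message = "node_pool_pod_range_mapping contains keys that match no node pool managed by this module."
  }
}
```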
@@ -79,7 +79,7 @@ locals {
 initial_node_count = var.func_pool_autoscaling_initial_count
 local_ssd_count = var.func_pool_ssd_count
 machine_type = var.func_pool_machine_type
- pod_range = var.secondary_ip_range_pods
+ pod_range = lookup(var.node_pool_pod_range_mapping, var.func_pool_name, var.secondary_ip_range_pods)
 enable_private_nodes = var.enable_private_nodes
 max_pods_per_node = var.func_pool_max_pods_per_node
 max_count = var.func_pool_autoscaling_max_size
@@ -198,7 +198,7 @@ module "gke" {
 cluster_dns_provider = var.cluster_dns_provider
 cluster_dns_scope = var.cluster_dns_scope
 cluster_dns_domain = var.cluster_dns_domain
- dns_cache = var.dns_cache
+ dns_cache = var.dns_cache
 additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
 fleet_project = var.fleet_project
diff --git a/variables.tf b/variables.tf
index 093d417..5b5dbff 100644
--- a/variables.tf
+++ b/variables.tf
@@ -465,6 +465,12 @@ variable "additional_pod_range_names" {
 type = list(string)
 }
+variable "node_pool_pod_range_mapping" {
+ default = {}
+ description = "Map of node-pool name to secondary pod range name. Overrides the pod_range for each named pool. Pools not in the map fall back to secondary_ip_range_pods (the primary). Values should reference either secondary_ip_range_pods or one of additional_pod_range_names."
+ type = map(string)
+}
+
 variable "secondary_ip_range_pods_cidr" {
 default = null
 description = "The cidr of the secondary range, required when using cillium"
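Review bot: Changing `pod_range` on an existing func pool through `node_pool_pod_range_mapping` is, as far as I know, a replace-on-change attribute on the node pool resource, so adding a mapping entry for a pool that already exists recreates that pool rather than migrating it; nothing in the variable description or this hunk warns about that, and `deletion_protection` covers the cluster, not node pools. I would add a comment on the new line: `# NOTE: changing a pool's pod_range recreates the pool (verify against the node pool resource schema)`. The `locals` block starts and ends outside this hunk.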
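Review bot: The description of `node_pool_pod_range_mapping` says values "should reference either secondary_ip_range_pods or one of additional_pod_range_names", but nothing enforces it, so a typo'd range name is only caught by the GKE API at apply time. On Terraform 1.9+ this can be a plan-time check on the variable itself: `validation { condition = alltrue([for v in values(var.node_pool_pod_range_mapping) : contains(concat([var.secondary_ip_range_pods], var.additional_pod_range_names), v)]) error_message = "..." }`; on older versions the same expression belongs in a `check` block or a resource precondition, since `validation` cannot reference other variables there. At minimum a same-variable check that values are non-empty is cheap and version-independent.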