feat: add example for GKE confidential nodes with GPU #2426
Conversation
@apeabody could you please run the build for this PR?
/gcbrun
@apeabody I don't have access to the GCP cloud build project. Could you please send me the error?
@apeabody could you please re-run the build?
/gcbrun
@apeabody I think the build wasn't properly triggered, could you please take a look?
/gcbrun
Might have been too quick after the merge, it's running now.
Thanks @arthurlapertosa!
| content { | ||
| enabled = confidential_nodes.value.enabled | ||
| {% if autopilot_cluster != true %} | ||
| confidential_instance_type = lookup(var.node_pools[0], "confidential_instance_type", null) | 
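Review bot: `confidential_instance_type` is read from `var.node_pools[0]` only, so in the non-autopilot template the cluster-level setting silently takes the first pool's value and ignores anything set on other pools; either document that only the first node pool's value is honoured or add a validation that every pool agrees on it.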
Please document any new node_pool parameters in https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/autogen/main/README.md?plain=1#L190
/gemini review
Code Review
This pull request introduces a new example for creating a GKE cluster with confidential nodes and GPUs. This is a valuable addition. The changes include modifications to several Terraform modules to support confidential_instance_type and guest_accelerator configurations, along with the new example files and corresponding integration tests. The implementation is mostly correct, but I've found a few issues related to version constraints, external dependencies, and a bug in the for_each logic that need to be addressed.
| enabled = confidential_nodes.enabled | ||
| confidential_instance_type = confidential_nodes.confidential_instance_type | 
There seems to be an issue with accessing the values from the for_each iterator. The iterator for a dynamic block is named after the block itself (confidential_nodes in this case), and you should use .value to access the current item. The correct way to access the properties of the object in the for_each list would be confidential_nodes.value.enabled and confidential_nodes.value.confidential_instance_type.
This issue is present in multiple files where this pattern is repeated, including cluster.tf and various cluster.tf files under modules/.
        enabled                    = confidential_nodes.value.enabled
        confidential_instance_type = confidential_nodes.value.confidential_instance_type
| kubectl_create_command = "kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/container-engine-accelerators/refs/heads/master/nvidia-driver-installer/cos/daemonset-confidential.yaml" | ||
| kubectl_destroy_command = "kubectl delete -f https://raw.githubusercontent.com/GoogleCloudPlatform/container-engine-accelerators/refs/heads/master/nvidia-driver-installer/cos/daemonset-confidential.yaml" | 
The kubectl_create_command and kubectl_destroy_command use a URL pointing to the master branch of GoogleCloudPlatform/container-engine-accelerators. This is not a stable reference and can change at any time, which can break this example. It is a best practice to use a permalink to a specific commit hash or tag to ensure reproducibility and security.
  kubectl_create_command  = "kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/container-engine-accelerators/e0368140228308253634173809140953c0721245/nvidia-driver-installer/cos/daemonset-confidential.yaml"
  kubectl_destroy_command = "kubectl delete -f https://raw.githubusercontent.com/GoogleCloudPlatform/container-engine-accelerators/e0368140228308253634173809140953c0721245/nvidia-driver-installer/cos/daemonset-confidential.yaml"
+1