Enable cloud-nat for GCP

controllers/provider-gcp/charts/internal/gcp-infra/templates/main.tf

@@ -31,6 +31,29 @@ resource "google_compute_subnetwork" "subnetwork-nodes" {
   region        = "{{ required "google.region is required" .Values.google.region }}"
 }
 
+resource "google_compute_router" "router"{
+  name    = "{{ required "clusterName is required" .Values.clusterName }}-cloud-router"
+  region  = "{{ required "google.region is required" .Values.google.region }}"
+  network = "{{ required "vpc.name is required" .Values.vpc.name }}"
+
+  bgp {
+    asn = 64514
+  }
+}
+
+resource "google_compute_router_nat" "nat" {
+  name                               = "{{ required "clusterName is required" .Values.clusterName }}-cloud-nat"
+  router                             = "${google_compute_router.router.name}"
+  region                             = "{{ required "google.region is required" .Values.google.region }}"
+  nat_ip_allocate_option             = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+
+  log_config {
+    enable = true
+    filter = "ERRORS_ONLY"
+  }
+}
+
 {{ if .Values.networks.internal -}}
 resource "google_compute_subnetwork" "subnetwork-internal" {
   name          = "{{ required "clusterName is required" .Values.clusterName }}-internal"
@@ -39,6 +62,8 @@ resource "google_compute_subnetwork" "subnetwork-internal" {
   region        = "{{ required "google.region is required" .Values.google.region }}"
 }
 {{- end}}
+
+
 //=====================================================================
 //= Firewall
 //=====================================================================
@@ -121,6 +146,14 @@ output "{{ .Values.outputKeys.vpcName }}" {
   value = "{{ required "vpc.name is required" .Values.vpc.name }}"
 }
 
+output "{{ .Values.outputKeys.cloudRouter }}" {
+  value = "${google_compute_router.router.name}"
+}
+
+output "{{ .Values.outputKeys.cloudNAT }}" {
+  value = "${google_compute_router_nat.nat.name}"
+}
+
 output "{{ .Values.outputKeys.serviceAccountEmail }}" {
   value = "${google_service_account.serviceaccount.email}"
 }

controllers/provider-gcp/charts/internal/gcp-infra/values.yaml

@@ -18,6 +18,8 @@ networks:
 
 outputKeys:
   vpcName: vpc_name
+  cloudNAT: cloud_nat
+  cloudRouter: cloud_router
   subnetNodes: subnet_nodes
   serviceAccountEmail: service_account_email
   subnetInternal: subnet_internal

controllers/provider-gcp/charts/internal/machineclass/templates/machineclass.yaml

@@ -19,6 +19,7 @@ metadata:
   namespace: {{ $.Release.Namespace }}
 spec:
   canIpForward: {{ $machineClass.canIpForward }}
+  disableExternalIP: {{ $machineClass.disableExternalIP }}
   deletionProtection: {{ $machineClass.deletionProtection }}
   description: {{ $machineClass.description }}
   disks:

controllers/provider-gcp/charts/internal/machineclass/values.yaml

@@ -3,6 +3,7 @@ machineClasses:
   region: europe-west1
   zone: europe-west1-b
   canIpForward: true
+  disableExternalIP: true
   deletionProtection: false
   description: An optional description for machines created by that class.
   disks:

controllers/provider-gcp/pkg/controller/worker/machines.go

@@ -123,6 +123,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 				"region":             w.worker.Spec.Region,
 				"zone":               zone,
 				"canIpForward":       true,
+				"disableExternalIP":  true,
 				"deletionProtection": false,
 				"description":        fmt.Sprintf("Machine of Shoot %s created by machine-controller-manager.", w.worker.Name),
 				"disks": []map[string]interface{}{

controllers/provider-gcp/pkg/controller/worker/machines_test.go

@@ -262,6 +262,7 @@ var _ = Describe("Machines", func() {
 				var (
 					defaultMachineClass = map[string]interface{}{
 						"region":             region,
+						"disableExternalIP":  true,
 						"canIpForward":       true,
 						"deletionProtection": false,
 						"description":        fmt.Sprintf("Machine of Shoot %s created by machine-controller-manager.", name),

controllers/provider-gcp/pkg/internal/infrastructure/terraform.go

@@ -37,6 +37,10 @@ const (
 
 	// TerraformerOutputKeyVPCName is the name of the vpc_name terraform output variable.
 	TerraformerOutputKeyVPCName = "vpc_name"
+	// TerraformOutputKeyCloudNAT is the name of the cloud_nat terraform output variable.
+	TerraformOutputKeyCloudNAT = "cloud_nat"
+	// TerraformOutputKeyCloudRouter is the name of the cloud_router terraform output variable.
+	TerraformOutputKeyCloudRouter = "cloud_router"
 	// TerraformerOutputKeyServiceAccountEmail is the name of the service_account_email terraform output variable.
 	TerraformerOutputKeyServiceAccountEmail = "service_account_email"
 	// TerraformerOutputKeySubnetNodes is the name of the subnet_nodes terraform output variable.
@@ -90,6 +94,8 @@ func ComputeTerraformerChartValues(
 		},
 		"outputKeys": map[string]interface{}{
 			"vpcName":             TerraformerOutputKeyVPCName,
+			"cloudNAT":            TerraformOutputKeyCloudNAT,
+			"cloudRouter":         TerraformOutputKeyCloudRouter,
 			"serviceAccountEmail": TerraformerOutputKeyServiceAccountEmail,
 			"subnetNodes":         TerraformerOutputKeySubnetNodes,
 			"subnetInternal":      TerraformerOutputKeySubnetInternal,

controllers/provider-gcp/pkg/internal/infrastructure/terraform_test.go

@@ -114,6 +114,8 @@ var _ = Describe("Terraform", func() {
 				},
 				"outputKeys": map[string]interface{}{
 					"vpcName":             TerraformerOutputKeyVPCName,
+					"cloudNAT":            TerraformOutputKeyCloudNAT,
+					"cloudRouter":         TerraformOutputKeyCloudRouter,
 					"serviceAccountEmail": TerraformerOutputKeyServiceAccountEmail,
 					"subnetNodes":         TerraformerOutputKeySubnetNodes,
 					"subnetInternal":      TerraformerOutputKeySubnetInternal,
@@ -145,6 +147,8 @@ var _ = Describe("Terraform", func() {
 				},
 				"outputKeys": map[string]interface{}{
 					"vpcName":             TerraformerOutputKeyVPCName,
+					"cloudNAT":            TerraformOutputKeyCloudNAT,
+					"cloudRouter":         TerraformOutputKeyCloudRouter,
 					"serviceAccountEmail": TerraformerOutputKeyServiceAccountEmail,
 					"subnetNodes":         TerraformerOutputKeySubnetNodes,
 					"subnetInternal":      TerraformerOutputKeySubnetInternal,