Skip to content

Commit

Permalink
Support for GKE intranode visibility
Browse files Browse the repository at this point in the history
Also cleand up some erb syntax
  • Loading branch information
chrisst committed Jun 4, 2019
1 parent b212c06 commit f59b22d
Show file tree
Hide file tree
Showing 3 changed files with 120 additions and 4 deletions.
54 changes: 51 additions & 3 deletions third_party/terraform/resources/resource_container_cluster.go.erb
Original file line number Diff line number Diff line change
Expand Up @@ -299,7 +299,7 @@ func resourceContainerCluster() *schema.Resource {
},

"enable_binary_authorization": {
<% if version.nil? || version == 'ga' -%>
<% if version == 'ga' -%>
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Computed: true,
<% else -%>
Expand All @@ -321,7 +321,7 @@ func resourceContainerCluster() *schema.Resource {
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
<% if version.nil? || version == 'ga' -%>
<% if version == 'ga' -%>
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Computed: true,
<% else -%>
Expand Down Expand Up @@ -523,7 +523,7 @@ func resourceContainerCluster() *schema.Resource {
},

"pod_security_policy_config": {
<% if version.nil? || version == 'ga' -%>
<% if version == 'ga' -%>
// Remove return nil from expand when this is removed for good.
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
<% else -%>
Expand Down Expand Up @@ -753,6 +753,16 @@ func resourceContainerCluster() *schema.Resource {
},
},
<% end -%>

"enable_intranode_visibility": {
<% if version == 'ga' -%>
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
<% end -%>
Type: schema.TypeBool,
Default: false,
Optional: true,

},
},
}
}
Expand Down Expand Up @@ -836,6 +846,9 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
ForceSendFields: []string{"Enabled"},
},
Autoscaling: expandClusterAutoscaling(d.Get("cluster_autoscaling"), d),
NetworkConfig: &containerBeta.NetworkConfig{
EnableIntraNodeVisibility: d.Get("enable_intranode_visibility").(bool),
},
<% end -%>
MasterAuth: expandMasterAuth(d.Get("master_auth")),
ResourceLabels: expandStringMap(d, "resource_labels"),
Expand Down Expand Up @@ -1085,6 +1098,7 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
if err := d.Set("authenticator_groups_config", flattenAuthenticatorGroupsConfig(cluster.AuthenticatorGroupsConfig)); err != nil {
return err
}
d.Set("enable_intranode_visibility", cluster.NetworkConfig.EnableIntraNodeVisibility)
<% else -%>
if err := d.Set("cluster_autoscaling", nil); err != nil {
return err
Expand Down Expand Up @@ -1249,6 +1263,40 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er

d.SetPartial("cluster_autoscaling")
}

if d.HasChange("enable_intranode_visibility") {
enabled := d.Get("enable_intranode_visibility").(bool)
req := &containerBeta.UpdateClusterRequest{
Update: &containerBeta.ClusterUpdate{
DesiredIntraNodeVisibilityConfig: &containerBeta.IntraNodeVisibilityConfig{
Enabled: enabled,
ForceSendFields: []string{"Enabled"},
},
},
}
updateF := func() error {
log.Println("[DEBUG] updating enable_intranode_visibility")
name := containerClusterFullName(project, location, clusterName)
op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do()
if err != nil {
return err
}

// Wait until it's updated
err = containerOperationWait(config, op, project, location, "updating GKE Intra Node Visibility", timeoutInMinutes)
log.Println("[DEBUG] done updating enable_intranode_visibility")
return err
}

// Call update serially.
if err := lockedCall(lockKey, updateF); err != nil {
return err
}

log.Printf("[INFO] GKE cluster %s Intra Node Visibility has been updated to %v", d.Id(), enabled)

d.SetPartial("enable_intranode_visibility")
}
<% end -%>

if d.HasChange("maintenance_policy") {
Expand Down
64 changes: 64 additions & 0 deletions third_party/terraform/tests/resource_container_cluster_test.go.erb
Original file line number Diff line number Diff line change
Expand Up @@ -699,6 +699,46 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
})
}

<% unless version == 'ga' -%>
func TestAccContainerCluster_withIntraNodeVisibility(t *testing.T) {
t.Parallel()

clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withIntraNodeVisibility(clusterName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_intranode_visibility", "enable_intranode_visibility", "true"),
),
},
{
ResourceName: "google_container_cluster.with_intranode_visibility",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccContainerCluster_updateIntraNodeVisibility(clusterName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_intranode_visibility", "enable_intranode_visibility", "false"),
),
},
{
ResourceName: "google_container_cluster.with_intranode_visibility",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
<% end -%>

/*
Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes
version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be
Expand Down Expand Up @@ -2390,6 +2430,30 @@ resource "google_container_cluster" "with_legacy_abac" {
}`, clusterName)
}

<% unless version == 'ga' -%>

func testAccContainerCluster_withIntraNodeVisibility(clusterName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "with_intranode_visibility" {
name = "cluster-test-%s"
zone = "us-central1-a"
initial_node_count = 1
enable_intranode_visibility = true
}`, clusterName)
}

func testAccContainerCluster_updateIntraNodeVisibility(clusterName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "with_intranode_visibility" {
name = "cluster-test-%s"
zone = "us-central1-a"
initial_node_count = 1
enable_intranode_visibility = false
}`, clusterName)
}

<% end -%>

func testAccContainerCluster_withVersion(clusterName string) string {
return fmt.Sprintf(`
data "google_container_engine_versions" "central1a" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -287,9 +287,13 @@ to the datasource. A `region` can have a different set of supported versions tha
* `subnetwork` - (Optional) The name or self_link of the Google Compute Engine subnetwork in
which the cluster's instances are launched.

* `vertical_pod_autoscaling` - Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.
* `vertical_pod_autoscaling` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html))
Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.
Structure is documented below.

* `enable_intranode_visibility` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html))
Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network.

The `addons_config` block supports:

* `horizontal_pod_autoscaling` - (Optional) The status of the Horizontal Pod Autoscaling
Expand Down

0 comments on commit f59b22d

Please sign in to comment.