From a1a419f4259955e71509d38b2d611aebe49e0deb Mon Sep 17 00:00:00 2001 From: Nathan McKinley Date: Thu, 15 Mar 2018 14:50:24 -0700 Subject: [PATCH] Add network policy config. (#1200) --- google/resource_container_cluster.go | 31 ++++++++++++++++++ google/resource_container_cluster_test.go | 32 ++++++++++++++++++- .../docs/r/container_cluster.html.markdown | 5 ++- 3 files changed, 66 insertions(+), 2 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 30cee83997a..2fa1f35aa9e 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -179,6 +179,20 @@ func resourceContainerCluster() *schema.Resource { }, }, }, + "network_policy_config": { + Type: schema.TypeList, + Optional: true, + Computed: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "disabled": { + Type: schema.TypeBool, + Optional: true, + }, + }, + }, + }, }, }, }, @@ -1228,6 +1242,15 @@ func expandClusterAddonsConfig(configured interface{}) *containerBeta.AddonsConf ForceSendFields: []string{"Disabled"}, } } + + if v, ok := config["network_policy_config"]; ok && len(v.([]interface{})) > 0 { + addon := v.([]interface{})[0].(map[string]interface{}) + ac.NetworkPolicyConfig = &containerBeta.NetworkPolicyConfig{ + Disabled: addon["disabled"].(bool), + ForceSendFields: []string{"Disabled"}, + } + } + return ac } @@ -1345,6 +1368,14 @@ func flattenClusterAddonsConfig(c *containerBeta.AddonsConfig) []map[string]inte }, } } + if c.NetworkPolicyConfig != nil { + result["network_policy_config"] = []map[string]interface{}{ + { + "disabled": c.NetworkPolicyConfig.Disabled, + }, + } + } + return []map[string]interface{}{result} } diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 4d640b058e5..f2df7e3ea7a 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go 
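Review bot: The new `disabled` field under `network_policy_config` (hunk `@@ -179,6 +179,20 @@`) has no comment or description tying it to the cluster-level `network_policy` block. The documentation added later in this patch says the addon must be enabled before node network policy can be, and can only be disabled once the nodes have it off. Nothing in the visible hunks checks that pairing, so a configuration with `network_policy` enabled and `disabled = true` presumably goes to the API unchecked. I would add above the field `// The network policy addon must stay enabled (disabled = false) while network_policy.enabled is true.` and consider a plan-time check if the update path does not already have one. resourceContainerCluster's body starts and ends outside the hunk.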
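Review bot: The block added to expandClusterAddonsConfig (hunk `@@ -1228,6 +1242,15 @@`) uses unchecked type assertions on `v.([]interface{})[0]` and `addon["disabled"]`. Because `disabled` is optional, the schema accepts an empty `network_policy_config {}` block, which may arrive as a nil list element and panic the provider during plan. The comma-ok form avoids that and falls back to the field's zero value: `addon, _ := v.([]interface{})[0].(map[string]interface{})`, then `disabled, _ := addon["disabled"].(bool)` and `Disabled: disabled,`. The context lines suggest the earlier addon blocks in this function use the same pattern, so they may deserve the same guard. The function begins above the hunk.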
@@ -146,7 +146,16 @@ func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) { ), }, { - Config: testAccContainerCluster_withNetworkPolicyDisabled(clusterName), + Config: testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName), + Check: resource.ComposeTestCheckFunc( + testAccCheckContainerCluster( + "google_container_cluster.with_network_policy_enabled"), + resource.TestCheckResourceAttr("google_container_cluster.with_network_policy_enabled", + "addons_config.0.network_policy_config.0.disabled", "true"), + ), + }, + { + Config: testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName), PlanOnly: true, ExpectNonEmptyPlan: false, }, @@ -1142,6 +1151,11 @@ resource "google_container_cluster" "with_network_policy_enabled" { enabled = true provider = "CALICO" } + addons_config { + network_policy_config { + disabled = false + } + } }`, clusterName) } @@ -1165,6 +1179,22 @@ resource "google_container_cluster" "with_network_policy_enabled" { }`, clusterName) } +func testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName string) string { + return fmt.Sprintf(` +resource "google_container_cluster" "with_network_policy_enabled" { + name = "%s" + zone = "us-central1-a" + initial_node_count = 1 + + network_policy = {} + addons_config { + network_policy_config { + disabled = true + } + } +}`, clusterName) +} + func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string) string { cidrBlocks := "" diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index ee60bcffc5b..852e7f26a4a 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown 
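Review bot: The rewritten step in TestAccContainerCluster_withNetworkPolicyEnabled (hunk `@@ -146,7 +146,16 @@`) now turns off node network policy and the addon in a single apply. The documentation added in this patch says the addon can only be disabled once the nodes already have network policy off, so the two-phase path users are told to follow is not covered. Keeping a step that applies `testAccContainerCluster_withNetworkPolicyDisabled` before the new one would cover it; that helper is no longer referenced in the visible lines and should be removed if nothing else uses it. The enabled step could also assert `resource.TestCheckResourceAttr("google_container_cluster.with_network_policy_enabled", "addons_config.0.network_policy_config.0.disabled", "false")`, unless its check (outside this hunk) already does. The test function starts and ends outside the hunk.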
@@ -169,10 +169,13 @@ The `addons_config` block supports: * `http_load_balancing` - (Optional) The status of the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster. It is enabled by default; set `disabled = true` to disable. - * `kubernetes_dashboard` - (Optional) The status of the Kubernetes Dashboard add-on, which controls whether the Kubernetes Dashboard is enabled for this cluster. It is enabled by default; set `disabled = true` to disable. +* `network_policy_config` - (Optional) Whether we should enable the network policy addon + for the master. This must be enabled in order to enable network policy for the nodes. + It can only be disabled if the nodes already do not have network policies enabled. + Set `disabled = true` to disable. This example `addons_config` disables two addons: