Add support for binary authorization in GKE (#1884)

* revendor container/v1beta1 * add support for binauthz in gke * update description
hashicorp · Aug 17, 2018 · d1bf585 · d1bf585
1 parent 92afc9c
commit d1bf585
Show file tree

Hide file tree

Showing 6 changed files with 487 additions and 30 deletions.
diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
@@ -196,6 +196,12 @@ func resourceContainerCluster() *schema.Resource {
 				ForceNew: true,
 			},
 
+			"enable_binary_authorization": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+
 			"enable_kubernetes_alpha": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -650,6 +656,11 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.ResourceLabels = m
 	}
 
+	cluster.BinaryAuthorization = &containerBeta.BinaryAuthorization{
+		Enabled:         d.Get("enable_binary_authorization").(bool),
+		ForceSendFields: []string{"Enabled"},
+	}
+
 	req := &containerBeta.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -750,14 +761,14 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 	d.Set("monitoring_service", cluster.MonitoringService)
 	d.Set("network", cluster.NetworkConfig.Network)
 	d.Set("subnetwork", cluster.NetworkConfig.Subnetwork)
+	d.Set("enable_binary_authorization", cluster.BinaryAuthorization.Enabled)
 	if err := d.Set("node_config", flattenNodeConfig(cluster.NodeConfig)); err != nil {
 		return err
 	}
 	d.Set("project", project)
 	if err := d.Set("addons_config", flattenClusterAddonsConfig(cluster.AddonsConfig)); err != nil {
-
+		return err
 	}
-
 	nps, err := flattenClusterNodePools(d, config, cluster.NodePools)
 	if err != nil {
 		return err
@@ -911,6 +922,28 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
+	if d.HasChange("enable_binary_authorization") {
+		enabled := d.Get("enable_binary_authorization").(bool)
+		req := &containerBeta.UpdateClusterRequest{
+			Update: &containerBeta.ClusterUpdate{
+				DesiredBinaryAuthorization: &containerBeta.BinaryAuthorization{
+					Enabled:         enabled,
+					ForceSendFields: []string{"Enabled"},
+				},
+			},
+		}
+
+		updateF := updateFunc(req, "updating GKE binary authorization")
+		// Call update serially.
+		if err := lockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+
+		log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
+
+		d.SetPartial("enable_binary_authorization")
+	}
+
 	if d.HasChange("maintenance_policy") {
 		var req *containerBeta.SetMaintenancePolicyRequest
 		if mp, ok := d.GetOk("maintenance_policy"); ok {

diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
@@ -1261,6 +1261,38 @@ func TestAccContainerCluster_withResourceLabelsUpdate(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withBinaryAuthorization(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withBinaryAuthorization(clusterName, true),
+			},
+			{
+				ResourceName:        "google_container_cluster.with_binary_authorization",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+			},
+			{
+				Config: testAccContainerCluster_withBinaryAuthorization(clusterName, false),
+			},
+			{
+				ResourceName:        "google_container_cluster.with_binary_authorization",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+			},
+		},
+	})
+}
+
 func testAccCheckContainerClusterDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 
@@ -2420,3 +2452,15 @@ resource "google_container_cluster" "with_resource_labels" {
 }
 `, clusterName)
 }
+
+func testAccContainerCluster_withBinaryAuthorization(clusterName string, enabled bool) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "with_binary_authorization" {
+	name = "%s"
+	zone = "us-central1-a"
+	initial_node_count = 1
+
+	enable_binary_authorization = %v
+}
+`, clusterName, enabled)
+}