Add network policy resource with support for 1.8+ fields

[pdecat]

This is basically the same as #113 but with support for k8s 1.8+ Network Policy fields: egress, ip_block and policy_types.

This requires #117 for up to date k8s 1.9 client libraries.
Up to date k8s 1.10 client libraries provided by #162

TODO:

• Rebase on master
• Fix egress with single empty map on first apply
• Add documentation for the new fields

[pdecat]

Unit tests results

# make test                                                                                    
==> Checking that code complies with gofmt requirements...        
go test -i $(go list ./... |grep -v 'vendor') || exit 1           
echo $(go list ./... |grep -v 'vendor') | \
        xargs -t -n4 go test  -timeout=30s -parallel=4
go test -timeout=30s -parallel=4 github.com/terraform-providers/terraform-provider-kubernetes github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 
?       github.com/terraform-providers/terraform-provider-kubernetes    [no test files]
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 0.027s

[pdecat]

Acceptance tests results

# make testacc TEST=./kubernetes/ TESTARGS='-run=TestAccKubernetesNetworkPolicy_.*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes/ -v -run=TestAccKubernetesNetworkPolicy_.* -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (0.47s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (0.12s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 0.606s

[pdecat]

There is a bug that requires applying the configuration twice when egress contains a single empty map:

resource "kubernetes_network_policy" "allow-all-egress" {
  metadata {
    name = "allow-all-egress"
  }

  spec {
    pod_selector = {}

    ingress = [] # no rule at all to deny all ingress traffic

    egress = [{}] # single empty rule to allow all egress traffic
  }
}

After first apply, the following diff is still there:

  ~ kubernetes_network_policy.allow-all-egress                    
      spec.0.egress.#: "0" => "1"                                                                      

On second apply, it is gone.

[pdecat]

The issue when the Network Policy has an egress at creation is resolved.

[pdecat]

Acceptance tests results

make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (0.40s)
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (0.11s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (0.11s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes

[pdecat]

Acceptance tests results with policy_types assertions

make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic                                                                                                      
--- PASS: TestAccKubernetesNetworkPolicy_basic (0.40s)                         
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation                                 
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (0.12s)                                                                               
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (0.10s)                                                                                                               
PASS                                                                                                                                                                     
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 0.647s                                         

[pdecat]

Note

I've made the policy_types property required because the default value is only evaluated server side on resource creation.

During the initial creation, a default value is determined and stored, then PolicyTypes is no longer considered unset, it will stick to that value on further updates unless explicitly overridden.

Leaving the policy_types property optional here would prevent further updates adding egress rules after the initial resource creation without egress rules nor policy_types from working as expected as PolicyTypes will stick to Ingress server side.

Edit: I initially considered leaving it optional and overriding the default behavior client side but this started to make it overly complicated.

[pdecat]

Rebased on master to use k8s 1.10 clients libraries.

[pdecat]

Acceptance tests results

New run after rebase on master that provides k8s 1.10 client libs with local minikube 0.29/kubernetes 1.10.0:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (0.55s)
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (0.13s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (0.11s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 0.839s

[pdecat]

I've added the documentation for the k8s 1.8+ fields.

[pdecat]

Acceptance tests results

New run with local minikube 0.30 / kubernetes 1.12.1:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (0.48s)
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (0.15s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (0.11s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 0.786s

[pdecat]

Hi @alexsomesan, would you mind having a look at this PR? I believe it would be a good candidate for the v1.4.0 milestone.

[pdecat]

Rebased on master.

[pdecat]

Acceptance tests results:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -count=1 -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (5.30s)
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (1.26s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (1.33s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 7.937s

[alexsomesan]

This looks very nice overall.

Just one small thing: please remove the d.SetId("") in the Delete function, then we're good to go.

Did you test build this with Go 1.11.x?

[alexsomesan]

Nice idea!

[pdecat]

All recent builds and tests done with:

# go version
go version go1.11.4 linux/amd64

[pdecat]

Acceptance tests results:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetesNetworkPolicy_.* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetesNetworkPolicy_.* -count=1 -timeout 120m
=== RUN   TestAccKubernetesNetworkPolicy_basic
--- PASS: TestAccKubernetesNetworkPolicy_basic (5.28s)
=== RUN   TestAccKubernetesNetworkPolicy_withEgressAtCreation
--- PASS: TestAccKubernetesNetworkPolicy_withEgressAtCreation (1.25s)
=== RUN   TestAccKubernetesNetworkPolicy_importBasic
--- PASS: TestAccKubernetesNetworkPolicy_importBasic (1.34s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 7.912s

[alexsomesan]

LGTM

[pdecat]

Thank you so much @alexsomesan !

[pdecat]

@alexsomesan I should probably have put FEATURES before IMPROVEMENTS and BUG FIXES