Add allow_net_admin field to google_container_cluster resource #8323

Merged
merged 10 commits into from
Jul 24, 2023
Expand Up @@ -886,6 +886,12 @@ func ResourceContainerCluster() *schema.Resource {
// ConflictsWith: many fields, see https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#comparison. The conflict is only set one-way, on other fields w/ this field.
},

"allow_net_admin": {
Type: schema.TypeBool,
Optional: true,
Description: `Enable NET_ADMIN for this cluster.`,
},

"authenticator_groups_config": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -2048,6 +2054,13 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
return err
}

var workloadPolicyConfig *container.WorkloadPolicyConfig
if allowed := d.Get("allow_net_admin").(bool); allowed {
workloadPolicyConfig = &container.WorkloadPolicyConfig{
AllowNetAdmin: allowed,
}
}

cluster := &container.Cluster{
Name: clusterName,
InitialNodeCount: int64(d.Get("initial_node_count").(int)),
Expand All @@ -2073,6 +2086,7 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
BinaryAuthorization: expandBinaryAuthorization(d.Get("binary_authorization"), d.Get("enable_binary_authorization").(bool)),
Autopilot: &container.Autopilot{
Enabled: d.Get("enable_autopilot").(bool),
WorkloadPolicyConfig: workloadPolicyConfig,
ForceSendFields: []string{"Enabled"},
},
ReleaseChannel: expandReleaseChannel(d.Get("release_channel")),
Expand Down Expand Up @@ -2493,10 +2507,15 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
return err
}
}
if cluster.Autopilot != nil {
if err := d.Set("enable_autopilot", cluster.Autopilot.Enabled); err != nil {
if autopilot := cluster.Autopilot; autopilot != nil {
if err := d.Set("enable_autopilot", autopilot.Enabled); err != nil {
return fmt.Errorf("Error setting enable_autopilot: %s", err)
}
if autopilot.WorkloadPolicyConfig != nil {
if err := d.Set("allow_net_admin", autopilot.WorkloadPolicyConfig.AllowNetAdmin); err != nil {
return fmt.Errorf("Error setting allow_net_admin: %s", err)
}
}
}
if cluster.ShieldedNodes != nil {
if err := d.Set("enable_shielded_nodes", cluster.ShieldedNodes.Enabled); err != nil {
Expand Down Expand Up @@ -2750,6 +2769,25 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
log.Printf("[INFO] GKE cluster %s's cluster-wide autoscaling has been updated", d.Id())
}

if d.HasChange("allow_net_admin") {
Contributor


Is this field updatable? If so can you add an update test?

Member Author


Yes the field is updatable. I added update steps to the test to toggle the feature off and on again.

allowed := d.Get("allow_net_admin").(bool)
req := &container.UpdateClusterRequest{
Update: &container.ClusterUpdate{
DesiredAutopilotWorkloadPolicyConfig: &container.WorkloadPolicyConfig{
AllowNetAdmin: allowed,
},
},
}

updateF := updateFunc(req, "updating net admin for GKE autopilot workload policy config")
// Call update serially.
if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
return err
}

log.Printf("[INFO] GKE cluster %s's autopilot workload policy config allow_net_admin has been set to %v", d.Id(), allowed)
}

if d.HasChange("enable_binary_authorization") {
enabled := d.Get("enable_binary_authorization").(bool)
req := &container.UpdateClusterRequest{
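Review bot: In the resourceContainerClusterRead hunk, `allow_net_admin` is only written to state when `autopilot.WorkloadPolicyConfig` is non-nil, so if the API omits that object once the policy is off (likely, though the page does not show the API's response shape) a stale `true` in state is never corrected and an out-of-band change to this capability does not show up as drift in plan. Since NET_ADMIN lets workloads reconfigure the node's network stack, this is a field operators want reconciled accurately; reading it back as `false` when the policy is absent keeps state honest, as in the rewrite below. Separately, the schema entry in the first hunk adds no validation tying `allow_net_admin` to `enable_autopilot`, while the docs say it should only be set on Autopilot clusters; a `CustomizeDiff` check, or at least extending the description to `Enable NET_ADMIN for this cluster. Only valid for Autopilot clusters.`, would surface the misconfiguration at plan time. resourceContainerClusterRead starts and ends outside the hunk.
```go
	if autopilot := cluster.Autopilot; autopilot != nil {
		// … unchanged: enable_autopilot set …
		// Read back false when the API omits the policy so out-of-band changes show up as drift.
		allowNetAdmin := false
		if wpc := autopilot.WorkloadPolicyConfig; wpc != nil {
			allowNetAdmin = wpc.AllowNetAdmin
		}
		if err := d.Set("allow_net_admin", allowNetAdmin); err != nil {
			return fmt.Errorf("Error setting allow_net_admin: %s", err)
		}
	}
```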
Expand Up @@ -3677,6 +3677,46 @@ func TestAccContainerCluster_autopilot_minimal(t *testing.T) {
})
}

func TestAccContainerCluster_autopilot_net_admin(t *testing.T) {
t.Parallel()

clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_autopilot_net_admin(clusterName, true),
},
{
ResourceName: "google_container_cluster.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
{
Config: testAccContainerCluster_autopilot_net_admin(clusterName, false),
},
{
ResourceName: "google_container_cluster.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
{
Config: testAccContainerCluster_autopilot_net_admin(clusterName, true),
},
{
ResourceName: "google_container_cluster.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
},
})
}

func testAccContainerCluster_masterAuthorizedNetworksDisabled(t *testing.T, resource_name string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[resource_name]
Expand Down Expand Up @@ -7618,3 +7658,14 @@ resource "google_container_cluster" "primary" {
enable_autopilot = true
}`, name)
}

func testAccContainerCluster_autopilot_net_admin(name string, enabled bool) string {
return fmt.Sprintf(`
resource "google_container_cluster" "primary" {
name = "%s"
location = "us-central1"
enable_autopilot = true
allow_net_admin = %t
min_master_version = 1.27
}`, name, enabled)
}
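Review bot: The step in TestAccContainerCluster_autopilot_net_admin that applies the config with `false` has no `Check`, and ImportStateVerify cannot distinguish a field that Read cleared from one that Read simply left untouched, so a Read that fails to reset `allow_net_admin` would still pass this test. Adding `Check: resource.TestCheckResourceAttr("google_container_cluster.primary", "allow_net_admin", "false"),` to that step (and the `"true"` counterpart to the enable steps) pins the round trip that the PR comment thread says this test is meant to cover. Also, `min_master_version = 1.27` in testAccContainerCluster_autopilot_net_admin is an unquoted HCL number; it happens to coerce to the string `"1.27"`, but a version such as 1.30 would likely lose its trailing zero, so `min_master_version = "1.27"` is the safer form.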
Expand Up @@ -121,6 +121,10 @@ preferred.
* `addons_config` - (Optional) The configuration for addons supported by GKE.
Structure is [documented below](#nested_addons_config).

* `allow_net_admin` - (Optional) Enable NET_ADMIN for the cluster. Defaults to
`false`. This field should only be enabled for Autopilot clusters (`enable_autopilot`
set to `true`).

* `cluster_ipv4_cidr` - (Optional) The IP address range of the Kubernetes pods
in this cluster in CIDR notation (e.g. `10.96.0.0/14`). Leave blank to have one
automatically chosen or specify a `/14` block in `10.0.0.0/8`. This field will