

feat(google_container_cluster): support fqdn network policy
Signed-off-by: Tsubasa Nagasawa <toversus2357@gmail.com>
toVersus committed Jul 27, 2023
1 parent 003a824 commit 0deb514
Showing 3 changed files with 137 additions and 0 deletions.
Expand Up @@ -1868,6 +1868,12 @@ func ResourceContainerCluster() *schema.Resource {
Description: `Whether multi-networking is enabled for this cluster.`,
Default: false,
},
"enable_fqdn_network_policy": {
Type: schema.TypeBool,
Optional: true,
Description: `Whether FQDN Network Policy is enabled on this cluster.`,
Default: false,
},
<% end -%>
"private_ipv6_google_access": {
Type: schema.TypeString,
Expand Down Expand Up @@ -2112,6 +2118,7 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
GatewayApiConfig: expandGatewayApiConfig(d.Get("gateway_api_config")),
<% unless version == "ga" -%>
EnableMultiNetworking: d.Get("enable_multi_networking").(bool),
EnableFqdnNetworkPolicy: d.Get("enable_fqdn_network_policy").(bool),
<% end -%>
},
MasterAuth: expandMasterAuth(d.Get("master_auth")),
Expand Down Expand Up @@ -2567,6 +2574,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
if err := d.Set("enable_multi_networking", cluster.NetworkConfig.EnableMultiNetworking); err != nil {
return fmt.Errorf("Error setting enable_multi_networking: %s", err)
}
if err := d.Set("enable_fqdn_network_policy", cluster.NetworkConfig.EnableFqdnNetworkPolicy); err != nil {
return fmt.Errorf("Error setting enable_fqdn_network_policy: %s", err)
}
<% end -%>
if err := d.Set("private_ipv6_google_access", cluster.NetworkConfig.PrivateIpv6GoogleAccess); err != nil {
return fmt.Errorf("Error setting private_ipv6_google_access: %s", err)
Expand Down Expand Up @@ -3035,6 +3045,24 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
log.Printf("[INFO] GKE cluster %s L4 ILB Subsetting has been updated to %v", d.Id(), enabled)
}

<% unless version == 'ga' -%>
if d.HasChange("enable_fqdn_network_policy") {
enabled := d.Get("enable_fqdn_network_policy").(bool)
req := &container.UpdateClusterRequest{
Update: &container.ClusterUpdate{
DesiredEnableFqdnNetworkPolicy: enabled,
},
}
updateF := updateFunc(req, "updating fqdn network policy")
// Call update serially.
if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
return err
}

log.Printf("[INFO] GKE cluster %s FQDN Network Policy has been updated to %v", d.Id(), enabled)
}
<% end -%>

if d.HasChange("cost_management_config") {
c := d.Get("cost_management_config")
req := &container.UpdateClusterRequest{
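Review bot: The update hunk's `DesiredEnableFqdnNetworkPolicy: enabled` most likely cannot turn the feature back off: the generated google.golang.org/api structs tag their bool fields `omitempty`, so a `false` is dropped from the JSON body and the API receives an empty ClusterUpdate (the struct itself is outside this diff, so confirm against the vendored client). Adding `ForceSendFields: []string{"DesiredEnableFqdnNetworkPolicy"},` beside the field is the usual fix. Because the Read hunk copies the server's value straight back into state, a silently ignored disable surfaces only as a perpetual plan diff rather than a failed apply — fail-closed for an egress control, but it leaves the operator believing the policy is off. The schema Description could also carry the operational caveat the docs hunk gives, e.g. `Whether FQDN Network Policy is enabled on this cluster. Requires GKE Dataplane V2; enabling it on an existing Standard cluster takes effect only after the anetd DaemonSet is restarted.` (the Dataplane V2 dependency is suggested by the test fixture's `datapath_provider = "ADVANCED_DATAPATH"` and the docs' anetd reference, not stated in this hunk). The enclosing resourceContainerClusterUpdate body starts and ends outside the hunk.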
Expand Up @@ -341,6 +341,49 @@ func TestAccContainerCluster_withMultiNetworking(t *testing.T) {
}
<% end -%>

<% unless version == 'ga' -%>
func TestAccContainerCluster_withFQDNNetworkPolicy(t *testing.T) {
t.Parallel()

clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withFQDNNetworkPolicy(clusterName, false),
},
{
ResourceName: "google_container_cluster.cluster",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
{
Config: testAccContainerCluster_withFQDNNetworkPolicy(clusterName, true),
},
{
ResourceName: "google_container_cluster.cluster",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
{
Config: testAccContainerCluster_withFQDNNetworkPolicy(clusterName, false),
},
{
ResourceName: "google_container_cluster.cluster",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"min_master_version"},
},
},
})
}
<% end -%>

func TestAccContainerCluster_withMasterAuthConfig_NoCert(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -474,6 +517,69 @@ resource "google_container_cluster" "cluster" {
}
<% end -%>


<% unless version == 'ga' -%>
func testAccContainerCluster_withFQDNNetworkPolicy(clusterName string, enabled bool) string {
return fmt.Sprintf(`
data "google_container_engine_versions" "uscentral1a" {
location = "us-central1-a"
}

resource "google_compute_network" "container_network" {
name = "%s-nw"
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "container_subnetwork" {
name = google_compute_network.container_network.name
network = google_compute_network.container_network.name
ip_cidr_range = "10.0.36.0/24"
region = "us-central1"
private_ip_google_access = true

secondary_ip_range {
range_name = "pod"
ip_cidr_range = "10.0.0.0/19"
}

secondary_ip_range {
range_name = "svc"
ip_cidr_range = "10.0.32.0/22"
}

secondary_ip_range {
range_name = "another-pod"
ip_cidr_range = "10.1.32.0/22"
}

lifecycle {
ignore_changes = [
# The auto nodepool creates a secondary range which diffs this resource.
secondary_ip_range,
]
}
}

resource "google_container_cluster" "cluster" {
name = "%s"
location = "us-central1-a"
min_master_version = data.google_container_engine_versions.uscentral1a.release_channel_latest_version["STABLE"]
initial_node_count = 1

network = google_compute_network.container_network.name
subnetwork = google_compute_subnetwork.container_subnetwork.name
ip_allocation_policy {
cluster_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name
services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name
}

enable_fqdn_network_policy = %t
datapath_provider = "ADVANCED_DATAPATH"
}
`, clusterName, clusterName, enabled)
}
<% end -%>

func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) {
t.Parallel()

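Review bot: The fixture in testAccContainerCluster_withFQDNNetworkPolicy sets `datapath_provider = "ADVANCED_DATAPATH"` without saying why, and nothing in the schema hunk expresses that dependency; a one-line comment such as `# FQDN Network Policy needs GKE Dataplane V2 (ADVANCED_DATAPATH)` would stop the next editor from dropping the line and getting an opaque API error. The `another-pod` secondary range is never referenced by the cluster block and appears to have been carried over from the multi-networking fixture; removing it keeps the test config minimal. Pinning `min_master_version` to the STABLE channel's latest version also means the test silently depends on that channel meeting the feature's minimum GKE version, which may be worth a comment so a future failure is recognised as a channel issue rather than a provider regression.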
Expand Up @@ -349,6 +349,9 @@ subnetwork in which the cluster's instances are launched.
* `enable_multi_networking` - (Optional) [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
Whether multi-networking is enabled for this cluster.

* `enable_fqdn_network_policy` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
Whether FQDN Network Policy is enabled on this cluster. Users who enable this feature for existing Standard clusters must restart the GKE Dataplane V2 `anetd` DaemonSet after enabling. See the [Enable FQDN Network Policy in an existing cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/fqdn-network-policies#enable_fqdn_network_policy_in_an_existing_cluster) for more information.

* `private_ipv6_google_access` - (Optional)
The desired state of IPv6 connectivity to Google Services. By default, no private IPv6 access to or from Google Services (all access will be via IPv4).


