[GKE Hub]: Add Fleet binary authorization config #9545

Merged
merged 10 commits into from
Dec 4, 2023

sandmman
Contributor

@sandmman sandmman commented Nov 30, 2023

Adds binary authorization fields to the default cluster config of the GKEHub resource "Fleet."

b/296461330

If this PR is for Terraform, I acknowledge that I have:

  • Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
  • Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
  • Generated Terraform providers, and ran make test and make lint in the generated providers to ensure it passes unit and linter tests.
  • Ran relevant acceptance tests using my own Google Cloud project and credentials (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
  • Read Write release notes before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

gkehub: added `binary_authorization_config` to `google_gke_hub_fleet`

@modular-magician
Collaborator

Hello! I am a robot. It looks like you are a: Community Contributor Googler Core Contributor. Tests will run automatically.

@ScottSuarez, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 173 insertions(+))
Terraform Beta: Diff ( 3 files changed, 173 insertions(+))
TF Conversion: Diff ( 1 file changed, 63 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_gke_hub_fleet (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_gke_hub_fleet" "primary" {
  default_cluster_config {
    binary_authorization_config {
      evaluation_mode = # value needed
      policy_bindings {
        name = # value needed
      }
    }
  }
}

@sandmman
Contributor Author

FYI, in #9389 (review) we accidentally submitted 1 enum field that's not supported yet.

Based on go/terraform-releases#schedule, we should have a week before the release is cut so removing that here rather than reverting.

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 176 insertions(+), 3 deletions(-))
Terraform Beta: Diff ( 3 files changed, 176 insertions(+), 3 deletions(-))
TF Conversion: Diff ( 1 file changed, 63 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_gke_hub_fleet (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_gke_hub_fleet" "primary" {
  default_cluster_config {
    binary_authorization_config {
      evaluation_mode = # value needed
      policy_bindings {
        name = # value needed
      }
    }
  }
}

@modular-magician
Collaborator

Tests analytics

Total tests: 3246
Passed tests: 2914
Skipped tests: 331
Affected tests: 1

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

binary_authorization_config {
evaluation_mode = "POLICY_BINDINGS"
policy_bindings = {
name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id
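Review bot: `policy_bindings = {` on the third line assigns a map with `=`, whereas the missing-test template earlier in this thread writes `policy_bindings { ... }` as a nested block; if the schema defines it as a block, drop the `=`. The `name` value on the last line also has no closing quote, so the test config will not parse as written.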
Contributor

string doesn't close

@modular-magician
Collaborator

Tests analytics

Total tests: 3254
Passed tests: 2920
Skipped tests: 331
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccDataprocClusterIamPolicy|TestAccGKEHub2Fleet_gkehubFleetBasicExample_update|TestAccDataSourceGoogleServiceAccountAccessToken_basic

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccDataprocClusterIamPolicy[Debug log]
TestAccDataSourceGoogleServiceAccountAccessToken_basic[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$


$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

@modular-magician
Collaborator

Tests analytics

Total tests: 3255
Passed tests: 2920
Skipped tests: 331
Affected tests: 4

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update|TestAccLoggingProjectSink_updatePreservesCustomWriter|TestAccDataSourceGoogleServiceAccountAccessToken_basic|TestAccDataSourceGoogleServiceAccountJwt

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Debug log]
TestAccDataSourceGoogleServiceAccountAccessToken_basic[Debug log]
TestAccDataSourceGoogleServiceAccountJwt[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{red}{\textsf{Tests failed when rerunning REPLAYING mode:}}$
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.


$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccLoggingProjectSink_updatePreservesCustomWriter[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 177 insertions(+), 4 deletions(-))
Terraform Beta: Diff ( 3 files changed, 177 insertions(+), 4 deletions(-))
TF Conversion: Diff ( 1 file changed, 63 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_gke_hub_fleet (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_gke_hub_fleet" "primary" {
  default_cluster_config {
    binary_authorization_config {
      evaluation_mode = # value needed
      policy_bindings {
        name = # value needed
      }
    }
  }
}

@ScottSuarez
Contributor

Any idea why we are getting test failures? Anything I can help with?

@modular-magician
Collaborator

Tests analytics

Total tests: 3255
Passed tests: 2922
Skipped tests: 331
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update|TestAccLoggingProjectSink_updatePreservesCustomWriter

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$


$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccLoggingProjectSink_updatePreservesCustomWriter[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

@sandmman
Contributor Author

sandmman commented Dec 1, 2023

@ScottSuarez The errors on my test were due to my own typo in one case and an API enablement flakiness error. I've seen that many times in the last 6 months.

It seems to be resolved, but there is some flakiness in another test.

Contributor

@ScottSuarez ScottSuarez left a comment

One more ask, can we have a new test where binary_authorization_config is absent from the terraform code?

@sandmman
Contributor Author

sandmman commented Dec 1, 2023

> One more ask, can we have a new test where binary_authorization_config is absent from the terraform code?

What exactly do you want test coverage for? Is adding an additional test step sufficient? So we have:

  1. Create resource with all fields set
  2. Update all fields
  3. Update with absent default_cluster_config

Running every parameter combination through an E2E test doesn't seem ideal.

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 3 files changed, 196 insertions(+), 4 deletions(-))
Terraform Beta: Diff ( 3 files changed, 196 insertions(+), 4 deletions(-))
TF Conversion: Diff ( 1 file changed, 63 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_gke_hub_fleet (0 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_gke_hub_fleet" "primary" {
  default_cluster_config {
    binary_authorization_config {
      evaluation_mode = # value needed
      policy_bindings {
        name = # value needed
      }
    }
  }
}

@modular-magician
Collaborator

Tests analytics

Total tests: 3255
Passed tests: 2921
Skipped tests: 331
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccDataprocClusterIamPolicy|TestAccGKEHub2Fleet_gkehubFleetBasicExample_update|TestAccLoggingProjectSink_updatePreservesCustomWriter

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccDataprocClusterIamPolicy[Debug log]
TestAccGKEHub2Fleet_gkehubFleetBasicExample_update[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$


$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccLoggingProjectSink_updatePreservesCustomWriter[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test

@ScottSuarez
Contributor

> > One more ask, can we have a new test where binary_authorization_config is absent from the terraform code?
>
> What exactly do you want test coverage for? Is adding an additional test step sufficient? So we have:
>
> 1. Create resource with all fields set
> 2. Update all fields
> 3. Update with absent default_cluster_config
>
> Running every parameter combination through an E2E test doesn't seem ideal.

I want to ensure that the resource still works without binary_authorization_config set on the resource. Since we changed existing tests, we can no longer guarantee existing deployments by customers continue to work. This is my concern.

@modular-magician
Collaborator

Tests analytics

Total tests: 3258
Passed tests: 2925
Skipped tests: 331
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
TestAccLoggingProjectSink_updatePreservesCustomWriter|TestAccSpannerDatabaseIamPolicy

Get to know how VCR tests work

@modular-magician
Collaborator

$\textcolor{green}{\textsf{Tests passed during RECORDING mode:}}$
TestAccSpannerDatabaseIamPolicy[Debug log]

Rerun these tests in REPLAYING mode to catch issues

$\textcolor{green}{\textsf{No issues found for passed tests after REPLAYING rerun.}}$


$\textcolor{red}{\textsf{Tests failed during RECORDING mode:}}$
TestAccLoggingProjectSink_updatePreservesCustomWriter[Error message] [Debug log]

$\textcolor{red}{\textsf{Please fix these to complete your PR.}}$
View the build log or the debug log for each test
