Adding private_cluster (#1250)
* Updated google.golang.org/api/container/v1beta1
* Added support for `private_cluster` and `master_ipv4_cidr_block`. This implements #1174; see https://groups.google.com/forum/#!topic/google-cloud-sdk-announce/GGW3SQSANIc
* Added a simple acceptance test for `private_cluster` and `master_ipv4_cidr_block`
* Addressed review replies
* Added documentation for `private_cluster`
This commit is contained in:
parent
d15ff4e93d
commit
1840363c74
@ -23,6 +23,8 @@ var (
|
||||
{Version: v1beta1, Item: "pod_security_policy_config"},
|
||||
{Version: v1beta1, Item: "node_config.*.taint"},
|
||||
{Version: v1beta1, Item: "node_config.*.workload_metadata_config"},
|
||||
{Version: v1beta1, Item: "private_cluster"},
|
||||
{Version: v1beta1, Item: "master_ipv4_cidr_block"},
|
||||
}
|
||||
|
||||
networkConfig = &schema.Resource{
|
||||
@ -426,6 +428,20 @@ func resourceContainerCluster() *schema.Resource {
|
||||
Type: schema.TypeBool,
|
||||
Optional: true,
|
||||
},
|
||||
|
||||
"private_cluster": {
|
||||
Type: schema.TypeBool,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
Default: false,
|
||||
},
|
||||
|
||||
"master_ipv4_cidr_block": {
|
||||
Type: schema.TypeString,
|
||||
Optional: true,
|
||||
ForceNew: true,
|
||||
ValidateFunc: validation.CIDRNetwork(28, 28),
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
@ -576,6 +592,21 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
|
||||
cluster.PodSecurityPolicyConfig = expandPodSecurityPolicyConfig(v)
|
||||
}
|
||||
|
||||
if v, ok := d.GetOk("master_ipv4_cidr_block"); ok {
|
||||
cluster.MasterIpv4CidrBlock = v.(string)
|
||||
}
|
||||
|
||||
if v, ok := d.GetOk("private_cluster"); ok {
|
||||
if cluster.PrivateCluster = v.(bool); cluster.PrivateCluster {
|
||||
if cluster.MasterIpv4CidrBlock == "" {
|
||||
return fmt.Errorf("master_ipv4_cidr_block is mandatory when private_cluster=true")
|
||||
}
|
||||
if cluster.IpAllocationPolicy == nil {
|
||||
return fmt.Errorf("ip_allocation_policy is mandatory when private_cluster=true")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
req := &containerBeta.CreateClusterRequest{
|
||||
Cluster: cluster,
|
||||
}
|
||||
@ -762,6 +793,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
|
||||
}
|
||||
}
|
||||
|
||||
d.Set("private_cluster", cluster.PrivateCluster)
|
||||
d.Set("master_ipv4_cidr_block", cluster.MasterIpv4CidrBlock)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -1431,8 +1465,11 @@ func flattenMaintenancePolicy(mp *containerBeta.MaintenancePolicy) []map[string]
|
||||
}
|
||||
|
||||
func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetworksConfig) []map[string]interface{} {
|
||||
if len(c.CidrBlocks) == 0 {
|
||||
return nil
|
||||
}
|
||||
result := make(map[string]interface{})
|
||||
if c.Enabled && len(c.CidrBlocks) > 0 {
|
||||
if c.Enabled {
|
||||
cidrBlocks := make([]interface{}, 0, len(c.CidrBlocks))
|
||||
for _, v := range c.CidrBlocks {
|
||||
cidrBlocks = append(cidrBlocks, map[string]interface{}{
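Review bot: The new early return in flattenMasterAuthorizedNetworksConfig keys on `len(c.CidrBlocks) == 0`, so a config the API reports as `Enabled` with no CIDR blocks (the "disallow external access" setting this commit's docs describe) is flattened to nil and becomes indistinguishable in state from the feature being disabled, hiding the most restrictive setting from drift detection. If the aim was only to stop an empty block from producing a perpetual diff, consider keying the return on `!c.Enabled` instead and keeping an entry with an empty cidr list when enabled; the caller is not visible here, so whether `c` can be nil (which would panic on the `len(c.CidrBlocks)` access) also needs confirming. The function's body continues past the end of the hunk.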
|
||||
|
@ -301,6 +301,35 @@ func TestAccContainerCluster_withKubernetesAlpha(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccContainerCluster_withPrivateCluster(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckContainerClusterDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
{
|
||||
Config: testAccContainerCluster_withPrivateCluster(clusterName),
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
resource.TestCheckResourceAttr("google_container_cluster.with_private_cluster", "private_cluster", "true"),
|
||||
),
|
||||
},
|
||||
{
|
||||
ResourceName: "google_container_cluster.with_private_cluster",
|
||||
ImportStateIdPrefix: "us-central1-a/",
|
||||
ImportState: true,
|
||||
ImportStateVerify: true,
|
||||
ImportStateVerifyIgnore: []string{
|
||||
"private_cluster",
|
||||
"master_ipv4_cidr_block"},
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
@ -1812,3 +1841,45 @@ resource "google_container_cluster" "with_pod_security_policy" {
|
||||
}
|
||||
}`, clusterName, enabled)
|
||||
}
|
||||
|
||||
func testAccContainerCluster_withPrivateCluster(clusterName string) string {
|
||||
return fmt.Sprintf(`
|
||||
resource "google_compute_network" "container_network" {
|
||||
name = "container-net-%s"
|
||||
auto_create_subnetworks = false
|
||||
}
|
||||
|
||||
resource "google_compute_subnetwork" "container_subnetwork" {
|
||||
name = "${google_compute_network.container_network.name}"
|
||||
network = "${google_compute_network.container_network.name}"
|
||||
ip_cidr_range = "10.0.36.0/24"
|
||||
region = "us-central1"
|
||||
private_ip_google_access = true
|
||||
|
||||
secondary_ip_range {
|
||||
range_name = "pod"
|
||||
ip_cidr_range = "10.0.0.0/19"
|
||||
}
|
||||
|
||||
secondary_ip_range {
|
||||
range_name = "svc"
|
||||
ip_cidr_range = "10.0.32.0/22"
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_container_cluster" "with_private_cluster" {
|
||||
name = "cluster-test-%s"
|
||||
zone = "us-central1-a"
|
||||
initial_node_count = 1
|
||||
|
||||
network = "${google_compute_network.container_network.name}"
|
||||
subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"
|
||||
|
||||
private_cluster = true
|
||||
master_ipv4_cidr_block = "10.42.0.0/28"
|
||||
ip_allocation_policy {
|
||||
cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
|
||||
services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
|
||||
}
|
||||
}`, clusterName, clusterName)
|
||||
}
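Review bot: `ImportStateVerifyIgnore` lists exactly the two attributes this commit adds, `private_cluster` and `master_ipv4_cidr_block`, so the import step never checks that they round-trip through resourceContainerClusterRead even though that Read now sets both with `d.Set`. If the API returns them on read, the ignore list can be dropped so import verify covers them; if it does not, a short comment explaining why they are ignored would save the next reader from assuming the Read path is broken. The first step also only asserts `private_cluster`; adding `resource.TestCheckResourceAttr("google_container_cluster.with_private_cluster", "master_ipv4_cidr_block", "10.42.0.0/28"),` would pin the CIDR that the Create path requires.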
|
||||
|
384
vendor/google.golang.org/api/container/v1beta1/container-api.json
generated
vendored
692
vendor/google.golang.org/api/container/v1beta1/container-gen.go
generated
vendored
6
vendor/vendor.json
vendored
@ -1292,10 +1292,10 @@
|
||||
"revisionTime": "2017-10-21T00:03:56Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "zYRNW2YMajEwmcwdj24eELyw9Ro=",
|
||||
"checksumSHA1": "Bwdk1H9PYdjqw6l/1To/9ql0eII=",
|
||||
"path": "google.golang.org/api/container/v1beta1",
|
||||
"revision": "ab90adb3efa287b869ecb698db42f923cc734972",
|
||||
"revisionTime": "2018-02-22T00:05:01Z"
|
||||
"revision": "24928b980e6919be4c72647aacd53ebcbb8c4bab",
|
||||
"revisionTime": "2018-03-16T22:16:32Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "pxXDGWhDrfcAOCQCjgxLfZA4NOw=",
|
||||
|
@ -117,6 +117,10 @@ output "cluster_ca_certificate" {
|
||||
for master authorized networks. Omit the nested `cidr_blocks` attribute to disallow
|
||||
external access (except the cluster node IPs, which GKE automatically whitelists).
|
||||
|
||||
* `master_ipv4_cidr_block` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) Specifies a private
|
||||
[RFC1918](https://tools.ietf.org/html/rfc1918) block for the master's VPC. The master range must not overlap with any subnet in your cluster's VPC.
|
||||
The master and your cluster use VPC peering. Must be specified in CIDR notation and must be `/28` subnet.
|
||||
|
||||
* `min_master_version` - (Optional) The minimum version of the master. GKE
|
||||
will auto-update the master to new versions, so this does not guarantee the
|
||||
current master version--use the read-only `master_version` field to obtain that.
|
||||
@ -152,6 +156,11 @@ output "cluster_ca_certificate" {
|
||||
[PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
|
||||
Structure is documented below.
|
||||
|
||||
* `private_cluster` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) If true, a
|
||||
[private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) will be created, which makes
|
||||
the master inaccessible from the public internet and nodes do not get public IP addresses either. It is mandatory to specify
|
||||
`master_ipv4_cidr_block` and `ip_allocation_policy` with this option.
|
||||
|
||||
* `project` - (Optional) The ID of the project in which the resource belongs. If it
|
||||
is not provided, the provider project is used.
|
||||
|
||||