Promote Confidential GKE Nodes to GA #10531

Merged
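--- a/.changelog/5344.txt
+++ b/.changelog/5344.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: promoted `confidential_nodes` field in `google_container_cluster` to GA
+```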
48 changes: 46 additions & 2 deletions google/resource_container_cluster.go
Expand Up @@ -550,6 +550,25 @@ func resourceContainerCluster() *schema.Resource {
},
},

"confidential_nodes": {
Type: schema.TypeList,
Optional: true,
Computed: true,
ForceNew: true,
MaxItems: 1,
Description: `Configuration for the confidential nodes feature, which makes nodes run on confidential VMs. Warning: This configuration can't be changed (or added/removed) after cluster creation without deleting and recreating the entire cluster.`,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
Type: schema.TypeBool,
Required: true,
ForceNew: true,
Description: `Whether Confidential Nodes feature is enabled for all nodes in this cluster.`,
},
},
},
},

"master_auth": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -1157,8 +1176,9 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
DatapathProvider: d.Get("datapath_provider").(string),
PrivateIpv6GoogleAccess: d.Get("private_ipv6_google_access").(string),
},
MasterAuth: expandMasterAuth(d.Get("master_auth")),
ResourceLabels: expandStringMap(d, "resource_labels"),
MasterAuth: expandMasterAuth(d.Get("master_auth")),
ConfidentialNodes: expandConfidentialNodes(d.Get("confidential_nodes")),
ResourceLabels: expandStringMap(d, "resource_labels"),
}

v := d.Get("enable_shielded_nodes")
Expand Down Expand Up @@ -1497,6 +1517,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
if err := d.Set("release_channel", flattenReleaseChannel(cluster.ReleaseChannel)); err != nil {
return err
}
if err := d.Set("confidential_nodes", flattenConfidentialNodes(cluster.ConfidentialNodes)); err != nil {
return err
}
if err := d.Set("enable_tpu", cluster.EnableTpu); err != nil {
return fmt.Errorf("Error setting enable_tpu: %s", err)
}
Expand Down Expand Up @@ -2710,6 +2733,17 @@ func expandAuthenticatorGroupsConfig(configured interface{}) *container.Authenti
return result
}

func expandConfidentialNodes(configured interface{}) *container.ConfidentialNodes {
l := configured.([]interface{})
if len(l) == 0 || l[0] == nil {
return nil
}
config := l[0].(map[string]interface{})
return &container.ConfidentialNodes{
Enabled: config["enabled"].(bool),
}
}

func expandMasterAuth(configured interface{}) *container.MasterAuth {
l := configured.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down Expand Up @@ -2932,6 +2966,16 @@ func expandMonitoringConfig(configured interface{}) *container.MonitoringConfig
}
}

func flattenConfidentialNodes(c *container.ConfidentialNodes) []map[string]interface{} {
result := []map[string]interface{}{}
if c != nil {
result = append(result, map[string]interface{}{
"enabled": c.Enabled,
})
}
return result
}

func flattenNetworkPolicy(c *container.NetworkPolicy) []map[string]interface{} {
result := []map[string]interface{}{}
if c != nil {
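Review bot: In resourceContainerClusterRead the new `d.Set("confidential_nodes", …)` branch returns the bare `err`, while the adjacent `enable_tpu` branch wraps it with the field name; for a diagnosable failure and consistency with that line use `return fmt.Errorf("Error setting confidential_nodes: %s", err)`. In the schema hunk the block is Optional, Computed and ForceNew, so a config that omits the block will not surface a diff if the cluster's confidential-nodes setting changes outside Terraform; that is the normal behavior of the Optional+Computed pattern, but since this is a security control it is worth one sentence in the Description, e.g. `Set this block explicitly if you want drift in the setting to be detected.` The unchecked `config["enabled"].(bool)` in expandConfidentialNodes is safe only because the nested `enabled` field is marked Required in the schema; a short comment saying so would keep a future schema change from turning it into a panic. Both Read and the schema function start and end outside their hunks.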
87 changes: 87 additions & 0 deletions google/resource_container_cluster_test.go
Expand Up @@ -174,6 +174,45 @@ func TestAccContainerCluster_withAddons(t *testing.T) {
})
}

func TestAccContainerCluster_withConfidentialNodes(t *testing.T) {
t.Parallel()

clusterName := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10))
npName := fmt.Sprintf("tf-test-cluster-nodepool-%s", randString(t, 10))

vcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName),
},
{
ResourceName: "google_container_cluster.confidential_nodes",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccContainerCluster_disableConfidentialNodes(clusterName, npName),
},
{
ResourceName: "google_container_cluster.confidential_nodes",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName),
},
{
ResourceName: "google_container_cluster.confidential_nodes",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func TestAccContainerCluster_withMasterAuthConfig_NoCert(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -2035,6 +2074,54 @@ resource "google_container_cluster" "primary" {
`, projectID, clusterName)
}

func testAccContainerCluster_withConfidentialNodes(clusterName string, npName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "confidential_nodes" {
name = "%s"
location = "us-central1-a"
release_channel {
channel = "RAPID"
}

node_pool {
name = "%s"
initial_node_count = 1
node_config {
machine_type = "n2d-standard-2" // can't be e2 because Confidential Nodes require AMD CPUs
}
}

confidential_nodes {
enabled = true
}
}
`, clusterName, npName)
}

func testAccContainerCluster_disableConfidentialNodes(clusterName string, npName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "confidential_nodes" {
name = "%s"
location = "us-central1-a"
release_channel {
channel = "RAPID"
}

node_pool {
name = "%s"
initial_node_count = 1
node_config {
machine_type = "n2d-standard-2"
}
}

confidential_nodes {
enabled = false
}
}
`, clusterName, npName)
}

func testAccContainerCluster_withNetworkPolicyEnabled(clusterName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "with_network_policy_enabled" {
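Review bot: TestAccContainerCluster_withConfidentialNodes never asserts that the feature actually ended up enabled: none of the apply steps carries a Check, and ImportStateVerify only confirms that the imported state matches the post-apply state. Adding `Check: resource.TestCheckResourceAttr("google_container_cluster.confidential_nodes", "confidential_nodes.0.enabled", "true"),` to the first and third steps (and the `"false"` counterpart to the disable step) pins the security-relevant outcome rather than just round-trip consistency. The two config helpers testAccContainerCluster_withConfidentialNodes and testAccContainerCluster_disableConfidentialNodes differ only in the `enabled` literal and in the machine_type comment; a single helper taking a bool would remove the duplication and keep the AMD-CPU comment in one place. Each step in this sequence forces a cluster replacement because the field is ForceNew, so the test creates three clusters; a comment stating that intent would help the next maintainer who wonders why the disable step exists.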
6 changes: 6 additions & 0 deletions website/docs/r/container_cluster.html.markdown
Expand Up @@ -268,6 +268,8 @@ region are guaranteed to support the same version.

* `notification_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for the [cluster upgrade notifications](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-upgrade-notifications) feature. Structure is [documented below](#nested_notification_config).

* `confidential_nodes` - Configuration for [Confidential Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes) feature. Structure is documented below [documented below](#nested_confidential_nodes).

* `pod_security_policy_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for the
[PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
Structure is [documented below](#nested_pod_security_policy_config).
Expand Down Expand Up @@ -780,6 +782,10 @@ notification_config {
}
```

<a name="nested_confidential_nodes"></a> The `confidential_nodes` block supports:

* `enabled` (Required) - Enable Confidential Nodes for this cluster.

<a name="nested_pod_security_policy_config"></a>The `pod_security_policy_config` block supports:

* `enabled` (Required) - Enable the PodSecurityPolicy controller for this cluster.