
Commit b861e89

authored
feat: tke - support security group for cluster internet (#1177)
* feat: tke - support security group for cluster internet * fix: tke sg testcase * fix: tke - endpoint status
1 parent 2540d08 commit b861e89

7 files changed

+166
-156
lines changed

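--- a/tencentcloud/resource_tc_kubernetes_cluster.go
+++ b/tencentcloud/resource_tc_kubernetes_cluster.go
@@ -1058,6 +1058,11 @@ func resourceTencentCloudTkeCluster() *schema.Resource {
 " If this field is set 'true', the field below `worker_config` must be set." +
 " Because only cluster with node is allowed enable access endpoint.",
 },
+"cluster_internet_security_group": {
+Type: schema.TypeString,
+Optional: true,
+Description: "Specify security group, NOTE: This argument must not be empty if cluster internet enabled.",
+},
 "managed_cluster_internet_security_policies": {
 Type: schema.TypeList,
 Optional: true,
@@ -1845,17 +1850,18 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 ctx := context.WithValue(context.TODO(), logIdKey, logId)
 
 var (
-basic ClusterBasicSetting
-advanced ClusterAdvancedSettings
-cvms RunInstancesForNode
-iAdvanced InstanceAdvancedSettings
-iDiskMountSettings []*tke.InstanceDataDiskMountSetting
-cidrSet ClusterCidrSettings
-securityPolicies []string
-extensionAddons []*tke.ExtensionAddon
-clusterInternet = d.Get("cluster_internet").(bool)
-clusterIntranet = d.Get("cluster_intranet").(bool)
-intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+basic ClusterBasicSetting
+advanced ClusterAdvancedSettings
+cvms RunInstancesForNode
+iAdvanced InstanceAdvancedSettings
+iDiskMountSettings []*tke.InstanceDataDiskMountSetting
+cidrSet ClusterCidrSettings
+securityPolicies []string
+extensionAddons []*tke.ExtensionAddon
+clusterInternet = d.Get("cluster_internet").(bool)
+clusterIntranet = d.Get("cluster_intranet").(bool)
+intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+clusterInternetSecurityGroup = d.Get("cluster_internet_security_group").(string)
 )
 
 if temp, ok := d.GetOkExists("managed_cluster_internet_security_policies"); ok {
@@ -2189,7 +2195,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 //intranet
 if clusterIntranet {
 err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := service.CreateClusterEndpoint(ctx, id, intranetSubnetId, false)
+inErr := service.CreateClusterEndpoint(ctx, id, intranetSubnetId, clusterInternetSecurityGroup, false)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2199,7 +2205,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := service.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := service.DescribeClusterEndpointStatus(ctx, id, false)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2221,7 +2227,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 //TKE_DEPLOY_TYPE_MANAGED Open the internet
 if clusterDeployType == TKE_DEPLOY_TYPE_MANAGED && clusterInternet {
 err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := service.CreateClusterEndpointVip(ctx, id, securityPolicies)
+inErr := service.CreateClusterEndpointVip(ctx, id, clusterInternetSecurityGroup)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2231,7 +2237,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := service.DescribeClusterEndpointVipStatus(ctx, id)
+status, message, inErr := service.DescribeClusterEndpointVipStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2253,7 +2259,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 //TKE_DEPLOY_TYPE_INDEPENDENT Open the internet
 if clusterDeployType == TKE_DEPLOY_TYPE_INDEPENDENT && clusterInternet {
 err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := service.CreateClusterEndpoint(ctx, id, "", true)
+inErr := service.CreateClusterEndpoint(ctx, id, "", clusterInternetSecurityGroup, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2263,7 +2269,7 @@ func resourceTencentCloudTkeClusterCreate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := service.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := service.DescribeClusterEndpointStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2504,19 +2510,19 @@ func resourceTencentCloudTkeClusterRead(d *schema.ResourceData, meta interface{}
 _ = d.Set("pgw_endpoint", emptyStrFunc(securityRet.Response.PgwEndpoint))
 _ = d.Set("security_policy", policies)
 
-if v, ok := d.GetOk("worker_config"); ok && len(v.([]interface{})) > 0 {
-if emptyStrFunc(securityRet.Response.ClusterExternalEndpoint) == "" {
-_ = d.Set("cluster_internet", false)
-} else {
-_ = d.Set("cluster_internet", true)
-}
-
-if emptyStrFunc(securityRet.Response.PgwEndpoint) == "" {
-_ = d.Set("cluster_intranet", false)
-} else {
-_ = d.Set("cluster_intranet", true)
-}
-}
+//if v, ok := d.GetOk("worker_config"); ok && len(v.([]interface{})) > 0 {
+// if emptyStrFunc(securityRet.Response.ClusterExternalEndpoint) == "" {
+// _ = d.Set("cluster_internet", false)
+// } else {
+// _ = d.Set("cluster_internet", true)
+// }
+//
+// if emptyStrFunc(securityRet.Response.PgwEndpoint) == "" {
+// _ = d.Set("cluster_intranet", false)
+// } else {
+// _ = d.Set("cluster_intranet", true)
+// }
+//}
 
 var globalConfig *tke.ClusterAsGroupOption
 err = resource.Retry(readRetryTimeout, func() *resource.RetryError {
@@ -2577,10 +2583,11 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 }
 
 var (
-securityPolicies []string
-clusterInternet = d.Get("cluster_internet").(bool)
-clusterIntranet = d.Get("cluster_intranet").(bool)
-intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+securityPolicies []string
+clusterInternet = d.Get("cluster_internet").(bool)
+clusterIntranet = d.Get("cluster_intranet").(bool)
+intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+clusterInternetSecurityGroup = d.Get("cluster_internet_security_group").(string)
 )
 
 if temp, ok := d.GetOkExists("managed_cluster_internet_security_policies"); ok {
@@ -2608,7 +2615,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 //open intranet
 if clusterIntranet {
 err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := tkeService.CreateClusterEndpoint(ctx, id, intranetSubnetId, false)
+inErr := tkeService.CreateClusterEndpoint(ctx, id, intranetSubnetId, clusterInternetSecurityGroup, false)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2618,7 +2625,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id, false)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2648,7 +2655,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id, false)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2675,7 +2682,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 //TKE_DEPLOY_TYPE_INDEPENDENT open internet
 if clusterDeployType == TKE_DEPLOY_TYPE_INDEPENDENT && clusterInternet {
 err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := tkeService.CreateClusterEndpoint(ctx, id, "", true)
+inErr := tkeService.CreateClusterEndpoint(ctx, id, "", clusterInternetSecurityGroup, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2685,7 +2692,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2717,7 +2724,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2739,7 +2746,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 //TKE_DEPLOY_TYPE_MANAGED open internet
 if clusterDeployType == TKE_DEPLOY_TYPE_MANAGED && clusterInternet {
 err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-inErr := tkeService.CreateClusterEndpointVip(ctx, id, securityPolicies)
+inErr := tkeService.CreateClusterEndpointVip(ctx, id, clusterInternetSecurityGroup)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2749,7 +2756,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointVipStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointVipStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }
@@ -2781,7 +2788,7 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
 return err
 }
 err = resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
-status, message, inErr := tkeService.DescribeClusterEndpointVipStatus(ctx, id)
+status, message, inErr := tkeService.DescribeClusterEndpointVipStatus(ctx, id, true)
 if inErr != nil {
 return retryError(inErr)
 }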
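Review bot: In both Create and Update, `securityPolicies` is still declared and filled from `managed_cluster_internet_security_policies`, but `CreateClusterEndpointVip(ctx, id, clusterInternetSecurityGroup)` no longer receives it, so the policies a user configures are read and then silently discarded; either drop the argument from the schema or keep passing it. The new `cluster_internet_security_group` is described as mandatory when internet access is enabled, yet nothing checks it before the create calls — a guard such as `if clusterInternet && clusterInternetSecurityGroup == "" { return fmt.Errorf("cluster_internet_security_group must be set when cluster_internet is true") }` right after the var block fails fast with a clear message instead of leaving it to the API. The intranet path also passes the internet security group in `CreateClusterEndpoint(ctx, id, intranetSubnetId, clusterInternetSecurityGroup, false)` while the endpoint resource passes `""` in the same position, so it is unclear which behaviour is intended. Finally, the Read hunk comments out the `cluster_internet`/`cluster_intranet` refresh instead of deleting it, which means endpoint exposure changed outside Terraform no longer shows up as drift in a plan; if that is deliberate, a short comment explaining why belongs there, otherwise the dead code should go.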

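--- a/tencentcloud/resource_tc_kubernetes_cluster_endpoint.go
+++ b/tencentcloud/resource_tc_kubernetes_cluster_endpoint.go
@@ -74,6 +74,11 @@ func resourceTencentCloudTkeClusterEndpoint() *schema.Resource {
 Optional: true,
 Description: "Open intranet access or not.",
 },
+"cluster_internet_security_group": {
+Type: schema.TypeString,
+Optional: true,
+Description: "Specify security group, NOTE: This argument must not be empty if cluster internet enabled.",
+},
 "managed_cluster_internet_security_policies": {
 Type: schema.TypeList,
 Optional: true,
@@ -161,13 +166,13 @@ func resourceTencentCloudTkeClusterEndpointRead(d *schema.ResourceData, meta int
 }
 
 var (
-security = response.Response
-clusterInternet = security.ClusterExternalEndpoint != nil && *security.ClusterExternalEndpoint != ""
-clusterIntranet = security.PgwEndpoint != nil && *security.PgwEndpoint != ""
+security = response.Response
+//clusterInternet = security.ClusterExternalEndpoint != nil && *security.ClusterExternalEndpoint != ""
+//clusterIntranet = security.PgwEndpoint != nil && *security.PgwEndpoint != ""
 )
 
-_ = d.Set("cluster_internet", clusterInternet)
-_ = d.Set("cluster_intranet", clusterIntranet)
+//_ = d.Set("cluster_internet", clusterInternet)
+//_ = d.Set("cluster_intranet", clusterIntranet)
 _ = d.Set("user_name", security.UserName)
 _ = d.Set("password", security.Password)
 _ = d.Set("certification_authority", security.CertificationAuthority)
@@ -192,12 +197,13 @@ func resourceTencentCloudTkeClusterEndpointCreate(d *schema.ResourceData, meta i
 
 id := d.Get("cluster_id").(string)
 var (
-err error
-isManagedCluster bool
-securityPolicies []string
-clusterInternet = d.Get("cluster_internet").(bool)
-clusterIntranet = d.Get("cluster_intranet").(bool)
-intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+err error
+isManagedCluster bool
+securityPolicies []string
+clusterInternet = d.Get("cluster_internet").(bool)
+clusterIntranet = d.Get("cluster_intranet").(bool)
+intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+clusterInternetSecurityGroup = d.Get("cluster_internet_security_group").(string)
 )
 
 clusterInfo, has, err := service.DescribeCluster(ctx, id)
@@ -234,11 +240,11 @@ func resourceTencentCloudTkeClusterEndpointCreate(d *schema.ResourceData, meta i
 
 //TKE_DEPLOY_TYPE_INDEPENDENT Open the internet
 if clusterInternet {
-err := tencentCloudClusterInternetSwitch(ctx, &service, id, true, isManagedCluster, securityPolicies)
+err := tencentCloudClusterInternetSwitch(ctx, &service, id, true, isManagedCluster, clusterInternetSecurityGroup, securityPolicies)
 if err != nil {
 return err
 }
-err = waitForClusterEndpointFinish(ctx, &service, id, true, isManagedCluster)
+err = waitForClusterEndpointFinish(ctx, &service, id, true, isManagedCluster, true)
 if err != nil {
 return err
 }
@@ -268,12 +274,13 @@ func resourceTencentCloudTkeClusterEndpointUpdate(d *schema.ResourceData, meta i
 
 if d.HasChange("cluster_internet") {
 clusterInternet := d.Get("cluster_internet").(bool)
+clusterInternetSecurityGroup := d.Get("cluster_internet_security_group").(string)
 policies := helper.InterfacesStrings(d.Get("managed_cluster_internet_security_policies").([]interface{}))
-err = tencentCloudClusterInternetSwitch(ctx, &service, id, clusterInternet, isManagedCluster, policies)
+err = tencentCloudClusterInternetSwitch(ctx, &service, id, clusterInternet, isManagedCluster, clusterInternetSecurityGroup, policies)
 if err != nil {
 return err
 }
-err = waitForClusterEndpointFinish(ctx, &service, id, clusterInternet, isManagedCluster)
+err = waitForClusterEndpointFinish(ctx, &service, id, clusterInternet, isManagedCluster, true)
 if err != nil {
 return err
 }
@@ -321,11 +328,11 @@ func resourceTencentCloudTkeClusterEndpointDelete(d *schema.ResourceData, meta i
 )
 
 if clusterInternet {
-err = tencentCloudClusterInternetSwitch(ctx, &service, id, false, isManagedCluster, nil)
+err = tencentCloudClusterInternetSwitch(ctx, &service, id, false, isManagedCluster, "", nil)
 if err != nil {
 errs = *multierror.Append(err)
 } else {
-taskErr := waitForClusterEndpointFinish(ctx, &service, id, false, isManagedCluster)
+taskErr := waitForClusterEndpointFinish(ctx, &service, id, false, isManagedCluster, true)
 if taskErr != nil {
 errs = *multierror.Append(taskErr)
 }
@@ -342,7 +349,7 @@ func resourceTencentCloudTkeClusterEndpointDelete(d *schema.ResourceData, meta i
 return errs.ErrorOrNil()
 }
 
-func waitForClusterEndpointFinish(ctx context.Context, service *TkeService, id string, enabled bool, isManagedCluster bool) (err error) {
+func waitForClusterEndpointFinish(ctx context.Context, service *TkeService, id string, enabled bool, isManagedCluster bool, isInternet bool) (err error) {
 return resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
 var (
 status string
@@ -357,11 +364,8 @@ func waitForClusterEndpointFinish(ctx context.Context, service *TkeService, id s
 finishStates = []string{TkeInternetStatusNotfound, TkeInternetStatusDeleted}
 }
 
-if isManagedCluster {
-status, message, inErr = service.DescribeClusterEndpointVipStatus(ctx, id)
-} else {
-status, message, inErr = service.DescribeClusterEndpointStatus(ctx, id)
-}
+status, message, inErr = service.DescribeClusterEndpointStatus(ctx, id, isInternet)
+
 if inErr != nil {
 return retryError(inErr)
 }
@@ -377,13 +381,13 @@ func waitForClusterEndpointFinish(ctx context.Context, service *TkeService, id s
 })
 }
 
-func tencentCloudClusterInternetSwitch(ctx context.Context, service *TkeService, id string, enable, isManagedCluster bool, policies []string) (err error) {
+func tencentCloudClusterInternetSwitch(ctx context.Context, service *TkeService, id string, enable, isManagedCluster bool, sg string, policies []string) (err error) {
 err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
 if enable {
 if isManagedCluster {
-err = service.CreateClusterEndpointVip(ctx, id, policies)
+err = service.CreateClusterEndpointVip(ctx, id, sg)
 } else {
-err = service.CreateClusterEndpoint(ctx, id, "", true)
+err = service.CreateClusterEndpoint(ctx, id, "", sg, true)
 }
 if err != nil {
 return retryError(err, tke.RESOURCEUNAVAILABLE_CLUSTERSTATE)
@@ -409,7 +413,7 @@ func tencentCloudClusterInternetSwitch(ctx context.Context, service *TkeService,
 func tencentCloudClusterIntranetSwitch(ctx context.Context, service *TkeService, id, subnetId string, enable bool) (err error) {
 err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
 if enable {
-err = service.CreateClusterEndpoint(ctx, id, subnetId, false)
+err = service.CreateClusterEndpoint(ctx, id, subnetId, "", false)
 if err != nil {
 return retryError(err, tke.RESOURCEUNAVAILABLE_CLUSTERSTATE)
 }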
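Review bot: `tencentCloudClusterInternetSwitch` keeps its `policies []string` parameter but its only use, `CreateClusterEndpointVip(ctx, id, policies)`, became `CreateClusterEndpointVip(ctx, id, sg)`, so the `managed_cluster_internet_security_policies` that Create and Update still compute and forward are ignored without any warning; drop the parameter or keep applying it. The same applies to `isManagedCluster` in `waitForClusterEndpointFinish`, which is now unused after the branch collapsed into `DescribeClusterEndpointStatus(ctx, id, isInternet)`, while the cluster resource in this commit still polls `DescribeClusterEndpointVipStatus` for managed clusters — one of the two call sites is presumably polling the wrong status, but the service layer is not in this diff so that needs confirming. `cluster_internet_security_group` is read only inside `if d.HasChange("cluster_internet")` and its schema entry is neither validated nor ForceNew, so changing just the security group appears to be a silent no-op and an empty value can reach the API despite the description saying it must not be empty; a check like `if clusterInternet && clusterInternetSecurityGroup == "" { return fmt.Errorf("cluster_internet_security_group must be set when cluster_internet is true") }` before the switch would at least cover the Create path. Commenting out the `cluster_internet`/`cluster_intranet` assignments in Read also drops drift detection for endpoint exposure; delete the code or document why the refresh was removed.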
