Add GKE NetworkPolicy support

kahun · kahun · commit 541c60e8c556 · 2024-02-07T10:07:37.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -52,6 +52,9 @@ manager_pull_policy.yaml-e
 # junit files
 junit.*.xml
 
+# asdf
+.tool-versions
+
 .DS_Store
 
 # Tilt files.
diff --git a/cloud/services/container/clusters/reconcile.go b/cloud/services/container/clusters/reconcile.go
@@ -268,6 +268,9 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 	if !s.scope.IsAutopilotCluster() {
 		cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.Name)
 	}
+	if s.scope.GCPManagedControlPlane.Spec.NetworkPolicy != nil {
+		cluster.NetworkPolicy = convertToSdkNetworkPolicy(s.scope.GCPManagedControlPlane.Spec.NetworkPolicy)
+	}
 
 	createClusterRequest := &containerpb.CreateClusterRequest{
 		Cluster: cluster,
@@ -366,6 +369,24 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
 	}
 }
 
+// convertToSdkNetworkPolicy converts NetworkPolicy config to a value that is used by GCP SDK.
+func convertToSdkNetworkPolicy(networkPolicy *infrav1exp.NetworkPolicy) *containerpb.NetworkPolicy {
+	sdkNetworkPolicy := containerpb.NetworkPolicy{}
+	sdkNetworkPolicy.Provider = convertToSdkProvider(*networkPolicy.Provider)
+	if networkPolicy.Enabled != nil {
+		sdkNetworkPolicy.Enabled = *networkPolicy.Enabled
+	}
+	return &sdkNetworkPolicy
+}
+
+// convertToSdkProvider converts NetworkPolicyProvider to a value that is used by GCP SDK.
+func convertToSdkProvider(provider infrav1exp.NetworkPolicyProvider) containerpb.NetworkPolicy_Provider {
+	if provider == infrav1exp.Calico {
+		return containerpb.NetworkPolicy_CALICO
+	}
+	return containerpb.NetworkPolicy_PROVIDER_UNSPECIFIED
+}
+
 func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
 	log.V(4).Info("Checking diff and preparing update.")
 
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml
@@ -117,6 +117,20 @@ spec:
                       Public IP addresses.
                     type: boolean
                 type: object
+              networkPolicy:
+                description: NetworkPolicy represents configuration options for NetworkPolicy
+                  feature of the GKE cluster. This feature is disabled if this field
+                  is not specified.
+                properties:
+                  enabled:
+                    description: Whether network policy is enabled on the cluster.
+                    type: boolean
+                  provider:
+                    description: The selected network policy provider.
+                    enum:
+                    - calico
+                    type: string
+                type: object
               project:
                 description: Project is the name of the project to deploy the cluster
                   to.
diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_types.go b/exp/api/v1beta1/gcpmanagedcontrolplane_types.go
@@ -57,6 +57,10 @@ type GCPManagedControlPlaneSpec struct {
 	// This feature is disabled if this field is not specified.
 	// +optional
 	MasterAuthorizedNetworksConfig *MasterAuthorizedNetworksConfig `json:"master_authorized_networks_config,omitempty"`
+	// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
+	// This feature is disabled if this field is not specified.
+	// +optional
+	NetworkPolicy *NetworkPolicy `json:"networkPolicy,omitempty"`
 }
 
 // GCPManagedControlPlaneStatus defines the observed state of GCPManagedControlPlane.
@@ -142,6 +146,25 @@ type MasterAuthorizedNetworksConfigCidrBlock struct {
 	CidrBlock string `json:"cidr_block,omitempty"`
 }
 
+// NetworkPolicy represents configuration options for NetworkPolicy feature of the GKE cluster.
+type NetworkPolicy struct {
+	// The selected network policy provider.
+	// +optional
+	Provider *NetworkPolicyProvider `json:"provider,omitempty"`
+	// Whether network policy is enabled on the cluster.
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+// Allowed Network Policy providers.
+// +kubebuilder:validation:Enum=calico
+type NetworkPolicyProvider string
+
+const (
+	// Tigera (Calico Felix).
+	Calico NetworkPolicyProvider = "calico"
+)
+
 // GetConditions returns the control planes conditions.
 func (r *GCPManagedControlPlane) GetConditions() clusterv1.Conditions {
 	return r.Status.Conditions
diff --git a/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go b/exp/api/v1beta1/gcpmanagedcontrolplane_webhook.go
@@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio
 		)
 	}
 
+	if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "NetworkPolicy"),
+				r.Spec.NetworkPolicy, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}
diff --git a/exp/api/v1beta1/zz_generated.deepcopy.go b/exp/api/v1beta1/zz_generated.deepcopy.go

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,13 @@ func (r *GCPManagedControlPlane) ValidateUpdate(oldRaw runtime.Object) (admissio`
`130`	`130`	`)`
`131`	`131`	`}`
`132`	`132`
	`133`	`+ if !cmp.Equal(r.Spec.NetworkPolicy, old.Spec.NetworkPolicy) {`
	`134`	`+ allErrs = append(allErrs,`
	`135`	`+ field.Invalid(field.NewPath("spec", "NetworkPolicy"),`
	`136`	`+ r.Spec.NetworkPolicy, "field is immutable"),`
	`137`	`+ )`
	`138`	`+ }`
	`139`	`+`
`133`	`140`	`if len(allErrs) == 0 {`
`134`	`141`	`return nil, nil`
`135`	`142`	`}`