From 19c74666d6cb581d6ea9b748338b164433dfeb12 Mon Sep 17 00:00:00 2001 From: The Magician Date: Tue, 7 Jul 2020 08:34:51 -0700 Subject: [PATCH] added support for shielded nodes in container (#3639) (#252) Signed-off-by: Modular Magician --- plugins/modules/gcp_container_cluster.py | 71 +++++++++++++++++++ plugins/modules/gcp_container_cluster_info.py | 23 ++++++ plugins/modules/gcp_container_node_pool.py | 71 +++++++++++++++++++ .../modules/gcp_container_node_pool_info.py | 23 ++++++ 4 files changed, 188 insertions(+) diff --git a/plugins/modules/gcp_container_cluster.py b/plugins/modules/gcp_container_cluster.py index d20a4fd..80a06ca 100644 --- a/plugins/modules/gcp_container_cluster.py +++ b/plugins/modules/gcp_container_cluster.py @@ -232,6 +232,30 @@ options: "NO_EXECUTE"' required: false type: str + shielded_instance_config: + description: + - Shielded Instance options. + required: false + type: dict + version_added: '2.10' + suboptions: + enable_secure_boot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + required: false + type: bool + enable_integrity_monitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. + This baseline is initially derived from the implicitly trusted boot + image when the instance is created. + required: false + type: bool master_auth: description: - The authentication information for accessing the master endpoint. 
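Review bot: The new `shielded_instance_config` suboptions explain what each flag means but not what the module does when the block is omitted; from the `main()` argument spec and `ClusterNodeconfig.to_request()` later in this patch neither boolean carries a default, so an omitted block leaves both flags unset and the API's own default decides whether Secure Boot is on. That is the fact an operator hardening a cluster needs, so I would add a description line under `shielded_instance_config` such as `- When omitted the flags are not set and the API default applies; set enable_secure_boot to true explicitly to require Secure Boot.` The same wording is missing from the node-pool options hunk in gcp_container_node_pool.py. Whether the outer `remove_nones_from_dict` also drops the resulting empty `shieldedInstanceConfig` dict is not visible in this patch.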
@@ -827,6 +851,29 @@ nodeConfig: - Effect for taint. returned: success type: str + shieldedInstanceConfig: + description: + - Shielded Instance options. + returned: success + type: complex + contains: + enableSecureBoot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + returned: success + type: bool + enableIntegrityMonitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. This + baseline is initially derived from the implicitly trusted boot image when + the instance is created. + returned: success + type: bool masterAuth: description: - The authentication information for accessing the master endpoint. @@ -1335,6 +1382,9 @@ def main(): disk_type=dict(type='str'), min_cpu_platform=dict(type='str'), taints=dict(type='list', elements='dict', options=dict(key=dict(type='str'), value=dict(type='str'), effect=dict(type='str'))), + shielded_instance_config=dict( + type='dict', options=dict(enable_secure_boot=dict(type='bool'), enable_integrity_monitoring=dict(type='bool')) + ), ), ), master_auth=dict( @@ -1732,6 +1782,7 @@ class ClusterNodeconfig(object): u'diskType': self.request.get('disk_type'), u'minCpuPlatform': self.request.get('min_cpu_platform'), u'taints': ClusterTaintsArray(self.request.get('taints', []), self.module).to_request(), + u'shieldedInstanceConfig': ClusterShieldedinstanceconfig(self.request.get('shielded_instance_config', {}), self.module).to_request(), } ) 
@@ -1752,6 +1803,7 @@ class ClusterNodeconfig(object): u'diskType': self.request.get(u'diskType'), u'minCpuPlatform': self.request.get(u'minCpuPlatform'), u'taints': ClusterTaintsArray(self.request.get(u'taints', []), self.module).from_response(), + u'shieldedInstanceConfig': ClusterShieldedinstanceconfig(self.request.get(u'shieldedInstanceConfig', {}), self.module).from_response(), } ) @@ -1810,6 +1862,25 @@ class ClusterTaintsArray(object): return remove_nones_from_dict({u'key': item.get(u'key'), u'value': item.get(u'value'), u'effect': item.get(u'effect')}) +class ClusterShieldedinstanceconfig(object): + def __init__(self, request, module): + self.module = module + if request: + self.request = request + else: + self.request = {} + + def to_request(self): + return remove_nones_from_dict( + {u'enableSecureBoot': self.request.get('enable_secure_boot'), u'enableIntegrityMonitoring': self.request.get('enable_integrity_monitoring')} + ) + + def from_response(self): + return remove_nones_from_dict( + {u'enableSecureBoot': self.request.get(u'enableSecureBoot'), u'enableIntegrityMonitoring': self.request.get(u'enableIntegrityMonitoring')} + ) + + class ClusterMasterauth(object): def __init__(self, request, module): self.module = module diff --git a/plugins/modules/gcp_container_cluster_info.py b/plugins/modules/gcp_container_cluster_info.py index e2203b3..3581299 100644 --- a/plugins/modules/gcp_container_cluster_info.py +++ b/plugins/modules/gcp_container_cluster_info.py 
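Review bot: `ClusterShieldedinstanceconfig.from_response()` returns a key only when the response carries `enableSecureBoot`/`enableIntegrityMonitoring`, while `to_request()` forwards an explicit `False` from the play; if the API omits false booleans in the returned nodeConfig (not verifiable here), a task with `enable_secure_boot: false` compares `{'enableSecureBoot': False}` against `{}` and, depending on how the module's request comparison treats False versus missing, may report a change on every run. A unit test covering the explicit-false round trip through both methods would settle this before merge. The class body is duplicated verbatim as `NodePoolShieldedinstanceconfig` in gcp_container_node_pool.py, and since the files appear to be generated (Modular Magician sign-off) the fix belongs in the generator template rather than in either file. As a style point, the `if request: ... else: self.request = {}` in `__init__` reads more simply as `self.request = request or {}`; the `ClusterMasterauth` body continues past the end of the hunk.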
@@ -288,6 +288,29 @@ resources: - Effect for taint. returned: success type: str + shieldedInstanceConfig: + description: + - Shielded Instance options. + returned: success + type: complex + contains: + enableSecureBoot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + returned: success + type: bool + enableIntegrityMonitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. + This baseline is initially derived from the implicitly trusted boot + image when the instance is created. + returned: success + type: bool masterAuth: description: - The authentication information for accessing the master endpoint. diff --git a/plugins/modules/gcp_container_node_pool.py b/plugins/modules/gcp_container_node_pool.py index 024ec6f..af2c354 100644 --- a/plugins/modules/gcp_container_node_pool.py +++ b/plugins/modules/gcp_container_node_pool.py 
@@ -207,6 +207,30 @@ options: - Effect for taint. required: false type: str + shielded_instance_config: + description: + - Shielded Instance options. + required: false + type: dict + version_added: '2.10' + suboptions: + enable_secure_boot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + required: false + type: bool + enable_integrity_monitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. + This baseline is initially derived from the implicitly trusted boot + image when the instance is created. + required: false + type: bool initial_node_count: description: - The initial node count for the pool. You must ensure that your Compute Engine 
@@ -528,6 +552,29 @@ config: - Effect for taint. returned: success type: str + shieldedInstanceConfig: + description: + - Shielded Instance options. + returned: success + type: complex + contains: + enableSecureBoot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + returned: success + type: bool + enableIntegrityMonitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. This + baseline is initially derived from the implicitly trusted boot image when + the instance is created. + returned: success + type: bool initialNodeCount: description: - The initial node count for the pool. You must ensure that your Compute Engine @@ -695,6 +742,9 @@ def main(): disk_type=dict(type='str'), min_cpu_platform=dict(type='str'), taints=dict(type='list', elements='dict', options=dict(key=dict(type='str'), value=dict(type='str'), effect=dict(type='str'))), + shielded_instance_config=dict( + type='dict', options=dict(enable_secure_boot=dict(type='bool'), enable_integrity_monitoring=dict(type='bool')) + ), ), ), initial_node_count=dict(required=True, type='int'), @@ -926,6 +976,7 @@ class NodePoolConfig(object): u'diskType': self.request.get('disk_type'), u'minCpuPlatform': self.request.get('min_cpu_platform'), u'taints': NodePoolTaintsArray(self.request.get('taints', []), self.module).to_request(), + u'shieldedInstanceConfig': NodePoolShieldedinstanceconfig(self.request.get('shielded_instance_config', {}), self.module).to_request(), } ) 
@@ -946,6 +997,7 @@ class NodePoolConfig(object): u'diskType': self.request.get(u'diskType'), u'minCpuPlatform': self.request.get(u'minCpuPlatform'), u'taints': NodePoolTaintsArray(self.request.get(u'taints', []), self.module).from_response(), + u'shieldedInstanceConfig': NodePoolShieldedinstanceconfig(self.request.get(u'shieldedInstanceConfig', {}), self.module).from_response(), } ) @@ -1004,6 +1056,25 @@ class NodePoolTaintsArray(object): return remove_nones_from_dict({u'key': item.get(u'key'), u'value': item.get(u'value'), u'effect': item.get(u'effect')}) +class NodePoolShieldedinstanceconfig(object): + def __init__(self, request, module): + self.module = module + if request: + self.request = request + else: + self.request = {} + + def to_request(self): + return remove_nones_from_dict( + {u'enableSecureBoot': self.request.get('enable_secure_boot'), u'enableIntegrityMonitoring': self.request.get('enable_integrity_monitoring')} + ) + + def from_response(self): + return remove_nones_from_dict( + {u'enableSecureBoot': self.request.get(u'enableSecureBoot'), u'enableIntegrityMonitoring': self.request.get(u'enableIntegrityMonitoring')} + ) + + class NodePoolAutoscaling(object): def __init__(self, request, module): self.module = module diff --git a/plugins/modules/gcp_container_node_pool_info.py b/plugins/modules/gcp_container_node_pool_info.py index 03914bb..8d2eb8c 100644 --- a/plugins/modules/gcp_container_node_pool_info.py +++ b/plugins/modules/gcp_container_node_pool_info.py 
@@ -272,6 +272,29 @@ resources: - Effect for taint. returned: success type: str + shieldedInstanceConfig: + description: + - Shielded Instance options. + returned: success + type: complex + contains: + enableSecureBoot: + description: + - Defines whether the instance has Secure Boot enabled. + - Secure Boot helps ensure that the system only runs authentic software + by verifying the digital signature of all boot components, and halting + the boot process if signature verification fails. + returned: success + type: bool + enableIntegrityMonitoring: + description: + - Defines whether the instance has integrity monitoring enabled. + - Enables monitoring and attestation of the boot integrity of the instance. + - The attestation is performed against the integrity policy baseline. + This baseline is initially derived from the implicitly trusted boot + image when the instance is created. + returned: success + type: bool initialNodeCount: description: - The initial node count for the pool. You must ensure that your Compute Engine