Skip to content

Commit

Permalink
Created test for sandbox (Fix terraform-google-modules#252)
Browse files Browse the repository at this point in the history
  • Loading branch information
paulpalamarchuk committed Oct 21, 2019
1 parent 82653c1 commit 6164046
Show file tree
Hide file tree
Showing 11 changed files with 270 additions and 29 deletions.
7 changes: 7 additions & 0 deletions .kitchen.yml
Original file line number Diff line number Diff line change
Expand Up @@ -131,3 +131,10 @@ suites:
systems:
- name: workload_metadata_config
backend: local
- name: "sandbox_enabled"
driver:
root_module_directory: test/fixtures/sandbox_enabled
verifier:
systems:
- name: sandbox_enabled
backend: local
11 changes: 6 additions & 5 deletions examples/simple_regional_beta/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,24 @@

This example illustrates how to create a simple cluster with beta features.

[^]: (autogen_docs_start)

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| cloudrun | Boolean to enable / disable CloudRun | string | `"true"` | no |
| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
| istio | Boolean to enable / disable Istio | string | `"true"` | no |
| network | The VPC network to host the cluster in | string | n/a | yes |
| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
| node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
| project\_id | The project ID to host the cluster in | string | n/a | yes |
| region | The region to host the cluster in | string | n/a | yes |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |

## Outputs
Expand All @@ -27,7 +29,6 @@ This example illustrates how to create a simple cluster with beta features.
| ca\_certificate | |
| client\_token | |
| cluster\_name | Cluster name |
| credentials\_path | |
| ip\_range\_pods | The secondary IP range used for pods |
| ip\_range\_services | The secondary IP range used for services |
| kubernetes\_endpoint | |
Expand All @@ -40,7 +41,7 @@ This example illustrates how to create a simple cluster with beta features.
| subnetwork | |
| zones | List of zones in which the cluster resides |

[^]: (autogen_docs_end)
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

To provision this example, run the following from within this directory:
- `terraform init` to get the plugins
Expand Down
35 changes: 19 additions & 16 deletions examples/simple_regional_beta/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -19,25 +19,28 @@ locals {
}

provider "google-beta" {
version = "~> 2.12.0"
credentials = file(var.credentials_path)
region = var.region
version = "~> 2.12.0"
region = var.region
}

module "gke" {
source = "../../modules/beta-public-cluster/"
project_id = var.project_id
name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
regional = true
region = var.region
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
create_service_account = false
service_account = var.compute_engine_service_account
istio = var.istio
cloudrun = var.cloudrun
source = "../../modules/beta-public-cluster/"
project_id = var.project_id
name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
regional = true
region = var.region
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
create_service_account = false
service_account = var.compute_engine_service_account
istio = var.istio
cloudrun = var.cloudrun
node_metadata = var.node_metadata
sandbox_enabled = var.sandbox_enabled
remove_default_node_pool = var.remove_default_node_pool
node_pools = var.node_pools
}

data "google_client_config" "default" {
Expand Down
4 changes: 0 additions & 4 deletions examples/simple_regional_beta/test_outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,6 @@ output "project_id" {
value = var.project_id
}

output "credentials_path" {
value = var.credentials_path
}

output "region" {
value = module.gke.region
}
Expand Down
33 changes: 29 additions & 4 deletions examples/simple_regional_beta/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,6 @@ variable "project_id" {
description = "The project ID to host the cluster in"
}

variable "credentials_path" {
description = "The path to the GCP credentials JSON file"
}

variable "cluster_name_suffix" {
description = "A suffix to append to the default cluster name"
default = ""
Expand Down Expand Up @@ -60,3 +56,32 @@ variable "cloudrun" {
description = "Boolean to enable / disable CloudRun"
default = true
}

variable "node_metadata" {
description = "Specifies how node metadata is exposed to the workload running on the node"
default = "SECURE"
type = string
}

variable "sandbox_enabled" {
type = bool
description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
default = false
}

variable "remove_default_node_pool" {
type = bool
description = "Remove default node pool while setting up the cluster"
default = false
}

variable "node_pools" {
type = list(map(string))
description = "List of maps containing node pools"

default = [
{
name = "default-node-pool"
},
]
}
40 changes: 40 additions & 0 deletions test/fixtures/sandbox_enabled/example.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

module "example" {
source = "../../../examples/simple_regional_beta"

project_id = var.project_id
cluster_name_suffix = "-${random_string.suffix.result}"
region = var.region
network = google_compute_network.main.name
subnetwork = google_compute_subnetwork.main.name
ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
compute_engine_service_account = var.compute_engine_service_account
istio = false
cloudrun = false
node_metadata = "UNSPECIFIED"
sandbox_enabled = true
remove_default_node_pool = true

node_pools = [
{
name = "default-node-pool"
image_type = "COS_CONTAINERD"
},
]
}
48 changes: 48 additions & 0 deletions test/fixtures/sandbox_enabled/network.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
/**
* Copyright 2019 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

resource "random_string" "suffix" {
length = 4
special = false
upper = false
}

provider "google" {
project = var.project_id
}

resource "google_compute_network" "main" {
name = "cft-gke-test-${random_string.suffix.result}"
auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "main" {
name = "cft-gke-test-${random_string.suffix.result}"
ip_cidr_range = "10.0.0.0/17"
region = var.region
network = google_compute_network.main.self_link

secondary_ip_range {
range_name = "cft-gke-test-pods-${random_string.suffix.result}"
ip_cidr_range = "192.168.0.0/18"
}

secondary_ip_range {
range_name = "cft-gke-test-services-${random_string.suffix.result}"
ip_cidr_range = "192.168.64.0/18"
}
}

1 change: 1 addition & 0 deletions test/fixtures/sandbox_enabled/outputs.tf
1 change: 1 addition & 0 deletions test/fixtures/sandbox_enabled/variables.tf
102 changes: 102 additions & 0 deletions test/integration/sandbox_enabled/controls/gcloud.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

project_id = attribute('project_id')
location = attribute('location')
cluster_name = attribute('cluster_name')

control "gcloud" do
title "Google Compute Engine GKE configuration"
describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do
its(:exit_status) { should eq 0 }
its(:stderr) { should eq '' }

let!(:data) do
if subject.exit_status == 0
JSON.parse(subject.stdout)
else
{}
end
end

describe "cluster" do
it "is running" do
expect(data['status']).to eq 'RUNNING'
end

it "is regional" do
expect(data['location']).to match(/^.*[1-9]$/)
end

it "uses public nodes and master endpoint" do
expect(data['privateClusterConfig']).to eq nil
end

it "has the expected addon settings" do
expect(data['addonsConfig']).to eq({
"horizontalPodAutoscaling" => {},
"httpLoadBalancing" => {},
"kubernetesDashboard" => {
"disabled" => true,
},
"networkPolicyConfig" => {
"disabled" => true,
},
})
end
end

describe "node pool" do
let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } }

it "is the expected image type" do
expect(node_pools).to include(
including(
"config" => including(
"imageType" => "COS_CONTAINERD",
),
)
)
end

it "has the expected labels" do
expect(node_pools).to include(
including(
"config" => including(
"labels" => including(
"cluster_name" => cluster_name,
"node_pool" => "default-node-pool",
"sandbox.gke.io/runtime" => "gvisor",
),
),
)
)
end

it "has the expected network tags" do
expect(node_pools).to include(
including(
"config" => including(
"tags" => match_array([
"gke-#{cluster_name}",
"gke-#{cluster_name}-default-node-pool",
]),
),
)
)
end

end
end
end
17 changes: 17 additions & 0 deletions test/integration/sandbox_enabled/inspec.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: sandbox_enabled
attributes:
- name: project_id
required: true
type: string
- name: location
required: true
type: string
- name: cluster_name
required: true
type: string
- name: kubernetes_endpoint
required: true
type: string
- name: client_token
required: true
type: string

0 comments on commit 6164046

Please sign in to comment.