From 172405b8a6c99e2370b1c594fddcb53166d3f1b5 Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Tue, 4 Jun 2019 12:40:49 -0400 Subject: [PATCH 1/4] Remove redundant Kitchen configuration --- .kitchen.yml | 57 ++-------------------------------------------------- 1 file changed, 2 insertions(+), 55 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 7da9695cbb..f42b6c4fba 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -30,93 +30,54 @@ platforms: suites: - name: "deploy_service" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/deploy_service verifier: - name: terraform - color: false systems: - name: deploy_service backend: local lifecycle: pre_verify: - - sleep 10 - provisioner: - name: terraform + - echo "Sleeping for 60 seconds to allow resources to converge" + - sleep 60 - name: "disable_client_cert" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/disable_client_cert verifier: - name: terraform - color: false systems: - name: disable_client_cert backend: local - provisioner: - name: terraform - name: "node_pool" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/node_pool verifier: - name: terraform - color: false systems: - name: node_pool backend: local - provisioner: - name: terraform - name: "shared_vpc" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/shared_vpc verifier: - name: terraform - color: false systems: - name: shared_vpc backend: local - provisioner: - name: terraform - name: "simple_regional" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/simple_regional verifier: - name: terraform - color: false systems: - name: simple_regional backend: local - provisioner: - name: terraform - name: "simple_regional_private" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/simple_regional_private verifier: - name: terraform - color: false systems: - name: simple_regional_private backend: local - provisioner: - name: terraform - name: "simple_zonal" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/simple_zonal verifier: - name: terraform - color: false systems: - name: gcloud backend: local 
@@ -126,34 +87,20 @@ suites: backend: gcp controls: - gcp - provisioner: - name: terraform - name: "simple_zonal_private" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/simple_zonal_private verifier: - name: terraform - color: false systems: - name: simple_zonal_private backend: local - provisioner: - name: terraform - name: "stub_domains" driver: - name: "terraform" - command_timeout: 1800 root_module_directory: test/fixtures/stub_domains verifier: - name: terraform - color: false systems: - name: stub_domains backend: local - provisioner: - name: terraform - name: stub_domains_private driver: root_module_directory: test/fixtures/stub_domains_private From 64399df3f624102523d4ffed5496f463442f453f Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Tue, 4 Jun 2019 14:39:54 -0400 Subject: [PATCH 2/4] Remove second converge from tests --- .kitchen.yml | 4 ---- test/ci_integration.sh | 1 - 2 files changed, 5 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index f42b6c4fba..d024d0c5e9 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -35,10 +35,6 @@ suites: systems: - name: deploy_service backend: local - lifecycle: - pre_verify: - - echo "Sleeping for 60 seconds to allow resources to converge" - - sleep 60 - name: "disable_client_cert" driver: root_module_directory: test/fixtures/disable_client_cert diff --git a/test/ci_integration.sh b/test/ci_integration.sh index ba92fd5558..365ed3862e 100755 --- a/test/ci_integration.sh +++ b/test/ci_integration.sh @@ -61,7 +61,6 @@ main() { # Execute the test lifecycle kitchen create "$SUITE" kitchen converge "$SUITE" - kitchen converge "$SUITE" kitchen verify "$SUITE" } From 9bee25678a0a264a6f5b46fbf5fa76524406ebaa Mon Sep 17 00:00:00 2001 
From: Aaron Lane Date: Tue, 4 Jun 2019 17:13:35 -0400 Subject: [PATCH 3/4] Add network_policy to google_container_cluster This fixes the issue with the network_policy_config starting as disabled. https://github.com/terraform-providers/terraform-provider-google/issues/3673 --- README.md | 1 + autogen/cluster_regional.tf | 8 +++++++- autogen/cluster_zonal.tf | 8 +++++++- autogen/variables.tf | 5 +++++ cluster_regional.tf | 8 +++++++- cluster_zonal.tf | 8 +++++++- modules/private-cluster/README.md | 1 + modules/private-cluster/cluster_regional.tf | 8 +++++++- modules/private-cluster/cluster_zonal.tf | 8 +++++++- modules/private-cluster/variables.tf | 5 +++++ variables.tf | 5 +++++ 11 files changed, 59 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 1122903c41..9a500c2470 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index bb521ed4c3..46e5e7710e 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf 
@@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index 557d5b4f90..261fcc04c2 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/autogen/variables.tf b/autogen/variables.tf index 407c68fc0b..67ced3b03b 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
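Review bot: The new `network_policy` block in `autogen/cluster_regional.tf` (and the identical one in `autogen/cluster_zonal.tf` on this line) sends `provider` unconditionally, while `enabled` follows `var.network_policy`, whose documented default is `"false"`; nothing here turns enforcement on, so clusters built with module defaults still allow unrestricted pod-to-pod traffic, which is worth saying explicitly in the variable docs. The commit message says the fix is about `network_policy_config` starting disabled, but that `addons_config` block is outside this hunk; for NetworkPolicy to actually be enforced both the addon and `network_policy.enabled` must be on, so `addons_config.network_policy_config.disabled` should be derived from the same `var.network_policy` rather than set independently. A one-line comment above the block would make the coupling visible to the next maintainer: `# Enforcement also requires addons_config.network_policy_config to be enabled; keep both driven by var.network_policy.` The enclosing `google_container_cluster` resource begins and ends outside the hunk.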
@@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00" diff --git a/cluster_regional.tf b/cluster_regional.tf index ce081d9081..518ef23a9c 100644 --- a/cluster_regional.tf +++ b/cluster_regional.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 8dc2d0c353..9b214db43b 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf 
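Review bot: `network_policy_provider` in `autogen/variables.tf` is declared with no `type` and a description that only repeats its name, so a caller reading the module interface (or the generated README row) cannot tell which values are accepted or that the value has no effect unless `network_policy` is true. I would add `type = "string"` and expand the description to `description = "The network policy provider (CALICO or PROVIDER_UNSPECIFIED). Only applied when network_policy is true."`. The root and `modules/private-cluster` copies of this variable appear to be generated from `autogen/`, so the change belongs in this file rather than in the three copies.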
@@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e1978dd332..e7b6cc12a2 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -144,6 +144,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | +| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 34625f72fb..34f21fd9d1 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf 
@@ -29,7 +29,13 @@ resource "google_container_cluster" "primary" { region = "${var.region}" node_locations = ["${coalescelist(compact(var.zones), sort(random_shuffle.available_zones.result))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_regional}" diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 9ffdac36a9..692cc1a6a6 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf @@ -29,7 +29,13 @@ resource "google_container_cluster" "zonal_primary" { zone = "${var.zones[0]}" node_locations = ["${slice(var.zones,1,length(var.zones))}"] - network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + network = "${replace(data.google_compute_network.gke_network.self_link, "https://www.googleapis.com/compute/v1/", "")}" + + network_policy { + enabled = "${var.network_policy}" + provider = "${var.network_policy_provider}" + } + subnetwork = "${replace(data.google_compute_subnetwork.gke_subnetwork.self_link, "https://www.googleapis.com/compute/v1/", "")}" min_master_version = "${local.kubernetes_version_zonal}" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 4e376876cb..841501ed69 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00" diff --git a/variables.tf b/variables.tf index 8a95caab5e..5c22867df7 100644 --- a/variables.tf +++ b/variables.tf @@ -106,6 +106,11 @@ variable "network_policy" { default = false } +variable "network_policy_provider" { + description = "The network policy provider." + default = "PROVIDER_UNSPECIFIED" +} + variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" default = "05:00" From 9d7d84bcde8b3c918e160790a9d63da7c502f8bf Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Wed, 5 Jun 2019 13:01:40 -0400 Subject: [PATCH 4/4] Set default network policy provider to Calico --- README.md | 2 +- autogen/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- variables.tf | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9a500c2470..e56d7db123 100644 --- a/README.md +++ b/README.md 
@@ -135,7 +135,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/autogen/variables.tf b/autogen/variables.tf index 67ced3b03b..49af377738 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -108,7 +108,7 @@ variable "network_policy" { variable "network_policy_provider" { description = "The network policy provider." - default = "PROVIDER_UNSPECIFIED" + default = "CALICO" } variable "maintenance_start_time" { diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e7b6cc12a2..e50dc73b3f 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
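Review bot: Flipping the default to `CALICO` in `autogen/variables.tf` while `network_policy` still defaults to `"false"` means every default deployment now submits `provider = CALICO` together with `enabled = false`; whether the GKE API accepts that pairing and whether `terraform plan` stays clean after apply should be confirmed in the kitchen suites, since the fixtures are not part of this diff and may not exercise `network_policy` at all. It is also a behaviour change for existing users: clusters created under the earlier default of `PROVIDER_UNSPECIFIED` will show an in-place diff on `network_policy.provider` at the next plan, so the README/CHANGELOG should carry an upgrade note rather than just the updated table row. A short comment on the variable, e.g. `# Calico is the only provider GKE currently offers; it is only applied when network_policy is true.`, would document why the default changed.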
@@ -144,7 +144,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | name | The name of the cluster (required) | string | n/a | yes | | network | The VPC network to host the cluster in (required) | string | n/a | yes | | network\_policy | Enable network policy addon | string | `"false"` | no | -| network\_policy\_provider | The network policy provider. | string | `"PROVIDER_UNSPECIFIED"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | | node\_pools | List of maps containing node pools | list | `` | no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `` | no | diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 841501ed69..005a04228e 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -108,7 +108,7 @@ variable "network_policy" { variable "network_policy_provider" { description = "The network policy provider." - default = "PROVIDER_UNSPECIFIED" + default = "CALICO" } variable "maintenance_start_time" { diff --git a/variables.tf b/variables.tf index 5c22867df7..2723a39df5 100644 --- a/variables.tf +++ b/variables.tf @@ -108,7 +108,7 @@ variable "network_policy" { variable "network_policy_provider" { description = "The network policy provider." - default = "PROVIDER_UNSPECIFIED" + default = "CALICO" } variable "maintenance_start_time" {