Add test for sandbox

* Moved `sanbox_config` to `node_pool` resouce (Fix terraform-google-modules#240) * Created test for sandbox (Fix terraform-google-modules#252) * Updated docker image version
paulpalamarchuk · Oct 14, 2019 · 6420311 · 6420311
1 parent aa048e1
commit 6420311
Show file tree

Hide file tree

Showing 19 changed files with 389 additions and 156 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -38,96 +38,103 @@ suites:
 #      systems:
 #        - name: deploy_service
 #          backend: local
-  - name: "disable_client_cert"
-    driver:
-      root_module_directory: test/fixtures/disable_client_cert
-    verifier:
-      systems:
-        - name: disable_client_cert
-          backend: local
-# Disabled due to issue #274
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/274)
-#  - name: "node_pool"
+#  - name: "disable_client_cert"
 #    driver:
-#      root_module_directory: test/fixtures/node_pool
+#      root_module_directory: test/fixtures/disable_client_cert
 #    verifier:
 #      systems:
-#        - name: node_pool
+#        - name: disable_client_cert
 #          backend: local
-  - name: "shared_vpc"
-    driver:
-      root_module_directory: test/fixtures/shared_vpc
-    verifier:
-      systems:
-        - name: shared_vpc
-          backend: local
-  - name: "simple_regional"
-    driver:
-      root_module_directory: test/fixtures/simple_regional
-    verifier:
-      systems:
-        - name: simple_regional
-          backend: local
-  - name: "simple_regional_private"
-    driver:
-      root_module_directory: test/fixtures/simple_regional_private
-    verifier:
-      systems:
-        - name: simple_regional_private
-          backend: local
-  - name: "simple_zonal"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal
-    verifier:
-      systems:
-        - name: gcloud
-          backend: local
-          controls:
-            - gcloud
-        - name: gcp
-          backend: gcp
-          controls:
-            - gcp
-  - name: "simple_zonal_private"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal_private
-    verifier:
-      systems:
-        - name: simple_zonal_private
-          backend: local
-  - name: "stub_domains"
-    driver:
-      root_module_directory: test/fixtures/stub_domains
-    verifier:
-      systems:
-        - name: stub_domains
-          backend: local
-# Disabled due to issue #264
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
-#  - name: stub_domains_private
+## Disabled due to issue #274
+## (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/274)
+##  - name: "node_pool"
+##    driver:
+##      root_module_directory: test/fixtures/node_pool
+##    verifier:
+##      systems:
+##        - name: node_pool
+##          backend: local
+#  - name: "shared_vpc"
 #    driver:
-#      root_module_directory: test/fixtures/stub_domains_private
+#      root_module_directory: test/fixtures/shared_vpc
+#    verifier:
 #      systems:
-#        - name: stub_domains_private
+#        - name: shared_vpc
 #          backend: local
-  - name: "upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/upstream_nameservers
-    verifier:
-        systems:
-          - name: upstream_nameservers
-            backend: local
-  - name: "stub_domains_upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
-    verifier:
-        systems:
-          - name: stub_domains_upstream_nameservers
-            backend: local
-  - name: "workload_metadata_config"
+#  - name: "simple_regional"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional
+#    verifier:
+#      systems:
+#        - name: simple_regional
+#          backend: local
+#  - name: "simple_regional_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional_private
+#    verifier:
+#      systems:
+#        - name: simple_regional_private
+#          backend: local
+#  - name: "simple_zonal"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal
+#    verifier:
+#      systems:
+#        - name: gcloud
+#          backend: local
+#          controls:
+#            - gcloud
+#        - name: gcp
+#          backend: gcp
+#          controls:
+#            - gcp
+#  - name: "simple_zonal_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal_private
+#    verifier:
+#      systems:
+#        - name: simple_zonal_private
+#          backend: local
+#  - name: "stub_domains"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains
+#    verifier:
+#      systems:
+#        - name: stub_domains
+#          backend: local
+## Disabled due to issue #264
+## (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
+##  - name: stub_domains_private
+##    driver:
+##      root_module_directory: test/fixtures/stub_domains_private
+##      systems:
+##        - name: stub_domains_private
+##          backend: local
+#  - name: "upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: upstream_nameservers
+#            backend: local
+#  - name: "stub_domains_upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: stub_domains_upstream_nameservers
+#            backend: local
+#  - name: "workload_metadata_config"
+#    driver:
+#      root_module_directory: test/fixtures/workload_metadata_config
+#    verifier:
+#      systems:
+#        - name: workload_metadata_config
+#          backend: local
+  - name: "sandbox_enabled"
     driver:
-      root_module_directory: test/fixtures/workload_metadata_config
+      root_module_directory: test/fixtures/sandbox_enabled
     verifier:
       systems:
-        - name: workload_metadata_config
+        - name: sandbox_enabled
           backend: local
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.2
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

diff --git a/autogen/cluster.tf b/autogen/cluster.tf
@@ -167,14 +167,6 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
-
-      dynamic "sandbox_config" {
-        for_each = local.cluster_sandbox_enabled
-
-        content {
-          sandbox_type = sandbox_config.value
-        }
-      }
       {% endif %}
     }
   }
@@ -415,6 +407,14 @@ resource "google_container_node_pool" "pools" {
         node_metadata = workload_metadata_config.value.node_metadata
       }
     }
+
+    dynamic "sandbox_config" {
+      for_each = local.cluster_sandbox_enabled
+
+      content {
+        sandbox_type = sandbox_config.value
+      }
+    }
     {% endif %}
   }
 

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.2'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
@@ -24,4 +24,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.2'
diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md
@@ -2,22 +2,24 @@
 
 This example illustrates how to create a simple cluster with beta features.
 
-[^]: (autogen_docs_start)
-
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | cloudrun | Boolean to enable / disable CloudRun | string | `"true"` | no |
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
-| credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | istio | Boolean to enable / disable Istio | string | `"true"` | no |
 | network | The VPC network to host the cluster in | string | n/a | yes |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
+| node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
+| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
 
 ## Outputs
@@ -40,7 +42,7 @@ This example illustrates how to create a simple cluster with beta features.
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 
-[^]: (autogen_docs_end)
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 To provision this example, run the following from within this directory:
 - `terraform init` to get the plugins

diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
@@ -19,25 +19,28 @@ locals {
 }
 
 provider "google-beta" {
-  version     = "~> 2.12.0"
-  credentials = file(var.credentials_path)
-  region      = var.region
+  version = "~> 2.12.0"
+  region  = var.region
 }
 
 module "gke" {
-  source                 = "../../modules/beta-public-cluster/"
-  project_id             = var.project_id
-  name                   = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  regional               = true
-  region                 = var.region
-  network                = var.network
-  subnetwork             = var.subnetwork
-  ip_range_pods          = var.ip_range_pods
-  ip_range_services      = var.ip_range_services
-  create_service_account = false
-  service_account        = var.compute_engine_service_account
-  istio                  = var.istio
-  cloudrun               = var.cloudrun
+  source                   = "../../modules/beta-public-cluster/"
+  project_id               = var.project_id
+  name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                 = true
+  region                   = var.region
+  network                  = var.network
+  subnetwork               = var.subnetwork
+  ip_range_pods            = var.ip_range_pods
+  ip_range_services        = var.ip_range_services
+  create_service_account   = false
+  service_account          = var.compute_engine_service_account
+  istio                    = var.istio
+  cloudrun                 = var.cloudrun
+  node_metadata            = var.node_metadata
+  sandbox_enabled          = var.sandbox_enabled
+  remove_default_node_pool = var.remove_default_node_pool
+  node_pools               = var.node_pools
 }
 
 data "google_client_config" "default" {

diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf
@@ -18,10 +18,6 @@ variable "project_id" {
   description = "The project ID to host the cluster in"
 }
 
-variable "credentials_path" {
-  description = "The path to the GCP credentials JSON file"
-}
-
 variable "cluster_name_suffix" {
   description = "A suffix to append to the default cluster name"
   default     = ""
@@ -60,3 +56,32 @@ variable "cloudrun" {
   description = "Boolean to enable / disable CloudRun"
   default     = true
 }
+
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "SECURE"
+  type        = string
+}
+
+variable "sandbox_enabled" {
+  type        = bool
+  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+  default     = false
+}
+
+variable "remove_default_node_pool" {
+  type        = bool
+  description = "Remove default node pool while setting up the cluster"
+  default     = false
+}
+
+variable "node_pools" {
+  type        = list(map(string))
+  description = "List of maps containing node pools"
+
+  default = [
+    {
+      name = "default-node-pool"
+    },
+  ]
+}
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -158,14 +158,6 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
-
-      dynamic "sandbox_config" {
-        for_each = local.cluster_sandbox_enabled
-
-        content {
-          sandbox_type = sandbox_config.value
-        }
-      }
     }
   }
 
@@ -386,6 +378,14 @@ resource "google_container_node_pool" "pools" {
         node_metadata = workload_metadata_config.value.node_metadata
       }
     }
+
+    dynamic "sandbox_config" {
+      for_each = local.cluster_sandbox_enabled
+
+      content {
+        sandbox_type = sandbox_config.value
+      }
+    }
   }
 
   lifecycle {