Add test for sandbox

* Moved `sanbox_config` to `node_pool` resouce (Fix terraform-google-modules#240) * Created test for sandbox (Fix terraform-google-modules#252) * Updated docker image version
paulpalamarchuk · Oct 14, 2019 · 79d8b65 · 79d8b65
1 parent aa048e1
commit 79d8b65
Show file tree

Hide file tree

Showing 15 changed files with 426 additions and 126 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -38,96 +38,103 @@ suites:
 #      systems:
 #        - name: deploy_service
 #          backend: local
-  - name: "disable_client_cert"
-    driver:
-      root_module_directory: test/fixtures/disable_client_cert
-    verifier:
-      systems:
-        - name: disable_client_cert
-          backend: local
-# Disabled due to issue #274
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/274)
-#  - name: "node_pool"
+#  - name: "disable_client_cert"
 #    driver:
-#      root_module_directory: test/fixtures/node_pool
+#      root_module_directory: test/fixtures/disable_client_cert
 #    verifier:
 #      systems:
-#        - name: node_pool
+#        - name: disable_client_cert
 #          backend: local
-  - name: "shared_vpc"
-    driver:
-      root_module_directory: test/fixtures/shared_vpc
-    verifier:
-      systems:
-        - name: shared_vpc
-          backend: local
-  - name: "simple_regional"
-    driver:
-      root_module_directory: test/fixtures/simple_regional
-    verifier:
-      systems:
-        - name: simple_regional
-          backend: local
-  - name: "simple_regional_private"
-    driver:
-      root_module_directory: test/fixtures/simple_regional_private
-    verifier:
-      systems:
-        - name: simple_regional_private
-          backend: local
-  - name: "simple_zonal"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal
-    verifier:
-      systems:
-        - name: gcloud
-          backend: local
-          controls:
-            - gcloud
-        - name: gcp
-          backend: gcp
-          controls:
-            - gcp
-  - name: "simple_zonal_private"
-    driver:
-      root_module_directory: test/fixtures/simple_zonal_private
-    verifier:
-      systems:
-        - name: simple_zonal_private
-          backend: local
-  - name: "stub_domains"
-    driver:
-      root_module_directory: test/fixtures/stub_domains
-    verifier:
-      systems:
-        - name: stub_domains
-          backend: local
-# Disabled due to issue #264
-# (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
-#  - name: stub_domains_private
+## Disabled due to issue #274
+## (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/274)
+##  - name: "node_pool"
+##    driver:
+##      root_module_directory: test/fixtures/node_pool
+##    verifier:
+##      systems:
+##        - name: node_pool
+##          backend: local
+#  - name: "shared_vpc"
 #    driver:
-#      root_module_directory: test/fixtures/stub_domains_private
+#      root_module_directory: test/fixtures/shared_vpc
+#    verifier:
 #      systems:
-#        - name: stub_domains_private
+#        - name: shared_vpc
 #          backend: local
-  - name: "upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/upstream_nameservers
-    verifier:
-        systems:
-          - name: upstream_nameservers
-            backend: local
-  - name: "stub_domains_upstream_nameservers"
-    driver:
-      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
-    verifier:
-        systems:
-          - name: stub_domains_upstream_nameservers
-            backend: local
-  - name: "workload_metadata_config"
+#  - name: "simple_regional"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional
+#    verifier:
+#      systems:
+#        - name: simple_regional
+#          backend: local
+#  - name: "simple_regional_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_regional_private
+#    verifier:
+#      systems:
+#        - name: simple_regional_private
+#          backend: local
+#  - name: "simple_zonal"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal
+#    verifier:
+#      systems:
+#        - name: gcloud
+#          backend: local
+#          controls:
+#            - gcloud
+#        - name: gcp
+#          backend: gcp
+#          controls:
+#            - gcp
+#  - name: "simple_zonal_private"
+#    driver:
+#      root_module_directory: test/fixtures/simple_zonal_private
+#    verifier:
+#      systems:
+#        - name: simple_zonal_private
+#          backend: local
+#  - name: "stub_domains"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains
+#    verifier:
+#      systems:
+#        - name: stub_domains
+#          backend: local
+## Disabled due to issue #264
+## (https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264)
+##  - name: stub_domains_private
+##    driver:
+##      root_module_directory: test/fixtures/stub_domains_private
+##      systems:
+##        - name: stub_domains_private
+##          backend: local
+#  - name: "upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: upstream_nameservers
+#            backend: local
+#  - name: "stub_domains_upstream_nameservers"
+#    driver:
+#      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
+#    verifier:
+#        systems:
+#          - name: stub_domains_upstream_nameservers
+#            backend: local
+#  - name: "workload_metadata_config"
+#    driver:
+#      root_module_directory: test/fixtures/workload_metadata_config
+#    verifier:
+#      systems:
+#        - name: workload_metadata_config
+#          backend: local
+  - name: "sandbox_enabled"
     driver:
-      root_module_directory: test/fixtures/workload_metadata_config
+      root_module_directory: test/fixtures/sandbox_enabled
     verifier:
       systems:
-        - name: workload_metadata_config
+        - name: sandbox_enabled
           backend: local
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.2
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

diff --git a/autogen/cluster.tf b/autogen/cluster.tf
@@ -167,14 +167,6 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
-
-      dynamic "sandbox_config" {
-        for_each = local.cluster_sandbox_enabled
-
-        content {
-          sandbox_type = sandbox_config.value
-        }
-      }
       {% endif %}
     }
   }
@@ -415,6 +407,14 @@ resource "google_container_node_pool" "pools" {
         node_metadata = workload_metadata_config.value.node_metadata
       }
     }
+
+    dynamic "sandbox_config" {
+      for_each = local.cluster_sandbox_enabled
+
+      content {
+        sandbox_type = sandbox_config.value
+      }
+    }
     {% endif %}
   }
 

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.2'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
@@ -24,4 +24,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.2'
diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md
@@ -2,7 +2,7 @@
 
 This example illustrates how to create a simple cluster with beta features.
 
-[^]: (autogen_docs_start)
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Inputs
 
@@ -40,7 +40,7 @@ This example illustrates how to create a simple cluster with beta features.
 | subnetwork |  |
 | zones | List of zones in which the cluster resides |
 
-[^]: (autogen_docs_end)
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 To provision this example, run the following from within this directory:
 - `terraform init` to get the plugins

diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
@@ -20,24 +20,27 @@ locals {
 
 provider "google-beta" {
   version     = "~> 2.12.0"
-  credentials = file(var.credentials_path)
   region      = var.region
 }
 
 module "gke" {
-  source                 = "../../modules/beta-public-cluster/"
-  project_id             = var.project_id
-  name                   = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  regional               = true
-  region                 = var.region
-  network                = var.network
-  subnetwork             = var.subnetwork
-  ip_range_pods          = var.ip_range_pods
-  ip_range_services      = var.ip_range_services
-  create_service_account = false
-  service_account        = var.compute_engine_service_account
-  istio                  = var.istio
-  cloudrun               = var.cloudrun
+  source                   = "../../modules/beta-public-cluster/"
+  project_id               = var.project_id
+  name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                 = true
+  region                   = var.region
+  network                  = var.network
+  subnetwork               = var.subnetwork
+  ip_range_pods            = var.ip_range_pods
+  ip_range_services        = var.ip_range_services
+  create_service_account   = false
+  service_account          = var.compute_engine_service_account
+  istio                    = var.istio
+  cloudrun                 = var.cloudrun
+  node_metadata            = var.node_metadata
+  sandbox_enabled          = var.sandbox_enabled
+  remove_default_node_pool = var.remove_default_node_pool
+  node_pools               = var.node_pools
 }
 
 data "google_client_config" "default" {

diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf
@@ -18,10 +18,6 @@ variable "project_id" {
   description = "The project ID to host the cluster in"
 }
 
-variable "credentials_path" {
-  description = "The path to the GCP credentials JSON file"
-}
-
 variable "cluster_name_suffix" {
   description = "A suffix to append to the default cluster name"
   default     = ""
@@ -60,3 +56,32 @@ variable "cloudrun" {
   description = "Boolean to enable / disable CloudRun"
   default     = true
 }
+
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "SECURE"
+  type        = string
+}
+
+variable "sandbox_enabled" {
+  type        = bool
+  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+  default     = false
+}
+
+variable "remove_default_node_pool" {
+  type        = bool
+  description = "Remove default node pool while setting up the cluster"
+  default     = false
+}
+
+variable "node_pools" {
+  type        = list(map(string))
+  description = "List of maps containing node pools"
+
+  default = [
+    {
+      name = "default-node-pool"
+    },
+  ]
+}
diff --git a/test/fixtures/sandbox_enabled/example.tf b/test/fixtures/sandbox_enabled/example.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+  source = "../../../examples/simple_regional_beta"
+
+  project_id                     = var.project_id
+  cluster_name_suffix            = "-sandbox-${random_string.suffix.result}"
+  region                         = var.region
+  network                        = google_compute_network.main.name
+  subnetwork                     = google_compute_subnetwork.main.name
+  ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  compute_engine_service_account = var.compute_engine_service_account
+  istio                          = false
+  cloudrun                       = false
+  node_metadata                  = "UNSPECIFIED"
+  sandbox_enabled                = true
+  remove_default_node_pool       = true
+  node_pools                     = [
+    {
+      name       = "default-node-pool"
+      image_type = "COS_CONTAINERD"
+    },
+  ]
+}