From 167521cd6a4a21eafe63d55ba28edbf2a8253a83 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Mon, 30 Mar 2020 09:56:23 -0700
Subject: [PATCH 1/6] Add GKE auth submodule
---
modules/auth/README.md | 44 +++++++++++++++++++++++++++
modules/auth/kubeconfig-template.yaml | 18 +++++++++++
modules/auth/main.tf | 18 +++++++++++
modules/auth/outputs.tf | 23 ++++++++++++++
modules/auth/variables.tf | 14 +++++++++
5 files changed, 117 insertions(+)
create mode 100644 modules/auth/README.md
create mode 100644 modules/auth/kubeconfig-template.yaml
create mode 100644 modules/auth/main.tf
create mode 100644 modules/auth/outputs.tf
create mode 100644 modules/auth/variables.tf
diff --git a/modules/auth/README.md b/modules/auth/README.md
new file mode 100644
index 0000000000..a38af178a1
--- /dev/null
+++ b/modules/auth/README.md
@@ -0,0 +1,44 @@
+# Terraform Kubernetes Engine Auth Module
+
+This module allows configuring authentication to a GKE cluster
+using an [OpenID Connect token](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)
+retrieved from GCP as a `kubeconfig` file or as outputs intended for use with
+the `kubernetes` / `helm` providers.
+
+This module retrieves a token for the account configured with the `google`
+provider as the Terraform runner using the provider's `credentials`,
+`access_token`, or other means of authentication.
+
+## Usage
+
+```tf
+module "gke_auth" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/auth"
+
+ project_id = "my-project-id"
+ cluster_name = "my-cluster-name"
+ location = module.gke.location
+}
+```
+
+
+### `kubeconfig` output
+
+```hcl
+resource "local_file" "kubeconfig" {
+ content = module.gke_auth.kubeconfig_raw
+ filename = "${path.module}/kubeconfig"
+}
+```
+
+### `kubernetes`/`helm` provider output
+
+```hcl
+provider "kubernetes" {
+ load_config_file = false
+
+ cluster_ca_certificate = module.gke_auth.cluster_ca_certificate
+ host = module.gke_auth.host
+ token = module.gke_auth.token
+}
+```
diff --git a/modules/auth/kubeconfig-template.yaml b/modules/auth/kubeconfig-template.yaml
new file mode 100644
index 0000000000..abf1d71edc
--- /dev/null
+++ b/modules/auth/kubeconfig-template.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+clusters:
+- cluster:
+ certificate-authority-data: ${cluster_ca_certificate}
+ server: https://${endpoint}
+ name: ${context}
+contexts:
+- context:
+ cluster: ${context}
+ user: ${context}
+ name: ${context}
+current-context: ${context}
+kind: Config
+preferences: {}
+users:
+- name: ${context}
+ user:
+ token: ${token}
diff --git a/modules/auth/main.tf b/modules/auth/main.tf
new file mode 100644
index 0000000000..da0f06bbf3
--- /dev/null
+++ b/modules/auth/main.tf
@@ -0,0 +1,18 @@
+data "google_container_cluster" "gke_cluster" {
+ name = var.cluster_name
+ location = var.location
+ project = var.project_id
+}
+
+data "google_client_config" "provider" {}
+
+data "template_file" "kubeconfig" {
+ template = file("${path.module}/kubeconfig-template.yaml")
+
+ vars = {
+ context = data.google_container_cluster.gke_cluster.name
+ cluster_ca_certificate = data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate
+ endpoint = data.google_container_cluster.gke_cluster.endpoint
+ token = data.google_client_config.provider.access_token
+ }
+}
diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf
new file mode 100644
index 0000000000..584951d411
--- /dev/null
+++ b/modules/auth/outputs.tf
@@ -0,0 +1,23 @@
+# kubeconfig
+
+output "kubeconfig_raw" {
+ description = "A kubeconfig file configured to access the GKE cluster."
+ value = data.template_file.kubeconfig.rendered
+}
+
+# Terraform providers (kubernetes, helm)
+
+output "cluster_ca_certificate" {
+ description = "The cluster_ca_certificate value for use with the kubernetes provider."
+ value = base64decode(data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate)
+}
+
+output "host" {
+ description = "The host value for use with the kubernetes provider."
+ value = "https://${data.google_container_cluster.gke_cluster.endpoint}"
+}
+
+output "token" {
+ description = "The token value for use with the kubernetes provider."
+ value = data.google_client_config.provider.access_token
+}
diff --git a/modules/auth/variables.tf b/modules/auth/variables.tf
new file mode 100644
index 0000000000..dd2601d97e
--- /dev/null
+++ b/modules/auth/variables.tf
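Review bot: `data "template_file" "kubeconfig"` interpolates `data.google_client_config.provider.access_token` into the kubeconfig, so the rendered document, bearer token included, is persisted in Terraform state as a data-source result in addition to the `token` output that already exposes it. `access_token` is an OAuth2 access token that expires, so a kubeconfig written to disk from this module stops working after the token's lifetime, and nothing in the hunk records either fact. I would add a comment above the `template_file` block, `# The rendered kubeconfig embeds an expiring OAuth2 access token and is stored in Terraform state; treat the state file as a secret`, and, since the module already uses Terraform 0.12 syntax, consider the built-in `templatefile()` function in the output instead of the `template_file` data source so the rendered secret is not stored a second time as a data-source result.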
@@ -0,0 +1,14 @@
+variable "project_id" {
+ description = "The GCP project of the GKE cluster."
+ type = string
+}
+
+variable "location" {
+ description = "The location (region or zone) of the GKE cluster."
+ type = string
+}
+
+variable "cluster_name" {
+ description = "The name of the GKE cluster."
+ type = string
+}
From 778c6fd5ad551ff9a952a5d5010011e2962d3844 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Mon, 30 Mar 2020 14:05:18 -0700
Subject: [PATCH 2/6] Add example of auth submodule
---
.../simple_regional_with_kubeconfig/README.md | 46 +++++
.../simple_regional_with_kubeconfig/main.tf | 48 +++++
.../outputs.tf | 39 ++++
.../test_outputs.tf | 63 +++++++
.../variables.tf | 54 ++++++
modules/auth/outputs.tf | 3 +
.../controls/gcloud.rb | 170 ++++++++++++++++++
.../inspec.yml | 17 ++
8 files changed, 440 insertions(+)
create mode 100644 examples/simple_regional_with_kubeconfig/README.md
create mode 100644 examples/simple_regional_with_kubeconfig/main.tf
create mode 100644 examples/simple_regional_with_kubeconfig/outputs.tf
create mode 100755 examples/simple_regional_with_kubeconfig/test_outputs.tf
create mode 100644 examples/simple_regional_with_kubeconfig/variables.tf
create mode 100644 test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
create mode 100644 test/integration/simple_regional_with_kubeconfig/inspec.yml
diff --git a/examples/simple_regional_with_kubeconfig/README.md b/examples/simple_regional_with_kubeconfig/README.md
new file mode 100644
index 0000000000..a4c17efdc4
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/README.md
@@ -0,0 +1,46 @@
+# Simple Regional Cluster
+
+This example illustrates how to create a simple cluster and output a `kubeconfig`
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for services | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | |
+| client\_token | |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubeconfig\_raw | |
+| kubernetes\_endpoint | |
+| location | |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network | |
+| project\_id | |
+| region | |
+| service\_account | The default service account used for running nodes. |
+| subnetwork | |
+| zones | List of zones in which the cluster resides |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf
new file mode 100644
index 0000000000..c0b68b31cb
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/main.tf
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_type = "simple-regional"
+}
+
+provider "google" {
+ version = "~> 3.3.0"
+ region = var.region
+}
+
+module "gke" {
+ source = "../../"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ regional = true
+ region = var.region
+ network = var.network
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+ create_service_account = false
+ service_account = var.compute_engine_service_account
+ skip_provisioners = var.skip_provisioners
+}
+
+module "gke_auth" {
+ source = "../../modules/auth"
+
+ project_id = var.project_id
+ location = module.gke.location
+ cluster_name = module.gke.name
+}
+
diff --git a/examples/simple_regional_with_kubeconfig/outputs.tf b/examples/simple_regional_with_kubeconfig/outputs.tf
new file mode 100644
index 0000000000..490d5cb070
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/outputs.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.gke_auth.host
+}
+
+output "client_token" {
+ sensitive = true
+ value = module.gke_auth.token
+}
+
+output "ca_certificate" {
+ value = module.gke_auth.cluster_ca_certificate
+}
+
+output "kubeconfig_raw" {
+ value = module.gke_auth.kubeconfig_raw
+}
+
+output "service_account" {
+ description = "The default service account used for running nodes."
+ value = module.gke.service_account
+}
+
diff --git a/examples/simple_regional_with_kubeconfig/test_outputs.tf b/examples/simple_regional_with_kubeconfig/test_outputs.tf
new file mode 100755
index 0000000000..e64c40e477
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/test_outputs.tf
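Review bot: `kubeconfig_raw` and `ca_certificate` are re-exported without `sensitive = true`, although `client_token` and `kubernetes_endpoint` in the same file are marked sensitive and the auth module's `kubeconfig_raw` embeds that very token (`token: ${token}` in its template). As written, `terraform apply` prints the whole kubeconfig, token included, to the console and to any CI log that captures it. Add `sensitive = true` to the `kubeconfig_raw` output, mirroring the `client_token` block, and do the same for `ca_certificate` so the example agrees with the module's own output declarations.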
@@ -0,0 +1,63 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These outputs are used to test the module with kitchen-terraform
+// They do not need to be included in real-world uses of this module
+
+output "project_id" {
+ value = var.project_id
+}
+
+output "region" {
+ value = module.gke.region
+}
+
+output "cluster_name" {
+ description = "Cluster name"
+ value = module.gke.name
+}
+
+output "network" {
+ value = var.network
+}
+
+output "subnetwork" {
+ value = var.subnetwork
+}
+
+output "location" {
+ value = module.gke.location
+}
+
+output "ip_range_pods" {
+ description = "The secondary IP range used for pods"
+ value = var.ip_range_pods
+}
+
+output "ip_range_services" {
+ description = "The secondary IP range used for services"
+ value = var.ip_range_services
+}
+
+output "zones" {
+ description = "List of zones in which the cluster resides"
+ value = module.gke.zones
+}
+
+output "master_kubernetes_version" {
+ description = "The master Kubernetes version"
+ value = module.gke.master_version
+}
diff --git a/examples/simple_regional_with_kubeconfig/variables.tf b/examples/simple_regional_with_kubeconfig/variables.tf
new file mode 100644
index 0000000000..ae6a86978e
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/variables.tf
@@ -0,0 +1,54 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+ description = "A suffix to append to the default cluster name"
+ default = ""
+}
+
+variable "region" {
+ description = "The region to host the cluster in"
+}
+
+variable "network" {
+ description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+ description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+ description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+ description = "The secondary ip range to use for services"
+}
+
+variable "compute_engine_service_account" {
+ description = "Service account to associate to the nodes in the cluster"
+}
+
+variable "skip_provisioners" {
+ type = bool
+ description = "Flag to skip local-exec provisioners"
+ default = false
+}
diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf
index 584951d411..f890039d3f 100644
--- a/modules/auth/outputs.tf
+++ b/modules/auth/outputs.tf
@@ -1,6 +1,7 @@
 # kubeconfig
 
 output "kubeconfig_raw" {
+ sensitive = true
 description = "A kubeconfig file configured to access the GKE cluster."
 value = data.template_file.kubeconfig.rendered
 }
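Review bot: All variables except `skip_provisioners` are declared without a `type`, while `modules/auth/variables.tf` earlier in this series gives each of its inputs `type = string`, and the generated Inputs table in this example's README already advertises them as `string`. Adding `type = string` to each untyped block makes the example consistent with the module it demonstrates and rejects a wrongly typed value at plan time instead of passing it through to `module "gke"`.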
@@ -8,6 +9,7 @@ output "kubeconfig_raw" {
 # Terraform providers (kubernetes, helm)
 
 output "cluster_ca_certificate" {
+ sensitive = true
 description = "The cluster_ca_certificate value for use with the kubernetes provider."
 value = base64decode(data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate)
 }
@@ -18,6 +20,7 @@ output "host" {
 }
 
 output "token" {
+ sensitive = true
 description = "The token value for use with the kubernetes provider."
 value = data.google_client_config.provider.access_token
 }
diff --git a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
new file mode 100644
index 0000000000..d4904c7df9
--- /dev/null
+++ b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
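Review bot: After this change `host` is the only output in the file without `sensitive = true`, yet the example's `kubernetes_endpoint` output, which simply re-exports it, is marked sensitive; the module and the example should agree on whether the endpoint is treated as sensitive. The `host` block starts at this hunk's header context and its body lies outside the hunk; either add `sensitive = true` there the same way as for `token`, or add a comment on the block stating why the endpoint is considered non-sensitive.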
@@ -0,0 +1,170 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_id = attribute('project_id')
+location = attribute('location')
+cluster_name = attribute('cluster_name')
+
+control "gcloud" do
+ title "Google Compute Engine GKE configuration"
+ describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do
+ its(:exit_status) { should eq 0 }
+ its(:stderr) { should eq '' }
+
+ let!(:data) do
+ if subject.exit_status == 0
+ JSON.parse(subject.stdout)
+ else
+ {}
+ end
+ end
+
+ describe "cluster" do
+ it "is running" do
+ expect(data['status']).to eq 'RUNNING'
+ end
+
+ it "is regional" do
+ expect(data['location']).to match(/^.*[1-9]$/)
+ end
+
+ it "uses public nodes and master endpoint" do
+ expect(data['privateClusterConfig']).to eq nil
+ end
+
+ it "has the expected addon settings" do
+ expect(data['addonsConfig']).to eq({
+ "horizontalPodAutoscaling" => {},
+ "httpLoadBalancing" => {},
+ "kubernetesDashboard" => {
+ "disabled" => true,
+ },
+ "networkPolicyConfig" => {},
+ })
+ end
+ end
+
+ describe "default node pool" do
+ let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first }
+
+ it "exists" do
+ expect(data['nodePools']).to include(
+ including(
+ "name" => "default-pool",
+ )
+ )
+ end
+ end
+
+ describe "node pool" do
+ let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } }
+
+ it "has autoscaling enabled" do
+ expect(node_pools).to include(
+ including(
+ "autoscaling" => including(
+ "enabled" => true,
+ ),
+ )
+ )
+ end
+
+ it "has the expected minimum node count" do
+ expect(node_pools).to include(
+ including(
+ "autoscaling" => including(
+ "minNodeCount" => 1,
+ ),
+ )
+ )
+ end
+
+ it "has the expected maximum node count" do
+ expect(node_pools).to include(
+ including(
+ "autoscaling" => including(
+ "maxNodeCount" => 100,
+ ),
+ )
+ )
+ end
+
+ it "is the expected machine type" do
+ expect(node_pools).to include(
+ including(
+ "config" => including(
+ "machineType" => "n1-standard-2",
+ ),
+ )
+ )
+ end
+
+ it "has the expected disk size" do
+ expect(node_pools).to include(
+ including(
+ "config" => including(
+ "diskSizeGb" => 100,
+ ),
+ )
+ )
+ end
+
+ it "has the expected labels" do
+ expect(node_pools).to include(
+ including(
+ "config" => including(
+ "labels" => including(
+ "cluster_name" => cluster_name,
+ "node_pool" => "default-node-pool",
+ ),
+ ),
+ )
+ )
+ end
+
+ it "has the expected network tags" do
+ expect(node_pools).to include(
+ including(
+ "config" => including(
+ "tags" => match_array([
+ "gke-#{cluster_name}",
+ "gke-#{cluster_name}-default-node-pool",
+ ]),
+ ),
+ )
+ )
+ end
+
+ it "has autorepair enabled" do
+ expect(node_pools).to include(
+ including(
+ "management" => including(
+ "autoRepair" => true,
+ ),
+ )
+ )
+ end
+
+ it "has autoupgrade enabled" do
+ expect(node_pools).to include(
+ including(
+ "management" => including(
+ "autoUpgrade" => true,
+ ),
+ )
+ )
+ end
+ end
+ end
+end
diff --git a/test/integration/simple_regional_with_kubeconfig/inspec.yml b/test/integration/simple_regional_with_kubeconfig/inspec.yml
new file mode 100644
index 0000000000..a058e21ef1
--- /dev/null
+++ b/test/integration/simple_regional_with_kubeconfig/inspec.yml
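Review bot: The control only inspects `gcloud container clusters describe` output and never reads the `kubernetes_endpoint` or `client_token` attributes that `inspec.yml` in this commit declares as required, so the auth submodule, which is what this example adds, is not exercised by the test at all. Either add an expectation that uses those two attributes to confirm the issued token is accepted by the cluster endpoint, or drop them from `inspec.yml` so a bearer token is not handed to the verifier for nothing. Separately, `let!(:data)` returns `{}` when `gcloud` fails, which makes every later expectation fail on a missing key instead of surfacing the command error; a one-line comment such as `# gcloud failures are reported by the exit_status expectation above; {} keeps the lookups below from raising` would make that intent clear.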
@@ -0,0 +1,17 @@
+name: simple_regional_with_kubeconfig
+attributes:
+ - name: project_id
+ required: true
+ type: string
+ - name: location
+ required: true
+ type: string
+ - name: cluster_name
+ required: true
+ type: string
+ - name: kubernetes_endpoint
+ required: true
+ type: string
+ - name: client_token
+ required: true
+ type: string
From af93bcfc49e22d02777b76e7df250ef0e3bb1b97 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Mon, 30 Mar 2020 14:08:57 -0700
Subject: [PATCH 3/6] Fix copyright dates
---
examples/simple_regional_with_kubeconfig/main.tf | 2 +-
examples/simple_regional_with_kubeconfig/outputs.tf | 2 +-
examples/simple_regional_with_kubeconfig/test_outputs.tf | 2 +-
examples/simple_regional_with_kubeconfig/variables.tf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf
index c0b68b31cb..e2443bd1aa 100644
--- a/examples/simple_regional_with_kubeconfig/main.tf
+++ b/examples/simple_regional_with_kubeconfig/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2020 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/simple_regional_with_kubeconfig/outputs.tf b/examples/simple_regional_with_kubeconfig/outputs.tf
index 490d5cb070..95b791ec6d 100644
--- a/examples/simple_regional_with_kubeconfig/outputs.tf
+++ b/examples/simple_regional_with_kubeconfig/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2020 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/simple_regional_with_kubeconfig/test_outputs.tf b/examples/simple_regional_with_kubeconfig/test_outputs.tf
index e64c40e477..a0bc9a28f0 100755
--- a/examples/simple_regional_with_kubeconfig/test_outputs.tf
+++ b/examples/simple_regional_with_kubeconfig/test_outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2020 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/examples/simple_regional_with_kubeconfig/variables.tf b/examples/simple_regional_with_kubeconfig/variables.tf
index ae6a86978e..832e036d0a 100644
--- a/examples/simple_regional_with_kubeconfig/variables.tf
+++ b/examples/simple_regional_with_kubeconfig/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2020 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
From 0d06b7cf7bfb0990f7e965495795089ce825699c Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Mon, 30 Mar 2020 15:29:21 -0700
Subject: [PATCH 4/6] Linting
---
.../simple_regional_with_kubeconfig/main.tf | 4 ++--
modules/auth/main.tf | 18 +++++++++++++++++-
modules/auth/outputs.tf | 16 ++++++++++++++++
.../kubeconfig-template.yaml.tpl} | 0
modules/auth/variables.tf | 16 ++++++++++++++++
5 files changed, 51 insertions(+), 3 deletions(-)
rename modules/auth/{kubeconfig-template.yaml => templates/kubeconfig-template.yaml.tpl} (100%)
diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf
index e2443bd1aa..6aee4445f4 100644
--- a/examples/simple_regional_with_kubeconfig/main.tf
+++ b/examples/simple_regional_with_kubeconfig/main.tf
@@ -41,8 +41,8 @@ module "gke" {
 module "gke_auth" {
 source = "../../modules/auth"
 
- project_id = var.project_id
- location = module.gke.location
+ project_id = var.project_id
+ location = module.gke.location
 cluster_name = module.gke.name
 }
 
diff --git a/modules/auth/main.tf b/modules/auth/main.tf
index da0f06bbf3..25855d842d 100644
--- a/modules/auth/main.tf
+++ b/modules/auth/main.tf
@@ -1,3 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 data "google_container_cluster" "gke_cluster" {
 name = var.cluster_name
 location = var.location
@@ -7,7 +23,7 @@ data "google_container_cluster" "gke_cluster" {
 data "google_client_config" "provider" {}
 
 data "template_file" "kubeconfig" {
- template = file("${path.module}/kubeconfig-template.yaml")
+ template = file("${path.module}/templates/kubeconfig-template.yaml.tpl")
 
 vars = {
 context = data.google_container_cluster.gke_cluster.name
diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf
index f890039d3f..a33ef81f7e 100644
--- a/modules/auth/outputs.tf
+++ b/modules/auth/outputs.tf
@@ -1,3 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 # kubeconfig
 
 output "kubeconfig_raw" {
diff --git a/modules/auth/kubeconfig-template.yaml b/modules/auth/templates/kubeconfig-template.yaml.tpl
similarity index 100%
rename from modules/auth/kubeconfig-template.yaml
rename to modules/auth/templates/kubeconfig-template.yaml.tpl
diff --git a/modules/auth/variables.tf b/modules/auth/variables.tf
index dd2601d97e..db5cb664fe 100644
--- a/modules/auth/variables.tf
+++ b/modules/auth/variables.tf
@@ -1,3 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 variable "project_id" {
 description = "The GCP project of the GKE cluster."
 type = string
From e4029cc3b7dc26d2338b4d705e39db20b5836445 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Tue, 31 Mar 2020 08:52:10 -0700
Subject: [PATCH 5/6] Register test
---
.kitchen.yml | 7 +++++++
build/int.cloudbuild.yaml | 20 ++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/.kitchen.yml b/.kitchen.yml
index 813daaea31..79239c0a0d 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -99,6 +99,13 @@ suites:
 systems:
 - name: simple_regional_private
 backend: local
+ - name: "simple_regional_with_kubeconfig"
+ driver:
+ root_module_directory: test/fixtures/simple_regional_with_kubeconfig
+ verifier:
+ systems:
+ - name: simple_regional_with_kubeconfig
+ backend: local
 - name: "simple_zonal"
 driver:
 root_module_directory: test/fixtures/simple_zonal
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 05c66836fe..532b48c3b4 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -124,6 +124,26 @@ steps:
 - verify simple-regional-private-local
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-private-local']
+- id: create simple-regional-with-kubeconfig-local
+ waitFor:
+ - prepare
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-regional-with-kubeconfig-local']
+- id: converge simple-regional-with-kubeconfig-local
+ waitFor:
+ - create simple-regional-with-kubeconfig-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-kubeconfig-local']
+- id: verify simple-regional-with-kubeconfig-local
+ waitFor:
+ - converge simple-regional-with-kubeconfig-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-kubeconfig-local']
+- id: destroy simple-regional-with-kubeconfig-local
+ waitFor:
+ - verify simple-regional-with-kubeconfig-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-kubeconfig-local']
 - id: create simple-regional-with-networking-local
 waitFor:
 - prepare
From cff4211d7b48b2eab4ff7df17b16339ce9c196d9 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Tue, 31 Mar 2020 10:40:11 -0700
Subject: [PATCH 6/6] Add test fixtures
---
.../example.tf | 30 ++++++++++++
.../network.tf | 48 +++++++++++++++++++
.../outputs.tf | 1 +
.../variables.tf | 1 +
4 files changed, 80 insertions(+)
create mode 100644 test/fixtures/simple_regional_with_kubeconfig/example.tf
create mode 100644 test/fixtures/simple_regional_with_kubeconfig/network.tf
create mode 120000 test/fixtures/simple_regional_with_kubeconfig/outputs.tf
create mode 120000 test/fixtures/simple_regional_with_kubeconfig/variables.tf
diff --git a/test/fixtures/simple_regional_with_kubeconfig/example.tf b/test/fixtures/simple_regional_with_kubeconfig/example.tf
new file mode 100644
index 0000000000..85af7a5803
--- /dev/null
+++ b/test/fixtures/simple_regional_with_kubeconfig/example.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+ source = "../../../examples/simple_regional_with_kubeconfig"
+
+ project_id = var.project_ids[0]
+ cluster_name_suffix = "-${random_string.suffix.result}"
+ region = var.region
+ network = google_compute_network.main.name
+ subnetwork = google_compute_subnetwork.main.name
+ ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+ ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+ compute_engine_service_account = var.compute_engine_service_accounts[0]
+ skip_provisioners = true
+}
+
diff --git a/test/fixtures/simple_regional_with_kubeconfig/network.tf b/test/fixtures/simple_regional_with_kubeconfig/network.tf
new file mode 100644
index 0000000000..fad61a918d
--- /dev/null
+++ b/test/fixtures/simple_regional_with_kubeconfig/network.tf
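Review bot: The header of this new file reads `Copyright 2018 Google LLC`, while commit 3 of this series ("Fix copyright dates") changed the same header to 2020 in the example files created at the same time; `network.tf` in this commit carries the same 2018 line. Change both to `* Copyright 2020 Google LLC` so the fixtures match the example they drive.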
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+ length = 4
+ special = false
+ upper = false
+}
+
+provider "google" {
+ version = "~> 3.3.0"
+ project = var.project_ids[0]
+}
+
+resource "google_compute_network" "main" {
+ name = "cft-gke-test-${random_string.suffix.result}"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+ name = "cft-gke-test-${random_string.suffix.result}"
+ ip_cidr_range = "10.0.0.0/17"
+ region = var.region
+ network = google_compute_network.main.self_link
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-pods-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.0.0/18"
+ }
+
+ secondary_ip_range {
+ range_name = "cft-gke-test-services-${random_string.suffix.result}"
+ ip_cidr_range = "192.168.64.0/18"
+ }
+}
diff --git a/test/fixtures/simple_regional_with_kubeconfig/outputs.tf b/test/fixtures/simple_regional_with_kubeconfig/outputs.tf
new file mode 120000
index 0000000000..726bdc722f
--- /dev/null
+++ b/test/fixtures/simple_regional_with_kubeconfig/outputs.tf
@@ -0,0 +1 @@
+../shared/outputs.tf
\ No newline at end of file
diff --git a/test/fixtures/simple_regional_with_kubeconfig/variables.tf b/test/fixtures/simple_regional_with_kubeconfig/variables.tf
new file mode 120000
index 0000000000..c113c00a3d
--- /dev/null
+++ b/test/fixtures/simple_regional_with_kubeconfig/variables.tf
@@ -0,0 +1 @@
+../shared/variables.tf
\ No newline at end of file