Fixes #180: Add tests for beta submodules/examples

#180

Added tests for the beta private cluster.

.kitchen.yml

@@ -148,6 +148,19 @@ suites:
       systems:
         - name: workload_metadata_config
           backend: local
+  - name: "beta_cluster"
+    driver:
+      root_module_directory: test/fixtures/beta_cluster
+    verifier:
+      systems:
+        - name: gcloud
+          backend: local
+          controls:
+            - gcloud
+        - name: gcp
+          backend: gcp
+          controls:
+            - gcp
   - name: "sandbox_enabled"
     driver:
       root_module_directory: test/fixtures/sandbox_enabled

build/int.cloudbuild.yaml

@@ -241,6 +241,26 @@ steps:
     - verify workload-metadata-config-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy workload-metadata-config-local']
+- id: create beta-cluster-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create beta-cluster-local']
+- id: converge beta-cluster-local
+  waitFor:
+    - create beta-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge beta-cluster-local']
+- id: verify beta-cluster-local
+  waitFor:
+    - converge beta-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify beta-cluster-local']
+- id: destroy beta-cluster-local
+  waitFor:
+    - verify beta-cluster-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy beta-cluster-local']
 - id: create sandbox-enabled-local
   waitFor:
     - prepare
@@ -264,6 +284,8 @@ steps:
 tags:
 - 'ci'
 - 'integration'
+options:
+  machineType: 'N1_HIGHCPU_8'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
   _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'

modules/beta-private-cluster/README.md

@@ -174,10 +174,9 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com"` | no |
 | name | The name of the cluster (required) | string | n/a | yes |
-| network | The VPC network to host the cluster in (required) | string | n/a | yes |
+| network | The VPC network link to host the cluster in (required) | string | n/a | yes |
 | network\_policy | Enable network policy addon | bool | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
-| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `<map>` | no |
@@ -199,7 +198,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
-| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
+| subnetwork | The subnetwork link to host the cluster in (required) | string | n/a | yes |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `<list>` | no |
 

modules/beta-private-cluster/cluster.tf

@@ -30,7 +30,7 @@ resource "google_container_cluster" "primary" {
   location          = local.location
   node_locations    = local.node_locations
   cluster_ipv4_cidr = var.cluster_ipv4_cidr
-  network           = data.google_compute_network.gke_network.self_link
+  network           = var.network
 
   dynamic "network_policy" {
     for_each = local.cluster_network_policy
@@ -49,7 +49,7 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  subnetwork         = var.subnetwork
   min_master_version = local.master_version
 
   logging_service    = var.logging_service

modules/beta-private-cluster/main.tf

@@ -49,7 +49,6 @@ locals {
 
   custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
   upstream_nameservers_config = length(var.upstream_nameservers) > 0
-  network_project_id          = var.network_project_id != "" ? var.network_project_id : var.project_id
   zone_count                  = length(var.zones)
   cluster_type                = var.regional ? "regional" : "zonal"
   // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.

modules/beta-private-cluster/variables.tf

@@ -52,18 +52,12 @@ variable "zones" {
 
 variable "network" {
   type        = string
-  description = "The VPC network to host the cluster in (required)"
-}
-
-variable "network_project_id" {
-  type        = string
-  description = "The project ID of the shared VPC's host (for shared vpc support)"
-  default     = ""
+  description = "The VPC network link to host the cluster in (required)"
 }
 
 variable "subnetwork" {
   type        = string
-  description = "The subnetwork to host the cluster in (required)"
+  description = "The subnetwork link to host the cluster in (required)"
 }
 
 variable "kubernetes_version" {

modules/beta-public-cluster/cluster.tf

@@ -30,7 +30,7 @@ resource "google_container_cluster" "primary" {
   location          = local.location
   node_locations    = local.node_locations
   cluster_ipv4_cidr = var.cluster_ipv4_cidr
-  network           = data.google_compute_network.gke_network.self_link
+  network           = var.network
 
   dynamic "network_policy" {
     for_each = local.cluster_network_policy
@@ -49,7 +49,7 @@ resource "google_container_cluster" "primary" {
     }
   }
 
-  subnetwork         = data.google_compute_subnetwork.gke_subnetwork.self_link
+  subnetwork         = var.subnetwork
   min_master_version = local.master_version
 
   logging_service    = var.logging_service

modules/beta-public-cluster/main.tf

@@ -49,7 +49,6 @@ locals {
 
   custom_kube_dns_config      = length(keys(var.stub_domains)) > 0
   upstream_nameservers_config = length(var.upstream_nameservers) > 0
-  network_project_id          = var.network_project_id != "" ? var.network_project_id : var.project_id
   zone_count                  = length(var.zones)
   cluster_type                = var.regional ? "regional" : "zonal"
   // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous.

modules/beta-public-cluster/variables.tf

@@ -55,12 +55,6 @@ variable "network" {
   description = "The VPC network to host the cluster in (required)"
 }
 
-variable "network_project_id" {
-  type        = string
-  description = "The project ID of the shared VPC's host (for shared vpc support)"
-  default     = ""
-}
-
 variable "subnetwork" {
   type        = string
   description = "The subnetwork to host the cluster in (required)"

test/ci/beta-cluster.yml

@@ -0,0 +1,18 @@
+---
+
+platform: linux
+
+inputs:
+- name: pull-request
+  path: terraform-google-kubernetes-engine
+
+run:
+  path: make
+  args: ['test_integration']
+  dir: terraform-google-kubernetes-engine
+
+params:
+  SUITE: "beta-cluster-local"
+  COMPUTE_ENGINE_SERVICE_ACCOUNT: ""
+  REGION: "us-east4"
+  ZONES: '["us-east4-a", "us-east4-b", "us-east4-c"]'

test/fixtures/beta_cluster/main.tf

@@ -0,0 +1,78 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+provider "google" {
+  version = "~> 2.18.0"
+  project = var.project_id
+  region  = var.region
+}
+
+provider "google-beta" {
+  version = "~> 2.18.0"
+  project = var.project_id
+  region  = var.region
+}
+
+locals {
+  name = "beta-cluster-${random_string.suffix.result}"
+}
+
+resource "google_kms_key_ring" "db" {
+  location = var.region
+  name     = "${local.name}-db"
+}
+
+resource "google_kms_crypto_key" "db" {
+  name     = local.name
+  key_ring = google_kms_key_ring.db.self_link
+}
+
+module "this" {
+  source = "../../../modules/beta-public-cluster"
+
+  name              = local.name
+  project_id        = var.project_id
+  regional          = false
+  region            = var.region
+  zones             = slice(var.zones, 0, 1)
+  network           = google_compute_network.main.self_link
+  subnetwork        = google_compute_subnetwork.main.self_link
+  ip_range_pods     = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+  service_account   = "create"
+
+  // Beta features
+  istio = true
+
+  database_encryption = [{
+    state    = "ENCRYPTED"
+    key_name = google_kms_crypto_key.db.self_link
+  }]
+
+  cloudrun = true
+
+  enable_binary_authorization = true
+
+  pod_security_policy_config = [{
+    enabled = true
+  }]
+
+  node_metadata = "EXPOSE"
+}
+
+data "google_client_config" "default" {
+}

test/fixtures/beta_cluster/network.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_compute_network" "main" {
+  name                    = "cft-gke-test-${random_string.suffix.result}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+  name          = "cft-gke-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.0.0.0/17"
+  region        = var.region
+  network       = google_compute_network.main.self_link
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.0.0/18"
+  }
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-services-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.64.0/18"
+  }
+}
+