From a5ace360e42ff393a4d49c5018c7ea947b322404 Mon Sep 17 00:00:00 2001 
From: Riley Karson Date: Tue, 14 Apr 2020 07:35:56 -0700 Subject: [PATCH] feat: Add an `auth` submodule outputting a `kubeconfig` (#469) * Add GKE auth submodule * Add example of auth submodule * Fix copyright dates * Linting * Register test * Add test fixtures --- .kitchen.yml | 7 + build/int.cloudbuild.yaml | 20 +++ .../simple_regional_with_kubeconfig/README.md | 46 +++++ .../simple_regional_with_kubeconfig/main.tf | 48 +++++ .../outputs.tf | 39 ++++ .../test_outputs.tf | 63 +++++++ .../variables.tf | 54 ++++++ modules/auth/README.md | 44 +++++ modules/auth/main.tf | 34 ++++ modules/auth/outputs.tf | 42 +++++ .../templates/kubeconfig-template.yaml.tpl | 18 ++ modules/auth/variables.tf | 30 ++++ .../example.tf | 30 ++++ .../network.tf | 48 +++++ .../outputs.tf | 1 + .../variables.tf | 1 + .../controls/gcloud.rb | 170 ++++++++++++++++++ .../inspec.yml | 17 ++ 18 files changed, 712 insertions(+) create mode 100644 examples/simple_regional_with_kubeconfig/README.md create mode 100644 examples/simple_regional_with_kubeconfig/main.tf create mode 100644 examples/simple_regional_with_kubeconfig/outputs.tf create mode 100755 examples/simple_regional_with_kubeconfig/test_outputs.tf create mode 100644 examples/simple_regional_with_kubeconfig/variables.tf create mode 100644 modules/auth/README.md create mode 100644 modules/auth/main.tf create mode 100644 modules/auth/outputs.tf create mode 100644 modules/auth/templates/kubeconfig-template.yaml.tpl create mode 100644 modules/auth/variables.tf create mode 100644 test/fixtures/simple_regional_with_kubeconfig/example.tf create mode 100644 test/fixtures/simple_regional_with_kubeconfig/network.tf create mode 120000 test/fixtures/simple_regional_with_kubeconfig/outputs.tf create mode 120000 test/fixtures/simple_regional_with_kubeconfig/variables.tf create mode 100644 test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb create mode 100644 test/integration/simple_regional_with_kubeconfig/inspec.yml 
diff --git a/.kitchen.yml b/.kitchen.yml index 813daaea3..79239c0a0 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -99,6 +99,13 @@ suites: systems: - name: simple_regional_private backend: local + - name: "simple_regional_with_kubeconfig" + driver: + root_module_directory: test/fixtures/simple_regional_with_kubeconfig + verifier: + systems: + - name: simple_regional_with_kubeconfig + backend: local - name: "simple_zonal" driver: root_module_directory: test/fixtures/simple_zonal diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 05c66836f..532b48c3b 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -124,6 +124,26 @@ steps: - verify simple-regional-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-private-local'] +- id: create simple-regional-with-kubeconfig-local + waitFor: + - prepare + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-regional-with-kubeconfig-local'] +- id: converge simple-regional-with-kubeconfig-local + waitFor: + - create simple-regional-with-kubeconfig-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-kubeconfig-local'] +- id: verify simple-regional-with-kubeconfig-local + waitFor: + - converge simple-regional-with-kubeconfig-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-kubeconfig-local'] +- id: destroy simple-regional-with-kubeconfig-local + waitFor: + - verify simple-regional-with-kubeconfig-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-kubeconfig-local'] - id: create simple-regional-with-networking-local waitFor: - prepare diff --git a/examples/simple_regional_with_kubeconfig/README.md b/examples/simple_regional_with_kubeconfig/README.md new file mode 100644 index 000000000..a4c17efdc --- /dev/null 
+++ b/examples/simple_regional_with_kubeconfig/README.md @@ -0,0 +1,46 @@ +# Simple Regional Cluster + +This example illustrates how to create a simple cluster and output a `kubeconfig` + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | +| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The secondary ip range to use for services | string | n/a | yes | +| network | The VPC network to host the cluster in | string | n/a | yes | +| project\_id | The project ID to host the cluster in | string | n/a | yes | +| region | The region to host the cluster in | string | n/a | yes | +| skip\_provisioners | Flag to skip local-exec provisioners | bool | `"false"` | no | +| subnetwork | The subnetwork to host the cluster in | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | | +| client\_token | | +| cluster\_name | Cluster name | +| ip\_range\_pods | The secondary IP range used for pods | +| ip\_range\_services | The secondary IP range used for services | +| kubeconfig\_raw | | +| kubernetes\_endpoint | | +| location | | +| master\_kubernetes\_version | The master Kubernetes version | +| network | | +| project\_id | | +| region | | +| service\_account | The default service account used for running nodes. | +| subnetwork | | +| zones | List of zones in which the cluster resides | + + + +To provision this example, run the following from within this directory: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure 
diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf new file mode 100644 index 000000000..6aee4445f --- /dev/null +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -0,0 +1,48 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + cluster_type = "simple-regional" +} + +provider "google" { + version = "~> 3.3.0" + region = var.region +} + +module "gke" { + source = "../../" + project_id = var.project_id + name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" + regional = true + region = var.region + network = var.network + subnetwork = var.subnetwork + ip_range_pods = var.ip_range_pods + ip_range_services = var.ip_range_services + create_service_account = false + service_account = var.compute_engine_service_account + skip_provisioners = var.skip_provisioners +} + +module "gke_auth" { + source = "../../modules/auth" + + project_id = var.project_id + location = module.gke.location + cluster_name = module.gke.name +} + diff --git a/examples/simple_regional_with_kubeconfig/outputs.tf b/examples/simple_regional_with_kubeconfig/outputs.tf new file mode 100644 index 000000000..95b791ec6 --- /dev/null +++ b/examples/simple_regional_with_kubeconfig/outputs.tf 
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.gke_auth.host
+}
+
+output "client_token" {
+ sensitive = true
+ value = module.gke_auth.token
+}
+
+output "ca_certificate" {
+ value = module.gke_auth.cluster_ca_certificate
+}
+
+output "kubeconfig_raw" {
+ value = module.gke_auth.kubeconfig_raw
+}
+
+output "service_account" {
+ description = "The default service account used for running nodes."
+ value = module.gke.service_account
+}
+
diff --git a/examples/simple_regional_with_kubeconfig/test_outputs.tf b/examples/simple_regional_with_kubeconfig/test_outputs.tf
new file mode 100755
index 000000000..a0bc9a28f
--- /dev/null
+++ b/examples/simple_regional_with_kubeconfig/test_outputs.tf
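Review bot: The example's `output "kubeconfig_raw"` is not marked `sensitive`, although the value it re-exports embeds the runner's bearer token (the module's own `kubeconfig_raw` output in `modules/auth/outputs.tf` is `sensitive = true`); as far as I know sensitivity does not propagate from a module output to a root output on the Terraform line this targets, so the token would be printed by `terraform apply` and `terraform output` and land in CI logs. Add `sensitive = true` to `kubeconfig_raw`, and for consistency with the module's `cluster_ca_certificate` to `ca_certificate` as well. The four auth outputs also carry no `description`, which is why the README table in this commit has empty cells for them; e.g. `description = "A kubeconfig file configured to access the GKE cluster."` mirrors the module's wording.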
@@ -0,0 +1,63 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// These outputs are used to test the module with kitchen-terraform +// They do not need to be included in real-world uses of this module + +output "project_id" { + value = var.project_id +} + +output "region" { + value = module.gke.region +} + +output "cluster_name" { + description = "Cluster name" + value = module.gke.name +} + +output "network" { + value = var.network +} + +output "subnetwork" { + value = var.subnetwork +} + +output "location" { + value = module.gke.location +} + +output "ip_range_pods" { + description = "The secondary IP range used for pods" + value = var.ip_range_pods +} + +output "ip_range_services" { + description = "The secondary IP range used for services" + value = var.ip_range_services +} + +output "zones" { + description = "List of zones in which the cluster resides" + value = module.gke.zones +} + +output "master_kubernetes_version" { + description = "The master Kubernetes version" + value = module.gke.master_version +} diff --git a/examples/simple_regional_with_kubeconfig/variables.tf b/examples/simple_regional_with_kubeconfig/variables.tf new file mode 100644 index 000000000..832e036d0 --- /dev/null +++ b/examples/simple_regional_with_kubeconfig/variables.tf 
@@ -0,0 +1,54 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project ID to host the cluster in" +} + +variable "cluster_name_suffix" { + description = "A suffix to append to the default cluster name" + default = "" +} + +variable "region" { + description = "The region to host the cluster in" +} + +variable "network" { + description = "The VPC network to host the cluster in" +} + +variable "subnetwork" { + description = "The subnetwork to host the cluster in" +} + +variable "ip_range_pods" { + description = "The secondary ip range to use for pods" +} + +variable "ip_range_services" { + description = "The secondary ip range to use for services" +} + +variable "compute_engine_service_account" { + description = "Service account to associate to the nodes in the cluster" +} + +variable "skip_provisioners" { + type = bool + description = "Flag to skip local-exec provisioners" + default = false +} diff --git a/modules/auth/README.md b/modules/auth/README.md new file mode 100644 index 000000000..a38af178a --- /dev/null +++ b/modules/auth/README.md 
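Review bot: Every variable in this file except `skip_provisioners` omits `type`, whereas the module's `modules/auth/variables.tf` added in the same commit declares `type = string` for each input. Adding `type = string` to the eight untyped variables keeps the two files consistent and lets Terraform reject a list or map passed by mistake instead of coercing it.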
@@ -0,0 +1,44 @@ +# Terraform Kubernetes Engine Auth Module + +This module allows configuring authentication to a GKE cluster +using an [OpenID Connect token](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) +retrieved from GCP as a `kubeconfig` file or as outputs intended for use with +the `kubernetes` / `helm` providers. + +This module retrieves a token for the account configured with the `google` +provider as the Terraform runner using the provider's `credentials`, +`access_token`, or other means of authentication. + +## Usage + +```tf +module "gke_auth" { + source = "terraform-google-modules/kubernetes-engine/google//modules/auth" + + project_id = "my-project-id" + cluster_name = "my-cluster-name" + location = module.gke.location +} +``` + + +### `kubeconfig` output + +```hcl +resource "local_file" "kubeconfig" { + content = module.gke_auth.kubeconfig_raw + filename = "${path.module}/kubeconfig" +} +``` + +### `kubernetes`/`helm` provider output + +```hcl +provider "kubernetes" { + load_config_file = false + + cluster_ca_certificate = module.gke_auth.cluster_ca_certificate + host = module.gke_auth.host + token = module.gke_auth.token +} +``` diff --git a/modules/auth/main.tf b/modules/auth/main.tf new file mode 100644 index 000000000..25855d842 --- /dev/null +++ b/modules/auth/main.tf 
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_container_cluster" "gke_cluster" {
+ name = var.cluster_name
+ location = var.location
+ project = var.project_id
+}
+
+data "google_client_config" "provider" {}
+
+data "template_file" "kubeconfig" {
+ template = file("${path.module}/templates/kubeconfig-template.yaml.tpl")
+
+ vars = {
+ context = data.google_container_cluster.gke_cluster.name
+ cluster_ca_certificate = data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate
+ endpoint = data.google_container_cluster.gke_cluster.endpoint
+ token = data.google_client_config.provider.access_token
+ }
+}
diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf
new file mode 100644
index 000000000..a33ef81f7
--- /dev/null
+++ b/modules/auth/outputs.tf
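Review bot: `data.google_client_config.provider.access_token` is the OAuth2 access token of the identity running Terraform, and rendering it through `data.template_file.kubeconfig` means both the raw token and the rendered kubeconfig are persisted in the state file; neither this file nor the module README in the commit says so. Such access tokens are typically short-lived (on the order of an hour), so a kubeconfig built from one stops working when the token expires and cannot refresh itself from the file. I would add a comment above the `google_client_config` data source: `# access_token is the runner's short-lived OAuth2 token; it is rendered into kubeconfig_raw and stored in state, so treat the state as a credential store and expect the kubeconfig to expire with the token.`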
@@ -0,0 +1,42 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# kubeconfig
+
+output "kubeconfig_raw" {
+ sensitive = true
+ description = "A kubeconfig file configured to access the GKE cluster."
+ value = data.template_file.kubeconfig.rendered
+}
+
+# Terraform providers (kubernetes, helm)
+
+output "cluster_ca_certificate" {
+ sensitive = true
+ description = "The cluster_ca_certificate value for use with the kubernetes provider."
+ value = base64decode(data.google_container_cluster.gke_cluster.master_auth[0].cluster_ca_certificate)
+}
+
+output "host" {
+ description = "The host value for use with the kubernetes provider."
+ value = "https://${data.google_container_cluster.gke_cluster.endpoint}"
+}
+
+output "token" {
+ sensitive = true
+ description = "The token value for use with the kubernetes provider."
+ value = data.google_client_config.provider.access_token
+}
diff --git a/modules/auth/templates/kubeconfig-template.yaml.tpl b/modules/auth/templates/kubeconfig-template.yaml.tpl
new file mode 100644
index 000000000..abf1d71ed
--- /dev/null
+++ b/modules/auth/templates/kubeconfig-template.yaml.tpl
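Review bot: `cluster_ca_certificate` returns the base64-decoded PEM while `kubeconfig_raw` (rendered in `main.tf`) keeps the undecoded value in `certificate-authority-data`; both are right for their consumers, but the asymmetry deserves a comment on the decoded output, e.g. `# Decoded because the kubernetes provider wants PEM; the kubeconfig template keeps the base64 form kubectl expects.` Separately, the sensitivity policy is inconsistent: `host` is not marked `sensitive` here while the example's `kubernetes_endpoint` output in this commit re-exports it as sensitive, and a CA certificate, which is public by nature, is marked sensitive. Pick one policy and apply it in both files, since it decides what appears in plan output and logs.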
@@ -0,0 +1,18 @@
+apiVersion: v1
+clusters:
+- cluster:
+ certificate-authority-data: ${cluster_ca_certificate}
+ server: https://${endpoint}
+ name: ${context}
+contexts:
+- context:
+ cluster: ${context}
+ user: ${context}
+ name: ${context}
+current-context: ${context}
+kind: Config
+preferences: {}
+users:
+- name: ${context}
+ user:
+ token: ${token}
diff --git a/modules/auth/variables.tf b/modules/auth/variables.tf
new file mode 100644
index 000000000..db5cb664f
--- /dev/null
+++ b/modules/auth/variables.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The GCP project of the GKE cluster."
+ type = string
+}
+
+variable "location" {
+ description = "The location (region or zone) of the GKE cluster."
+ type = string
+}
+
+variable "cluster_name" {
+ description = "The name of the GKE cluster."
+ type = string
+}
diff --git a/test/fixtures/simple_regional_with_kubeconfig/example.tf b/test/fixtures/simple_regional_with_kubeconfig/example.tf
new file mode 100644
index 000000000..85af7a580
--- /dev/null
+++ b/test/fixtures/simple_regional_with_kubeconfig/example.tf
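Review bot: The rendered document is itself a credential — `token: ${token}` places the bearer token in clear text — and nothing in the template tells the person who later writes it to disk that it must be handled as one; the module README's `local_file` snippet in this commit sets no `file_permission`, which as far as I recall leaves that provider's permissive default mode. A leading comment in the template travels with every rendered copy, e.g. `# Rendered by modules/auth: contains a bearer token for the Terraform runner's identity; keep it out of version control and restrict its file mode when written to disk.` A `#` line is passed through unchanged by `template_file`, so it is safe to add.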
@@ -0,0 +1,30 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +module "example" { + source = "../../../examples/simple_regional_with_kubeconfig" + + project_id = var.project_ids[0] + cluster_name_suffix = "-${random_string.suffix.result}" + region = var.region + network = google_compute_network.main.name + subnetwork = google_compute_subnetwork.main.name + ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name + ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name + compute_engine_service_account = var.compute_engine_service_accounts[0] + skip_provisioners = true +} + diff --git a/test/fixtures/simple_regional_with_kubeconfig/network.tf b/test/fixtures/simple_regional_with_kubeconfig/network.tf new file mode 100644 index 000000000..fad61a918 --- /dev/null +++ b/test/fixtures/simple_regional_with_kubeconfig/network.tf 
@@ -0,0 +1,48 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +provider "google" { + version = "~> 3.3.0" + project = var.project_ids[0] +} + +resource "google_compute_network" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = var.region + network = google_compute_network.main.self_link + + secondary_ip_range { + range_name = "cft-gke-test-pods-${random_string.suffix.result}" + ip_cidr_range = "192.168.0.0/18" + } + + secondary_ip_range { + range_name = "cft-gke-test-services-${random_string.suffix.result}" + ip_cidr_range = "192.168.64.0/18" + } +} diff --git a/test/fixtures/simple_regional_with_kubeconfig/outputs.tf b/test/fixtures/simple_regional_with_kubeconfig/outputs.tf new file mode 120000 index 000000000..726bdc722 --- /dev/null +++ b/test/fixtures/simple_regional_with_kubeconfig/outputs.tf @@ -0,0 +1 @@ +../shared/outputs.tf \ No newline at end of file diff --git a/test/fixtures/simple_regional_with_kubeconfig/variables.tf b/test/fixtures/simple_regional_with_kubeconfig/variables.tf new file mode 120000 index 000000000..c113c00a3 --- /dev/null +++ b/test/fixtures/simple_regional_with_kubeconfig/variables.tf 
@@ -0,0 +1 @@ +../shared/variables.tf \ No newline at end of file diff --git a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb new file mode 100644 index 000000000..d4904c7df --- /dev/null +++ b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb 
@@ -0,0 +1,170 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +location = attribute('location') +cluster_name = attribute('cluster_name') + +control "gcloud" do + title "Google Compute Engine GKE configuration" + describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "cluster" do + it "is running" do + expect(data['status']).to eq 'RUNNING' + end + + it "is regional" do + expect(data['location']).to match(/^.*[1-9]$/) + end + + it "uses public nodes and master endpoint" do + expect(data['privateClusterConfig']).to eq nil + end + + it "has the expected addon settings" do + expect(data['addonsConfig']).to eq({ + "horizontalPodAutoscaling" => {}, + "httpLoadBalancing" => {}, + "kubernetesDashboard" => { + "disabled" => true, + }, + "networkPolicyConfig" => {}, + }) + end + end + + describe "default node pool" do + let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } + + it "exists" do + expect(data['nodePools']).to include( + including( + "name" => "default-pool", + ) + ) + end + end + + describe "node pool" do + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } + + it 
"has autoscaling enabled" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "enabled" => true, + ), + ) + ) + end + + it "has the expected minimum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "minNodeCount" => 1, + ), + ) + ) + end + + it "has the expected maximum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "maxNodeCount" => 100, + ), + ) + ) + end + + it "is the expected machine type" do + expect(node_pools).to include( + including( + "config" => including( + "machineType" => "n1-standard-2", + ), + ) + ) + end + + it "has the expected disk size" do + expect(node_pools).to include( + including( + "config" => including( + "diskSizeGb" => 100, + ), + ) + ) + end + + it "has the expected labels" do + expect(node_pools).to include( + including( + "config" => including( + "labels" => including( + "cluster_name" => cluster_name, + "node_pool" => "default-node-pool", + ), + ), + ) + ) + end + + it "has the expected network tags" do + expect(node_pools).to include( + including( + "config" => including( + "tags" => match_array([ + "gke-#{cluster_name}", + "gke-#{cluster_name}-default-node-pool", + ]), + ), + ) + ) + end + + it "has autorepair enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoRepair" => true, + ), + ) + ) + end + + it "has autoupgrade enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoUpgrade" => true, + ), + ) + ) + end + end + end +end diff --git a/test/integration/simple_regional_with_kubeconfig/inspec.yml b/test/integration/simple_regional_with_kubeconfig/inspec.yml new file mode 100644 index 000000000..a058e21ef --- /dev/null +++ b/test/integration/simple_regional_with_kubeconfig/inspec.yml 
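Review bot: The control never reads the `kubernetes_endpoint` and `client_token` attributes that the new `inspec.yml` declares as required, so the auth module's outputs — the point of this PR — are verified only in that they exist when kitchen-terraform collects them; `let(:default_node_pool)` in the "default node pool" block is also unused. At minimum assert that the credential outputs are populated, e.g. `describe attribute('client_token') do` / `  it { should_not be_empty }` / `end` next to the `gcloud` describe, and drop the unused `let`. Note that requiring these attributes routes a bearer token through the verifier; if its logging echoes attribute values at any verbosity, the token would appear in test output, so that is worth checking before merging. The hunk begins on the previous line with the license header and attribute setup.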
@@ -0,0 +1,17 @@
+name: simple_regional_with_kubeconfig
+attributes:
+ - name: project_id
+ required: true
+ type: string
+ - name: location
+ required: true
+ type: string
+ - name: cluster_name
+ required: true
+ type: string
+ - name: kubernetes_endpoint
+ required: true
+ type: string
+ - name: client_token
+ required: true
+ type: string