From c783659bb9922d7f8231ac8ba584a4dc805a8288 Mon Sep 17 00:00:00 2001 From: Sebastian neb Date: Mon, 4 May 2020 17:28:19 +0200 Subject: [PATCH] fix: Correct identity namespace output for beta clusters (#500) * Fixes #489 Identity namespace output for beta clusters The identity namespace flag was "enabled". Changed the output value to reference the actual identity namespace of the cluster / the project. * Fixed tests by re-building the module --- autogen/main/outputs.tf.tmpl | 2 +- examples/simple_regional_beta/README.md | 1 + examples/simple_regional_beta/test_outputs.tf | 4 ++++ modules/beta-private-cluster-update-variant/outputs.tf | 2 +- modules/beta-private-cluster/outputs.tf | 2 +- modules/beta-public-cluster/outputs.tf | 2 +- test/fixtures/beta_cluster/outputs.tf | 4 ++++ test/integration/beta_cluster/controls/gcloud.rb | 7 +++++++ test/integration/beta_cluster/inspec.yml | 3 +++ 9 files changed, 23 insertions(+), 4 deletions(-) diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 12cf92b70..ca912ef9d 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -169,7 +169,7 @@ output "release_channel" { output "identity_namespace" { description = "Workload Identity namespace" - value = var.identity_namespace + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null depends_on = [ google_container_cluster.primary ] diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 5aba74d58..c0771e73b 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md 
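Review bot: The `identity_namespace` output in autogen/main/outputs.tf.tmpl returns `null` when `local.cluster_workload_identity_config` is empty, but its description still reads only "Workload Identity namespace". A consumer that interpolates the value into an IAM member string gets no hint that it may be absent. I would change the description to `description = "Workload Identity namespace of the cluster, or null when Workload Identity is not configured"`. The definition of `local.cluster_workload_identity_config` is outside the hunk; if it is derived from the input variable rather than read back from `google_container_cluster.primary`, the description should also say that the value is the configured pool, not the one the API reports. The same line is regenerated in the three modules/beta-*-cluster/outputs.tf hunks, so the wording only needs to change in the template.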
@@ -36,6 +36,7 @@ This example illustrates how to create a simple cluster with beta features. | ca\_certificate | | | client\_token | | | cluster\_name | Cluster name | +| identity\_namespace | | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | | diff --git a/examples/simple_regional_beta/test_outputs.tf b/examples/simple_regional_beta/test_outputs.tf index e64c40e47..71e5965e0 100644 --- a/examples/simple_regional_beta/test_outputs.tf +++ b/examples/simple_regional_beta/test_outputs.tf @@ -61,3 +61,7 @@ output "master_kubernetes_version" { description = "The master Kubernetes version" value = module.gke.master_version } + +output "identity_namespace" { + value = module.gke.identity_namespace +} diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index d75cee869..908051f6c 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -166,7 +166,7 @@ output "release_channel" { output "identity_namespace" { description = "Workload Identity namespace" - value = var.identity_namespace + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null depends_on = [ google_container_cluster.primary ] diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index d75cee869..908051f6c 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -166,7 +166,7 @@ output "release_channel" { output "identity_namespace" { description = "Workload Identity namespace" - value = var.identity_namespace + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null depends_on = [ google_container_cluster.primary ] 
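Review bot: The new `output "identity_namespace"` block in examples/simple_regional_beta/test_outputs.tf has no `description`, which is why the README row added in this commit has an empty description cell. Adding `description = "Workload Identity namespace"` inside the block would match the wording the module outputs already use and fill the generated table. The output added to test/fixtures/beta_cluster/outputs.tf has the same gap.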
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 0115c2098..5ded07d53 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -156,7 +156,7 @@ output "release_channel" { output "identity_namespace" { description = "Workload Identity namespace" - value = var.identity_namespace + value = length(local.cluster_workload_identity_config) > 0 ? local.cluster_workload_identity_config[0].identity_namespace : null depends_on = [ google_container_cluster.primary ] diff --git a/test/fixtures/beta_cluster/outputs.tf b/test/fixtures/beta_cluster/outputs.tf index f2d5730ec..ed3b2f912 100644 --- a/test/fixtures/beta_cluster/outputs.tf +++ b/test/fixtures/beta_cluster/outputs.tf @@ -82,3 +82,7 @@ output "service_account" { output "database_encryption_key_name" { value = google_kms_crypto_key.db.self_link } + +output "identity_namespace" { + value = module.this.identity_namespace +} diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb index d5b41677f..1b135e9c0 100644 --- a/test/integration/beta_cluster/controls/gcloud.rb +++ b/test/integration/beta_cluster/controls/gcloud.rb @@ -91,6 +91,13 @@ "keyName" => attribute('database_encryption_key_name'), }) end + + it "has the expected workload identity config" do + expect(data['workloadIdentityConfig']).to eq({ + "identityNamespace" => attribute('identity_namespace'), + "workloadPool" => attribute('identity_namespace'), + }) + end end describe "default node pool" do diff --git a/test/integration/beta_cluster/inspec.yml b/test/integration/beta_cluster/inspec.yml index 66062ea35..8be2a5218 100644 --- a/test/integration/beta_cluster/inspec.yml +++ b/test/integration/beta_cluster/inspec.yml @@ -31,3 +31,6 @@ attributes: - name: database_encryption_key_name required: true type: string + - name: identity_namespace + required: true + type: string
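Review bot: The new example in test/integration/beta_cluster/controls/gcloud.rb compares `data['workloadIdentityConfig']` with `eq` against an exact two-key hash, so it fails whenever the API response gains or drops a field, even if the identity namespace itself is correct. Matching only the key under test is sturdier: `expect(data['workloadIdentityConfig']).to include("identityNamespace" => attribute('identity_namespace'))`. The expected value is also the module's own output, so the check proves that the output and the cluster agree, not that the pool is the one intended for the project. If the profile has the project id available, also asserting against a value built from it would cover that case. The enclosing `describe` block starts and ends outside the hunk.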