From a1ae0748a55fc0ad762aa3e898e53590d573fda1 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Tue, 14 Jan 2025 21:28:58 +0000 Subject: [PATCH] chore(CI): migrate remaining kitchen tests --- .kitchen.yml | 62 ---- build/int.cloudbuild.yaml | 208 +++++++------ test/fixtures/deploy_service/example.tf | 9 +- test/fixtures/deploy_service/network.tf | 4 +- .../outputs.tf | 10 +- .../simple_regional_with_ipv6/outputs.tf | 10 +- .../example.tf | 8 +- .../outputs.tf | 10 +- .../workload_metadata_config/outputs.tf | 6 +- .../testdata/TestBetaCluster.json | 1 - .../node_pool/testdata/TestNodePool.json | 1 - .../testdata/TestSimpleRegional.json | 1 - .../TestSimpleRegionalClusterAutoscaling.json | 1 - .../controls/gcloud.rb | 199 ------------- .../inspec.yml | 31 -- .../simple_regional_with_gateway_api_test.go | 66 +++++ .../TestSimpleRegionalWithGatewayAPI.json | 270 +++++++++++++++++ .../controls/gcloud.rb | 192 ------------ .../simple_regional_with_ipv6/inspec.yml | 31 -- .../simple_regional_with_ipv6_test.go | 66 +++++ .../testdata/TestSimpleRegionalWithIPV6.json | 265 +++++++++++++++++ .../testdata/TestStubDomains.json | 1 - .../testdata/TestStubDomainsPrivate.json | 1 - .../controls/gcloud.rb | 52 ---- .../controls/kubectl.rb | 92 ------ .../inspec.yml | 34 --- .../stub_domains_upstream_nameservers_test.go | 102 +++++++ .../TestStubDomainsUpstreamNameservers.json | 274 ++++++++++++++++++ .../testdata/TestUpstreamNameservers.json | 1 - .../workload_metadata_config/inspec.yml | 31 -- .../testdata/TestWorkloadMetadataConfig.json | 194 +++++++++++++ .../workload_metadata_config_test.go | 66 +++++ 32 files changed, 1450 insertions(+), 849 deletions(-) delete mode 100644 .kitchen.yml delete mode 100644 test/integration/simple_regional_with_gateway_api/controls/gcloud.rb delete mode 100644 test/integration/simple_regional_with_gateway_api/inspec.yml create mode 100644 test/integration/simple_regional_with_gateway_api/simple_regional_with_gateway_api_test.go create mode 100644 
test/integration/simple_regional_with_gateway_api/testdata/TestSimpleRegionalWithGatewayAPI.json delete mode 100644 test/integration/simple_regional_with_ipv6/controls/gcloud.rb delete mode 100644 test/integration/simple_regional_with_ipv6/inspec.yml create mode 100644 test/integration/simple_regional_with_ipv6/simple_regional_with_ipv6_test.go create mode 100644 test/integration/simple_regional_with_ipv6/testdata/TestSimpleRegionalWithIPV6.json delete mode 100644 test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb delete mode 100644 test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb delete mode 100644 test/integration/stub_domains_upstream_nameservers/inspec.yml create mode 100644 test/integration/stub_domains_upstream_nameservers/stub_domains_upstream_nameservers_test.go create mode 100644 test/integration/stub_domains_upstream_nameservers/testdata/TestStubDomainsUpstreamNameservers.json delete mode 100644 test/integration/workload_metadata_config/inspec.yml create mode 100644 test/integration/workload_metadata_config/testdata/TestWorkloadMetadataConfig.json create mode 100644 test/integration/workload_metadata_config/workload_metadata_config_test.go diff --git a/.kitchen.yml b/.kitchen.yml deleted file mode 100644 index 7447818116..0000000000 --- a/.kitchen.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -# Copyright 2018 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -driver: - name: "terraform" - verify_version: false - -provisioner: - name: "terraform" - -transport: - name: "terraform" - command_timeout: 2700 - -verifier: - name: terraform - color: false - fail_fast: false - -platforms: - - name: local - -suites: - - name: "simple_regional_with_gateway_api" - transport: - root_module_directory: test/fixtures/simple_regional_with_gateway_api - verifier: - systems: - - name: simple_regional_with_gateway_api - backend: local - - name: "simple_regional_with_ipv6" - transport: - root_module_directory: test/fixtures/simple_regional_with_ipv6 - verifier: - systems: - - name: simple_regional_with_ipv6 - backend: local - - name: "stub_domains_upstream_nameservers" - transport: - root_module_directory: test/fixtures/stub_domains_upstream_nameservers - verifier: - systems: - - name: stub_domains_upstream_nameservers - backend: local - - name: "workload_metadata_config" - transport: - root_module_directory: test/fixtures/workload_metadata_config - verifier: - systems: - - name: workload_metadata_config - backend: local diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index eb4b6f63d6..0c42e0935b 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -1,4 +1,4 @@
-# Copyright 2019 Google LLC
+# Copyright 2019-2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,44 +29,39 @@ steps: - prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose'] -- id: create-all - waitFor: - - init-all - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create'] - id: apply disable-client-cert waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage apply --verbose'] - id: verify disable-client-cert waitFor: - apply disable-client-cert name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage verify --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage verify --verbose'] - id: teardown disable-client-cert waitFor: - verify disable-client-cert name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage teardown --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestDisableClientCert --stage teardown --verbose'] - id: apply shared-vpc-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage apply --verbose'] - id: verify 
shared-vpc-local waitFor: - apply shared-vpc-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage verify --verbose --test-dir test/integration'] -- id: destroy shared-vpc-local + args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage verify --verbose'] +- id: teardown shared-vpc-local waitFor: - verify shared-vpc-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage teardown --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestSharedVPC --stage teardown --verbose'] - id: apply safer-cluster-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSaferCluster --stage apply --verbose'] - id: verify safer-cluster-local @@ -74,14 +69,14 @@ steps: - apply safer-cluster-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSaferCluster --stage verify --verbose'] -- id: destroy safer-cluster-local +- id: teardown safer-cluster-local waitFor: - verify safer-cluster-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSaferCluster --stage destroy --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestSaferCluster --stage teardown --verbose'] - id: apply simple-regional-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage apply --verbose'] - id: verify simple-regional-local 
@@ -89,14 +84,14 @@ steps: - apply simple-regional-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage verify --verbose'] -- id: destroy simple-regional-local +- id: teardown simple-regional-local waitFor: - verify simple-regional-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage teardown --verbose'] - id: apply simple-regional-private-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalPrivate --stage apply --verbose'] - id: verify simple-regional-private-local @@ -104,15 +99,14 @@ steps: - apply simple-regional-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalPrivate --stage verify --verbose'] -- id: destroy simple-regional-private-local +- id: teardown simple-regional-private-local waitFor: - verify simple-regional-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalPrivate --stage teardown --verbose'] - id: apply simple-regional-cluster-autoscaling waitFor: - - create-all - - destroy simple-regional-private-local + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage apply --verbose'] - id: verify simple-regional-cluster-autoscaling 
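Review bot: In the `@@ -104,15 +99,14 @@` hunk, `apply simple-regional-cluster-autoscaling` loses its `waitFor` entry on the simple-regional-private-local teardown rather than having it renamed, so the two suites can now run concurrently. The equivalent entry on `apply autopilot-private-firewalls` (hunk `@@ -406,15 +400,15 @@`) is kept and renamed to `- teardown simple-autopilot-private-local`, so the two cases are treated differently with no reason given. If the old ordering guarded against quota or shared-resource contention in the CI project, it should be restored as `- teardown simple-regional-private-local`. If the removal is deliberate, a short YAML comment on the step saying why no ordering is needed would keep the next reader from re-adding it.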
@@ -120,14 +114,14 @@ steps: - apply simple-regional-cluster-autoscaling name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage verify --verbose'] -- id: destroy simple-regional-cluster-autoscaling +- id: teardown simple-regional-cluster-autoscaling waitFor: - verify simple-regional-cluster-autoscaling name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage teardown --verbose'] - id: apply simple-regional-with-kubeconfig-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithKubeConfig --stage apply --verbose'] - id: verify simple-regional-with-kubeconfig-local 
@@ -135,29 +129,29 @@ steps: - apply simple-regional-with-kubeconfig-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithKubeConfig --stage verify --verbose'] -- id: destroy simple-regional-with-kubeconfig-local +- id: teardown simple-regional-with-kubeconfig-local waitFor: - verify simple-regional-with-kubeconfig-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithKubeConfig --stage teardown --verbose'] -- id: converge simple-regional-with-gateway-api-local +- id: apply simple-regional-with-gateway-api-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-gateway-api-local'] + args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithGatewayAPI --stage apply --verbose'] - id: verify simple-regional-with-gateway-api-local waitFor: - - converge simple-regional-with-gateway-api-local + - apply simple-regional-with-gateway-api-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-gateway-api-local'] -- id: destroy simple-regional-with-gateway-api-local + args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithGatewayAPI --stage verify --verbose'] +- id: teardown simple-regional-with-gateway-api-local waitFor: - verify simple-regional-with-gateway-api-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && 
kitchen_do destroy simple-regional-with-gateway-api-local'] + args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithGatewayAPI --stage teardown --verbose'] - id: apply simple-regional-with-networking-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithNetworking --stage apply --verbose'] - id: verify simple-regional-with-networking-local @@ -165,14 +159,14 @@ steps: - apply simple-regional-with-networking-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithNetworking --stage verify --verbose'] -- id: destroy simple-regional-with-networking-local +- id: teardown simple-regional-with-networking-local waitFor: - verify simple-regional-with-networking-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalWithNetworking --stage teardown --verbose'] - id: apply simple-zonal-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonal --stage apply --verbose'] - id: verify simple-zonal-local 
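Review bot: The migrated `teardown simple-regional-with-gateway-api-local` step waits only on its `verify` step. Cloud Build stops at the first failing step by default, so a failed apply or verify would skip teardown and leave that GKE cluster running in the CI project. The other migrated suites in `@@ -195,120 +189,120 @@` (stub-domains-upstream-nameservers, workload-metadata-config) have the same shape, as do the existing steps, so this may already be covered by project-level cleanup that is not visible in this diff. If it is not, orphaned test clusters are both cost and exposed surface, and it is worth confirming they are reaped. A one-line comment near `steps:` such as `# resources from failed runs are removed by <cleanup mechanism>` would record where that happens.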
@@ -180,14 +174,14 @@ steps: - apply simple-zonal-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonal --stage verify --verbose'] -- id: destroy simple-zonal-local +- id: teardown simple-zonal-local waitFor: - verify simple-zonal-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonal --stage teardown --verbose'] - id: apply simple-zonal-private-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalPrivate --stage apply --verbose'] - id: verify simple-zonal-private-local 
@@ -195,120 +189,120 @@ steps: - apply simple-zonal-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalPrivate --stage verify --verbose'] -- id: destroy simple-zonal-private-local +- id: teardown simple-zonal-private-local waitFor: - verify simple-zonal-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalPrivate --stage teardown --verbose'] - id: apply stub-domains-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage apply --verbose'] - id: verify stub-domains-local waitFor: - apply stub-domains-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage verify --verbose --test-dir test/integration'] -- id: destroy stub-domains-local + args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage verify --verbose'] +- id: teardown stub-domains-local waitFor: - verify stub-domains-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage destroy --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestStubDomains --stage teardown --verbose'] # Disabled: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/264 # - id: apply stub-domains-private-local # waitFor: -# - create-all +# - init-all # name: 
'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' -# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage apply --verbose --test-dir test/integration'] +# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage apply --verbose'] # - id: verify stub-domains-private-local # waitFor: # - apply stub-domains-private-local # name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' -# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage verify --verbose --test-dir test/integration'] -# - id: destroy stub-domains-private-local +# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage verify --verbose'] +# - id: teardown stub-domains-private-local # waitFor: # - verify stub-domains-private-local # name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' -# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage destroy --verbose --test-dir test/integration'] +# args: ['/bin/bash', '-c', 'cft test run TestStubDomainsPrivate --stage teardown --verbose'] - id: apply upstream-nameservers-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers --stage apply --verbose'] - id: verify upstream-nameservers-local waitFor: - apply upstream-nameservers-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers --stage verify --verbose --test-dir test/integration'] -- id: destroy upstream-nameservers-local + args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers 
--stage verify --verbose'] +- id: teardown upstream-nameservers-local waitFor: - verify upstream-nameservers-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers --stage destroy --verbose --test-dir test/integration'] -- id: converge stub-domains-upstream-nameservers-local + args: ['/bin/bash', '-c', 'cft test run TestUpstreamNameservers --stage teardown --verbose'] +- id: apply stub-domains-upstream-nameservers-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge stub-domains-upstream-nameservers-local'] + args: ['/bin/bash', '-c', 'cft test run TestStubDomainsUpstreamNameservers --stage apply --verbose'] - id: verify stub-domains-upstream-nameservers-local waitFor: - - converge stub-domains-upstream-nameservers-local + - apply stub-domains-upstream-nameservers-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify stub-domains-upstream-nameservers-local'] -- id: destroy stub-domains-upstream-nameservers-local + args: ['/bin/bash', '-c', 'cft test run TestStubDomainsUpstreamNameservers --stage verify --verbose'] +- id: teardown stub-domains-upstream-nameservers-local waitFor: - verify stub-domains-upstream-nameservers-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy stub-domains-upstream-nameservers-local'] -- id: converge workload-metadata-config-local + args: ['/bin/bash', '-c', 'cft test run TestStubDomainsUpstreamNameservers --stage teardown 
--verbose'] +- id: apply workload-metadata-config-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge workload-metadata-config-local'] + args: ['/bin/bash', '-c', 'cft test run TestWorkloadMetadataConfig --stage apply --verbose'] - id: verify workload-metadata-config-local waitFor: - - converge workload-metadata-config-local + - apply workload-metadata-config-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify workload-metadata-config-local'] -- id: destroy workload-metadata-config-local + args: ['/bin/bash', '-c', 'cft test run TestWorkloadMetadataConfig --stage verify --verbose'] +- id: teardown workload-metadata-config-local waitFor: - verify workload-metadata-config-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy workload-metadata-config-local'] + args: ['/bin/bash', '-c', 'cft test run TestWorkloadMetadataConfig --stage teardown --verbose'] - id: apply beta-cluster waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage apply --verbose'] - id: verify beta-cluster waitFor: - apply beta-cluster name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage verify --verbose --test-dir 
test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage verify --verbose'] - id: teardown beta-cluster waitFor: - verify beta-cluster name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage teardown --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestBetaCluster --stage teardown --verbose'] - id: apply simple-windows-node-pool-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage apply --verbose'] - id: verify simple-windows-node-pool-local waitFor: - apply simple-windows-node-pool-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage verify --verbose --test-dir test/integration'] -- id: destroy simple-windows-node-pool-local + args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage verify --verbose'] +- id: teardown simple-windows-node-pool-local waitFor: - verify simple-windows-node-pool-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage teardown --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestSimpleWindowsNodePool --stage teardown --verbose'] - id: apply deploy-service-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestDeployService --stage 
apply --verbose'] - id: verify deploy-service-local @@ -316,14 +310,14 @@ steps: - apply deploy-service-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestDeployService --stage verify --verbose'] -- id: destroy deploy-service-local +- id: teardown deploy-service-local waitFor: - verify deploy-service-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestDeployService --stage destroy --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestDeployService --stage teardown --verbose'] - id: apply node-pool-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage apply --verbose'] - id: verify node-pool-local @@ -331,14 +325,14 @@ steps: - apply node-pool-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage verify --verbose'] -- id: destroy node-pool-local +- id: teardown node-pool-local waitFor: - verify node-pool-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage destroy --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage teardown --verbose'] - id: apply sandbox-enabled-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSandboxEnabled --stage apply --verbose'] - id: verify sandbox-enabled-local 
@@ -346,14 +340,14 @@ steps: - apply sandbox-enabled-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSandboxEnabled --stage verify --verbose'] -- id: destroy sandbox-enabled-local +- id: teardown sandbox-enabled-local waitFor: - verify sandbox-enabled-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSandboxEnabled --stage destroy --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestSandboxEnabled --stage teardown --verbose'] - id: apply workload-identity-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage apply --verbose'] - id: verify workload-identity-local @@ -361,14 +355,14 @@ steps: - apply workload-identity-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage verify --verbose'] -- id: destroy workload-identity-local +- id: teardown workload-identity-local waitFor: - verify workload-identity-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage teardown --verbose'] - id: apply safer-cluster-iap-bastion-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage apply --verbose'] - id: verify safer-cluster-iap-bastion-local 
@@ -376,14 +370,14 @@ steps: - apply safer-cluster-iap-bastion-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage verify --verbose'] -- id: destroy safer-cluster-iap-bastion-local +- id: teardown safer-cluster-iap-bastion-local waitFor: - verify safer-cluster-iap-bastion-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage teardown --verbose'] - id: apply simple-zonal-with-asm-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalWithASM --stage apply --verbose'] - id: verify simple-zonal-with-asm-local @@ -391,14 +385,14 @@ steps: - apply simple-zonal-with-asm-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalWithASM --stage verify --verbose'] -- id: destroy simple-zonal-with-asm-local +- id: teardown simple-zonal-with-asm-local waitFor: - verify simple-zonal-with-asm-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleZonalWithASM --stage teardown --verbose'] - id: apply simple-autopilot-private-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivate --stage apply --verbose'] - id: verify simple-autopilot-private-local 
@@ -406,15 +400,15 @@ steps: - apply simple-autopilot-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivate --stage verify --verbose'] -- id: destroy simple-autopilot-private-local +- id: teardown simple-autopilot-private-local waitFor: - verify simple-autopilot-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivate --stage teardown --verbose'] - id: apply autopilot-private-firewalls waitFor: - - create-all - - destroy simple-autopilot-private-local + - init-all + - teardown simple-autopilot-private-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage apply --verbose'] - id: verify autopilot-private-firewalls 
@@ -422,14 +416,14 @@ steps: - apply autopilot-private-firewalls name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage verify --verbose'] -- id: destroy autopilot-private-firewalls +- id: teardown autopilot-private-firewalls waitFor: - verify autopilot-private-firewalls name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage destroy --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage teardown --verbose'] - id: apply simple-autopilot-public-local waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPublic --stage apply --verbose'] - id: verify simple-autopilot-public-local 
@@ -437,29 +431,29 @@ steps: - apply simple-autopilot-public-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPublic --stage verify --verbose'] -- id: destroy simple-autopilot-public-local +- id: teardown simple-autopilot-public-local waitFor: - verify simple-autopilot-public-local name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPublic --stage teardown --verbose'] - id: apply private-zonal-with-networking waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage apply --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage apply --verbose'] - id: verify private-zonal-with-networking waitFor: - apply private-zonal-with-networking name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage verify --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage verify --verbose'] - id: teardown private-zonal-with-networking waitFor: - verify private-zonal-with-networking name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage teardown --verbose --test-dir test/integration'] + args: ['/bin/bash', '-c', 'cft test run TestPrivateZonalWithNetworking --stage teardown --verbose'] - id: apply simple-autopilot-private-non-default-sa waitFor: - - create-all + - init-all name: 
'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivateNonDefaultSA --stage apply --verbose'] - id: verify simple-autopilot-private-non-default-sa @@ -474,7 +468,7 @@ steps: args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivateNonDefaultSA --stage teardown --verbose'] - id: apply simple-fleet-app-operator-permissions waitFor: - - create-all + - init-all name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage apply --verbose'] - id: verify simple-fleet-app-operator-permissions diff --git a/test/fixtures/deploy_service/example.tf b/test/fixtures/deploy_service/example.tf index 60904163a8..fa1640da34 100644 --- a/test/fixtures/deploy_service/example.tf +++ b/test/fixtures/deploy_service/example.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -13,17 +13,20 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +locals { + cluster_index = 1 +} module "example" { source = "../../../examples/deploy_service" - project_id = var.project_ids[0] + project_id = var.project_ids[local.cluster_index] cluster_name_suffix = "-${random_string.suffix.result}" region = var.region network = google_compute_network.main.name subnetwork = google_compute_subnetwork.main.name ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name - compute_engine_service_account = var.compute_engine_service_accounts[0] + compute_engine_service_account = var.compute_engine_service_accounts[local.cluster_index] } 
diff --git a/test/fixtures/deploy_service/network.tf b/test/fixtures/deploy_service/network.tf index 94bb29e63c..724cd57afc 100644 --- a/test/fixtures/deploy_service/network.tf +++ b/test/fixtures/deploy_service/network.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,7 +21,7 @@ resource "random_string" "suffix" { } provider "google" { - project = var.project_ids[0] + project = var.project_ids[local.cluster_index] } resource "google_compute_network" "main" { diff --git a/test/fixtures/simple_regional_with_gateway_api/outputs.tf b/test/fixtures/simple_regional_with_gateway_api/outputs.tf index a62317bf64..9aa2299196 100644 --- a/test/fixtures/simple_regional_with_gateway_api/outputs.tf +++ b/test/fixtures/simple_regional_with_gateway_api/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -83,3 +83,11 @@ output "service_account" { output "registry_project_ids" { value = var.registry_project_ids } + +output "random_string" { + value = random_string.suffix.result +} + +output "compute_engine_service_account" { + value = var.compute_engine_service_accounts[local.cluster_index] +} diff --git a/test/fixtures/simple_regional_with_ipv6/outputs.tf b/test/fixtures/simple_regional_with_ipv6/outputs.tf index a62317bf64..9aa2299196 100644 --- a/test/fixtures/simple_regional_with_ipv6/outputs.tf +++ b/test/fixtures/simple_regional_with_ipv6/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -83,3 +83,11 @@ output "service_account" { output "registry_project_ids" { value = var.registry_project_ids } + +output "random_string" { + value = random_string.suffix.result +} + +output "compute_engine_service_account" { + value = var.compute_engine_service_accounts[local.cluster_index] +} diff --git a/test/fixtures/stub_domains_upstream_nameservers/example.tf b/test/fixtures/stub_domains_upstream_nameservers/example.tf index a6923c0f13..c45039bded 100644 --- a/test/fixtures/stub_domains_upstream_nameservers/example.tf +++ b/test/fixtures/stub_domains_upstream_nameservers/example.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,6 +14,10 @@ * limitations under the License. */ +locals { + compute_engine_service_account = var.compute_engine_service_accounts[1] +} + module "example" { source = "../../../examples/stub_domains_upstream_nameservers" @@ -24,6 +28,6 @@ module "example" { subnetwork = google_compute_subnetwork.main.name ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name - compute_engine_service_account = var.compute_engine_service_accounts[1] + compute_engine_service_account = local.compute_engine_service_account } diff --git a/test/fixtures/stub_domains_upstream_nameservers/outputs.tf b/test/fixtures/stub_domains_upstream_nameservers/outputs.tf index 403576809a..7c5d1b6c7e 100644 --- a/test/fixtures/stub_domains_upstream_nameservers/outputs.tf +++ b/test/fixtures/stub_domains_upstream_nameservers/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -56,3 +56,11 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = module.example.service_account } + +output "random_string" { + value = random_string.suffix.result +} + +output "compute_engine_service_account" { + value = local.compute_engine_service_account +} diff --git a/test/fixtures/workload_metadata_config/outputs.tf b/test/fixtures/workload_metadata_config/outputs.tf index 403576809a..1bd41c3373 100644 --- a/test/fixtures/workload_metadata_config/outputs.tf +++ b/test/fixtures/workload_metadata_config/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -56,3 +56,7 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = module.example.service_account } + +output "random_string" { + value = random_string.suffix.result +} diff --git a/test/integration/beta_cluster/testdata/TestBetaCluster.json b/test/integration/beta_cluster/testdata/TestBetaCluster.json index dbc703d59b..1f1277dc5d 100755 --- a/test/integration/beta_cluster/testdata/TestBetaCluster.json +++ b/test/integration/beta_cluster/testdata/TestBetaCluster.json @@ -60,7 +60,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-qwc4", - "defaultPodIpv4RangeUtilization": 0.0156, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/node_pool/testdata/TestNodePool.json b/test/integration/node_pool/testdata/TestNodePool.json index b99dfd8a88..df7f0d7ff2 100644 --- a/test/integration/node_pool/testdata/TestNodePool.json +++ b/test/integration/node_pool/testdata/TestNodePool.json 
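Review bot: The two outputs added to `stub_domains_upstream_nameservers/outputs.tf`, `random_string` and `compute_engine_service_account`, carry no `description`, while the `service_account` output directly above them in the same hunk has one. I would add, for example, `description = "Random suffix used in fixture resource names."` and `description = "Service account passed to the example as the node service account."` so the fixture's interface stays self-describing. The same applies to the `random_string` output added to `workload_metadata_config/outputs.tf` and to the outputs added in the `simple_regional_with_gateway_api` and `simple_regional_with_ipv6` fixtures. Those last two also read `local.cluster_index`, whose definition is not part of this diff, so it is worth confirming that each fixture declares it.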
@@ -86,7 +86,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", - "defaultPodIpv4RangeUtilization": 0.0624, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/simple_regional/testdata/TestSimpleRegional.json b/test/integration/simple_regional/testdata/TestSimpleRegional.json index 16d6297fdc..741dcdbbb5 100644 --- a/test/integration/simple_regional/testdata/TestSimpleRegional.json +++ b/test/integration/simple_regional/testdata/TestSimpleRegional.json @@ -60,7 +60,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-44kc", - "defaultPodIpv4RangeUtilization": 0.0469, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/simple_regional_cluster_autoscaling/testdata/TestSimpleRegionalClusterAutoscaling.json b/test/integration/simple_regional_cluster_autoscaling/testdata/TestSimpleRegionalClusterAutoscaling.json index a922600484..76e598d086 100644 --- a/test/integration/simple_regional_cluster_autoscaling/testdata/TestSimpleRegionalClusterAutoscaling.json +++ b/test/integration/simple_regional_cluster_autoscaling/testdata/TestSimpleRegionalClusterAutoscaling.json @@ -52,7 +52,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-44kc", - "defaultPodIpv4RangeUtilization": 0.0469, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb b/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb deleted file mode 100644 index 631eae3d2a..0000000000 
--- a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb +++ /dev/null 
@@ -1,199 +0,0 @@ -# Copyright 2019 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -project_id = attribute('project_id') -location = attribute('location') -cluster_name = attribute('cluster_name') - -control "gcloud" do - title "Google Compute Engine GKE configuration" - describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq '' } - - let!(:data) do - if subject.exit_status == 0 - JSON.parse(subject.stdout) - else - {} - end - end - - describe "cluster" do - it "is running" do - expect(data['status']).to eq 'RUNNING' - end - - it "is regional" do - expect(data['location']).to match(/^.*[1-9]$/) - end - - it "uses public nodes and master endpoint" do - expect(data['privateClusterConfig']['enablePrivateEndpoint']).to eq nil - expect(data['privateClusterConfig']['enablePrivateNodes']).to eq nil - end - - it "has the expected addon settings" do - expect(data['addonsConfig']).to include( - "horizontalPodAutoscaling" => {}, - "httpLoadBalancing" => {}, - "kubernetesDashboard" => { - "disabled" => true, - }, - "networkPolicyConfig" => { - "disabled" => true, - }, - ) - end - - it "has gateway api enabled" do - expect(data['networkConfig']).to include( - "gatewayApiConfig" => { - "channel" => "CHANNEL_STANDARD", - }, - ) - end - - it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to 
include({ - "state" => 'DECRYPTED', - }) - end - - it "has the expected shieldedNodes config" do - expect(data['shieldedNodes']).to eq({ - "enabled" => true, - }) - end - - it "has the expected binaryAuthorization config" do - expect(data['binaryAuthorization']).to eq({ - "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE", - }) - end - end - - describe "default node pool" do - let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } - - it "exists" do - expect(data['nodePools']).to include( - including( - "name" => "default-pool", - ) - ) - end - end - - describe "node pool" do - let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } - - it "has autoscaling enabled" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "enabled" => true, - ), - ) - ) - end - - it "has the expected minimum node count" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "minNodeCount" => 1, - ), - ) - ) - end - - it "has the expected maximum node count" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "maxNodeCount" => 100, - ), - ) - ) - end - - it "is the expected machine type" do - expect(node_pools).to include( - including( - "config" => including( - "machineType" => "e2-medium", - ), - ) - ) - end - - it "has the expected disk size" do - expect(node_pools).to include( - including( - "config" => including( - "diskSizeGb" => 100, - ), - ) - ) - end - - it "has the expected labels" do - expect(node_pools).to include( - including( - "config" => including( - "labels" => including( - "cluster_name" => cluster_name, - "node_pool" => "default-node-pool", - ), - ), - ) - ) - end - - it "has the expected network tags" do - expect(node_pools).to include( - including( - "config" => including( - "tags" => match_array([ - "gke-#{cluster_name}", - "gke-#{cluster_name}-default-node-pool", - ]), - ), - ) - ) - end - - it "has autorepair 
enabled" do - expect(node_pools).to include( - including( - "management" => including( - "autoRepair" => true, - ), - ) - ) - end - - it "has autoupgrade enabled" do - expect(node_pools).to include( - including( - "management" => including( - "autoUpgrade" => true, - ), - ) - ) - end - end - end -end diff --git a/test/integration/simple_regional_with_gateway_api/inspec.yml b/test/integration/simple_regional_with_gateway_api/inspec.yml deleted file mode 100644 index e91bbc6ca9..0000000000 --- a/test/integration/simple_regional_with_gateway_api/inspec.yml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: simple_regional_with_gateway_api -attributes: - - name: project_id - required: true - type: string - - name: location - required: true - type: string - - name: cluster_name - required: true - type: string - - name: kubernetes_endpoint - required: true - type: string - - name: client_token - required: true - type: string diff --git a/test/integration/simple_regional_with_gateway_api/simple_regional_with_gateway_api_test.go b/test/integration/simple_regional_with_gateway_api/simple_regional_with_gateway_api_test.go new file mode 100644 index 0000000000..54e113d766 --- /dev/null +++ b/test/integration/simple_regional_with_gateway_api/simple_regional_with_gateway_api_test.go 
@@ -0,0 +1,66 @@ +// Copyright 2024-2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package node_pool + +import ( + "fmt" + "testing" + "time" + + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/cai" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" + "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" + "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" +) + +func TestSimpleRegionalWithGatewayAPI(t *testing.T) { + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) + + bpt.DefineVerify(func(assert *assert.Assertions) { + // Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token + // bpt.DefaultVerify(assert) + testutils.TGKEVerify(t, bpt, assert) // Verify Resources + + projectId := bpt.GetStringOutput("project_id") + location := bpt.GetStringOutput("location") + clusterName := bpt.GetStringOutput("cluster_name") + randomString := bpt.GetStringOutput("random_string") + kubernetesEndpoint := bpt.GetStringOutput("kubernetes_endpoint") + nodeServiceAccount := bpt.GetStringOutput("compute_engine_service_account") + + // Retrieve Project CAI + projectCAI := cai.GetProjectResources(t, projectId, 
cai.WithAssetTypes([]string{"container.googleapis.com/Cluster"})) + + // Retrieve Cluster from CAI + // Equivalent gcloud describe command (classic) + // cluster := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId) + clusterResourceName := fmt.Sprintf("//container.googleapis.com/projects/%s/locations/%s/clusters/%s", projectId, location, clusterName) + cluster := projectCAI.Get("#(name=\"" + clusterResourceName + "\").resource.data") + + // Setup golden image with sanitizers + g := golden.NewOrUpdate(t, cluster.String(), + golden.WithSanitizer(golden.StringSanitizer(nodeServiceAccount, "NODE_SERVICE_ACCOUNT")), + golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")), + golden.WithSanitizer(golden.StringSanitizer(randomString, "RANDOM_STRING")), + golden.WithSanitizer(golden.StringSanitizer(kubernetesEndpoint, "KUBERNETES_ENDPOINT")), + ) + + // Cluster Assertions + testutils.TGKEAssertGolden(assert, g, &cluster, []string{"default-pool"}, []string{"monitoringConfig.componentConfig.enableComponents"}) // TODO: enableComponents is UL + }) + bpt.Test() +} diff --git a/test/integration/simple_regional_with_gateway_api/testdata/TestSimpleRegionalWithGatewayAPI.json b/test/integration/simple_regional_with_gateway_api/testdata/TestSimpleRegionalWithGatewayAPI.json new file mode 100644 index 0000000000..9d740e330e --- /dev/null +++ b/test/integration/simple_regional_with_gateway_api/testdata/TestSimpleRegionalWithGatewayAPI.json 
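Review bot: The value returned by `projectCAI.Get(...)` is passed straight to `golden.NewOrUpdate` without checking that the cluster was found in the asset export. If the lookup misses (for example because the inventory lags behind the apply stage), the comparison runs against an empty document, and a golden-update run would presumably record that empty document as the expected state. Assuming the result is a gjson value, as the path syntax suggests, a guard such as `assert.True(cluster.Exists(), "cluster %s not found in CAI", clusterResourceName)` before the golden step makes that failure explicit. Separately, the package clause `package node_pool` does not match the `simple_regional_with_gateway_api` directory. Both points also apply to the copy added under `simple_regional_with_ipv6`.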
@@ -0,0 +1,270 @@ +{ + "addonsConfig": { + "configConnectorConfig": {}, + "dnsCacheConfig": {}, + "gcePersistentDiskCsiDriverConfig": { + "enabled": true + }, + "gcpFilestoreCsiDriverConfig": {}, + "gkeBackupAgentConfig": {}, + "horizontalPodAutoscaling": {}, + "httpLoadBalancing": {}, + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "autopilot": {}, + "autoscaling": { + "autoscalingProfile": "BALANCED" + }, + "binaryAuthorization": { + "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE" + }, + "clusterIpv4Cidr": "192.168.0.0/18", + "controlPlaneEndpointsConfig": { + "dnsEndpointConfig": { + "allowExternalTraffic": false + }, + "ipEndpointsConfig": { + "authorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "enablePublicEndpoint": true, + "enabled": true, + "privateEndpoint": "10.0.0.2", + "publicEndpoint": "KUBERNETES_ENDPOINT" + } + }, + "currentNodeCount": 3, + "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", + "state": "DECRYPTED" + }, + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "KUBERNETES_ENDPOINT", + "enterpriseConfig": { + "clusterTier": "STANDARD" + }, + "identityServiceConfig": {}, + "ipAllocationPolicy": { + "clusterIpv4Cidr": "192.168.0.0/18", + "clusterIpv4CidrBlock": "192.168.0.0/18", + "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", + "podCidrOverprovisionConfig": {}, + "servicesIpv4Cidr": "192.168.64.0/18", + "servicesIpv4CidrBlock": "192.168.64.0/18", + "servicesSecondaryRangeName": "cft-gke-test-services-RANDOM_STRING", + "stackType": "IPV4", + "useIpAliases": true + }, + "labelFingerprint": "78cdf2f6", + "legacyAbac": {}, + "location": "us-central1", + "loggingConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "WORKLOADS" + ] + } + }, + "loggingService": "logging.googleapis.com/kubernetes", + "maintenancePolicy": { + "resourceVersion": "ce912209", + "window": { + 
"dailyMaintenanceWindow": { + "duration": "PT4H0M0S", + "startTime": "05:00" + } + } + }, + "masterAuth": { + "clientCertificateConfig": {} + }, + "masterAuthorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "meshCertificates": { + "enableCertificates": false + }, + "monitoringConfig": { + "advancedDatapathObservabilityConfig": {}, + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "STORAGE", + "HPA", + "POD", + "DAEMONSET", + "DEPLOYMENT", + "STATEFULSET", + "CADVISOR", + "KUBELET" + ] + }, + "managedPrometheusConfig": { + "enabled": true + } + }, + "monitoringService": "monitoring.googleapis.com/kubernetes", + "name": "simple-regional-gatewayapi-cluster-RANDOM_STRING", + "network": "cft-gke-test-RANDOM_STRING", + "networkConfig": { + "defaultSnatStatus": {}, + "network": "projects/PROJECT_ID/global/networks/cft-gke-test-RANDOM_STRING", + "serviceExternalIpsConfig": {}, + "subnetwork": "projects/PROJECT_ID/regions/us-central1/subnetworks/cft-gke-test-RANDOM_STRING", + "gatewayApiConfig": { + "channel": "CHANNEL_STANDARD" + } + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-simple-regional-gatewayapi-cluster-RANDOM_STRING", + "gke-simple-regional-gatewayapi-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": {}, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + 
}, + "nodeKubeletConfig": {} + } + }, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "minNodeCount": 1, + "maxNodeCount": 100 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "labels": { + "cluster_name": "simple-regional-gatewayapi-cluster-RANDOM_STRING", + "node_pool": "default-node-pool" + }, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "serviceAccount": "NODE_SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-node-pool-cluster-RANDOM_STRING", + "gke-node-pool-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "locations": [ + "europe-west4-b" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "name": "default-pool", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "cft-gke-test-pods-RANDOM_STRING" + }, + "podIpv4CidrSize": 24, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/europe-west4/clusters/node-pool-cluster-RANDOM_STRING/nodePools/default-pool", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + } + } + ], + "notificationConfig": { + "pubsub": {} + }, + "privateClusterConfig": { + "enablePrivateEndpoint": null, + "enablePrivateNodes": null, + "privateEndpoint": "10.0.0.2", + "publicEndpoint": "KUBERNETES_ENDPOINT" + }, + "rbacBindingConfig": { + "enableInsecureBindingSystemAuthenticated": true, + "enableInsecureBindingSystemUnauthenticated": true + }, + 
"releaseChannel": { + "channel": "REGULAR" + }, + "resourceLabels": { + "goog-terraform-provisioned": "true" + }, + "securityPostureConfig": { + "mode": "DISABLED", + "vulnerabilityMode": "VULNERABILITY_DISABLED" + }, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/simple-regional-gatewayapi-cluster-RANDOM_STRING", + "servicesIpv4Cidr": "192.168.64.0/18", + "shieldedNodes": { + "enabled": true + }, + "status": "RUNNING", + "subnetwork": "cft-gke-test-RANDOM_STRING", + "verticalPodAutoscaling": {}, + "workloadIdentityConfig": { + "workloadPool": "PROJECT_ID.svc.id.goog" + }, + "zone": "us-central1" +} diff --git a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb deleted file mode 100644 index 0080ed5c14..0000000000 --- a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb +++ /dev/null 
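Review bot: The single `nodePools` entry in this golden file looks like it was carried over from a different fixture rather than captured from this cluster. The cluster is `simple-regional-gatewayapi-cluster-RANDOM_STRING` in `us-central1`, yet the pool lists `"locations": ["europe-west4-b"]`, its tags start with `gke-node-pool-cluster-`, and its `selfLink` points at `.../locations/europe-west4/clusters/node-pool-cluster-RANDOM_STRING/...`. The removed InSpec control checked the non-default pool's labels, tags, autoRepair and autoUpgrade against this cluster's own name. Whether the Go test still compares any of that depends on how `TGKEAssertGolden` treats the `default-pool` argument, which is not visible here. I would regenerate the file from a real run of this example so the node-pool section reflects the cluster under test.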
@@ -1,192 +0,0 @@ -# Copyright 2019 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -project_id = attribute('project_id') -location = attribute('location') -cluster_name = attribute('cluster_name') - -control "gcloud" do - title "Google Compute Engine GKE configuration" - describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq '' } - - let!(:data) do - if subject.exit_status == 0 - JSON.parse(subject.stdout) - else - {} - end - end - - describe "cluster" do - it "is running" do - expect(data['status']).to eq 'RUNNING' - end - - it "is regional" do - expect(data['location']).to match(/^.*[1-9]$/) - end - - it "uses public nodes and master endpoint" do - expect(data['privateClusterConfig']['enablePrivateEndpoint']).to eq nil - expect(data['privateClusterConfig']['enablePrivateNodes']).to eq nil - end - - it "has the expected addon settings" do - expect(data['addonsConfig']).to include( - "horizontalPodAutoscaling" => {}, - "httpLoadBalancing" => {}, - "kubernetesDashboard" => { - "disabled" => true, - }, - "networkPolicyConfig" => { - "disabled" => true, - }, - ) - end - - it "has dual stack enabled" do - expect(data['ipAllocationPolicy']).to include( - "stackType" => "IPV4_IPV6", - ) - end - - it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to include({ - "state" => 'DECRYPTED', - 
}) - end - - it "has the expected shieldedNodes config" do - expect(data['shieldedNodes']).to eq({ - "enabled" => true, - }) - end - - end - - describe "default node pool" do - let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } - - it "exists" do - expect(data['nodePools']).to include( - including( - "name" => "default-pool", - ) - ) - end - end - - describe "node pool" do - let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } - - it "has autoscaling enabled" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "enabled" => true, - ), - ) - ) - end - - it "has the expected minimum node count" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "minNodeCount" => 1, - ), - ) - ) - end - - it "has the expected maximum node count" do - expect(node_pools).to include( - including( - "autoscaling" => including( - "maxNodeCount" => 100, - ), - ) - ) - end - - it "is the expected machine type" do - expect(node_pools).to include( - including( - "config" => including( - "machineType" => "e2-medium", - ), - ) - ) - end - - it "has the expected disk size" do - expect(node_pools).to include( - including( - "config" => including( - "diskSizeGb" => 100, - ), - ) - ) - end - - it "has the expected labels" do - expect(node_pools).to include( - including( - "config" => including( - "labels" => including( - "cluster_name" => cluster_name, - "node_pool" => "default-node-pool", - ), - ), - ) - ) - end - - it "has the expected network tags" do - expect(node_pools).to include( - including( - "config" => including( - "tags" => match_array([ - "gke-#{cluster_name}", - "gke-#{cluster_name}-default-node-pool", - ]), - ), - ) - ) - end - - it "has autorepair enabled" do - expect(node_pools).to include( - including( - "management" => including( - "autoRepair" => true, - ), - ) - ) - end - - it "has autoupgrade enabled" do - expect(node_pools).to include( - including( 
- "management" => including( - "autoUpgrade" => true, - ), - ) - ) - end - end - end -end diff --git a/test/integration/simple_regional_with_ipv6/inspec.yml b/test/integration/simple_regional_with_ipv6/inspec.yml deleted file mode 100644 index e91bbc6ca9..0000000000 --- a/test/integration/simple_regional_with_ipv6/inspec.yml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: simple_regional_with_gateway_api -attributes: - - name: project_id - required: true - type: string - - name: location - required: true - type: string - - name: cluster_name - required: true - type: string - - name: kubernetes_endpoint - required: true - type: string - - name: client_token - required: true - type: string diff --git a/test/integration/simple_regional_with_ipv6/simple_regional_with_ipv6_test.go b/test/integration/simple_regional_with_ipv6/simple_regional_with_ipv6_test.go new file mode 100644 index 0000000000..54e113d766 --- /dev/null +++ b/test/integration/simple_regional_with_ipv6/simple_regional_with_ipv6_test.go 
@@ -0,0 +1,66 @@
+// Copyright 2024-2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package node_pool
+
+import (
+ "fmt"
+ "testing"
+ "time"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/cai"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+)
+
+func TestSimpleRegionalWithGatewayAPI(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
+
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ // Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+ // bpt.DefaultVerify(assert)
+ testutils.TGKEVerify(t, bpt, assert) // Verify Resources
+
+ projectId := bpt.GetStringOutput("project_id")
+ location := bpt.GetStringOutput("location")
+ clusterName := bpt.GetStringOutput("cluster_name")
+ randomString := bpt.GetStringOutput("random_string")
+ kubernetesEndpoint := bpt.GetStringOutput("kubernetes_endpoint")
+ nodeServiceAccount := bpt.GetStringOutput("compute_engine_service_account")
+
+ // Retrieve Project CAI
+ projectCAI := cai.GetProjectResources(t, projectId, cai.WithAssetTypes([]string{"container.googleapis.com/Cluster"}))
+
+ // Retrieve Cluster from CAI
+ // Equivalent gcloud describe command (classic)
+ // cluster := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
+ clusterResourceName := fmt.Sprintf("//container.googleapis.com/projects/%s/locations/%s/clusters/%s", projectId, location, clusterName)
+ cluster := projectCAI.Get("#(name=\"" + clusterResourceName + "\").resource.data")
+
+ // Setup golden image with sanitizers
+ g := golden.NewOrUpdate(t, cluster.String(),
+ golden.WithSanitizer(golden.StringSanitizer(nodeServiceAccount, "NODE_SERVICE_ACCOUNT")),
+ golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")),
+ golden.WithSanitizer(golden.StringSanitizer(randomString, "RANDOM_STRING")),
+ golden.WithSanitizer(golden.StringSanitizer(kubernetesEndpoint, "KUBERNETES_ENDPOINT")),
+ )
+
+ // Cluster Assertions
+ testutils.TGKEAssertGolden(assert, g, &cluster, []string{"default-pool"}, []string{"monitoringConfig.componentConfig.enableComponents"}) // TODO: enableComponents is UL
+ })
+ bpt.Test()
+}
diff --git a/test/integration/simple_regional_with_ipv6/testdata/TestSimpleRegionalWithIPV6.json b/test/integration/simple_regional_with_ipv6/testdata/TestSimpleRegionalWithIPV6.json
new file mode 100644
index 0000000000..11a1fa60dd
--- /dev/null
+++ b/test/integration/simple_regional_with_ipv6/testdata/TestSimpleRegionalWithIPV6.json
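Review bot: The test function added in `simple_regional_with_ipv6_test.go` is named `TestSimpleRegionalWithGatewayAPI`, which looks copied from the gateway-API test, while the golden file committed next to it is `TestSimpleRegionalWithIPV6.json`. If `golden.NewOrUpdate` derives the golden path from the test name (the other test/fixture pairs in this commit follow that pattern), the committed IPv6 snapshot is never read, and the comparison would presumably run against a file created from the live cluster on first run, so it could not fail. Rename it to `func TestSimpleRegionalWithIPV6(t *testing.T) {`. The `package node_pool` clause is a similar leftover and could be named after this directory.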
@@ -0,0 +1,265 @@ +{ + "addonsConfig": { + "configConnectorConfig": {}, + "dnsCacheConfig": {}, + "gcePersistentDiskCsiDriverConfig": { + "enabled": true + }, + "gcpFilestoreCsiDriverConfig": {}, + "gkeBackupAgentConfig": {}, + "horizontalPodAutoscaling": {}, + "httpLoadBalancing": {}, + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "autopilot": {}, + "autoscaling": { + "autoscalingProfile": "BALANCED" + }, + "binaryAuthorization": {}, + "clusterIpv4Cidr": "192.168.0.0/18", + "controlPlaneEndpointsConfig": { + "dnsEndpointConfig": { + "allowExternalTraffic": false + }, + "ipEndpointsConfig": { + "authorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "enablePublicEndpoint": true, + "enabled": true, + "privateEndpoint": "10.0.0.2", + "publicEndpoint": "KUBERNETES_ENDPOINT" + } + }, + "currentNodeCount": 3, + "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", + "state": "DECRYPTED" + }, + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "KUBERNETES_ENDPOINT", + "enterpriseConfig": { + "clusterTier": "STANDARD" + }, + "identityServiceConfig": {}, + "ipAllocationPolicy": { + "clusterIpv4Cidr": "192.168.0.0/18", + "clusterIpv4CidrBlock": "192.168.0.0/18", + "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", + "podCidrOverprovisionConfig": {}, + "servicesIpv4Cidr": "192.168.64.0/18", + "servicesIpv4CidrBlock": "192.168.64.0/18", + "servicesSecondaryRangeName": "cft-gke-test-services-RANDOM_STRING", + "stackType": "IPV4_IPV6", + "useIpAliases": true + }, + "labelFingerprint": "78cdf2f6", + "legacyAbac": {}, + "location": "us-central1", + "loggingConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "WORKLOADS" + ] + } + }, + "loggingService": "logging.googleapis.com/kubernetes", + "maintenancePolicy": { + "resourceVersion": "ce912209", + "window": { + "dailyMaintenanceWindow": { + "duration": "PT4H0M0S", + 
"startTime": "05:00" + } + } + }, + "masterAuth": { + "clientCertificateConfig": {} + }, + "masterAuthorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "meshCertificates": { + "enableCertificates": false + }, + "monitoringConfig": { + "advancedDatapathObservabilityConfig": {}, + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "STORAGE", + "HPA", + "POD", + "DAEMONSET", + "DEPLOYMENT", + "STATEFULSET", + "CADVISOR", + "KUBELET" + ] + }, + "managedPrometheusConfig": { + "enabled": true + } + }, + "monitoringService": "monitoring.googleapis.com/kubernetes", + "name": "simple-regional-ipv6-cluster-RANDOM_STRING", + "network": "cft-gke-test-RANDOM_STRING", + "networkConfig": { + "defaultSnatStatus": {}, + "network": "projects/PROJECT_ID/global/networks/cft-gke-test-RANDOM_STRING", + "serviceExternalIpsConfig": {}, + "subnetwork": "projects/PROJECT_ID/regions/us-central1/subnetworks/cft-gke-test-RANDOM_STRING" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-simple-regional-ipv6-cluster-RANDOM_STRING", + "gke-simple-regional-ipv6-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": {}, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "nodeKubeletConfig": {} + } + }, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "minNodeCount": 1, + "maxNodeCount": 
100 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "labels": { + "cluster_name": "simple-regional-gatewayapi-cluster-RANDOM_STRING", + "node_pool": "default-node-pool" + }, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "serviceAccount": "NODE_SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-node-pool-cluster-RANDOM_STRING", + "gke-node-pool-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "locations": [ + "europe-west4-b" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "name": "default-pool", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "cft-gke-test-pods-RANDOM_STRING" + }, + "podIpv4CidrSize": 24, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/europe-west4/clusters/node-pool-cluster-RANDOM_STRING/nodePools/default-pool", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + } + } + ], + "notificationConfig": { + "pubsub": {} + }, + "privateClusterConfig": { + "enablePrivateEndpoint": null, + "enablePrivateNodes": null, + "privateEndpoint": "KUBERNETES_ENDPOINT", + "publicEndpoint": "KUBERNETES_ENDPOINT" + }, + "rbacBindingConfig": { + "enableInsecureBindingSystemAuthenticated": true, + "enableInsecureBindingSystemUnauthenticated": true + }, + "releaseChannel": { + "channel": "REGULAR" + }, + "resourceLabels": { + "goog-terraform-provisioned": "true" + }, + 
"securityPostureConfig": { + "mode": "DISABLED", + "vulnerabilityMode": "VULNERABILITY_DISABLED" + }, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/simple-regional-ipv6-cluster-RANDOM_STRING", + "servicesIpv4Cidr": "192.168.64.0/18", + "shieldedNodes": { + "enabled": true + }, + "status": "RUNNING", + "subnetwork": "cft-gke-test-RANDOM_STRING", + "verticalPodAutoscaling": {}, + "workloadIdentityConfig": { + "workloadPool": "PROJECT_ID.svc.id.goog" + }, + "zone": "us-central1" +} diff --git a/test/integration/stub_domains/testdata/TestStubDomains.json b/test/integration/stub_domains/testdata/TestStubDomains.json index 07794f9ac5..b8bfde4020 100644 --- a/test/integration/stub_domains/testdata/TestStubDomains.json +++ b/test/integration/stub_domains/testdata/TestStubDomains.json @@ -53,7 +53,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", - "defaultPodIpv4RangeUtilization": 0.0469, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/stub_domains_private/testdata/TestStubDomainsPrivate.json b/test/integration/stub_domains_private/testdata/TestStubDomainsPrivate.json index 265e4cb2f2..6dc321fa39 100644 --- a/test/integration/stub_domains_private/testdata/TestStubDomainsPrivate.json +++ b/test/integration/stub_domains_private/testdata/TestStubDomainsPrivate.json @@ -53,7 +53,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", - "defaultPodIpv4RangeUtilization": 0.0469, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", 
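Review bot: The `nodePools[0]` entry in `TestSimpleRegionalWithIPV6.json` does not describe this cluster: its label is `"cluster_name": "simple-regional-gatewayapi-cluster-RANDOM_STRING"`, its tags are `gke-node-pool-cluster-RANDOM_STRING` and `gke-node-pool-cluster-RANDOM_STRING-default-pool`, and its `locations` and `selfLink` point at `europe-west4`, while the cluster itself is `simple-regional-ipv6-cluster-RANDOM_STRING` in `us-central1`. The test passes `default-pool` to `TGKEAssertGolden`, so this entry is presumably compared; if it is, the values are wrong, and if it is not, the snapshot gives false assurance about the pool's service account, OAuth scopes and shielded-instance settings. Regenerate the snapshot from a real run of this fixture instead of adapting a copy from another test.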
diff --git a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb b/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb deleted file mode 100644 index 8131dc371f..0000000000 --- a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb +++ /dev/null @@ -1,52 +0,0 @@ -# Copyright 2019 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -project_id = attribute('project_id') -location = attribute('location') -cluster_name = attribute('cluster_name') - -control "gcloud" do - title "Google Compute Engine GKE configuration" - describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq '' } - - let!(:data) do - if subject.exit_status == 0 - JSON.parse(subject.stdout) - else - {} - end - end - - describe "cluster" do - it "is running" do - expect(data['status']).to eq 'RUNNING' - end - - it "has the expected addon settings" do - expect(data['addonsConfig']).to include( - "horizontalPodAutoscaling" => {}, - "httpLoadBalancing" => {}, - "kubernetesDashboard" => { - "disabled" => true, - }, - "networkPolicyConfig" => { - "disabled" => true, - }, - ) - end - end - end -end diff --git a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb b/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb deleted file mode 100644 index 548140fc39..0000000000 
--- a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright 2019 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -require 'kubeclient' -require 'rest-client' - -require 'base64' - -kubernetes_endpoint = attribute('kubernetes_endpoint') -client_token = attribute('client_token') -ca_certificate = attribute('ca_certificate') - -control "kubectl" do - title "Kubernetes configuration" - - describe "kubernetes" do - let(:kubernetes_http_endpoint) { "https://#{kubernetes_endpoint}/api" } - let(:client) do - cert_store = OpenSSL::X509::Store.new - cert_store.add_cert(OpenSSL::X509::Certificate.new(Base64.decode64(ca_certificate))) - Kubeclient::Client.new( - kubernetes_http_endpoint, - "v1", - ssl_options: { - cert_store: cert_store, - verify_ssl: OpenSSL::SSL::VERIFY_PEER, - }, - auth_options: { - bearer_token: Base64.decode64(client_token), - }, - ) - end - - describe "configmap" do - describe "kube-dns" do - let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") } - - it "is managed by Terraform" do - expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform" - end - - it "reflects the stub_domains configuration" do - expect(JSON.parse(kubedns_configmap.data.stubDomains)).to eq({ - "example.com" => [ - "10.254.154.11", - "10.254.154.12", - ], - "example.net" => [ - "10.254.154.11", - "10.254.154.12", - ], - }) - end - - it "reflects the upstream_nameservers configuration" do - expect(JSON.parse(kubedns_configmap.data.upstreamNameservers)).to 
eq(["8.8.8.8", "8.8.4.4"]) - end - end - - describe "ipmasq" do - let(:ipmasq_configmap) { client.get_config_map("ip-masq-agent", "kube-system") } - - it "is created by Terraform" do - expect(ipmasq_configmap.metadata.labels.maintained_by).to eq "terraform" - end - - it "is configured properly" do - expect(YAML.load(ipmasq_configmap.data.config)).to eq({ - "nonMasqueradeCIDRs" => [ - "10.0.0.0/8", - "172.16.0.0/12", - "192.168.0.0/16", - ], - "resyncInterval" => "60s", - "masqLinkLocal" => false, - }) - end - end - end - end -end diff --git a/test/integration/stub_domains_upstream_nameservers/inspec.yml b/test/integration/stub_domains_upstream_nameservers/inspec.yml deleted file mode 100644 index 60e6f84963..0000000000 --- a/test/integration/stub_domains_upstream_nameservers/inspec.yml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: stub_domains_upstream_nameservers -attributes: - - name: project_id - required: true - type: string - - name: location - required: true - type: string - - name: cluster_name - required: true - type: string - - name: kubernetes_endpoint - required: true - type: string - - name: client_token - required: true - type: string - - name: ca_certificate - required: true - type: string 
diff --git a/test/integration/stub_domains_upstream_nameservers/stub_domains_upstream_nameservers_test.go b/test/integration/stub_domains_upstream_nameservers/stub_domains_upstream_nameservers_test.go new file mode 100644 index 0000000000..46811d8964 --- /dev/null +++ b/test/integration/stub_domains_upstream_nameservers/stub_domains_upstream_nameservers_test.go 
@@ -0,0 +1,102 @@
+// Copyright 2024-2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package node_pool
+
+import (
+ "fmt"
+ "testing"
+ "time"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/cai"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+ "github.com/gruntwork-io/terratest/modules/k8s"
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+)
+
+func TestStubDomainsUpstreamNameservers(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
+
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ // Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+ // bpt.DefaultVerify(assert)
+ testutils.TGKEVerify(t, bpt, assert) // Verify Resources
+
+ projectId := bpt.GetStringOutput("project_id")
+ location := bpt.GetStringOutput("location")
+ clusterName := bpt.GetStringOutput("cluster_name")
+ randomString := bpt.GetStringOutput("random_string")
+ kubernetesEndpoint := bpt.GetStringOutput("kubernetes_endpoint")
+ nodeServiceAccount := bpt.GetStringOutput("compute_engine_service_account")
+
+ // Retrieve Project CAI
+ projectCAI := cai.GetProjectResources(t, projectId, cai.WithAssetTypes([]string{"container.googleapis.com/Cluster"}))
+
+ // Retrieve Cluster from CAI
+ // Equivalent gcloud describe command (classic)
+ // cluster := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
+ clusterResourceName := fmt.Sprintf("//container.googleapis.com/projects/%s/locations/%s/clusters/%s", projectId, location, clusterName)
+ cluster := projectCAI.Get("#(name=\"" + clusterResourceName + "\").resource.data")
+
+ // Setup golden image with sanitizers
+ g := golden.NewOrUpdate(t, cluster.String(),
+ golden.WithSanitizer(golden.StringSanitizer(nodeServiceAccount, "NODE_SERVICE_ACCOUNT")),
+ golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")),
+ golden.WithSanitizer(golden.StringSanitizer(randomString, "RANDOM_STRING")),
+ golden.WithSanitizer(golden.StringSanitizer(kubernetesEndpoint, "KUBERNETES_ENDPOINT")),
+ )
+
+ // Cluster Assertions
+ testutils.TGKEAssertGolden(assert, g, &cluster, []string{}, []string{"monitoringConfig.componentConfig.enableComponents"}) // TODO: enableComponents is UL
+
+ // K8s Assertions
+ // CAI does not include k8s.io/ConfigMap
+ gcloud.Runf(t, "container clusters get-credentials %s --region %s --project %s", clusterName, location, projectId)
+ k8sOpts := k8s.NewKubectlOptions(fmt.Sprintf("gke_%s_%s_%s", projectId, location, clusterName), "", "")
+
+ // kube-dns
+ listKubeDnsConfigMap, err := k8s.RunKubectlAndGetOutputE(t, k8sOpts, "get", "configmap", "kube-dns", "-n", "kube-system", "-o", "json", "--show-managed-fields")
+ assert.NoError(err)
+ kubeDnsCM := utils.ParseKubectlJSONResult(t, listKubeDnsConfigMap)
+ assert.Contains("kube-dns", kubeDnsCM.Get("metadata.name").String(), "kube-dns configmap is present")
+ assert.Equal("Terraform", kubeDnsCM.Get("metadata.managedFields.0.manager").String(), "kube-dns configmap is managed by Terraform")
+ assert.Equal("[\"8.8.8.8\",\"8.8.4.4\"]\n", kubeDnsCM.Get("data.stubDomains").String(), "kube-dns configmap reflects the upstream_nameservers configuration")
+
+ assert.JSONEq(`{
+ "example.com": [
+ "10.254.154.11",
+ "10.254.154.12"
+ ],
+ "example.net": [
+ "10.254.154.11",
+ "10.254.154.12"
+ ]
+ }`,
+ kubeDnsCM.Get("data.stubDomains").String(), "kube-dns configmap the expected stubdomains")
+
+ // ip-masq-agent
+ listIpMasqAgentConfigMap, err := k8s.RunKubectlAndGetOutputE(t, k8sOpts, "get", "configmap", "ip-masq-agent", "-n", "kube-system", "-o", "json", "--show-managed-fields")
+ assert.NoError(err)
+ ipMasqAgentConfigMap := utils.ParseKubectlJSONResult(t, listIpMasqAgentConfigMap)
+ assert.Contains("ip-masq-agent", ipMasqAgentConfigMap.Get("metadata.name").String(), "ip-masq-agent configmap is present")
+ assert.Equal("terraform", ipMasqAgentConfigMap.Get("metadata.labels.maintained_by").String(), "ip-masq-agent configmap is maintained_by Terraform")
+ assert.Equal("nonMasqueradeCIDRs:\n - 10.0.0.0/8\n - 172.16.0.0/12\n - 192.168.0.0/16\nresyncInterval: 60s\nmasqLinkLocal: false\n", ipMasqAgentConfigMap.Get("data.config").String(), "ip-masq-agent configmap is configured properly")
+ })
+ bpt.Test()
+}
diff --git a/test/integration/stub_domains_upstream_nameservers/testdata/TestStubDomainsUpstreamNameservers.json b/test/integration/stub_domains_upstream_nameservers/testdata/TestStubDomainsUpstreamNameservers.json
new file mode 100644
index 0000000000..64b5c58081
--- /dev/null
+++ b/test/integration/stub_domains_upstream_nameservers/testdata/TestStubDomainsUpstreamNameservers.json
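Review bot: The upstream-nameservers assertion in `TestStubDomainsUpstreamNameservers` reads the wrong key: it compares `kubeDnsCM.Get("data.stubDomains").String()` with `"[\"8.8.8.8\",\"8.8.4.4\"]\n"`, while the `assert.JSONEq` right after it expects the same `data.stubDomains` value to be the example.com/example.net map, so the two cannot both pass. The removed InSpec control checked `upstreamNameservers`; use `kubeDnsCM.Get("data.upstreamNameservers").String()`, ideally with `assert.JSONEq` so a trailing newline does not matter. Separately, `assert.Contains("kube-dns", kubeDnsCM.Get("metadata.name").String(), …)` also passes when the name is empty, because the empty string is contained in every string. Use `assert.Equal("kube-dns", …)` there and for the `ip-masq-agent` check, so that a missing ConfigMap fails the test.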
@@ -0,0 +1,274 @@ +{ + "addonsConfig": { + "configConnectorConfig": {}, + "dnsCacheConfig": {}, + "gcePersistentDiskCsiDriverConfig": { + "enabled": true + }, + "gcpFilestoreCsiDriverConfig": {}, + "gkeBackupAgentConfig": {}, + "horizontalPodAutoscaling": {}, + "httpLoadBalancing": {}, + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "autopilot": {}, + "autoscaling": { + "autoscalingProfile": "BALANCED" + }, + "binaryAuthorization": {}, + "clusterIpv4Cidr": "192.168.0.0/18", + "controlPlaneEndpointsConfig": { + "dnsEndpointConfig": { + "allowExternalTraffic": false + }, + "ipEndpointsConfig": { + "authorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "enablePublicEndpoint": true, + "enabled": true, + "privateEndpoint": "10.0.0.2", + "publicEndpoint": "KUBERNETES_ENDPOINT" + } + }, + "currentNodeCount": 3, + "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", + "state": "DECRYPTED" + }, + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "KUBERNETES_ENDPOINT", + "enterpriseConfig": { + "clusterTier": "STANDARD" + }, + "identityServiceConfig": {}, + "ipAllocationPolicy": { + "clusterIpv4Cidr": "192.168.0.0/18", + "clusterIpv4CidrBlock": "192.168.0.0/18", + "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", + "podCidrOverprovisionConfig": {}, + "servicesIpv4Cidr": "192.168.64.0/18", + "servicesIpv4CidrBlock": "192.168.64.0/18", + "servicesSecondaryRangeName": "cft-gke-test-services-RANDOM_STRING", + "stackType": "IPV4", + "useIpAliases": true + }, + "labelFingerprint": "78cdf2f6", + "legacyAbac": {}, + "location": "us-central1", + "loggingConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "WORKLOADS" + ] + } + }, + "loggingService": "logging.googleapis.com/kubernetes", + "maintenancePolicy": { + "resourceVersion": "ce912209", + "window": { + "dailyMaintenanceWindow": { + "duration": "PT4H0M0S", + 
"startTime": "05:00" + } + } + }, + "masterAuth": { + "clientCertificateConfig": {} + }, + "masterAuthorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": true + }, + "meshCertificates": { + "enableCertificates": false + }, + "monitoringConfig": { + "advancedDatapathObservabilityConfig": {}, + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "STORAGE", + "HPA", + "POD", + "DAEMONSET", + "DEPLOYMENT", + "STATEFULSET", + "CADVISOR", + "KUBELET" + ] + }, + "managedPrometheusConfig": { + "enabled": true + } + }, + "monitoringService": "monitoring.googleapis.com/kubernetes", + "name": "domains-nameservers-cluster-RANDOM_STRING", + "network": "cft-gke-test-RANDOM_STRING", + "networkConfig": { + "defaultSnatStatus": {}, + "network": "projects/PROJECT_ID/global/networks/cft-gke-test-RANDOM_STRING", + "serviceExternalIpsConfig": {}, + "subnetwork": "projects/PROJECT_ID/regions/us-central1/subnetworks/cft-gke-test-RANDOM_STRING" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-domains-nameservers-cluster-RANDOM_STRING", + "gke-domains-nameservers-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": {}, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "nodeKubeletConfig": {} + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": {}, + "loggingConfig": { + 
"variantConfig": { + "variant": "DEFAULT" + } + }, + "nodeKubeletConfig": {} + } + }, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "minNodeCount": 1, + "maxNodeCount": 100 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "labels": { + "cluster_name": "domains-nameservers-cluster-RANDOM_STRING", + "node_pool": "default-node-pool" + }, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "serviceAccount": "NODE_SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-node-pool-cluster-RANDOM_STRING", + "gke-node-pool-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "locations": [ + "europe-west4-b" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "name": "default-pool", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "cft-gke-test-pods-RANDOM_STRING" + }, + "podIpv4CidrSize": 24, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/europe-west4/clusters/node-pool-cluster-RANDOM_STRING/nodePools/default-pool", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + } + } + ], + "notificationConfig": { + "pubsub": {} + }, + "privateClusterConfig": { + "privateEndpoint": "10.0.0.2", + "publicEndpoint": "KUBERNETES_ENDPOINT" + }, + "rbacBindingConfig": { + "enableInsecureBindingSystemAuthenticated": true, + "enableInsecureBindingSystemUnauthenticated": true + }, + "releaseChannel": { + "channel": 
"REGULAR" + }, + "resourceLabels": { + "goog-terraform-provisioned": "true" + }, + "securityPostureConfig": { + "mode": "DISABLED", + "vulnerabilityMode": "VULNERABILITY_DISABLED" + }, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/domains-nameservers-cluster-RANDOM_STRING", + "servicesIpv4Cidr": "192.168.64.0/18", + "shieldedNodes": { + "enabled": true + }, + "status": "RUNNING", + "subnetwork": "cft-gke-test-RANDOM_STRING", + "verticalPodAutoscaling": {}, + "workloadIdentityConfig": { + "workloadPool": "PROJECT_ID.svc.id.goog" + }, + "zone": "us-central1" +} diff --git a/test/integration/upstream_nameservers/testdata/TestUpstreamNameservers.json b/test/integration/upstream_nameservers/testdata/TestUpstreamNameservers.json index f650e4898c..5f9922e3d0 100644 --- a/test/integration/upstream_nameservers/testdata/TestUpstreamNameservers.json +++ b/test/integration/upstream_nameservers/testdata/TestUpstreamNameservers.json @@ -53,7 +53,6 @@ "clusterIpv4Cidr": "192.168.0.0/18", "clusterIpv4CidrBlock": "192.168.0.0/18", "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", - "defaultPodIpv4RangeUtilization": 0.0469, "podCidrOverprovisionConfig": {}, "servicesIpv4Cidr": "192.168.64.0/18", "servicesIpv4CidrBlock": "192.168.64.0/18", diff --git a/test/integration/workload_metadata_config/inspec.yml b/test/integration/workload_metadata_config/inspec.yml deleted file mode 100644 index 8aa790f975..0000000000 --- a/test/integration/workload_metadata_config/inspec.yml +++ /dev/null 
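Review bot: `TestStubDomainsUpstreamNameservers.json` declares the `"nodePoolDefaults"` object twice in a row; most parsers keep the last duplicate silently, but the repeat suggests the snapshot was assembled by hand, so drop the second copy. The `nodePools[0]` entry also carries tags `gke-node-pool-cluster-RANDOM_STRING` and a `europe-west4` `selfLink` and `locations`, which do not match the `domains-nameservers-cluster-RANDOM_STRING` cluster in `us-central1`. The test passes an empty node-pool list to `TGKEAssertGolden`, so these values are presumably not compared. Regenerating the file from a real run of this fixture would keep the snapshot an accurate record of the deployed node configuration.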
@@ -1,31 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: workload_metadata_config -attributes: - - name: cluster_name - required: true - type: string - - name: location - required: true - type: string - - name: project_id - required: true - type: string - - name: service_account - required: true - type: string - - name: registry_project_ids - required: false - type: array diff --git a/test/integration/workload_metadata_config/testdata/TestWorkloadMetadataConfig.json b/test/integration/workload_metadata_config/testdata/TestWorkloadMetadataConfig.json new file mode 100644 index 0000000000..094c65874f --- /dev/null +++ b/test/integration/workload_metadata_config/testdata/TestWorkloadMetadataConfig.json 
@@ -0,0 +1,194 @@ +{ + "addonsConfig": { + "configConnectorConfig": {}, + "dnsCacheConfig": {}, + "gcePersistentDiskCsiDriverConfig": { + "enabled": true + }, + "gcpFilestoreCsiDriverConfig": {}, + "gkeBackupAgentConfig": {}, + "horizontalPodAutoscaling": {}, + "httpLoadBalancing": {}, + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "autopilot": {}, + "autoscaling": { + "autoscalingProfile": "BALANCED" + }, + "binaryAuthorization": {}, + "clusterIpv4Cidr": "192.168.0.0/18", + "controlPlaneEndpointsConfig": { + "dnsEndpointConfig": { + "allowExternalTraffic": false + }, + "ipEndpointsConfig": { + "authorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": {} + }, + "enablePublicEndpoint": false, + "enabled": true, + "privateEndpoint": "KUBERNETES_ENDPOINT" + } + }, + "currentNodeCount": 1, + "databaseEncryption": { + "currentState": "CURRENT_STATE_DECRYPTED", + "state": "DECRYPTED" + }, + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "KUBERNETES_ENDPOINT", + "enterpriseConfig": { + "clusterTier": "STANDARD" + }, + "identityServiceConfig": {}, + "ipAllocationPolicy": { + "clusterIpv4Cidr": "192.168.0.0/18", + "clusterIpv4CidrBlock": "192.168.0.0/18", + "clusterSecondaryRangeName": "cft-gke-test-pods-RANDOM_STRING", + "podCidrOverprovisionConfig": {}, + "servicesIpv4Cidr": "192.168.64.0/18", + "servicesIpv4CidrBlock": "192.168.64.0/18", + "servicesSecondaryRangeName": "cft-gke-test-services-RANDOM_STRING", + "stackType": "IPV4", + "useIpAliases": true + }, + "labelFingerprint": "78cdf2f6", + "legacyAbac": {}, + "location": "us-central1-a", + "loggingConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "WORKLOADS" + ] + } + }, + "loggingService": "logging.googleapis.com/kubernetes", + "maintenancePolicy": { + "resourceVersion": "ce912209", + "window": { + "dailyMaintenanceWindow": { + "duration": "PT4H0M0S", + "startTime": "05:00" + } + } + }, + 
"masterAuth": { + "clientCertificateConfig": {} + }, + "masterAuthorizedNetworksConfig": { + "gcpPublicCidrsAccessEnabled": {} + }, + "meshCertificates": { + "enableCertificates": false + }, + "monitoringConfig": { + "advancedDatapathObservabilityConfig": {}, + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "STORAGE", + "HPA", + "POD", + "DAEMONSET", + "DEPLOYMENT", + "STATEFULSET", + "CADVISOR", + "KUBELET" + ] + }, + "managedPrometheusConfig": { + "enabled": true + } + }, + "monitoringService": "monitoring.googleapis.com/kubernetes", + "name": "workload-metadata-private-cluster-RANDOM_STRING", + "network": "cft-gke-test-RANDOM_STRING", + "networkConfig": { + "defaultSnatStatus": {}, + "network": "projects/PROJECT_ID/global/networks/cft-gke-test-RANDOM_STRING", + "serviceExternalIpsConfig": {}, + "subnetwork": "projects/PROJECT_ID/regions/us-central1/subnetworks/cft-gke-test-RANDOM_STRING" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-balanced", + "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2", + "gcfsConfig": {}, + "imageType": "COS_CONTAINERD", + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true + }, + "tags": [ + "gke-workload-metadata-private-cluster-RANDOM_STRING", + "gke-workload-metadata-private-cluster-RANDOM_STRING-default-pool" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": {}, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + }, + "nodeKubeletConfig": {} + } + }, + "notificationConfig": { + "pubsub": {} + }, + "privateClusterConfig": { + "privateEndpoint": "KUBERNETES_ENDPOINT" + 
}, + "rbacBindingConfig": { + "enableInsecureBindingSystemAuthenticated": true, + "enableInsecureBindingSystemUnauthenticated": true + }, + "releaseChannel": { + "channel": "REGULAR" + }, + "resourceLabels": { + "goog-terraform-provisioned": "true" + }, + "securityPostureConfig": { + "mode": "DISABLED", + "vulnerabilityMode": "VULNERABILITY_DISABLED" + }, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/us-central1-a/clusters/workload-metadata-private-cluster-RANDOM_STRING", + "servicesIpv4Cidr": "192.168.64.0/18", + "shieldedNodes": { + "enabled": true + }, + "status": "RUNNING", + "subnetwork": "cft-gke-test-RANDOM_STRING", + "verticalPodAutoscaling": {}, + "workloadIdentityConfig": { + "workloadPool": "PROJECT_ID.svc.id.goog" + }, + "zone": "us-central1-a" +} diff --git a/test/integration/workload_metadata_config/workload_metadata_config_test.go b/test/integration/workload_metadata_config/workload_metadata_config_test.go new file mode 100644 index 0000000000..d8baf8dcdc --- /dev/null +++ b/test/integration/workload_metadata_config/workload_metadata_config_test.go 
@@ -0,0 +1,66 @@
+// Copyright 2024-2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package node_pool
+
+import (
+ "fmt"
+ "testing"
+ "time"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/cai"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+)
+
+func TestWorkloadMetadataConfig(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
+
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ // Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+ // bpt.DefaultVerify(assert)
+ testutils.TGKEVerify(t, bpt, assert) // Verify Resources
+
+ projectId := bpt.GetStringOutput("project_id")
+ location := bpt.GetStringOutput("location")
+ clusterName := bpt.GetStringOutput("cluster_name")
+ randomString := bpt.GetStringOutput("random_string")
+ kubernetesEndpoint := bpt.GetStringOutput("kubernetes_endpoint")
+ //nodeServiceAccount := bpt.GetStringOutput("compute_engine_service_account")
+
+ // Retrieve Project CAI
+ projectCAI := cai.GetProjectResources(t, projectId, cai.WithAssetTypes([]string{"container.googleapis.com/Cluster", "iam.googleapis.com/PolicyV2"}))
+
+ // Retrieve Cluster from CAI
+ // Equivalent gcloud describe command (classic)
+ // cluster := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
+ clusterResourceName := fmt.Sprintf("//container.googleapis.com/projects/%s/zones/%s/clusters/%s", projectId, location, clusterName)
+ cluster := projectCAI.Get("#(name=\"" + clusterResourceName + "\").resource.data")
+
+ // Setup golden image with sanitizers
+ g := golden.NewOrUpdate(t, cluster.String(),
+ //golden.WithSanitizer(golden.StringSanitizer(nodeServiceAccount, "NODE_SERVICE_ACCOUNT")),
+ golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")),
+ golden.WithSanitizer(golden.StringSanitizer(randomString, "RANDOM_STRING")),
+ golden.WithSanitizer(golden.StringSanitizer(kubernetesEndpoint, "KUBERNETES_ENDPOINT")),
+ )
+
+ // Cluster Assertions
+ testutils.TGKEAssertGolden(assert, g, &cluster, []string{}, []string{"monitoringConfig.componentConfig.enableComponents"}) // TODO: enableComponents is UL
+ })
+ bpt.Test()
+}
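Review bot: The setting this test is named for, `nodeConfig.workloadMetadataConfig.mode`, is never asserted directly inside the `DefineVerify` closure; it is only covered through the golden comparison in `testutils.TGKEAssertGolden`, and since `golden.NewOrUpdate` can presumably regenerate that file, a drift away from `GKE_METADATA` could be absorbed by a routine golden refresh. An explicit check next to the golden assertion would pin it, for example `assert.Equal("GKE_METADATA", cluster.Get("nodeConfig.workloadMetadataConfig.mode").String(), "workload metadata mode")` (assuming `cluster` is the gjson result that `projectCAI.Get` appears to return). It would also help to fail early with a clear message when the CAI lookup matches nothing, e.g. `assert.True(cluster.Exists(), "cluster not found in CAI")`, rather than comparing an empty document against the golden file. Separately, `package node_pool` looks copied from another test directory and should probably be `package workload_metadata_config`, and the `iam.googleapis.com/PolicyV2` asset type is requested but nothing in this hunk reads it.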