fix: support explicit k8s version with unspecified release channel (#1335)

* fix: support explicit k8s version with unspecified release channel

* update example, add test

* Update versions.tf

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
bharathkkb and apeabody authored Jul 27, 2022
1 parent f8a5cca commit dc1de85
Showing 16 changed files with 42 additions and 11 deletions.
2 changes: 1 addition & 1 deletion autogen/main/cluster.tf.tmpl
Expand Up @@ -69,7 +69,7 @@ resource "google_container_cluster" "primary" {
disabled = var.disable_default_snat
}
{% endif %}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

{% if beta_cluster and autopilot_cluster != true %}
dynamic "cluster_telemetry" {
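Review bot: The rewritten `min_master_version` line depends on `||` binding tighter than `?:`; HCL does evaluate it that way, but this template is the source of every generated cluster.tf, so parenthesize the condition once here, `min_master_version = (var.release_channel == null || var.release_channel == "UNSPECIFIED") ? local.master_version : null`, so readers of the generated modules do not have to check operator precedence. The line also deserves a why-comment because of its security consequence, e.g. `# Pin the control-plane version only when no release channel will manage it; once pinned, tracking patch releases is the caller's job.` — the second half is my reading of GKE behaviour and should be confirmed against the provider docs before it is committed as fact. The `google_container_cluster.primary` resource begins before and ends after this hunk.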
2 changes: 1 addition & 1 deletion cluster.tf
Expand Up @@ -50,7 +50,7 @@ resource "google_container_cluster" "primary" {

subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"

min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

logging_service = var.logging_service
monitoring_service = var.monitoring_service
1 change: 1 addition & 0 deletions examples/safer_cluster/README.md
Expand Up @@ -17,6 +17,7 @@ This example illustrates how to instantiate the opinionated Safer Cluster module
| ca\_certificate | The cluster ca certificate (base64 encoded) |
| client\_token | The bearer token for auth |
| cluster\_name | Cluster name |
| explicit\_k8s\_version | Explicit version used for cluster creation |
| kubernetes\_endpoint | The cluster endpoint |
| location | n/a |
| master\_kubernetes\_version | Kubernetes version of the master |
14 changes: 14 additions & 0 deletions examples/safer_cluster/main.tf
Expand Up @@ -38,6 +38,18 @@ provider "kubernetes" {
cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}

// A random valid k8s version is retrived
// to specify as an explicit version.
data "google_container_engine_versions" "current" {
project = var.project_id
location = var.region
}

resource "random_shuffle" "version" {
input = data.google_container_engine_versions.current.valid_master_versions
result_count = 1
}

module "gke" {
source = "../../modules/safer-cluster/"
project_id = var.project_id
Expand All @@ -51,6 +63,8 @@ module "gke" {
master_ipv4_cidr_block = "172.16.0.0/28"
add_cluster_firewall_rules = true
firewall_inbound_ports = ["9443", "15017"]
kubernetes_version = random_shuffle.version.result[0]
release_channel = "UNSPECIFIED"

master_authorized_networks = [
{
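Review bot: The "safer" example now creates its cluster at a version chosen at random from `valid_master_versions` via `random_shuffle.version`, which can be the oldest still-supported release, and with `release_channel = "UNSPECIFIED"` nothing picks patched versions on the user's behalf; anyone copying this example inherits that posture. Since the intent is only to exercise the explicit-version code path, say so in the comment above the data source and steer real users away from it, e.g. `// TEST ONLY: a random supported version is picked to exercise the explicit-version path.` followed by `// Do not copy this: pin a specific, current patch release (or use a release channel) so upgrades are deliberate.` — which also fixes the `retrived` typo. Note too that `random_shuffle` is recreated when its `input` list changes, and GKE's valid-version list changes regularly, so successive applies of this example may try to move `kubernetes_version`; whether that forces a control-plane upgrade or an apply error is worth checking. The `module "gke"` block continues past the second hunk.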
5 changes: 5 additions & 0 deletions examples/safer_cluster/outputs.tf
Expand Up @@ -74,3 +74,8 @@ output "project_id" {
description = "The project ID the cluster is in"
value = var.project_id
}

output "explicit_k8s_version" {
description = "Explicit version used for cluster creation"
value = random_shuffle.version.result[0]
}
3 changes: 2 additions & 1 deletion examples/safer_cluster/versions.tf
Expand Up @@ -29,7 +29,8 @@ terraform {
source = "hashicorp/kubernetes"
}
random = {
source = "hashicorp/random"
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
2 changes: 1 addition & 1 deletion modules/beta-autopilot-private-cluster/cluster.tf
Expand Up @@ -51,7 +51,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

logging_service = var.logging_service
monitoring_service = var.monitoring_service
2 changes: 1 addition & 1 deletion modules/beta-autopilot-public-cluster/cluster.tf
Expand Up @@ -51,7 +51,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

logging_service = var.logging_service
monitoring_service = var.monitoring_service
2 changes: 1 addition & 1 deletion modules/beta-private-cluster-update-variant/cluster.tf
Expand Up @@ -59,7 +59,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

dynamic "cluster_telemetry" {
for_each = local.cluster_telemetry_type_is_set ? [1] : []
2 changes: 1 addition & 1 deletion modules/beta-private-cluster/cluster.tf
Expand Up @@ -59,7 +59,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

dynamic "cluster_telemetry" {
for_each = local.cluster_telemetry_type_is_set ? [1] : []
2 changes: 1 addition & 1 deletion modules/beta-public-cluster-update-variant/cluster.tf
Expand Up @@ -59,7 +59,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

dynamic "cluster_telemetry" {
for_each = local.cluster_telemetry_type_is_set ? [1] : []
2 changes: 1 addition & 1 deletion modules/beta-public-cluster/cluster.tf
Expand Up @@ -59,7 +59,7 @@ resource "google_container_cluster" "primary" {
default_snat_status {
disabled = var.disable_default_snat
}
min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

dynamic "cluster_telemetry" {
for_each = local.cluster_telemetry_type_is_set ? [1] : []
2 changes: 1 addition & 1 deletion modules/private-cluster-update-variant/cluster.tf
Expand Up @@ -50,7 +50,7 @@ resource "google_container_cluster" "primary" {

subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"

min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

logging_service = var.logging_service
monitoring_service = var.monitoring_service
2 changes: 1 addition & 1 deletion modules/private-cluster/cluster.tf
Expand Up @@ -50,7 +50,7 @@ resource "google_container_cluster" "primary" {

subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"

min_master_version = var.release_channel != null ? null : local.master_version
min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null

logging_service = var.logging_service
monitoring_service = var.monitoring_service
4 changes: 4 additions & 0 deletions test/fixtures/safer_cluster/outputs.tf
Expand Up @@ -55,3 +55,7 @@ output "service_account" {
description = "The service account to default running nodes as if not overridden in `node_pools`."
value = module.example.service_account
}

output "explicit_k8s_version" {
value = module.example.explicit_k8s_version
}
6 changes: 6 additions & 0 deletions test/integration/safer_cluster/controls/gcloud.rb
Expand Up @@ -15,6 +15,7 @@
project_id = attribute('project_id')
location = attribute('location')
cluster_name = attribute('cluster_name')
explicit_version = attribute('explicit_k8s_version')

control "gcloud" do
title "Google Compute Engine GKE configuration"
Expand All @@ -35,6 +36,11 @@
expect(data['status']).to eq 'RUNNING'
end

it "has expected explicit version" do
expect(data['currentMasterVersion']).to eq explicit_version
expect(data['currentNodeVersion']).to eq explicit_version
end

it "is regional" do
expect(data['location']).to match(/^.*[1-9]$/)
end
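Review bot: The new `has expected explicit version` example asserts `currentNodeVersion` equals the pinned version, but the change only pins the control plane through `kubernetes_version`; node pools landing on the same version is an assumption about the safer-cluster module's defaults that should be confirmed, or that second expectation dropped. The master check can also go stale on its own: the fixture picks a random supported version, and if GKE's control-plane auto-upgrade (which I believe runs regardless of release channel) moves it before InSpec runs, `currentMasterVersion` will be newer than `explicit_version` and the suite fails for reasons unrelated to this fix. A targeted failure message makes either case quick to triage, e.g. `expect(data['currentMasterVersion']).to eq(explicit_version), "control plane drifted from pinned #{explicit_version}"`. The enclosing `describe` that defines `data` starts before this hunk.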

0 comments on commit dc1de85

Please sign in to comment.