Merge branch 'master' into confidential-nodes-example

Author: arthurlapertosa

.kitchen.yml

@@ -85,13 +85,3 @@ suites:
       systems:
         - name: workload_metadata_config
           backend: local
-  - name: "node_pool"
-    transport:
-      root_module_directory: test/fixtures/node_pool
-    verifier:
-      systems:
-        - name: node_pool
-          backend: local
-          controls:
-            - gcloud
-            - kubectl

CODEOWNERS

@@ -1,7 +1,7 @@
 # NOTE: This file is automatically generated from values at:
 # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/infra/terraform/test-org/org/locals.tf
 
-* @terraform-google-modules/cft-admins @ericyz @gtsorbo
+* @terraform-google-modules/cft-admins @apeabody @ericyz @gtsorbo
 
 # NOTE: GitHub CODEOWNERS locations:
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection

build/int.cloudbuild.yaml

@@ -305,21 +305,21 @@ steps:
     - verify deploy-service-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestDeployService --stage destroy --verbose']
-- id: converge node-pool-local
+- id: apply node-pool-local
   waitFor:
     - create-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage apply --verbose']
 - id: verify node-pool-local
   waitFor:
-    - converge node-pool-local
+    - apply node-pool-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage verify --verbose']
 - id: destroy node-pool-local
   waitFor:
     - verify node-pool-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage destroy --verbose']
 - id: apply sandbox-enabled-local
   waitFor:
     - create-all
@@ -471,6 +471,21 @@ steps:
     - verify simple-fleet-app-operator-permissions
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage teardown --verbose']
+- id: apply test-confidential-safer-cluster
+  waitFor:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage apply --verbose']
+- id: verify test-confidential-safer-cluster
+  waitFor:
+    - apply test-confidential-safer-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage verify --verbose']
+- id: teardown test-confidential-safer-cluster
+  waitFor:
+    - verify test-confidential-safer-cluster
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestConfidentialSaferCluster --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/confidential_safer_cluster/network.tf

@@ -16,10 +16,11 @@
 
 module "gcp-network" {
   source  = "terraform-google-modules/network/google"
-  version = ">= 7.5"
+  version = "~> 10.0"
 
   project_id   = var.project_id
   network_name = local.network_name
+  routing_mode = "GLOBAL"
 
   subnets = [
     {

examples/confidential_safer_cluster/versions.tf

@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
   required_providers {
     google = {
       source = "hashicorp/google"

examples/node_pool/main.tf

@@ -43,6 +43,7 @@ module "gke" {
   disable_legacy_metadata_endpoints = false
   cluster_autoscaling               = var.cluster_autoscaling
   deletion_protection               = false
+  service_account                   = "default"
 
   node_pools = [
     {

test/fixtures/node_pool/example.tf

@@ -14,6 +14,10 @@
  * limitations under the License.
  */
 
+locals {
+  compute_engine_service_account = var.compute_engine_service_accounts[0]
+}
+
 module "example" {
   source = "../../../examples/node_pool"
 
@@ -25,7 +29,7 @@ module "example" {
   subnetwork                     = google_compute_subnetwork.main.name
   ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
   ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
-  compute_engine_service_account = var.compute_engine_service_accounts[0]
+  compute_engine_service_account = local.compute_engine_service_account
 
   cluster_autoscaling = {
     enabled             = true

test/fixtures/node_pool/outputs.tf

@@ -83,3 +83,11 @@ output "service_account" {
 output "registry_project_ids" {
   value = var.registry_project_ids
 }
+
+output "random_string" {
+  value = random_string.suffix.result
+}
+
+output "compute_engine_service_account" {
+  value = local.compute_engine_service_account
+}

test/integration/confidential_safer_cluster/confidential_safer_cluster_test.go

@@ -32,6 +32,7 @@ func TestConfidentialSaferCluster(t *testing.T) {
 	bpt.DefineVerify(func(assert *assert.Assertions) {
 		// Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
 		// bpt.DefaultVerify(assert)
+		testutils.TGKEVerify(t, bpt, assert)
 
 		projectId := bpt.GetStringOutput("project_id")
 		location := bpt.GetStringOutput("location")

test/integration/go.mod

@@ -9,6 +9,8 @@ require (
 	github.com/gruntwork-io/terratest v0.48.1
 	github.com/hashicorp/terraform-json v0.24.0
 	github.com/stretchr/testify v1.10.0
+	github.com/tidwall/gjson v1.18.0
+	golang.org/x/sync v0.10.0
 )
 
 require (
@@ -103,7 +105,6 @@ require (
 	github.com/pquerna/otp v1.4.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
@@ -112,14 +113,13 @@ require (
 	github.com/urfave/cli/v2 v2.25.7 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/zclconf/go-cty v1.15.1 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/net v0.31.0 // indirect
 	golang.org/x/oauth2 v0.24.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/term v0.26.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect