Feature/add gke tests

.kitchen.yml

@@ -1,4 +1,4 @@
-# Copyright 2018 Google LLC
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -66,6 +66,21 @@ suites:
           backend: local
           controls:
             - forseti-org-iam
+  - name: on_gke_end_to_end
+    lifecycle:
+      pre_verify:
+        - chmod go-rwx test/fixtures/on_gke_end_to_end/sshkey
+    driver:
+      name: terraform
+      root_module_directory: test/fixtures/on_gke_end_to_end/
+      command_timeout: 1800
+    verifier:
+      systems:
+        - name: gke
+          backend: local
+          controls:
+            - gcloud
+            - kubectl
   - name: shared_vpc
     lifecycle:
       pre_verify:

examples/on_gke_end_to_end/main.tf

@@ -172,4 +172,5 @@ module "forseti" {
   policy_library_repository_branch   = var.policy_library_repository_branch
   policy_library_sync_enabled        = var.policy_library_sync_enabled
   server_log_level                   = var.server_log_level
+  client_instance_metadata           = var.client_instance_metadata
 }

examples/on_gke_end_to_end/outputs.tf

@@ -14,6 +14,22 @@
  * limitations under the License.
  */
 
+output "client_token" {
+  description = "The bearer token for auth"
+  sensitive = true
+  value     = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  description = "The cluster CA certificate"
+  value       = module.gke.ca_certificate
+}
+
+output "config-validator-git-public-key-openssh" {
+  description = "The public OpenSSH key generated to allow the Forseti Server to clone the policy library repository."
+  value       = module.forseti.config-validator-git-public-key-openssh
+}
+
 output "forseti-client-service-account" {
   description = "Forseti Client service account"
   value       = module.forseti.forseti-client-service-account
@@ -24,47 +40,58 @@ output "forseti-client-storage-bucket" {
   value       = module.forseti.forseti-client-storage-bucket
 }
 
+output "forseti-client-vm-ip" {
+  description = "Forseti Client VM private IP address"
+  value       = module.forseti.forseti-client-vm-ip
+}
+
 output "forseti-cloudsql-connection-name" {
   description = "Forseti CloudSQL Connection String"
   value       = module.forseti.forseti-cloudsql-connection-name
 }
 
-output "forseti-client-vm-ip" {
-  description = "Forseti Client VM private IP address"
-  value       = module.forseti.forseti-client-vm-ip
+output "forseti-server-service-account" {
+  description = "Forseti Server service account"
+  value       = module.forseti.forseti-server-service-account
 }
 
 output "forseti-server-storage-bucket" {
   description = "Forseti Server storage bucket"
   value       = module.forseti.forseti-server-storage-bucket
 }
 
-output "forseti-server-service-account" {
-  description = "Forseti Server service account"
-  value       = module.forseti.forseti-server-service-account
+output "gke_cluster_location" {
+  description = "Cluster location"
+  value       = module.gke.location
+}
+
+output "gke_cluster_name" {
+  description = "Cluster name"
+  value = var.gke_cluster_name
+}
+
+output "kubernetes_endpoint" {
+  description = "The cluster endpoint"
+  sensitive = true
+  value     = module.gke.endpoint
 }
 
 output "kubernetes-forseti-namespace" {
   description = "The Kubernetes namespace in which Forseti is deployed"
   value       = module.forseti.kubernetes-forseti-namespace
 }
 
-output "kubernetes-forseti-tiller-sa-name" {
-  description = "The name of the service account deploying Forseti"
-  value       = module.forseti.kubernetes-forseti-tiller-sa-name
-}
-
 output "kubernetes-forseti-server-ingress" {
   description = "The loadbalancer ingress address of the forseti-server service in GKE"
   value       = module.forseti.kubernetes-forseti-server-ingress
 }
 
+output "kubernetes-forseti-tiller-sa-name" {
+  description = "The name of the service account deploying Forseti"
+  value       = module.forseti.kubernetes-forseti-tiller-sa-name
+}
+
 output "suffix" {
   description = "The random suffix appended to Forseti resources"
   value       = module.forseti.suffix
 }
-
-output "config-validator-git-public-key-openssh" {
-  description = "The public OpenSSH key generated to allow the Forseti Server to clone the policy library repository."
-  value       = module.forseti.config-validator-git-public-key-openssh
-}

examples/on_gke_end_to_end/variables.tf

@@ -196,6 +196,12 @@ variable "server_log_level" {
   default     = "info"
 }
 
+variable "client_instance_metadata" {
+  description = "Metadata key/value pairs to make available from within the client instance."
+  type        = map(string)
+  default     = {}
+}
+
 #----------------#
 # Forseti bucket #
 #----------------#

modules/on_gke/variables.tf

@@ -911,7 +911,7 @@ variable "git_sync_wait" {
 
 variable "helm_chart_version" {
   description = "The version of the Helm chart to use"
-  default     = "2.1.0"
+  default     = "2.2.0-rc1"
 }
 
 variable "helm_repository_url" {

test/fixtures/on_gke_end_to_end/main.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "tls_private_key" "main" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "local_file" "gce-keypair-pk" {
+  content  = tls_private_key.main.private_key_pem
+  filename = "${path.module}/sshkey"
+}
+
+#-------------------------#
+# Forseti
+#-------------------------#
+module "forseti" {
+  source = "../../../examples/on_gke_end_to_end"
+
+  # Forseti
+  config_validator_enabled = var.config_validator_enabled
+  domain                   = var.domain
+  gsuite_admin_email       = var.gsuite_admin_email
+
+  # Forseti Client
+  client_instance_metadata = {
+    sshKeys = "ubuntu:${tls_private_key.main.public_key_openssh}"
+  }
+
+  # GCP
+  org_id     = var.org_id
+  project_id = var.gke_project_id
+
+  # GKE
+  k8s_forseti_orchestrator_image_tag = var.k8s_forseti_orchestrator_image_tag
+  k8s_forseti_server_image_tag       = var.k8s_forseti_server_image_tag
+  network_description                = var.network_description
+}

test/fixtures/on_gke_end_to_end/outputs.tf

@@ -0,0 +1,52 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "client_token" {
+  description = "The bearer token for auth"
+  sensitive = true
+  value     = module.forseti.client_token
+}
+
+output "ca_certificate" {
+  description = "The cluster CA certificate"
+  value       = module.forseti.ca_certificate
+}
+
+output "forseti-client-vm-ip" {
+  description = "Forseti Client VM private IP address"
+  value       = module.forseti.forseti-client-vm-ip
+}
+
+output "gke_cluster_location" {
+  description = "Cluster location (region if regional cluster, zone if zonal cluster)"
+  value       = module.forseti.gke_cluster_location
+}
+
+output "gke_cluster_name" {
+  description = "The name of the GKE Cluster"
+  value       = module.forseti.gke_cluster_name
+}
+
+output "gke_project_id" {
+  description = "The ID of an existing Google project where Forseti will be installed"
+  value       = var.gke_project_id
+}
+
+output "kubernetes_endpoint" {
+  description = "The cluster endpoint"
+  sensitive = true
+  value     = module.forseti.kubernetes_endpoint
+}

test/fixtures/on_gke_end_to_end/variables.tf

@@ -0,0 +1,53 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "config_validator_enabled" {
+  description = "Config Validator scanner enabled."
+  type        = bool
+  default     = false
+}
+
+variable "domain" {
+  description = "The domain associated with the GCP Organization ID"
+}
+
+variable "gke_project_id" {
+  description = "The ID of an existing Google project where Forseti will be installed"
+}
+
+variable "gsuite_admin_email" {
+  description = "G-Suite administrator email address to manage your Forseti installation"
+}
+
+variable "k8s_forseti_orchestrator_image_tag" {
+  description = "The tag for the container image for the Forseti orchestrator"
+  default     = "master"
+}
+
+variable "k8s_forseti_server_image_tag" {
+  description = "The tag for the container image for the Forseti server"
+  default     = "master"
+}
+
+variable "network_description" {
+  type        = string
+  description = "An optional description of the network. The resource must be recreated to modify this field."
+  default     = "GKE Network"
+}
+
+variable "org_id" {
+  description = "GCP Organization ID that Forseti will have purview over"
+}

test/fixtures/on_gke_end_to_end/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}

test/integration/install_simple/controls/client.rb

@@ -0,0 +1 @@
+../../shared/controls/client.rb