Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add target tags to node_pool_auto_config for standard clusters #2118

Merged

Conversation

wyardley
Copy link
Contributor

While #1817 added autopilot support for adding tags to node_pool_auto_config when add_cluster_firewall_rules is set to true, the same change did not apply for standard (non-autopilot) clusters with cluster level autoscaling (nodepool autoprovisioning) in place,

Fixes #2104

Copy link
Contributor Author

@wyardley wyardley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@apeabody I'm not sure this example is one you'd want in examples -- I think I saw something about that; in that case, do I just fold the whole example into fixtures? Or should I just add more comments or adjust the sample code slightly?

@wyardley wyardley force-pushed the wyardley/fix_2104 branch 2 times, most recently from 1c97eef to 5882a43 Compare September 26, 2024 04:30
@apeabody
Copy link
Contributor

/gcbrun

@apeabody
Copy link
Contributor

@apeabody I'm not sure this example is one you'd want in examples -- I think I saw something about that; in that case, do I just fold the whole example into fixtures? Or should I just add more comments or adjust the sample code slightly?

Hi @wyardley! I think it's fine to add a relevant example, although we have to be careful with the concurrent test resource usage (might need to also waitFor a subsequent step).

While this repo has a cft test run all --stage init, it doesn't for the subsequent states, so you will need to add something like this:

build/int.cloudbuild.yaml

- id: apply simple-regional-cluster-autoscaling
  waitFor:
    - init-all
    - create-all
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage apply --verbose']
- id: verify simple-regional-cluster-autoscaling
  waitFor:
    - apply simple-regional-cluster-autoscaling
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage verify --verbose']
- id: destroy simple-regional-cluster-autoscaling
  waitFor:
    - verify simple-regional-cluster-autoscaling
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegionalClusterAutoscaling --stage teardown --verbose']

@wyardley
Copy link
Contributor Author

Hi @wyardley! I think it's fine to add a relevant example,

Yeah, I guess seemed a little niche of a use case; obviously someone copying that one without thinking about what it's doing could end up opening up network holes unnecessarily? And not sure if we should adjust the wording or comments anywhere, or make a more descriptive directory name?

I also picked simple regional as the base for this more or less arbitrarily.

I'll add in the snippet you suggested for the Cloudbuild config (should maybe remove the lint one at some point?) and we can see how it goes.

If the fixture with the expected content is too far off base to adjust, I will probably need your help to figure out how that should be updated / adjusted as well.

@apeabody
Copy link
Contributor

/gcbrun

@apeabody
Copy link
Contributor

I'll add in the snippet you suggested for the Cloudbuild config (should maybe remove the lint one at some point?) and we can see how it goes.

Sure: #2120

@apeabody
Copy link
Contributor

Looks like this will need to also wait on a longer destroy for resource availability.

Error: Error waiting to create Network: Error waiting for Creating Network: Quota 'NETWORKS' exceeded.  Limit: 15.0 globally.
	metric name = compute.googleapis.com/networks
	limit name = NETWORKS-per-project
	limit = 15
	dimensions = map[global:global]


  with google_compute_network.main,
  on network.tf line 27, in resource "google_compute_network" "main":
  27: resource "google_compute_network" "main" {

@wyardley
Copy link
Contributor Author

Looks like this will need to also wait on a longer destroy for resource availability.

Are you suggesting to bump the retry interval in tft.WithRetryableTerraformErrors(), or to override the timeout for the cloudrun job's step?

@apeabody
Copy link
Contributor

Looks like this will need to also wait on a longer destroy for resource availability.

Are you suggesting to bump the retry interval in tft.WithRetryableTerraformErrors(), or to override the timeout for the cloudrun job's step?

Sorry - Typo, that should be "later", not "longer. Like this example: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/build/int.cloudbuild.yaml#L458

@wyardley
Copy link
Contributor Author

wyardley commented Sep 27, 2024

Sorry - Typo, that should be "later", not "longer. Like this example

Since there's no explicit init step for this one, add it to the apply, right? Is 336cbff what you had in mind?

@apeabody
Copy link
Contributor

Sorry - Typo, that should be "later", not "longer. Like this example

Since there's no explicit init step for this one, add it to the apply, right? Is 336cbff what you had in mind?

Yeah - As there is now an init all, we shouldn't need the per test inits, and ideally can be removed at some point.

Looks good, let's see how the tests go:

/gcbrun

@apeabody
Copy link
Contributor

FYI: Any step you depend on has to be "earlier" in the cloudbuild file.

invalid build: invalid .steps field: build step https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/24 - "apply simple-regional-cluster-autoscaling" depends on "destroy simple-autopilot-private-local", which has not been defined

@apeabody
Copy link
Contributor

/gcbrun

1 similar comment
@apeabody
Copy link
Contributor

apeabody commented Oct 1, 2024

/gcbrun

@wyardley
Copy link
Contributor Author

wyardley commented Oct 1, 2024

Are we getting closer to a real failure yet? I can try to do the local setup if needed.

@apeabody
Copy link
Contributor

apeabody commented Oct 1, 2024

Are we getting closer to a real failure yet? I can try to do the local setup if needed.

I don't think so, there is an API change which is breaking the test data as of this morning. Will re-run this once that is updated.

@apeabody
Copy link
Contributor

apeabody commented Oct 3, 2024

/gcbrun

3 similar comments
@apeabody
Copy link
Contributor

apeabody commented Oct 4, 2024

/gcbrun

@apeabody
Copy link
Contributor

apeabody commented Oct 8, 2024

/gcbrun

@apeabody
Copy link
Contributor

apeabody commented Oct 9, 2024

/gcbrun

@wyardley
Copy link
Contributor Author

wyardley commented Oct 9, 2024

@apeabody this should almost definitely still be failing at least partially because of the roughed in / bad fixture, right?
Is there an easy way to collect / create the values that should be in there without setting up the whole integration test setup locally?

@apeabody
Copy link
Contributor

apeabody commented Oct 9, 2024

@apeabody this should almost definitely still be failing at least partially because of the roughed in / bad fixture, right? Is there an easy way to collect / create the values that should be in there without setting up the whole integration test setup locally?

Hi @wyardley! I didn't have a chance to review. In theory you could use the same command that is used in the verify to gather the details from a "model" project/cluster, but the formatting can be tricky, so this might be simpler:

Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:22:58Z command.go:185: "cloud-foundation-cicd"
Step #25 - "verify simple-regional-cluster-autoscaling":     golden.go:157: 
Step #25 - "verify simple-regional-cluster-autoscaling":         	Error Trace:	/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/golden/golden.go:157
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/workspace/test/integration/simple_regional_cluster_autoscaling/simple_regional_cluster_autoscaling_test.go:59
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:638
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/utils/stages.go:31
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
Step #25 - "verify simple-regional-cluster-autoscaling":         	Error:      	Not equal: 
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	expected: "{\n    \"configConnectorConfig\": {},\n    \"dnsCacheConfig\": {},\n    \"gcePersistentDiskCsiDriverConfig\": {\n      \"enabled\": true\n    },\n    \"gcpFilestoreCsiDriverConfig\": {},\n    \"gcsFuseCsiDriverConfig\": {\n      \"enabled\": true\n    },\n    \"gkeBackupAgentConfig\": {},\n    \"horizontalPodAutoscaling\": {},\n    \"httpLoadBalancing\": {},\n    \"kubernetesDashboard\": {\n      \"disabled\": true\n    },\n    \"networkPolicyConfig\": {\n      \"disabled\": true\n    },\n    \"statefulHaConfig\": {\n      \"enabled\": true\n    }\n  }"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	actual  : "{\n    \"configConnectorConfig\": {},\n    \"dnsCacheConfig\": {},\n    \"gcePersistentDiskCsiDriverConfig\": {\n      \"enabled\": true\n    },\n    \"gcpFilestoreCsiDriverConfig\": {},\n    \"gkeBackupAgentConfig\": {},\n    \"horizontalPodAutoscaling\": {},\n    \"httpLoadBalancing\": {},\n    \"kubernetesDashboard\": {\n      \"disabled\": true\n    },\n    \"networkPolicyConfig\": {\n      \"disabled\": true\n    }\n  }"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	Diff:
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	--- Expected
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	+++ Actual
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	@@ -7,5 +7,2 @@
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	     "gcpFilestoreCsiDriverConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-    "gcsFuseCsiDriverConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-      "enabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	     "gkeBackupAgentConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	@@ -18,5 +15,2 @@
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	       "disabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-    "statefulHaConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-      "enabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	     }
Step #25 - "verify simple-regional-cluster-autoscaling":         	Test:       	TestSimpleRegionalClusterAutoscaling
Step #25 - "verify simple-regional-cluster-autoscaling":         	Messages:   	expected addonsConfig to match fixture {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "configConnectorConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "dnsCacheConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "gcePersistentDiskCsiDriverConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	      "enabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "gcpFilestoreCsiDriverConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "gcsFuseCsiDriverConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	      "enabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "gkeBackupAgentConfig": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "horizontalPodAutoscaling": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "httpLoadBalancing": {},
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "kubernetesDashboard": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	      "disabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "networkPolicyConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	      "disabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    },
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "statefulHaConfig": {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	      "enabled": true
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    }
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	  }
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:22:59Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:22:59Z command.go:185: "cloud-foundation-cicd"
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:22:59Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:23:00Z command.go:185: "cloud-foundation-cicd"
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:23:00Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #25 - "verify simple-regional-cluster-autoscaling": TestSimpleRegionalClusterAutoscaling 2024-10-08T17:23:01Z command.go:185: "cloud-foundation-cicd"
Step #25 - "verify simple-regional-cluster-autoscaling":     golden.go:157: 
Step #25 - "verify simple-regional-cluster-autoscaling":         	Error Trace:	/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/golden/golden.go:157
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/workspace/test/integration/simple_regional_cluster_autoscaling/simple_regional_cluster_autoscaling_test.go:59
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:638
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/utils/stages.go:31
Step #25 - "verify simple-regional-cluster-autoscaling":         	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/[email protected]/pkg/tft/terraform.go:670
Step #25 - "verify simple-regional-cluster-autoscaling":         	Error:      	Not equal: 
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	expected: "{\n    \"evaluationMode\": \"PROJECT_SINGLETON_POLICY_ENFORCE\"\n  }"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	actual  : "{}"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	Diff:
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	--- Expected
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	+++ Actual
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	@@ -1,3 +1 @@
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-{
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-    "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	-  }
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	+{}
Step #25 - "verify simple-regional-cluster-autoscaling":         	Test:       	TestSimpleRegionalClusterAutoscaling
Step #25 - "verify simple-regional-cluster-autoscaling":         	Messages:   	expected binaryAuthorization to match fixture {
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	    "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
Step #25 - "verify simple-regional-cluster-autoscaling":         	            	  }

While terraform-google-modules#1817 added autopilot support for adding tags to
`node_pool_auto_config` when `add_cluster_firewall_rules` is set to
`true`, the same change did not apply for standard (non-autopilot)
clusters with cluster level autoscaling (nodepool autoprovisioning) in
place,

Fixes terraform-google-modules#2104

Signed-off-by: William Yardley <[email protected]>
@wyardley wyardley marked this pull request as ready for review October 9, 2024 17:37
@wyardley wyardley requested review from ericyz, gtsorbo and a team as code owners October 9, 2024 17:37
@apeabody
Copy link
Contributor

apeabody commented Oct 9, 2024

/gcbrun

@wyardley
Copy link
Contributor Author

wyardley commented Oct 9, 2024

Sorry, can you check if I missed something and / or anything else needs to be adjusted?

@apeabody
Copy link
Contributor

apeabody commented Oct 9, 2024

/gcbrun

@apeabody
Copy link
Contributor

apeabody commented Oct 9, 2024

Sorry, can you check if I missed something and / or anything else needs to be adjusted?

Looks good!

@wyardley
Copy link
Contributor Author

wyardley commented Oct 9, 2024

Ah, ok guess that last failure was another spurious one 🤷

thanks, glad this one is passing

Copy link
Contributor

@apeabody apeabody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution @wyardley!

@apeabody apeabody merged commit d5f66e8 into terraform-google-modules:master Oct 9, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

GKE Standard Clusters with AutoProvisioned NodePools not adding the Firewall target_tags
2 participants