
fix: Add additional guardrails for disabled workload identity. (#542)
morgante committed May 27, 2020
1 parent cc30fbb commit 43c4349
Showing 6 changed files with 12 additions and 31 deletions.
3 changes: 2 additions & 1 deletion autogen/main/main.tf.tmpl
Expand Up @@ -171,7 +171,8 @@ locals {
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled

cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
}]
# /BETA features
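Review bot: The new `workload_identity_enabled` guard recognises only a real null and the literal string "null", so an empty string still falls through to `[{ identity_namespace = var.identity_namespace }]` on the next line and is sent to the API as the workload pool instead of disabling the feature; consider adding the third case, `workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null" || var.identity_namespace == "")`. The string sentinel is also undocumented, and the next maintainer will be tempted to fold it back into a plain null check, so a comment on the new line such as `# A literal "null" string is treated as disabled as well as a real null — presumably for callers that cannot pass null through; TODO confirm which case this covers` is worth adding. Nothing in this hunk connects `local.workload_identity_enabled` to node metadata, and the example in this same commit has to set `node_metadata = "UNSPECIFIED"` by hand, which suggests the guard is not applied to node pools. The `locals` block starts and ends outside the hunk.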
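--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -47,6 +47,10 @@ module "gke" {
 enable_binary_authorization = var.enable_binary_authorization
 pod_security_policy_config = var.pod_security_policy_config
 release_channel = "REGULAR"
+
+# Disable workload identity
+identity_namespace = null
+node_metadata = "UNSPECIFIED"
 }
 
 data "google_client_config" "default" {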
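Review bot: Pairing `identity_namespace = null` with `node_metadata = "UNSPECIFIED"` leaves the node metadata server reachable from pods under GKE's default behaviour, as far as I know, so any pod in the example cluster can read the node service account's token — exactly the exposure workload identity exists to close, and an example is the file people copy as a template. If the intent is only to exercise the disabled path in tests, the comment should say so and name the safer value: `# Disable workload identity. "UNSPECIFIED" leaves the metadata server exposed to pods; prefer "SECURE" (metadata concealment) outside of test fixtures`. I cannot tell from this hunk which `node_metadata` values the module accepts when workload identity is off, so whether "SECURE" can simply be used here needs checking against the module's variable validation. The `module "gke"` block starts before the hunk.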
3 changes: 2 additions & 1 deletion modules/beta-private-cluster-update-variant/main.tf
Expand Up @@ -155,7 +155,8 @@ locals {
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled

cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
}]
# /BETA features
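Review bot: An empty-string `identity_namespace` is not caught by the new guard and still reaches `[{ identity_namespace = var.identity_namespace }]` on the following line, so the cluster would be submitted with an empty workload pool rather than having the feature disabled; `var.identity_namespace == ""` belongs in the same disjunction as the "null" sentinel. This file appears to mirror `autogen/main/main.tf.tmpl`, so the change should land in the template and be regenerated rather than patched here, if that is how the module is maintained. The `"null"` string case deserves a one-line comment explaining which caller needs it, since a plain null check looks like the obvious cleanup. The enclosing `locals` block extends beyond the hunk.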
3 changes: 2 additions & 1 deletion modules/beta-private-cluster/main.tf
Expand Up @@ -155,7 +155,8 @@ locals {
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled

cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
}]
# /BETA features
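Review bot: The guard on the new `workload_identity_enabled` line treats only null and the string "null" as disabled, so a caller passing `""` gets a `workload_identity_config` entry with an empty identity namespace from the line below instead of a disabled feature; extend the check with `|| var.identity_namespace == ""` or reject the empty string in the variable's validation. Nothing here derives the node metadata mode from `local.workload_identity_enabled`, so a private cluster can end up with workload identity off while node pools still request GKE metadata, unless that is guarded elsewhere in the module; that interaction is worth a comment on the new line. The `locals` block continues outside the hunk.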
3 changes: 2 additions & 1 deletion modules/beta-public-cluster/main.tf
Expand Up @@ -154,7 +154,8 @@ locals {
cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled

cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
}]
# /BETA features
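Review bot: Same gap as in the other modules: the new `workload_identity_enabled` expression does not treat `""` as disabled, so an empty identity namespace flows into `[{ identity_namespace = var.identity_namespace }]` on the next line and out to the API; add `|| var.identity_namespace == ""` to the disjunction. The "null" string sentinel should carry a short comment such as `# "null" (string) is accepted for callers that cannot pass a real null — TODO confirm` so it is not removed as dead code. The `locals` block starts and ends outside the hunk.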
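--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -74,13 +74,6 @@
 })
 end
 
-it "has the expected nodeMetadata conseal config" do
-expect(data['nodeConfig']['workloadMetadataConfig']).to eq({
-"mode" => "GKE_METADATA",
-"nodeMetadata" => 'GKE_METADATA_SERVER',
-})
-end
-
 it "has the expected podSecurityPolicyConfig config" do
 expect(data['podSecurityPolicyConfig']).to eq({
 "enabled" => true,
@@ -93,13 +86,6 @@
 "keyName" => attribute('database_encryption_key_name'),
 })
 end
-
-it "has the expected workload identity config" do
-expect(data['workloadIdentityConfig']).to eq({
-"identityNamespace" => attribute('identity_namespace'),
-"workloadPool" => attribute('identity_namespace'),
-})
-end
 end
 
 describe "default node pool" do
@@ -212,19 +198,6 @@
 )
 )
 end
-
-it "has the expected node metadata for workload identity" do
-expect(node_pools).to include(
-including(
-"config" => including(
-"workloadMetadataConfig" => eq(
-"mode" => "GKE_METADATA",
-"nodeMetadata" => 'GKE_METADATA_SERVER',
-),
-),
-)
-)
-end
 end
 end
 end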