Add a new resource and data source named rancher2_pod_security_admission_configuration_template for rancher2_pod_security_admission_configuration_template so users can manage custom admission configuration templates via Terraform for RKE and RKE2/K3s clusters.
Testing
Engineering Testing
Manual Testing
Tested creating, modifying, and removing a custom PSACT resource. All tests are successful.
Tested creating a template with bad data and this failed as expected.
Tested creating and destroying a PSACT along with an RKE2 cluster and RKE1 cluster. All tests are successful.
Tested fetching an existing rancher2_pod_security_admission_configuration_template data source.
Automated Testing
unit test
The standard sets of tests are added for the new Resource & DataSource.
acceptance test
The acceptance tests are added but "disabled" by making the function names lowercase. This is because the current framework does not support running acceptance tests in Rancher v2.7.9 and v2.8.1.
Here is how the acceptance test works:
step 1: start a k3s cluster, currently using the version v1.19.10-k3s1
step 2: deploy Rancher v2.3.6 using Helm
step 3: create a set of Resources via TF into the Rancher setup, and validate the expected values present
step 4: upgrade Rancher to 2.5.9 using Helm
Steps 3 and 4 are repeated to upgrade and test on Rancher v2.4.13, v2.5.9, and v2.6.2.
To add the tests for the PSACT resource, I tried to add Rancher v2.7.9 and v2.8.1 to the version list. However, it did not work due to the following reasons:
the local cluster version, v1.19.10-k3s1, is too old for Rancher v2.7.9 and v2.8.1, as well as a newer version of Cert-manager, to run
Some legacy resources, such as rancher2_app, cannot be deployed in Rancher v2.7.2 and above. More specifically, the app used in the test is deprecated and no new chart is available.
To make the acceptance test work, we need to:
add support for upgrading the local cluster
add support for deploying new versions of Rancher and Cert-manager
filter out the broken tests on the newer version of Rancher
Issue:
https://github.com/rancher/terraform-provider-rancher2/issues/1189
Problem
Rancher v2.7.2 supports a new CRD for Pod Security Admission (PSA) Configuration Templates that can only be created outside of TF manually.
Solution
Add a new resource and data source named rancher2_pod_security_admission_configuration_template for rancher2_pod_security_admission_configuration_template so users can manage custom admission configuration templates via Terraform for RKE and RKE2/K3s clusters.
That work is large enough to be a separate task. (Update: the issue was made https://github.com/rancher/terraform-provider-rancher2/issues/1308)
The good news is that the manual and automated tests that QA performs can cover more than the acceptance I planned to add.
QA Testing Considerations
rancher2_pod_security_admission_configuration_template
rancher2_pod_security_admission_configuration_template resource when it is used by existing clusters
rancher2_pod_security_admission_configuration_template and an RKE2 or RKE1 cluster that uses it in the same TF configuration
rancher2_pod_security_admission_configuration_template data source
Regressions Considerations
The new resource and data source themselves should not affect anything existing.
QA should validate there is no regression for deleting a rancher2_cluster_v2 resource because one change is made in this PR.
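
An added example, not part of this PR or the provider's own code: a custom PSACT and an RKE2 cluster that uses it in the same Terraform configuration, the combination listed under QA Testing Considerations. The resource labels, template name, exempted namespaces and Kubernetes version are constructed, and the attribute names are assumed from the provider's published schema, so check them against the release that ships this resource.

```hcl
# Custom Pod Security Admission configuration template (PSACT).
# Attribute names are assumed from the provider schema; values are constructed.
resource "rancher2_pod_security_admission_configuration_template" "custom" {
  name        = "custom-psact"
  description = "Restricted by default, with system namespaces exempted"

  # Cluster-wide defaults applied to namespaces that carry no PSA labels.
  defaults {
    enforce         = "restricted" # reject pods that violate the profile
    enforce_version = "latest"
    audit           = "restricted" # record violations in the audit log
    audit_version   = "latest"
    warn            = "restricted" # return warnings to the API client
    warn_version    = "latest"
  }

  # Exemptions bypass enforcement entirely, so keep the list short and
  # review every entry; each exempted namespace can run privileged pods.
  exemptions {
    usernames       = []
    runtime_classes = []
    namespaces      = ["kube-system", "cattle-system"]
  }
}

# RKE2 cluster that references the template by name. Referencing the
# resource attribute (not a string literal) makes Terraform create the
# template before the cluster and destroy it after the cluster.
resource "rancher2_cluster_v2" "example" {
  name               = "psact-example"
  kubernetes_version = "v1.27.10+rke2r1" # constructed sample version

  default_pod_security_admission_configuration_template_name = rancher2_pod_security_admission_configuration_template.custom.name
}

# Data source lookup of the same template by name. The depends_on keeps
# the read from running before the template exists on a first apply.
data "rancher2_pod_security_admission_configuration_template" "lookup" {
  name       = "custom-psact"
  depends_on = [rancher2_pod_security_admission_configuration_template.custom]
}

output "psact_enforce_level" {
  value = data.rancher2_pod_security_admission_configuration_template.lookup.defaults[0].enforce
}
```

Running `terraform destroy` on this configuration exercises the cluster-deletion path that the regression note above asks QA to validate.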