diff --git a/docs/upgrading_to_v20.0.md b/docs/upgrading_to_v20.0.md new file mode 100644 index 0000000000..6e24483370 --- /dev/null +++ b/docs/upgrading_to_v20.0.md @@ -0,0 +1,10 @@ +# Upgrading to v20.0 + +The v20.0 release of *kubernetes-engine* is a backwards incompatible +release for the Anthos Service Mesh (ASM) module. + +### ASM module rewrite + +The [ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been rewritten to use the `ControlPlaneRevision` API to provision +a managed control plane rather than using an installer script. Due to the drastic difference in implementation the module does not support an upgrade path +from the previous version. diff --git a/examples/simple_zonal_with_asm/hub.tf b/examples/simple_zonal_with_asm/hub.tf index 4f6162a01c..8fe8b1f6d9 100644 --- a/examples/simple_zonal_with_asm/hub.tf +++ b/examples/simple_zonal_with_asm/hub.tf @@ -14,11 +14,20 @@ * limitations under the License. */ -module "hub" { - source = "../../modules/hub" - project_id = var.project_id - location = module.gke.location - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - gke_hub_membership_name = "gke-asm-membership" +resource "google_gke_hub_membership" "cluster_membership" { + provider = google-beta + project = var.project_id + membership_id = "gke-asm-membership" + endpoint { + gke_cluster { + resource_link = "//container.googleapis.com/${module.gke.cluster_id}" + } + } +} + +resource "google_gke_hub_feature" "mesh" { + name = "servicemesh" + project = var.project_id + location = "global" + provider = google-beta } diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index 849248d38e..871f81670f 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -44,29 +44,23 @@ module "gke" { ip_range_services = var.ip_range_services network_policy = false cluster_resource_labels = { "mesh_id" : "proj-${data.google_project.project.number}" } + identity_namespace = "${var.project_id}.svc.id.goog" node_pools = [ { name = "asm-node-pool" autoscaling = false auto_upgrade = true - # ASM requires minimum 4 nodes and e2-standard-4 - node_count = 4 + node_count = 3 machine_type = "e2-standard-4" }, ] } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location - enable_cluster_roles = true - enable_cluster_labels = true - enable_gcp_apis = true - enable_gcp_components = true - enable_namespace_creation = true - options = ["envoy-access-log"] - outdir = "./${module.gke.name}-outdir" + source = "../../modules/asm" + project_id = var.project_id + cluster_name = module.gke.name + cluster_location = module.gke.location + multicluster_mode = "connected" + enable_cni = true } diff --git a/modules/asm/README.md b/modules/asm/README.md index 9c5f8d5fcb..11be0c1ab1 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md @@ -2,32 +2,23 @@ This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes Engine (GKE) cluster. -Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)). - ## Usage -There is a [full example](../../examples/simple_zonal_with_asm) provided. Detailed usage example is as follows: +There are a few prerequisites to using this module that can be done either through Terraform or manually: + +1. Enable the `mesh.cloud.googleapis.com` service +1. Enable the `servicemesh` feature on the cluster hub +1. Register target cluster to the servicemesh-enabled hub + +There is a full example provided [here](../../examples/simple_zonal_with_asm). Detailed usage example is as follows: ```tf module "asm" { - source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - - project_id = "my-project-id" - cluster_name = "my-cluster-name" - location = module.gke.location - cluster_endpoint = module.gke.endpoint - enable_all = false - enable_cluster_roles = true - enable_cluster_labels = false - enable_gcp_apis = false - enable_gcp_iam_roles = true - enable_gcp_components = true - enable_registration = false - managed_control_plane = false - options = ["envoy-access-log,egressgateways"] - custom_overlays = ["./custom_ingress_gateway.yaml"] - skip_validation = true - outdir = "./${module.gke.name}-outdir-${var.asm_version}" + source = "../../modules/asm" + project_id = var.project_id + cluster_name = module.gke.name + cluster_location = module.gke.location + enable_cni = true } ``` @@ -35,54 +26,25 @@ To deploy this config: 1. Run `terraform apply` -## Requirements - -- Anthos Service Mesh on GCP no longer requires an active Anthos license. You can use Anthos Service Mesh as a standalone product on GCP (on GKE) or as part of your Anthos subscription for hybrid and multi-cloud architectures. -- GKE cluster must have minimum four nodes. -- Minimum machine type is `e2-standard-4`. -- GKE cluster must be enrolled in a release channel. ASM does not support static version. -- ASM on a private GKE cluster requires adding a firewall rule to open port 15017 if you want to use [automatic sidecar injection](https://cloud.google.com/service-mesh/docs/proxy-injection). -- One ASM mesh per Google Cloud project is supported. - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8`, `1.9` and `1.10`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no | -| asm\_version | ASM version to deploy. This module supports versions `1.8`, `1.9` and `1.10`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no | -| ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no | -| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map(any)` | `{}` | no | -| cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | +| channel | The channel to use for this ASM installation. | `string` | `""` | no | +| cluster\_location | The cluster location for this ASM installation. | `string` | n/a | yes | | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | -| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list(any)` | `[]` | no | -| enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no | -| enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no | -| enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no | -| enable\_gcp\_apis | Sets `--enable_gcp_apis` option if true. | `bool` | `false` | no | -| enable\_gcp\_components | Sets --enable\_gcp\_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `bool` | `false` | no | -| enable\_gcp\_iam\_roles | Grants IAM roles required for ASM if true. If enable\_gcp\_iam\_roles, one of impersonate\_service\_account, service\_account, or iam\_member must be set. | `bool` | `false` | no | -| enable\_namespace\_creation | Sets `--enable_namespace_creation` option if true. | `bool` | `false` | no | -| enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no | -| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | -| iam\_member | The GCP member email address to grant IAM roles to. If impersonate\_service\_account or service\_account is set, roles are granted to that SA. | `string` | `""` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | -| key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no | -| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | -| managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | -| mode | ASM mode for deployment. Supported modes are `install` and `upgrade`. | `string` | `"install"` | no | -| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list(any)` | `[]` | no | -| outdir | Sets `--outdir` option. | `string` | `"none"` | no | +| enable\_cni | Determines whether to enable CNI for this ASM installation. Required to use Managed Data Plane (MDP). | `bool` | `false` | no | +| enable\_vpc\_sc | Determines whether to enable VPC-SC for this ASM installation. For more information read https://cloud.google.com/service-mesh/docs/managed/vpc-sc | `bool` | `false` | no | +| fleet\_id | The fleet to use for this ASM installation. | `string` | `""` | no | +| multicluster\_mode | [Preview] Determines whether remote secrets should be autogenerated across fleet cluster. | `string` | `"manual"` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | -| revision\_name | Sets `--revision-name` option. | `string` | `"none"` | no | -| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | -| service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | -| skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | ## Outputs | Name | Description | |------|-------------| -| asm\_wait | An output to use when you want to depend on ASM finishing | +| revision\_name | The name of the installed managed ASM revision. | +| wait | An output to use when depending on the ASM installation finishing. | - + diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 84e3828c39..72c8c734ed 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,95 +14,50 @@ * limitations under the License. */ -data "google_project" "asm_project" { - project_id = var.project_id -} - locals { - options_string = length(var.options) > 0 ? join(",", var.options) : "none" - custom_overlays_string = length(var.custom_overlays) > 0 ? join(",", var.custom_overlays) : "none" - asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) - service_account_string = (var.service_account == "" ? "none" : var.service_account) - key_file_string = (var.key_file == "" ? "none" : var.key_file) - ca_cert = lookup(var.ca_certs, "ca_cert", "none") - ca_key = lookup(var.ca_certs, "ca_key", "none") - root_cert = lookup(var.ca_certs, "root_cert", "none") - cert_chain = lookup(var.ca_certs, "cert_chain", "none") - revision_name_string = (var.revision_name == "" ? "none" : var.revision_name) - asm_minor_version = tonumber(split(".", var.asm_version)[1]) - # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L1970 - iam_roles = [ - "roles/container.admin", - "roles/meshconfig.admin", - "roles/gkehub.admin", - ] - # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L1958 - mcp_iam_roles = [ - "roles/serviceusage.serviceUsageConsumer", - "roles/container.admin", - "roles/monitoring.metricWriter", - "roles/logging.logWriter", - "roles/gkehub.viewer", - "roles/gkehub.gatewayAdmin", - ] - # if enable_gcp_iam_roles is set, grant IAM roles to first non null principal in the order below - asm_iam_member = var.enable_gcp_iam_roles ? coalesce(var.impersonate_service_account, var.service_account, var.iam_member) : "" - # compute any additonal resources that ASM provisioner should depend on - additional_depends_on = concat(var.enable_gcp_apis ? [module.asm-services[0].project_id] : [], local.asm_iam_member != "" ? [for k, v in google_project_iam_member.asm_iam : v.etag] : []) - # base command template for ASM installation - kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string} ${local.revision_name_string}" + // GKE release channel is a list with max length 1 https://github.com/hashicorp/terraform-provider-google/blob/9d5f69f9f0f74f1a8245f1a52dd6cffb572bbce4/google/resource_container_cluster.go#L954 + gke_release_channel = data.google_container_cluster.asm.release_channel != null ? data.google_container_cluster.asm.release_channel[0].channel : "" + gke_release_channel_filtered = lower(local.gke_release_channel) == "unspecified" ? "" : local.gke_release_channel + // In order or precedence, use (1) user specified channel, (2) GKE release channel, and (3) regular channel + channel = lower(coalesce(var.channel, local.gke_release_channel_filtered, "regular")) + revision_name = "asm-managed${local.channel == "regular" ? "" : "-${local.channel}"}" + // Fleet ID should default to project ID if unset + fleet_id = coalesce(var.fleet_id, var.project_id) } -resource "google_project_iam_member" "asm_iam" { - for_each = toset(local.asm_iam_member != "" ? (var.managed_control_plane ? local.mcp_iam_roles : local.iam_roles) : []) +data "google_container_cluster" "asm" { project = var.project_id - role = each.value - member = "serviceAccount:${local.asm_iam_member}" + name = var.cluster_name + location = var.cluster_location } -module "asm-services" { - source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 11.3" - - count = var.enable_gcp_apis ? 1 : 0 +resource "kubernetes_namespace" "system" { + metadata { + name = "istio-system" + } +} - project_id = var.project_id - disable_services_on_destroy = false - disable_dependent_services = false +resource "kubernetes_config_map" "asm_options" { + metadata { + name = "asm-options" + namespace = kubernetes_namespace.system.metadata[0].name + } - # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L2005 - activate_apis = [ - "container.googleapis.com", - "monitoring.googleapis.com", - "logging.googleapis.com", - "cloudtrace.googleapis.com", - "meshtelemetry.googleapis.com", - "meshconfig.googleapis.com", - "meshca.googleapis.com", - "iamcredentials.googleapis.com", - "gkeconnect.googleapis.com", - "gkehub.googleapis.com", - "cloudresourcemanager.googleapis.com", - "stackdriver.googleapis.com", - ] + data = { + multicluster_mode = var.multicluster_mode + } } -module "asm_install" { +module "cpr" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" version = "~> 3.1" - module_depends_on = concat([var.cluster_endpoint], local.additional_depends_on) + project_id = var.project_id + cluster_name = var.cluster_name + cluster_location = var.cluster_location - gcloud_sdk_version = var.gcloud_sdk_version - upgrade = true - additional_components = ["kubectl", "kpt", "beta"] - cluster_name = var.cluster_name - cluster_location = var.location - project_id = var.project_id - service_account_key_file = var.service_account_key_file - impersonate_service_account = var.impersonate_service_account + kubectl_create_command = "${path.module}/scripts/create_cpr.sh ${local.revision_name} ${local.channel} ${var.enable_cni} ${var.enable_vpc_sc}" + kubectl_destroy_command = "${path.module}/scripts/destroy_cpr.sh ${local.revision_name}" - # enable_namespace_creation flag is only available starting 1.10 - kubectl_create_command = (local.asm_minor_version > 9 ? "${local.kubectl_create_command_base} ${var.enable_namespace_creation}" : local.kubectl_create_command_base) - kubectl_destroy_command = "${path.module}/scripts/destroy_asm.sh" + module_depends_on = [kubernetes_config_map.asm_options] } diff --git a/modules/asm/outputs.tf b/modules/asm/outputs.tf index 7b806b515d..ba9237238c 100644 --- a/modules/asm/outputs.tf +++ b/modules/asm/outputs.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,7 +14,12 @@ * limitations under the License. */ -output "asm_wait" { - description = "An output to use when you want to depend on ASM finishing" - value = module.asm_install.wait +output "revision_name" { + value = local.revision_name + description = "The name of the installed managed ASM revision." +} + +output "wait" { + value = module.cpr.wait + description = "An output to use when depending on the ASM installation finishing." } diff --git a/modules/asm/scripts/.gitignore b/modules/asm/scripts/.gitignore deleted file mode 100644 index a0e7b1004b..0000000000 --- a/modules/asm/scripts/.gitignore +++ /dev/null @@ -1 +0,0 @@ -install_asm diff --git a/modules/asm/scripts/create_cpr.sh b/modules/asm/scripts/create_cpr.sh new file mode 100755 index 0000000000..60ad768cbe --- /dev/null +++ b/modules/asm/scripts/create_cpr.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +if [ "$#" -lt 4 ]; then + >&2 echo "Not all expected arguments set." + exit 1 +fi + +REVISION_NAME=$1; shift +CHANNEL=$1; shift +ENABLE_CNI=$1; shift +ENABLE_VPC_SC=$1; shift + +# Wait for the CRD to get created before creating the CPR. Not possible to use `kubectl --wait ...` here since +# the CRD won't exist at the time of checking (https://stackoverflow.com/questions/57115602/how-to-kubectl-wait-for-crd-creation) +readonly CPR_RESOURCE=controlplanerevisions.mesh.cloud.google.com +for _i in {1..18}; do + echo "Ensuring ControlPlaneRevision exists in cluster... attempt ${_i}" + if kubectl get crd "${CPR_RESOURCE}" + then + break + else + sleep 10 + fi +done + +kubectl wait --for condition=established --timeout=60s crd/"${CPR_RESOURCE}" + +cat <&2 echo "Not all expected arguments set." + exit 1 +fi + +REVISION_NAME=$1; shift + +if ! kubectl delete controlplanerevision -n istio-system "${REVISION_NAME}" ; then + echo "ControlPlaneRevision ${REVISION_NAME} not found" +fi diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh deleted file mode 100755 index 3be6f6d92f..0000000000 --- a/modules/asm/scripts/install_asm.sh +++ /dev/null @@ -1,217 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -e - -if [ "$#" -lt 5 ]; then - >&2 echo "Not all expected arguments set." - exit 1 -fi - -PROJECT_ID=${1} -CLUSTER_NAME=${2} -CLUSTER_LOCATION=${3} -ASM_VERSION=${4} -MODE=${5} -MCP=${6} -SKIP_VALIDATION=${7} -OPTIONS_LIST=${8} -CUSTOM_OVERLAYS_LIST=${9} -ENABLE_ALL=${10} -ENABLE_CLUSTER_ROLES=${11} -ENABLE_CLUSTER_LABELS=${12} -ENABLE_GCP_COMPONENTS=${13} -ENABLE_REGISTRATION=${14} -OUTDIR=${15} -CA=${16} -CA_CERT=${17} -CA_KEY=${18} -ROOT_CERT=${19} -CERT_CHAIN=${20} -SERVICE_ACCOUNT=${21} -KEY_FILE=${22} -ASM_GIT_TAG=${23} -REVISION_NAME=${24} -ENABLE_NAMESPACE_CREATION=${25} - -# Set SKIP_VALIDATION variable -if [[ ${SKIP_VALIDATION} = "true" ]]; then - export _CI_NO_VALIDATE=1 -else - export _CI_NO_VALIDATE=0 -fi - -# Create bash arrays from options and custom_overlays lists -if [[ ${OPTIONS_LIST} ]]; then - IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}" -elif [[ ${OPTIONS_LIST} = "" ]]; then - read -r -a OPTIONS <<< "none" -fi - -if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then - IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}" -else - read -r -a CUSTOM_OVERLAYS <<< "none" -fi - -# Echo all values -echo -e "MODE is $MODE" -echo -e "MCP is $MCP" -echo -e "ASM_VERSION is $ASM_VERSION" -echo -e "ASM_GIT_TAG is $ASM_GIT_TAG" -echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" -echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" -echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" -echo -e "OPTIONS array length is ${#OPTIONS[@]}" -# Create options command snippet -item="${OPTIONS[*]}";OPTIONS_COMMAND=$(echo "--option" "${item// / --option }") -echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND" -echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" -# Create custom_overlays command snippet -if [[ "${CUSTOM_OVERLAYS[*]}" == "none" ]]; then - CUSTOM_OVERLAYS_COMMAND="--custom_overlay none" -else - item="${CUSTOM_OVERLAYS[*]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" "$(pwd)/${item// / --custom_overlay $(pwd)/}") -fi -echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND" -echo -e "ENABLE_ALL is $ENABLE_ALL" -echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES" -echo -e "ENABLE_CLUSTER_LABELS is $ENABLE_CLUSTER_LABELS" -echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS" -echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION" -echo -e "ENABLE_NAMESPACE_CREATION is $ENABLE_NAMESPACE_CREATION" -echo -e "OUTDIR is $OUTDIR" -echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT" -echo -e "KEY_FILE is $KEY_FILE" -echo -e "REVISION_NAME is $REVISION_NAME" -echo -e "CA is $CA" -echo -e "CA_CERT is $CA_CERT" -echo -e "CA_KEY is $CA_KEY" -echo -e "ROOT_CERT is $ROOT_CERT" -echo -e "CERT_CHAIN is $CERT_CHAIN" -#download the correct version of the install_asm script -if [[ "${ASM_GIT_TAG}" = "none" ]]; then - echo -e "Downloading install_asm with latest git tag..." - curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" - chmod u+x install_asm_"${ASM_VERSION}" -else - ASM_GIT_TAG_FIXED=$(sed 's/+/-/g' <<<"$ASM_GIT_TAG") - echo -e "Downloading install_asm with git tag $ASM_GIT_TAG..." - curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_GIT_TAG_FIXED}" > install_asm_"${ASM_VERSION}" - chmod u+x install_asm_"${ASM_VERSION}" -fi - -# Craft MCP section for install_asm -if [[ "${MCP}" = true ]]; then - MCP_COMMAND_SNIPPET="--managed" -else - MCP_COMMAND_SNIPPET="" -fi - -# Craft service_account section for install_asm -if [[ "${SERVICE_ACCOUNT}" = "none" ]]; then - SERVICE_ACCOUNT_COMMAND_SNIPPET="" -else - SERVICE_ACCOUNT_COMMAND_SNIPPET="--service_account ${SERVICE_ACCOUNT}" -fi - -# Craft key_file section for install_asm -if [[ "${KEY_FILE}" = "none" ]]; then - KEY_FILE_COMMAND_SNIPPET="" -else - KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}" -fi - -# Craft options section for install_asm -if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then - OPTIONS_COMMAND_SNIPPET="" -else - OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}" -fi - -if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then - CUSTOM_OVERLAYS_COMMAND_SNIPPET="" -else - CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}" -fi - -if [[ "${ENABLE_ALL}" = false ]]; then - ENABLE_ALL_COMMAND_SNIPPET="" -else - ENABLE_ALL_COMMAND_SNIPPET="--enable_all" -fi - -if [[ "${ENABLE_CLUSTER_ROLES}" = false ]]; then - ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="" -else - ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="--enable_cluster_roles" -fi - -if [[ "${ENABLE_CLUSTER_LABELS}" = false ]]; then - ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="" -else - ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="--enable_cluster_labels" -fi - -if [[ "${ENABLE_GCP_COMPONENTS}" = false ]]; then - ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="" -else - ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="--enable_gcp_components" -fi - -if [[ "${ENABLE_REGISTRATION}" = false ]]; then - ENABLE_REGISTRATION_COMMAND_SNIPPET="" -else - ENABLE_REGISTRATION_COMMAND_SNIPPET="--enable_registration" -fi - -if [[ "${ENABLE_NAMESPACE_CREATION}" = true ]]; then - ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET="--enable_namespace_creation" -else - ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET="" -fi - -if [[ "${OUTDIR}" = "none" ]]; then - OUTDIR_COMMAND_SNIPPET="" -else - OUTDIR_COMMAND_SNIPPET="--output_dir ${OUTDIR}" - mkdir -p "${OUTDIR}" -fi - -if [[ "${CA}" == "citadel" ]]; then - CA_COMMAND_SNIPPET="--ca citadel" -else - CA_COMMAND_SNIPPET="" -fi - -if [[ "${CA_CERT}" == "none" ]]; then - CA_CERTS_COMMAND_SNIPPET="" -else - CA_CERTS_COMMAND_SNIPPET="--ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}" -fi - -if [[ "${REVISION_NAME}" == "none" ]]; then - REVISION_NAME_COMMAND_SNIPPET="" -else - REVISION_NAME_COMMAND_SNIPPET="--revision_name ${REVISION_NAME}" -fi - -# Echo the command before executing -echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}" - -# run the script with appropriate flags -# shellcheck disable=SC2086 -./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index a3002eda3d..71efd3c59e 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,187 +14,63 @@ * limitations under the License. */ -variable "cluster_name" { - description = "The unique name to identify the cluster in ASM." - type = string -} - -variable "cluster_endpoint" { - description = "The GKE cluster endpoint." - type = string -} - variable "project_id" { description = "The project in which the resource belongs." type = string } -variable "location" { - description = "The location (zone or region) this cluster has been created in." - type = string -} - -variable "gcloud_sdk_version" { - description = "The gcloud sdk version to use. Minimum required version is 293.0.0" - type = string - default = "296.0.1" -} - -# variable "asm_dir" { -# description = "Name of directory to keep ASM resource config files." -# type = string -# default = "asm-dir" -# } - -variable "service_account_key_file" { - description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`." - default = "" -} - -variable "asm_version" { - description = "ASM version to deploy. This module supports versions `1.8`, `1.9` and `1.10`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" - type = string - default = "1.9" -} - -variable "asm_git_tag" { - description = "ASM git tag to deploy. This module supports versions `1.8`, `1.9` and `1.10`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable." +variable "cluster_name" { + description = "The unique name to identify the cluster in ASM." type = string - default = "" } -variable "mode" { - description = "ASM mode for deployment. Supported modes are `install` and `upgrade`." +variable "cluster_location" { + description = "The cluster location for this ASM installation." type = string - default = "install" } -variable "service_account" { - description = "The GCP Service Account email address used to deploy ASM." +variable "fleet_id" { + description = "The fleet to use for this ASM installation." type = string default = "" } -variable "key_file" { - description = "The GCP Service Account credentials file path used to deploy ASM." +variable "channel" { + description = "The channel to use for this ASM installation." type = string - default = "" -} - -variable "managed_control_plane" { - description = "ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional." - type = bool - default = false + validation { + condition = anytrue([ + var.channel == "rapid", + var.channel == "regular", + var.channel == "stable", + var.channel == "", // if unset, use GKE data source and use release cluster channel + ]) + error_message = "Must be one of rapid, regular, or stable." + } + default = "" } -variable "impersonate_service_account" { +variable "multicluster_mode" { + description = "[Preview] Determines whether remote secrets should be autogenerated across fleet cluster." type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - -variable "options" { - description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features." - type = list(any) - default = [] -} - -variable "custom_overlays" { - description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file" - type = list(any) - default = [] -} - -variable "skip_validation" { - description = "Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc." - type = bool - default = false -} - -variable "enable_all" { - description = "Sets `--enable_all` option if true." - type = bool - default = false -} - -variable "enable_cluster_roles" { - description = "Sets `--enable_cluster_roles` option if true." - type = bool - default = false -} - -variable "enable_cluster_labels" { - description = "Sets `--enable_cluster_labels` option if true." - type = bool - default = false -} - -variable "enable_gcp_apis" { - description = "Sets `--enable_gcp_apis` option if true." - type = bool - default = false -} - -variable "enable_gcp_iam_roles" { - description = "Grants IAM roles required for ASM if true. If enable_gcp_iam_roles, one of impersonate_service_account, service_account, or iam_member must be set." - type = bool - default = false -} - -variable "enable_gcp_components" { - description = "Sets --enable_gcp_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" - type = bool - default = false + validation { + condition = anytrue([ + var.multicluster_mode == "manual", + var.multicluster_mode == "connected", + ]) + error_message = "Must be one of manual or connected." + } + default = "manual" } -variable "enable_registration" { - description = "Sets `--enable_registration` option if true." +variable "enable_cni" { + description = "Determines whether to enable CNI for this ASM installation. Required to use Managed Data Plane (MDP)." type = bool default = false } -variable "enable_namespace_creation" { - description = "Sets `--enable_namespace_creation` option if true." +variable "enable_vpc_sc" { + description = "Determines whether to enable VPC-SC for this ASM installation. For more information read https://cloud.google.com/service-mesh/docs/managed/vpc-sc" type = bool default = false } - -variable "outdir" { - description = "Sets `--outdir` option." - type = string - default = "none" -} - -variable "ca" { - description = "Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." - type = string - default = "meshca" -} - -variable "ca_certs" { - description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." - type = map(any) - default = {} - # default = { - # "ca_cert" = "none" - # "ca_key" = "none" - # "root_cert" = "none" - # "cert_chain" = "none" - # } - validation { - condition = contains([4, 0], length(compact([for k in ["ca_cert", "ca_key", "root_cert", "cert_chain"] : lookup(var.ca_certs, k, "")]))) - error_message = "One or more required keys for ca_certs are missing. If you plan to use the self-signed certificate, do not declare the ca_certs variable." - } -} - -variable "iam_member" { - description = "The GCP member email address to grant IAM roles to. If impersonate_service_account or service_account is set, roles are granted to that SA." - type = string - default = "" -} - -variable "revision_name" { - description = "Sets `--revision-name` option." - type = string - default = "none" -} diff --git a/test/integration/simple_zonal_with_asm/controls/kubectl.rb b/test/integration/simple_zonal_with_asm/controls/kubectl.rb index e0b42a317f..6d4370de06 100644 --- a/test/integration/simple_zonal_with_asm/controls/kubectl.rb +++ b/test/integration/simple_zonal_with_asm/controls/kubectl.rb @@ -42,17 +42,21 @@ ) end - describe "Mesh" do - describe "CA" do - let(:pod) { client.get_pods(label_selector:"app=istio-ingressgateway", namespace: "istio-system", as: :raw) } - it "ingressgateway exists" do - expect(pod).not_to be_nil - end + describe "configmap" do + describe "asm-options" do + let(:asmoptions_configmap) { client.get_config_map("asm-options", "istio-system") } - it "ingressgateway has correct CA_ADDR " do - expect(pod).to include("{\"name\":\"CA_ADDR\",\"value\":\"meshca.googleapis.com:443\"}") + it "exists" do + expect(asmoptions_configmap.metadata.name).to eq "asm-options" end end end + + describe "namespace" do + let(:system_namespace) { client.get_namespace("istio-system") } + it "exists" do + expect(system_namespace).not_to be_nil + end + end end end