From ca761626f11bf8babb9d3a1ff3d2b0babf9a6dd6 Mon Sep 17 00:00:00 2001
From: Sam Naser
Date: Fri, 4 Mar 2022 11:58:38 -0800
Subject: [PATCH 1/3] add guide for migrating from previous module

---
 docs/upgrading_to_v20.0.md | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/docs/upgrading_to_v20.0.md b/docs/upgrading_to_v20.0.md
index 6e24483370..08b4a4ef2b 100644
--- a/docs/upgrading_to_v20.0.md
+++ b/docs/upgrading_to_v20.0.md
@@ -6,5 +6,24 @@ release for the Anthos Service Mesh (ASM) module. ### ASM module rewrite The [ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been rewritten to use the `ControlPlaneRevision` API to provision -a managed control plane rather than using an installer script. Due to the drastic difference in implementation the module does not support an upgrade path -from the previous version. +a managed control plane rather than using an installer script. Due to implementation differences, there are migration steps required to safely move from +an installation performed with the old module to using the new module. **NOTE:** these migration steps are best-effort and have not been tested against all possible ASM configurations. + +1. Run `terraform state rm module.asm` +2. Update the module version to v20.0 +3. Import the system namespace into the new module with `terraform import module.asm.kubernetes_namespace.system istio-system` +4. Run `terraform apply` + +There should be two ASM revisions present at this point (in-cluster or managed, depending on whether the previous installation was managed). Now, +we must perform a canary upgrade to move workloads onto the new ASM revision. To do this: + +1. Relabel namespaces to use the revision label from the managed revision (either `asm-managed`, `asm-managed-stable`, or `asm-managed-rapid`) +2. Rollout workloads in those namespaces to get them onto the new ASM version +3. [Optional] Remove the previous revision with `istioctl x uninstall --revision ...` (if the previous installation was in-cluster) + + +#### Migrating options + +Another difference from the previous module is that the new ASM module does not provide variables option configuration (i.e. `custom_overlay`, `options`). These should be managed separately +outside the module. This is because those options were tightly coupled to pulling down an installer which the new module does not do. 
To use options specified in the previous module with the new module find the corresponding configuration [here](https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/tree/main/asm/istio/options) and move the +config to the mesh configuration for the revision.

From 007fbcaef8994e7ad4d557b4db767fc1d793ccf1 Mon Sep 17 00:00:00 2001
From: Sam Naser
Date: Fri, 4 Mar 2022 14:13:31 -0800
Subject: [PATCH 2/3] add options for fleet registration and feature enablement

---
 docs/upgrading_to_v20.0.md | 6 +++---
 examples/simple_zonal_with_asm/main.tf | 14 ++++++------
 modules/asm/README.md | 2 ++
 .../simple_zonal_with_asm => modules/asm}/hub.tf | 10 ++++++----
 modules/asm/main.tf | 2 ++
 modules/asm/variables.tf | 12 ++++++++++++
 6 files changed, 33 insertions(+), 13 deletions(-)
 rename {examples/simple_zonal_with_asm => modules/asm}/hub.tf (70%)

diff --git a/docs/upgrading_to_v20.0.md b/docs/upgrading_to_v20.0.md
index 08b4a4ef2b..28caed71ea 100644
--- a/docs/upgrading_to_v20.0.md
+++ b/docs/upgrading_to_v20.0.md
@@ -17,13 +17,13 @@ an installation performed with the old module to using the new module. **NOTE:** There should be two ASM revisions present at this point (in-cluster or managed, depending on whether the previous installation was managed). Now, we must perform a canary upgrade to move workloads onto the new ASM revision. To do this: -1. Relabel namespaces to use the revision label from the managed revision (either `asm-managed`, `asm-managed-stable`, or `asm-managed-rapid`) +1. Relabel namespaces to use the revision label from the managed revision (`asm-managed`, `asm-managed-stable`, or `asm-managed-rapid`) 2. Rollout workloads in those namespaces to get them onto the new ASM version 3. [Optional] Remove the previous revision with `istioctl x uninstall --revision ...` (if the previous installation was in-cluster) #### Migrating options -Another difference from the previous module is that the new ASM module does not provide variables option configuration (i.e. `custom_overlay`, `options`). These should be managed separately +Another difference from the previous module is that the new ASM module does not provide variables for option configuration (e.g. `custom_overlay`, `options`). For the new version these should be managed separately outside the module. This is because those options were tightly coupled to pulling down an installer which the new module does not do. To use options specified in the previous module with the new module find the corresponding configuration [here](https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/tree/main/asm/istio/options) and move the -config to the mesh configuration for the revision. +config to the mesh configuration for the managed revision.
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf
index 871f81670f..8953c8b55e 100644
--- a/examples/simple_zonal_with_asm/main.tf
+++ b/examples/simple_zonal_with_asm/main.tf
@@ -57,10 +57,12 @@ module "gke" {
 }
 
 module "asm" {
-  source = "../../modules/asm"
-  project_id = var.project_id
-  cluster_name = module.gke.name
-  cluster_location = module.gke.location
-  multicluster_mode = "connected"
-  enable_cni = true
+  source = "../../modules/asm"
+  project_id = var.project_id
+  cluster_name = module.gke.name
+  cluster_location = module.gke.location
+  multicluster_mode = "connected"
+  enable_cni = true
+  enable_fleet_registration = true
+  enable_mesh_feature = true
 }
diff --git a/modules/asm/README.md b/modules/asm/README.md
index 11be0c1ab1..3bbc93bc09 100644
--- a/modules/asm/README.md
+++ b/modules/asm/README.md
@@ -35,6 +35,8 @@ To deploy this config:
 | cluster\_location | The cluster location for this ASM installation. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
 | enable\_cni | Determines whether to enable CNI for this ASM installation. Required to use Managed Data Plane (MDP). | `bool` | `false` | no |
+| enable\_fleet\_registration | Determines whether the module enables the mesh feature on the fleet. | `bool` | `false` | no |
+| enable\_mesh\_feature | Determines whether the module registers the cluster to the fleet. | `bool` | `false` | no |
 | enable\_vpc\_sc | Determines whether to enable VPC-SC for this ASM installation. For more information read https://cloud.google.com/service-mesh/docs/managed/vpc-sc | `bool` | `false` | no |
 | fleet\_id | The fleet to use for this ASM installation. | `string` | `""` | no |
 | multicluster\_mode | [Preview] Determines whether remote secrets should be autogenerated across fleet cluster. | `string` | `"manual"` | no |
diff --git a/examples/simple_zonal_with_asm/hub.tf b/modules/asm/hub.tf
similarity index 70%
rename from examples/simple_zonal_with_asm/hub.tf
rename to modules/asm/hub.tf
index 8fe8b1f6d9..02f9558b9e 100644
--- a/examples/simple_zonal_with_asm/hub.tf
+++ b/modules/asm/hub.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2022 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,18 +14,20 @@
  * limitations under the License.
  */
 
-resource "google_gke_hub_membership" "cluster_membership" {
+resource "google_gke_hub_membership" "membership" {
+  count = var.enable_fleet_registration ? 1 : 0
   provider = google-beta
   project = var.project_id
-  membership_id = "gke-asm-membership"
+  membership_id = "${data.google_container_cluster.asm.name}-membership"
   endpoint {
     gke_cluster {
-      resource_link = "//container.googleapis.com/${module.gke.cluster_id}"
+      resource_link = "//container.googleapis.com/${data.google_container_cluster.asm.id}"
     }
   }
 }
 
 resource "google_gke_hub_feature" "mesh" {
+  count = var.enable_mesh_feature ? 1 : 0
   name = "servicemesh"
   project = var.project_id
   location = "global"
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index 72c8c734ed..08d0eb6d45 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -46,6 +46,8 @@ resource "kubernetes_config_map" "asm_options" {
   data = {
     multicluster_mode = var.multicluster_mode
   }
+
+  depends_on = [google_gke_hub_membership.membership, google_gke_hub_feature.mesh]
 }
 
 module "cpr" {
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
index 71efd3c59e..57faebd01d 100644
--- a/modules/asm/variables.tf
+++ b/modules/asm/variables.tf
@@ -74,3 +74,15 @@ variable "enable_vpc_sc" {
   type = bool
   default = false
 }
+
+variable "enable_fleet_registration" {
+  description = "Determines whether the module enables the mesh feature on the fleet."
+  type = bool
+  default = false
+}
+
+variable "enable_mesh_feature" {
+  description = "Determines whether the module registers the cluster to the fleet."
+  type = bool
+  default = false
+}

From 0cea37f831aecb2ecf93ffe0805a1f41078d1a0e Mon Sep 17 00:00:00 2001
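Review bot: Both fleet resources are placed in `var.project_id` (`project = var.project_id` on the membership and again on the feature) even though the module exposes a `fleet_id` input (listed in the README table earlier in this series), so a fleet whose host project differs from the cluster project would be registered into the wrong project; if `fleet_id` is meant to select the fleet host, the membership and feature should use it, e.g. `project = var.fleet_id != "" ? var.fleet_id : var.project_id`. Fleet membership is an identity boundary (it is what ties the cluster to the fleet's workload identity pool), so a silently wrong project here deserves a guard rather than a default. Separately, `membership_id` changes from the fixed `gke-asm-membership` to `${data.google_container_cluster.asm.name}-membership` and the resource address moves into the module; since a membership ID cannot be changed in place, anyone who had adopted the example's `hub.tf` will see the old membership destroyed and a new one created on upgrade, which the migration guide in this series does not mention. The `google_gke_hub_feature.mesh` block continues past the end of the hunk.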
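Review bot: The new `depends_on` only orders `kubernetes_config_map.asm_options` after the fleet membership and mesh feature, while `module "cpr"`, which begins immediately after the hunk and presumably creates the control-plane revision, is the thing that needs the cluster to be a fleet member; unless `cpr` itself references this config map, it can still be applied before registration completes. If `cpr` does consume the config map, a comment such as `# Fleet membership and the mesh feature must exist before the revision is created; cpr reads this config map, so ordering on it is sufficient.` would make that coupling explicit; otherwise the `depends_on` belongs on the `cpr` module block. Both referenced resources now carry `count`, which `depends_on` on the whole resource handles correctly even when the count is zero.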
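Review bot: The two new variable descriptions are swapped: `enable_fleet_registration` is described as enabling the mesh feature and `enable_mesh_feature` as registering the cluster, but `hub.tf` in this series gates `google_gke_hub_membership` on the former and `google_gke_hub_feature` on the latter. Swap the strings so that `enable_fleet_registration` reads `description = "Determines whether the module registers the cluster to the fleet."` and `enable_mesh_feature` reads `description = "Determines whether the module enables the mesh feature on the fleet."`. The generated table in `modules/asm/README.md` carries the same swap and should be regenerated from the corrected variables.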
From: Sam Naser
Date: Tue, 8 Mar 2022 12:31:20 -0800
Subject: [PATCH 3/3] fix test with membership name

---
 test/integration/simple_zonal_with_asm/controls/gcloud.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/integration/simple_zonal_with_asm/controls/gcloud.rb b/test/integration/simple_zonal_with_asm/controls/gcloud.rb
index 3478bf3794..56adc1ff62 100644
--- a/test/integration/simple_zonal_with_asm/controls/gcloud.rb
+++ b/test/integration/simple_zonal_with_asm/controls/gcloud.rb
@@ -40,7 +40,7 @@
     end
   end
 
-  describe command("gcloud container hub memberships describe gke-asm-membership --project=#{project_id} --format=json") do
+  describe command("gcloud container hub memberships describe #{cluster_name}-membership --project=#{project_id} --format=json") do
     its(:exit_status) { should eq 0 }
     its(:stderr) { should eq '' }