transition to kubectl module

modules/acm/README.md

@@ -54,7 +54,7 @@ By default, this module will attempt to download the ACM operator from Google di
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/acm/variables.tf

@@ -90,5 +90,5 @@ variable "install_template_library" {
 variable "skip_gcloud_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)"
   type        = bool
-  default     = false
+  default     = true
 }

modules/asm/README.md

@@ -46,6 +46,7 @@ To deploy this config:
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | string | `"296.0.1"` | no |
 | gke\_hub\_membership\_name | Memebership name that uniquely represents the cluster being registered on the Hub | string | `"gke-asm-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no |
+| internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no |
 | location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
 | project\_id | The project in which the resource belongs. | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |

modules/asm/main.tf

@@ -15,18 +15,10 @@
  */
 
 locals {
+  base_cmd       = "${var.cluster_name} ${var.location} ${var.project_id} ${var.internal_ip} false"
   gke_hub_sa_key = var.enable_gke_hub_registration ? google_service_account_key.gke_hub_key[0].private_key : ""
 }
 
-data "google_container_cluster" "primary" {
-  name     = var.cluster_name
-  project  = var.project_id
-  location = var.location
-}
-
-data "google_client_config" "default" {
-}
-
 module "asm_install" {
   source            = "terraform-google-modules/gcloud/google"
   version           = "~> 1.2"
@@ -42,7 +34,7 @@ module "asm_install" {
   create_cmd_entrypoint  = "${path.module}/scripts/install_asm.sh"
   create_cmd_body        = "${var.project_id} ${var.cluster_name} ${var.location}"
   destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "https://${var.cluster_endpoint} ${data.google_client_config.default.access_token} ${data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate} kubectl delete ns istio-system"
+  destroy_cmd_body       = "${local.base_cmd} kubectl delete ns istio-system"
 }
 
 resource "google_service_account" "gke_hub_sa" {

modules/asm/scripts/kubectl_wrapper.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2018 Google LLC
+# Copyright 2020 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,33 +21,47 @@ if [ "$#" -lt 3 ]; then
     exit 1
 fi
 
-HOST=$1
-TOKEN=$2
-CA_CERTIFICATE=$3
+CLUSTER_NAME=$1
+LOCATION=$2
+PROJECT_ID=$3
+INTERNAL=$4
+USE_EXISTING_CONTEXT=$5
 
-shift 3
+shift 5
 
-RANDOM_ID="${RANDOM}_${RANDOM}"
-export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}"
+if $USE_EXISTING_CONTEXT ;then
 
-function cleanup {
-    rm -rf "${TMPDIR}"
-}
-trap cleanup EXIT
+    "$@"
 
-mkdir "${TMPDIR}"
+else
 
-export KUBECONFIG="${TMPDIR}/config"
+    RANDOM_ID="${RANDOM}_${RANDOM}"
+    export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}"
 
-# shellcheck disable=SC1117
-base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d"
-echo "${CA_CERTIFICATE}" | base64 ${B64_ARG} > "${TMPDIR}/ca_certificate"
+    function cleanup {
+        rm -rf "${TMPDIR}"
+    }
+    trap cleanup EXIT
 
-kubectl config set-cluster kubectl-wrapper --server="${HOST}" --certificate-authority="${TMPDIR}/ca_certificate" --embed-certs=true 1>/dev/null
-rm -f "${TMPDIR}/ca_certificate"
-kubectl config set-context kubectl-wrapper --cluster=kubectl-wrapper --user=kubectl-wrapper --namespace=default 1>/dev/null
-kubectl config set-credentials kubectl-wrapper --token="${TOKEN}" 1>/dev/null
-kubectl config use-context kubectl-wrapper 1>/dev/null
-kubectl version 1>/dev/null
+    mkdir "${TMPDIR}"
 
-"$@"
+    export KUBECONFIG="${TMPDIR}/config"
+
+    LOCATION_TYPE=$(grep -o "-" <<< "${LOCATION}" | wc -l)
+
+    CMD="gcloud container clusters get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
+
+    if [[ $LOCATION_TYPE -eq 2 ]] ;then
+        CMD+=" --zone ${LOCATION}"
+    else
+        CMD+=" --region ${LOCATION}"
+    fi
+
+    if $INTERNAL ;then
+        CMD+=" --internal-ip"
+    fi
+
+    $CMD
+
+    "$@"
+fi

modules/asm/variables.tf

@@ -69,3 +69,9 @@ variable "gke_hub_membership_name" {
   type        = string
   default     = "gke-asm-membership"
 }
+
+variable "internal_ip" {
+  description = "Use internal ip for the cluster endpoint."
+  type        = bool
+  default     = false
+}

modules/config-sync/README.md

@@ -55,7 +55,7 @@ To deploy this config:
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | n/a | yes |
-| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/config-sync/variables.tf

@@ -77,5 +77,5 @@ variable "ssh_auth_key" {
 variable "skip_gcloud_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)"
   type        = bool
-  default     = false
+  default     = true
 }

modules/k8s-operator-crd-support/main.tf

@@ -50,16 +50,16 @@ module "k8sop_manifest" {
 
 
 module "k8s_operator" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.2"
-  module_depends_on     = [module.k8sop_manifest.wait, data.google_client_config.default.project, data.google_container_cluster.primary.name]
-  additional_components = ["kubectl"]
-  skip_download         = var.skip_gcloud_download
-
-  create_cmd_entrypoint  = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body        = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f ${local.manifest_path}"
-  destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f ${local.manifest_path}"
+  source = "github.com/terraform-google-modules/terraform-google-gcloud//modules/kubectl-wrapper"
+  # version           = "~> 1.3"
+  module_depends_on = [module.k8sop_manifest.wait, data.google_client_config.default.project, data.google_container_cluster.primary.name]
+  skip_download     = var.skip_gcloud_download
+  cluster_name      = var.cluster_name
+  cluster_location  = var.location
+  project_id        = var.project_id
+
+  kubectl_create_command  = "kubectl apply -f ${local.manifest_path}"
+  kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}"
 }
 
 
@@ -70,16 +70,16 @@ resource "tls_private_key" "k8sop_creds" {
 }
 
 module "k8sop_creds_secret" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.2"
-  module_depends_on     = [module.k8s_operator.wait]
-  additional_components = ["kubectl"]
-  skip_download         = var.skip_gcloud_download
-
-  create_cmd_entrypoint  = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body        = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'"
-  destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
+  source = "github.com/terraform-google-modules/terraform-google-gcloud//modules/kubectl-wrapper"
+  # version           = "~> 1.3"
+  module_depends_on = [module.k8s_operator.wait]
+  skip_download     = var.skip_gcloud_download
+  cluster_name      = var.cluster_name
+  cluster_location  = var.location
+  project_id        = var.project_id
+
+  kubectl_create_command  = "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'"
+  kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
 }
 
 
@@ -97,15 +97,20 @@ data "template_file" "k8sop_config" {
   }
 }
 
+resource "local_file" "operator_cr" {
+  content  = data.template_file.k8sop_config.rendered
+  filename = "${path.module}/operator_cr.yaml"
+}
+
 module "k8sop_config" {
-  source                = "terraform-google-modules/gcloud/google"
-  version               = "~> 1.2"
-  module_depends_on     = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
-  additional_components = ["kubectl"]
-  skip_download         = var.skip_gcloud_download
-
-  create_cmd_entrypoint  = "echo"
-  create_cmd_body        = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f -"
-  destroy_cmd_entrypoint = "echo"
-  destroy_cmd_body       = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f -"
+  source = "github.com/terraform-google-modules/terraform-google-gcloud//modules/kubectl-wrapper"
+  # version           = "~> 1.3"
+  module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
+  skip_download     = var.skip_gcloud_download
+  cluster_name      = var.cluster_name
+  cluster_location  = var.location
+  project_id        = var.project_id
+
+  kubectl_create_command  = "kubectl apply -f ${local_file.operator_cr.filename}"
+  kubectl_destroy_command = "kubectl delete -f ${local_file.operator_cr.filename}"
 }

modules/k8s-operator-crd-support/variables.tf

@@ -108,6 +108,6 @@ variable "operator_cr_template_path" {
 variable "skip_gcloud_download" {
   description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)"
   type        = bool
-  default     = false
+  default     = true
 }
 

modules/workload-identity/main.tf

@@ -19,23 +19,9 @@ locals {
   gcp_sa_email            = google_service_account.cluster_service_account.email
 
   # This will cause terraform to block returning outputs until the service account is created
-  k8s_given_name         = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
-  output_k8s_name        = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
-  output_k8s_namespace   = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
-  token                  = var.use_existing_k8s_sa ? data.google_client_config.default.0.access_token : ""
-  cluster_ca_certificate = var.use_existing_k8s_sa ? data.google_container_cluster.primary.0.master_auth.0.cluster_ca_certificate : ""
-  cluster_endpoint       = var.use_existing_k8s_sa ? "https://${data.google_container_cluster.primary.0.endpoint}" : ""
-}
-
-data "google_container_cluster" "primary" {
-  count    = var.use_existing_k8s_sa ? 1 : 0
-  name     = var.cluster_name
-  project  = var.project_id
-  location = var.location
-}
-
-data "google_client_config" "default" {
-  count = var.use_existing_k8s_sa ? 1 : 0
+  k8s_given_name       = var.k8s_sa_name != null ? var.k8s_sa_name : var.name
+  output_k8s_name      = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
+  output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
 }
 
 resource "google_service_account" "cluster_service_account" {
@@ -58,19 +44,17 @@ resource "kubernetes_service_account" "main" {
 }
 
 module "annotate-sa" {
-  source  = "terraform-google-modules/gcloud/google"
-  version = "~> 1.2"
-
-  platform              = "linux"
-  additional_components = ["kubectl"]
-  enabled               = var.use_existing_k8s_sa
-  skip_download         = true
+  source = "github.com/terraform-google-modules/terraform-google-gcloud//modules/kubectl-wrapper"
+  # version = "~> 1.2"
 
-  create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body       = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
+  enabled          = var.use_existing_k8s_sa
+  skip_download    = true
+  cluster_name     = var.cluster_name
+  cluster_location = var.location
+  project_id       = var.project_id
 
-  destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
+  kubectl_create_command  = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
+  kubectl_destroy_command = "kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
 }
 
 resource "google_service_account_iam_member" "main" {