feat: Add ASM install submodule (#538)

.gitignore

@@ -50,3 +50,7 @@ credentials.json
 
 # File to populate env vars used by Docker test runs
 .envrc
+
+# ignore generated ASM yamls in /workspace/test/fixtures/simple_regional_with_asm as it is a test
+# in a production scenario these files are expected to be checked in
+/test/fixtures/simple_regional_with_asm/asm-dir

.kitchen.yml

@@ -228,3 +228,13 @@ suites:
       systems:
         - name: safer_cluster_iap_bastion
           backend: local
+  - name: "simple_regional_with_asm"
+    driver:
+      root_module_directory: test/fixtures/simple_regional_with_asm
+    verifier:
+      systems:
+        - name: simple_regional_with_asm
+          backend: local
+          controls:
+            - gcloud
+            - kubectl

build/int.cloudbuild.yaml

@@ -404,6 +404,26 @@ steps:
     - verify safer-cluster-iap-bastion-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy safer-cluster-iap-bastion-local']
+- id: create simple-regional-with-asm-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-regional-with-asm-local']
+- id: converge simple-regional-with-asm-local
+  waitFor:
+    - create simple-regional-with-asm-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-regional-with-asm-local']
+- id: verify simple-regional-with-asm-local
+  waitFor:
+    - converge simple-regional-with-asm-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify simple-regional-with-asm-local']
+- id: destroy simple-regional-with-asm-local
+  waitFor:
+    - verify simple-regional-with-asm-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-regional-with-asm-local']
 tags:
 - 'ci'
 - 'integration'

build/lint.cloudbuild.yaml

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+timeout: 900s
 steps:
 - id: 'lint-tests'
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'

examples/simple_regional_with_asm/README.md

@@ -0,0 +1,44 @@
+# Simple Regional Cluster with ASM
+
+This example illustrates how to create a simple regional cluster with ASM.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for services | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate |  |
+| client\_token |  |
+| cluster\_name | Cluster name |
+| identity\_namespace |  |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint |  |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| project\_id |  |
+| region |  |
+| service\_account | The default service account used for running nodes. |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/simple_regional_with_asm/main.tf

@@ -0,0 +1,65 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "simple-regional-asm2"
+}
+
+provider "google-beta" {
+  version = "~> 3.23.0"
+  region  = var.region
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+module "gke" {
+  source                  = "../../modules/beta-public-cluster/"
+  project_id              = var.project_id
+  name                    = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional                = true
+  release_channel         = "REGULAR"
+  region                  = var.region
+  network                 = var.network
+  subnetwork              = var.subnetwork
+  ip_range_pods           = var.ip_range_pods
+  ip_range_services       = var.ip_range_services
+  network_policy          = false
+  cluster_resource_labels = { "mesh_id" : "proj-${data.google_project.project.number}" }
+  node_pools = [
+    {
+      name        = "asm-node-pool"
+      autoscaling = false
+      # ASM requires minimum 4 nodes and e2-standard-4
+      # As this is a regional cluster we have node_count * 3 = 6 nodes
+      node_count   = 2
+      machine_type = "e2-standard-4"
+    },
+  ]
+}
+
+module "asm" {
+  source                            = "../../modules/asm"
+  cluster_name                      = module.gke.name
+  cluster_endpoint                  = module.gke.endpoint
+  project_id                        = var.project_id
+  location                          = module.gke.location
+  use_tf_google_credentials_env_var = true
+}
+
+data "google_client_config" "default" {
+}

examples/simple_regional_with_asm/outputs.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = module.gke.endpoint
+}
+
+output "client_token" {
+  sensitive = true
+  value     = base64encode(data.google_client_config.default.access_token)
+}
+
+output "ca_certificate" {
+  value = module.gke.ca_certificate
+}
+
+output "service_account" {
+  description = "The default service account used for running nodes."
+  value       = module.gke.service_account
+}

examples/simple_regional_with_asm/test_outputs.tf

@@ -0,0 +1,67 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These outputs are used to test the module with kitchen-terraform
+// They do not need to be included in real-world uses of this module
+
+output "project_id" {
+  value = var.project_id
+}
+
+output "region" {
+  value = module.gke.region
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = module.gke.name
+}
+
+output "network" {
+  value = var.network
+}
+
+output "subnetwork" {
+  value = var.subnetwork
+}
+
+output "location" {
+  value = module.gke.location
+}
+
+output "ip_range_pods" {
+  description = "The secondary IP range used for pods"
+  value       = var.ip_range_pods
+}
+
+output "ip_range_services" {
+  description = "The secondary IP range used for services"
+  value       = var.ip_range_services
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = module.gke.zones
+}
+
+output "master_kubernetes_version" {
+  description = "The master Kubernetes version"
+  value       = module.gke.master_version
+}
+
+output "identity_namespace" {
+  value = module.gke.identity_namespace
+}

examples/simple_regional_with_asm/variables.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+}
+
+variable "cluster_name_suffix" {
+  description = "A suffix to append to the default cluster name"
+  default     = ""
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+}
+
+variable "network" {
+  description = "The VPC network to host the cluster in"
+}
+
+variable "subnetwork" {
+  description = "The subnetwork to host the cluster in"
+}
+
+variable "ip_range_pods" {
+  description = "The secondary ip range to use for pods"
+}
+
+variable "ip_range_services" {
+  description = "The secondary ip range to use for services"
+}

examples/simple_regional_with_asm/versions.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.12"
+}

modules/asm/README.md

@@ -0,0 +1,54 @@
+# Terraform Kubernetes Engine ASM Submodule
+
+This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes cluster.
+
+Specifically, this module automates the following steps for [installing ASM](https://cloud.google.com/service-mesh/docs/install):
+
+1. Installing the ASM Istio Operator on your cluster.
+2. Optionally registering your cluster with GKE Hub.
+
+## Usage
+
+There is a [full example](../../examples/simple_regional_with_asm) provided. Simple usage is as follows:
+
+```tf
+module "asm" {
+  source           = "terraform-google-modules/kubernetes-engine/google//modules/asm"
+
+  project_id       = "my-project-id"
+  cluster_name     = "my-cluster-name"
+  location         = module.gke.location
+  cluster_endpoint = module.gke.endpoint
+}
+```
+
+To deploy this config:
+1. Run `terraform apply`
+
+## Requirements
+
+- Anthos Service Mesh [requires](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#requirements) an active Anthos license.
+- GKE cluster must have minimum four nodes.
+- Minimum machine type is `e2-standard-4`.
+- GKE cluster must be enrolled in a release channel. ASM does not support static version.
+- ASM on a private GKE cluster requires adding a firewall rule to open port 15017 if you want to use [automatic sidecar injection](https://cloud.google.com/service-mesh/docs/proxy-injection).
+- Only one ASM per Google Cloud project is supported.
+
+
+ <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_endpoint | The GKE cluster endpoint. | string | n/a | yes |
+| cluster\_name | The unique name to identify the cluster in ASM. | string | n/a | yes |
+| enable\_gke\_hub\_registration | Enables GKE Hub Registration when set to true | bool | `"true"` | no |
+| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | string | `"296.0.1"` | no |
+| gke\_hub\_membership\_name | Memebership name that uniquely represents the cluster being registered on the Hub | string | `"gke-asm-membership"` | no |
+| gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no |
+| location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
+| project\_id | The project in which the resource belongs. | string | n/a | yes |
+| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
+| use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no |
+
+ <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->