diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl index 634edf8e4..4433095c8 100644 --- a/autogen/main/dns.tf.tmpl +++ b/autogen/main/dns.tf.tmpl @@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/dns.tf b/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/dns.tf +++ b/dns.tf 
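Review bot: `kubectl_destroy_command = ""` in the new `gcloud_delete_default_kube_dns_configmap` block carries no explanation, and since this template generates the identical hunks in `dns.tf`, `modules/beta-private-cluster-update-variant/dns.tf`, `modules/beta-private-cluster/dns.tf`, `modules/beta-public-cluster-update-variant/dns.tf`, `modules/beta-public-cluster/dns.tf`, `modules/private-cluster-update-variant/dns.tf` and `modules/private-cluster/dns.tf`, the fix belongs here. A one-line comment such as `# No destroy step: removal of the default kube-dns configmap is intentionally not reverted` would make the intent clear. The two consecutive blank `+` lines before `kubectl_create_command` look accidental and should collapse to one. Taking the access token and CA certificate out of `create_cmd_body` is a welcome change, since that string was handed to a local shell and could surface in provisioner output and process listings; the remaining `data.google_client_config.default.access_token` entry in `module_depends_on` now only serves as an ordering hint and is worth a comment if that is intentional.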
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index 4b4fee6ea..c639992c9 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf 
@@ -54,12 +54,11 @@ module "gke" { } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location - use_tf_google_credentials_env_var = true + source = "../../modules/asm" + cluster_name = module.gke.name + cluster_endpoint = module.gke.endpoint + project_id = var.project_id + location = module.gke.location } data "google_client_config" "default" { diff --git a/modules/acm/README.md b/modules/acm/README.md index 4548b4325..250e41016 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -54,7 +54,7 @@ By default, this module will attempt to download the ACM operator from Google di | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no | | project\_id | GCP project_id used to reach cluster. | string | n/a | yes | | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no | -| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no | +| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no | | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no | | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no | | sync\_repo | ACM Git repo address | string | n/a | yes | diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf index e253dc018..6a6ca50d8 100644 --- a/modules/acm/variables.tf +++ b/modules/acm/variables.tf 
@@ -90,5 +90,5 @@ variable "install_template_library" { variable "skip_gcloud_download" { description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" type = bool - default = false + default = true } diff --git a/modules/asm/README.md b/modules/asm/README.md index 8f2a38f0c..fbe2311e8 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md @@ -46,9 +46,9 @@ To deploy this config: | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | string | `"296.0.1"` | no | | gke\_hub\_membership\_name | Memebership name that uniquely represents the cluster being registered on the Hub | string | `"gke-asm-membership"` | no | | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | string | `"gke-hub-sa"` | no | +| internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no | | location | The location (zone or region) this cluster has been created in. | string | n/a | yes | | project\_id | The project in which the resource belongs. | string | n/a | yes | | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no | -| use\_tf\_google\_credentials\_env\_var | Optional GOOGLE_CREDENTIALS environment variable to be activated. | bool | `"false"` | no | diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 06f5ce276..27d0c2045 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
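Review bot: Flipping `skip_gcloud_download` to `default = true` changes behaviour for every existing caller of `modules/acm` that relied on the module downloading its own gcloud, and the same flip appears in `modules/config-sync/variables.tf` and `modules/k8s-operator-crd-support/variables.tf`. With the new default the module runs whatever `gcloud` and `kubectl` are on the runner's PATH, so `gcloud_sdk_version` presumably no longer governs the tooling actually executed; that reproducibility and supply-chain consideration should be visible in the variable, e.g. `description = "Whether to skip downloading gcloud (default true: assumes gcloud and kubectl are already installed and trusted on the host running Terraform)"`. A changelog entry for the changed default would help callers notice it before apply.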
@@ -18,31 +18,22 @@ locals { gke_hub_sa_key = var.enable_gke_hub_registration ? google_service_account_key.gke_hub_key[0].private_key : "" } -data "google_container_cluster" "primary" { - name = var.cluster_name - project = var.project_id - location = var.location -} - -data "google_client_config" "default" { -} - module "asm_install" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" module_depends_on = [var.cluster_endpoint] - platform = "linux" - gcloud_sdk_version = var.gcloud_sdk_version - skip_download = var.skip_gcloud_download - upgrade = true - use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var - additional_components = ["kubectl", "kpt"] + gcloud_sdk_version = var.gcloud_sdk_version + skip_download = var.skip_gcloud_download + upgrade = true + additional_components = ["kubectl", "kpt", "beta", "kustomize"] + cluster_name = var.cluster_name + cluster_location = var.location + project_id = var.project_id + - create_cmd_entrypoint = "${path.module}/scripts/install_asm.sh" - create_cmd_body = "${var.project_id} ${var.cluster_name} ${var.location}" - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "https://${var.cluster_endpoint} ${data.google_client_config.default.access_token} ${data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate} kubectl delete ns istio-system" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location}" + kubectl_destroy_command = "kubectl delete ns istio-system" } resource "google_service_account" "gke_hub_sa" { 
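Review bot: The new `internal_ip` variable added in `modules/asm/variables.tf` is not referenced anywhere in this `asm_install` block, so as far as the hunks show it is declared and documented but has no effect; if the `kubectl-wrapper` module exposes an internal-IP input it should be wired here, otherwise the variable should not ship in this commit. The lone `+` blank line after `project_id = var.project_id` leaves a stray empty line inside the block. `module_depends_on = [var.cluster_endpoint]` is now the only use of `var.cluster_endpoint` visible in these hunks, which deserves a comment such as `# cluster_endpoint is only used to sequence this module after the cluster exists`.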
@@ -66,15 +57,14 @@ resource "google_service_account_key" "gke_hub_key" { module "gke_hub_registration" { source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" + version = "~> 1.2" - platform = "linux" - gcloud_sdk_version = var.gcloud_sdk_version - skip_download = var.skip_gcloud_download - upgrade = true - enabled = var.enable_gke_hub_registration - use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var - module_depends_on = [module.asm_install.wait] + platform = "linux" + gcloud_sdk_version = var.gcloud_sdk_version + skip_download = var.skip_gcloud_download + upgrade = true + enabled = var.enable_gke_hub_registration + module_depends_on = [module.asm_install.wait] create_cmd_entrypoint = "${path.module}/scripts/gke_hub_registration.sh" create_cmd_body = "${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${local.gke_hub_sa_key}" diff --git a/modules/asm/scripts/kubectl_wrapper.sh b/modules/asm/scripts/kubectl_wrapper.sh deleted file mode 100755 index e92300bcb..000000000 --- a/modules/asm/scripts/kubectl_wrapper.sh +++ /dev/null 
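Review bot: `create_cmd_body` in `gke_hub_registration` still interpolates `local.gke_hub_sa_key`, a service-account private key, into the command string, even though the rest of this commit moves credentials out of command bodies. Arguments to a locally executed command are visible in process listings on the machine running Terraform and can be echoed by the provisioner, so it would be more consistent for `gke_hub_registration.sh` (outside this hunk) to read the key from a file with restricted permissions or from stdin. The `version = "~> 1.2"` here versus `~> 1.4` for the wrapper-based `asm_install` block in the same file resolves fine, but a comment would help if the difference is deliberate.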
@@ -1,53 +0,0 @@ -#!/bin/bash -# Copyright 2018 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -set -e - -if [ "$#" -lt 3 ]; then - >&2 echo "Not all expected arguments set." - exit 1 -fi - -HOST=$1 -TOKEN=$2 -CA_CERTIFICATE=$3 - -shift 3 - -RANDOM_ID="${RANDOM}_${RANDOM}" -export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}" - -function cleanup { - rm -rf "${TMPDIR}" -} -trap cleanup EXIT - -mkdir "${TMPDIR}" - -export KUBECONFIG="${TMPDIR}/config" - -# shellcheck disable=SC1117 -base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d" -echo "${CA_CERTIFICATE}" | base64 ${B64_ARG} > "${TMPDIR}/ca_certificate" - -kubectl config set-cluster kubectl-wrapper --server="${HOST}" --certificate-authority="${TMPDIR}/ca_certificate" --embed-certs=true 1>/dev/null -rm -f "${TMPDIR}/ca_certificate" -kubectl config set-context kubectl-wrapper --cluster=kubectl-wrapper --user=kubectl-wrapper --namespace=default 1>/dev/null -kubectl config set-credentials kubectl-wrapper --token="${TOKEN}" 1>/dev/null -kubectl config use-context kubectl-wrapper 1>/dev/null -kubectl version 1>/dev/null - -"$@" diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index f0d358051..5b22774f1 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf 
@@ -40,12 +40,6 @@ variable "skip_gcloud_download" { default = true } -variable "use_tf_google_credentials_env_var" { - description = "Optional GOOGLE_CREDENTIALS environment variable to be activated." - type = bool - default = false -} - variable "gcloud_sdk_version" { description = "The gcloud sdk version to use. Minimum required version is 293.0.0" type = string @@ -69,3 +63,9 @@ variable "gke_hub_membership_name" { type = string default = "gke-asm-membership" } + +variable "internal_ip" { + description = "Use internal ip for the cluster endpoint." + type = bool + default = false +} diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/beta-private-cluster-update-variant/dns.tf +++ b/modules/beta-private-cluster-update-variant/dns.tf 
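Review bot: Removing `use_tf_google_credentials_env_var` from `modules/asm/variables.tf` is a breaking interface change: any root module still setting it, as the example did before this commit, will fail validation with an unsupported-argument error. The README row is dropped in the same commit, but nothing in the hunks explains how callers that relied on the `GOOGLE_CREDENTIALS` path should now authenticate the gcloud invocation, so a short upgrade note is warranted.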
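Review bot: `variable "internal_ip"` is added with `description = "Use internal ip for the cluster endpoint."`, but no hunk in this commit reads `var.internal_ip`, so it is currently dead configuration that advertises a capability the module does not yet have. Either wire it through to the `asm_install` module in `modules/asm/main.tf` or leave it out until it is used; if it stays, the description should say what `true` does, e.g. `description = "Use the cluster's private (internal) endpoint when fetching credentials instead of the public one."`.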
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/beta-private-cluster/dns.tf +++ b/modules/beta-private-cluster/dns.tf 
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/beta-public-cluster-update-variant/dns.tf +++ b/modules/beta-public-cluster-update-variant/dns.tf 
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf 
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/config-sync/README.md b/modules/config-sync/README.md index 1109380bd..730c134db 100644 --- a/modules/config-sync/README.md +++ b/modules/config-sync/README.md 
@@ -55,7 +55,7 @@ To deploy this config: | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no | | project\_id | GCP project_id used to reach cluster. | string | n/a | yes | | secret\_type | credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | n/a | yes | -| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no | +| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no | | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no | | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no | | sync\_repo | ACM Git repo address | string | n/a | yes | diff --git a/modules/config-sync/variables.tf b/modules/config-sync/variables.tf index 9582d7c37..799ffcf00 100644 --- a/modules/config-sync/variables.tf +++ b/modules/config-sync/variables.tf @@ -77,5 +77,5 @@ variable "ssh_auth_key" { variable "skip_gcloud_download" { description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" type = bool - default = false + default = true } diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf index 498d28b15..34264c30d 100644 --- a/modules/k8s-operator-crd-support/main.tf +++ b/modules/k8s-operator-crd-support/main.tf 
@@ -16,8 +16,6 @@ locals { cluster_endpoint = "https://${var.cluster_endpoint}" - token = data.google_client_config.default.access_token - cluster_ca_certificate = data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate private_key = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : var.ssh_auth_key k8sop_creds_secret_key = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type should_download_manifest = var.operator_path == null ? true : false @@ -26,19 +24,9 @@ locals { policy_dir_node = var.policy_dir != "" ? format("policyDir: %s", var.policy_dir) : "" } - -data "google_container_cluster" "primary" { - name = var.cluster_name - project = var.project_id - location = var.location -} - -data "google_client_config" "default" { -} - module "k8sop_manifest" { source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" + version = "~> 1.3" enabled = local.should_download_manifest skip_download = var.skip_gcloud_download 
@@ -50,16 +38,16 @@ module "k8sop_manifest" { module "k8s_operator" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" - module_depends_on = [module.k8sop_manifest.wait, data.google_client_config.default.project, data.google_container_cluster.primary.name] - additional_components = ["kubectl"] - skip_download = var.skip_gcloud_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f ${local.manifest_path}" - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f ${local.manifest_path}" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + module_depends_on = [module.k8sop_manifest.wait, var.cluster_endpoint] + skip_download = var.skip_gcloud_download + cluster_name = var.cluster_name + cluster_location = var.location + project_id = var.project_id + + kubectl_create_command = "kubectl apply -f ${local.manifest_path}" + kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}" } 
@@ -70,16 +58,16 @@ resource "tls_private_key" "k8sop_creds" { } module "k8sop_creds_secret" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" - module_depends_on = [module.k8s_operator.wait] - additional_components = ["kubectl"] - skip_download = var.skip_gcloud_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'" - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + module_depends_on = [module.k8s_operator.wait] + skip_download = var.skip_gcloud_download + cluster_name = var.cluster_name + cluster_location = var.location + project_id = var.project_id + + kubectl_create_command = "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'" + kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}" } 
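Review bot: `kubectl_create_command` in `k8sop_creds_secret` interpolates `local.private_key` directly into the command line as `--from-literal=...='${local.private_key}'`. That places the Git credential in the argv of a locally executed process, where it is visible in process listings and can be printed by the provisioner, and the single-quote wrapping breaks if the value (for example a `cookiefile` credential) contains a `'`. Since this commit already introduces a `local_file` for the operator CR, consider writing the credential to a file with restricted permissions and using `--from-file=${local.k8sop_creds_secret_key}=<path>` instead, or at least add a comment noting the exposure.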
@@ -97,15 +85,20 @@ data "template_file" "k8sop_config" { } } +resource "local_file" "operator_cr" { + content = data.template_file.k8sop_config.rendered + filename = "${path.module}/operator_cr.yaml" +} + module "k8sop_config" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.0" - module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait] - additional_components = ["kubectl"] - skip_download = var.skip_gcloud_download - - create_cmd_entrypoint = "echo" - create_cmd_body = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f -" - destroy_cmd_entrypoint = "echo" - destroy_cmd_body = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f -" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait] + skip_download = var.skip_gcloud_download + cluster_name = var.cluster_name + cluster_location = var.location + project_id = var.project_id + + kubectl_create_command = "kubectl apply -f ${local_file.operator_cr.filename}" + kubectl_destroy_command = "kubectl delete -f ${local_file.operator_cr.filename}" } diff --git a/modules/k8s-operator-crd-support/variables.tf b/modules/k8s-operator-crd-support/variables.tf index 5bae4aaec..855aca4c1 100644 --- a/modules/k8s-operator-crd-support/variables.tf +++ b/modules/k8s-operator-crd-support/variables.tf @@ -108,6 +108,6 @@ variable "operator_cr_template_path" { variable "skip_gcloud_download" { description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" type = bool - default = false + default = true } 
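Review bot: `resource "local_file" "operator_cr"` writes the rendered ConfigManagement CR to `${path.module}/operator_cr.yaml`, i.e. into the module's own source directory. `path.module` is shared by every instance of the module, so two instances (two clusters) would overwrite the same file, and when the module is consumed from a registry cache or a read-only checkout the write can fail or dirty the tree. A per-instance path outside the module source, for example under `path.root` keyed by `var.cluster_name`, avoids both problems; if the file stays in-tree it should be ignored by version control. `local_file` also requires the `local` provider, which no hunk shown declares, so confirm the module's version constraints cover it.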
diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf @@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index 0fbf97c31..ed7fdfb01 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
@@ -20,16 +20,18 @@ Delete default kube-dns configmap *****************************************/ module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google" - version = "~> 1.3.0" - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners - additional_components = ["kubectl"] - - upgrade = var.gcloud_upgrade - skip_download = var.gcloud_skip_download - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" + enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && ! var.skip_provisioners + cluster_name = google_container_cluster.primary.name + cluster_location = google_container_cluster.primary.location + project_id = var.project_id + upgrade = var.gcloud_upgrade + skip_download = var.gcloud_skip_download + + + kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" + kubectl_destroy_command = "" module_depends_on = concat( [data.google_client_config.default.access_token], diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf index 52ab8f47e..04a4ae21c 100644 --- a/modules/workload-identity/main.tf +++ b/modules/workload-identity/main.tf 
@@ -19,23 +19,9 @@ locals { gcp_sa_email = google_service_account.cluster_service_account.email # This will cause terraform to block returning outputs until the service account is created - k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name - output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name - output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace - token = var.use_existing_k8s_sa ? data.google_client_config.default.0.access_token : "" - cluster_ca_certificate = var.use_existing_k8s_sa ? data.google_container_cluster.primary.0.master_auth.0.cluster_ca_certificate : "" - cluster_endpoint = var.use_existing_k8s_sa ? "https://${data.google_container_cluster.primary.0.endpoint}" : "" -} - -data "google_container_cluster" "primary" { - count = var.use_existing_k8s_sa ? 1 : 0 - name = var.cluster_name - project = var.project_id - location = var.location -} - -data "google_client_config" "default" { - count = var.use_existing_k8s_sa ? 1 : 0 + k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name + output_k8s_name = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name + output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace } resource "google_service_account" "cluster_service_account" { 
@@ -58,19 +44,17 @@ resource "kubernetes_service_account" "main" { } module "annotate-sa" { - source = "terraform-google-modules/gcloud/google" - version = "~> 0.5" - - platform = "linux" - additional_components = ["kubectl"] - enabled = var.use_existing_k8s_sa - skip_download = true + source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" + version = "~> 1.4" - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}" + enabled = var.use_existing_k8s_sa + skip_download = true + cluster_name = var.cluster_name + cluster_location = var.location + project_id = var.project_id - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-" + kubectl_create_command = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}" + kubectl_destroy_command = "kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-" } resource "google_service_account_iam_member" "main" {
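Review bot: `annotate-sa` now passes `var.cluster_name`, `var.location` and `var.project_id` to the wrapper unconditionally, whereas the removed data sources only read them when `var.use_existing_k8s_sa` was true. If those variables default to `null` for the create-SA path, confirm the `kubectl-wrapper` module tolerates null inputs while `enabled = false`; otherwise a comment such as `# cluster_name/location are only consulted when enabled (use_existing_k8s_sa)` documents the coupling. The jump from `version = "~> 0.5"` to `"~> 1.4"` crosses a major version of the gcloud module and deserves a changelog mention.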