feat!: Add support for asm v1.8 to the asm module (#824)

* Initial changes to asm module to support installing asm ver 1.8.

* Updated changes to support ASM 1.8

* -updated provider version in the safer_cluster_iap_bastion example -added readme for v14.0 release

* -updated readme for v14.0 release

Co-authored-by: kaariger <kaariger@users.noreply.github.com>
Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

docs/upgrading_to_v14.0.md

@@ -0,0 +1,15 @@
+# Upgrading to v14.0
+
+The v14.0 release of *kubernetes-engine* is a backwards incompatible
+release for some versions of Anthos Service Mesh (ASM).
+
+### ASM default version changed to 1.8
+
+[ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been changed to use ASM v1.8 as default.
+
+The module now uses the new ASM [installation script](https://cloud.google.com/service-mesh/docs/scripted-install/asm-onboarding) which:
+- Does not support installation and upgrades for ASM versions older than 1.7.3.
+- Supports upgrades only from versions 1.7.3+ or a 1.8 patch release.
+- Supports migrations from open source Istio 1.7 or 1.8 to ASM
+
+Please see the script page for up to date details.

examples/safer_cluster_iap_bastion/provider.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.50.0"
+  version = "~> 3.52.0"
 }
 
 provider "google-beta" {

modules/asm/README.md

@@ -38,7 +38,7 @@ To deploy this config:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | asm\_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no |
-| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"release-1.6-asm"` | no |
+| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no |
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |

modules/asm/main.tf

@@ -33,6 +33,6 @@ module "asm_install" {
   service_account_key_file = var.service_account_key_file
 
 
-  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_dir} ${var.asm_version} ${data.google_project.asm_project.number}"
+  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}"
   kubectl_destroy_command = "kubectl delete ns istio-system"
 }

modules/asm/scripts/install_asm.sh

@@ -15,59 +15,20 @@
 
 set -e
 
-if [ "$#" -lt 6 ]; then
+if [ "$#" -lt 4 ]; then
     >&2 echo "Not all expected arguments set."
     exit 1
 fi
 
 PROJECT_ID=$1
 CLUSTER_NAME=$2
 CLUSTER_LOCATION=$3
-ASM_RESOURCES=$4
-ASM_VERSION=$5
-PROJECT_NUM=$6
-BASE_DIR="asm-base-dir"
-# check for needed binaries
-# kustomize is a requirement for installing ASM and is not available via gcloud. Safely exit if not available.
-if [[ -z $(command -v kustomize) ]]; then
-  echo "kustomize is unavailable. Skipping ASM installation. Please install kustomize, add to PATH and rerun terraform apply."
-  exit 1
-fi
-# # check docker which is optionally used for validating asm yaml using gcr.io/kustomize-functions/validate-asm:v0.1.0
-# if [[ $(command -v docker) ]]; then
-#   echo "Docker is available. ASM yaml validation will be performed."
-# else
-#   echo "ASM yaml validation will be skipped as Docker is unavailable"
-#   SKIP_ASM_VALIDATION=true
-# fi
-mkdir -p "${ASM_RESOURCES}"
-pushd "${ASM_RESOURCES}"
-gcloud config set project "${PROJECT_ID}"
-if [[ -d ./asm-patch ]]; then
-    echo "ASM patch directory exists. Skipping download..."
-else
-    echo "Downloading ASM patch"
-    kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm-patch@"${ASM_VERSION}" .
-fi
-gcloud beta anthos export "${CLUSTER_NAME}" --output-directory ${BASE_DIR} --project "${PROJECT_ID}" --location "${CLUSTER_LOCATION}"
-kpt cfg set asm-patch/ base-dir ../${BASE_DIR}
-kpt cfg set asm-patch/ gcloud.core.project "${PROJECT_ID}"
-kpt cfg set asm-patch/ gcloud.container.cluster "${CLUSTER_NAME}"
-kpt cfg set asm-patch/ gcloud.compute.location "${CLUSTER_LOCATION}"
-kpt cfg set asm-patch/ gcloud.project.environProjectNumber "${PROJECT_NUM}"
-kpt cfg list-setters asm-patch/
-pushd ${BASE_DIR}
-kustomize create --autodetect --namespace "${PROJECT_ID}"
-popd
-pushd asm-patch
-kustomize build -o ../${BASE_DIR}/all.yaml
-popd
-# # skip validate as we should investigate if we can check this without having to resort to dind
-# if [[ ${SKIP_ASM_VALIDATION} ]]; then
-#  echo "Skipping ASM validation..."
-# else
-#  echo "Running ASM validation..."
-#  kpt fn source ${BASE_DIR} | kpt fn run --image gcr.io/kustomize-functions/validate-asm:v0.1.0
-# fi
-gcloud beta anthos apply ${BASE_DIR}
-kubectl wait --for=condition=available --timeout=600s deployment --all -n istio-system
+ASM_VERSION=$4
+MODE="install"
+
+#download the correct version of the install_asm script
+curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm
+chmod u+x install_asm
+
+#run the script with appropriate flags
+./install_asm --verbose --project_id "${PROJECT_ID}" --cluster_name "${CLUSTER_NAME}" --cluster_location "${CLUSTER_LOCATION}" --mode "${MODE}" --enable_cluster_labels --enable_cluster_roles

modules/asm/variables.tf

@@ -46,14 +46,13 @@ variable "asm_dir" {
   default     = "asm-dir"
 }
 
-variable "asm_version" {
-  description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages"
-  type        = string
-  default     = "release-1.6-asm"
-}
-
 variable "service_account_key_file" {
   description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
   default     = ""
 }
 
+variable "asm_version" {
+  description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages"
+  type        = string
+  default     = "1.8"
+}

test/setup/iam.tf

@@ -35,14 +35,20 @@ locals {
     "roles/iap.admin",
     "roles/gkehub.admin",
   ]
-  # roles as documented https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#setting_up_your_project
+
+  # roles as documented https://cloud.google.com/service-mesh/docs/installation-permissions
   int_asm_required_roles = [
     "roles/editor",
+    "roles/compute.admin",
     "roles/container.admin",
     "roles/resourcemanager.projectIamAdmin",
+    "roles/servicemanagement.admin",
+    "roles/serviceusage.serviceUsageAdmin",
     "roles/iam.serviceAccountAdmin",
     "roles/iam.serviceAccountKeyAdmin",
+    "roles/meshconfig.admin",
     "roles/gkehub.admin",
+    "roles/privateca.admin",
   ]
 }
 

test/setup/main.tf

@@ -75,7 +75,7 @@ module "gke-project-2" {
   ]
 }
 
-# apis as documented https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#setting_up_your_project
+# apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project
 module "gke-project-asm" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 9.1.0"
@@ -94,5 +94,13 @@ module "gke-project-asm" {
     "meshconfig.googleapis.com",
     "anthos.googleapis.com",
     "cloudresourcemanager.googleapis.com",
+    "monitoring.googleapis.com",
+    "stackdriver.googleapis.com",
+    "cloudtrace.googleapis.com",
+    "meshca.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "gkeconnect.googleapis.com",
+    "privateca.googleapis.com",
+    "gkehub.googleapis.com",
   ]
 }