From fdaa6e42731122b9b1f16deec7e24b4c75dd0770 Mon Sep 17 00:00:00 2001 From: coder Date: Fri, 16 Apr 2021 01:37:26 +0000 Subject: [PATCH 01/17] updated asm module --- modules/asm/main.tf | 12 +++- modules/asm/scripts/install_asm.sh | 91 ++++++++++++++++++++++++++++-- modules/asm/variables.tf | 55 +++++++++++++++++- 3 files changed, 149 insertions(+), 9 deletions(-) diff --git a/modules/asm/main.tf b/modules/asm/main.tf index eb512bf547..aa1cac0397 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -18,6 +18,15 @@ data "google_project" "asm_project" { project_id = var.project_id } +locals { + options_string = join(",", var.options) + custom_overlays_string = join(",", var.custom_overlays) + ca_cert = var.ca_certs["ca_cert"] + ca_key = var.ca_certs["ca_key"] + root_cert = var.ca_certs["root_cert"] + cert_chain = var.ca_certs["cert_chain"] +} + module "asm_install" { source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" @@ -32,7 +41,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all_apis} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index dcdb69da21..e8e6aed450 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh @@ -15,7 +15,7 @@ set -e -if [ "$#" -lt 4 ]; then +if [ "$#" -lt 5 ]; then >&2 echo "Not all expected arguments set." exit 1 fi 
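Review bot: Every value in the new `kubectl_create_command` (main.tf, `@@ -32,7 +41,6 @@`) is interpolated unquoted and then read by position in install_asm.sh, so an empty `options` or `custom_overlays` list (which `join` turns into an empty string) or any value containing whitespace shifts all later arguments, and `OUTDIR`, `CA`, `CA_KEY` and the rest receive the wrong values. If the wrapper module runs this string through a shell, which is not visible here, shell metacharacters in a variable would be interpreted rather than passed as data. Quote each interpolation, for example `'${local.options_string}'`, and add `validation` blocks that restrict these variables to the characters they actually need. The same string is extended in PATCH 02 and PATCH 03, where the point applies unchanged.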
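Review bot: The guard `"$#" -lt 5` in install_asm.sh (`@@ -15,7 +15,7 @@`) is out of step with the script, which in the next hunk reads positional parameters up to `${15}`; a call with fewer arguments passes the check and leaves the later variables empty. Compare against the real count, `if [ "$#" -lt 15 ]; then`, and update it whenever the list grows. PATCH 02 raises the highest index to `${16}` and PATCH 03 to `${22}` without touching this check. The rest of the script lies outside this hunk.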
@@ -24,11 +24,90 @@ PROJECT_ID=$1 CLUSTER_NAME=$2 CLUSTER_LOCATION=$3 ASM_VERSION=$4 -MODE="install" +MODE=$5 +SKIP_VALIDATION=$6 +OPTIONS_LIST=$7 +CUSTOM_OVERLAYS_LIST=$8 +ENABLE_ALL=$9 +OUTDIR=${10} +CA=${11} +CA_CERT=${12} +CA_KEY=${13} +ROOT_CERT=${14} +CERT_CHAIN=${15} + +# Set SKIP_VALIDATION variable +if [[ ${SKIP_VALIDATION} = "true" ]]; then + export _CI_NO_VALIDATE=1 +else + export _CI_NO_VALIDATE=0 +fi + +# Create bash arrays from options and custom_overlays lists +if [[ ${OPTIONS_LIST} ]]; then + IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}" +fi + +if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then + IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}" +fi + +# Echo all values +echo -e "MODE is $MODE" +echo -e "ASM_VERSION is $ASM_VERSION" +echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" +echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" +echo -e "OPTIONS is ${OPTIONS[@]}" +echo -e "OPTIONS array length is ${#OPTIONS[@]}" +# Create options command snippet +item="${OPTIONS[@]}";OPTIONS_COMMAND=$(echo "--option" ${item// / --option }) +echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND" +echo -e "CUSTOM_OVERLAYS is ${CUSTOM_OVERLAYS[@]}" +echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" +# Create custom_overlays command snippet +item="${CUSTOM_OVERLAYS[@]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" ${item// / --custom_overlay }) +echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND" +echo -e "ENABLE_ALL is $ENABLE_ALL" +echo -e "OUTDIR is $OUTDIR" #download the correct version of the install_asm script -curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm -chmod u+x install_asm +curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" +chmod u+x install_asm_"${ASM_VERSION}" + +# Craft options section for install_asm +if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then + OPTIONS_COMMAND_SNIPPET="" +else + 
OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}" +fi + +if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then + CUSTOM_OVERLAYS_COMMAND_SNIPPET="" +else + CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}" +fi + +if [[ "${ENABLE_ALL}" = false ]]; then + ENABLE_ALL_COMMAND_SNIPPET="" +else + ENABLE_ALL_COMMAND_SNIPPET="--enable_all" +fi + +if [[ "${OUTDIR}" = "none" ]]; then + OUTDIR_COMMAND_SNIPPET="" +else + OUTDIR_COMMAND_SNIPPET="--output_dir ${OUTDIR}" + mkdir -p ${OUTDIR} +fi + +if [[ "${CA}" = "citadel" ]]; then + CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}" +else + CA_COMMAND_SNIPPET="" +fi + +# Echo the command before executing +echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" -#run the script with appropriate flags -./install_asm --verbose --project_id "${PROJECT_ID}" --cluster_name "${CLUSTER_NAME}" --cluster_location "${CLUSTER_LOCATION}" --mode "${MODE}" --enable_cluster_labels --enable_cluster_roles +# #run the script with appropriate flags +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index b38bdc01d5..a387d14ed6 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf 
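Review bot: The installer is fetched with `curl … > install_asm_"${ASM_VERSION}"` and then executed with no `--fail` and no integrity check, so even under `set -e` an HTTP error page or a truncated download is made executable and run with the caller's cluster and project credentials. `ASM_VERSION` also flows unvalidated into both the URL and the file name. Fail on HTTP errors and verify the file against a pinned SHA-256 before `chmod`, as in the excerpt below, where `EXPECTED_SHA256` is a placeholder for the digest of the chosen version. Separately, the final `./install_asm_${ASM_VERSION} …` line drops the double quotes the old invocation had, so values are word-split and glob-expanded; collecting the arguments in a bash array would keep the optional flags without giving up quoting.

```shell
# … unchanged: argument parsing, _CI_NO_VALIDATE, option/overlay list splitting, echo lines …

# Download the installer; --fail turns an HTTP error into a non-zero exit for `set -e`
INSTALLER="install_asm_${ASM_VERSION}"
curl --fail --silent --show-error \
  -o "${INSTALLER}" \
  "https://storage.googleapis.com/csm-artifacts/asm/${INSTALLER}"

# EXPECTED_SHA256 is a placeholder: pin the published digest for this version
echo "${EXPECTED_SHA256}  ${INSTALLER}" | sha256sum --check --strict -
chmod u+x "${INSTALLER}"

# … unchanged: *_COMMAND_SNIPPET construction and installer invocation …
```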
@@ -54,5 +54,58 @@ variable "service_account_key_file" { variable "asm_version" { description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" type = string - default = "1.8" + default = "1.9" +} + +variable "mode" { + description = "ASM mode for deployment. Supported mode is install. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = string + default = "install" +} + +variable "options" { + description = "Comma separated list of options. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = list + default = ["none"] +} + +variable "custom_overlays" { + description = "Comma separated list of custom_overlay file paths. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = list + default = ["none"] +} + +variable "skip_validation" { + description = "Sets _CI_NO_VALIDATE variable. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = bool + default = false +} + +variable "enable_all_apis" { + description = "Sets --enable-all option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = bool + default = false +} + +variable "outdir" { + description = "Sets --outdir option. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = string + default = "none" +} + +variable "ca" { + description = "Sets CA option. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = string + default = "meshca" +} + +variable "ca_certs" { + description = "Sets CA certificate file paths. 
Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + type = map + default = { + "ca_cert" = "none" + "ca_key" = "none" + "root_cert" = "none" + "cert_chain" = "none" + } } From 28519049c58dade28afa50e1d199580df25a798f Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 28 Apr 2021 16:45:46 +0000 Subject: [PATCH 02/17] updated asm module --- modules/asm/main.tf | 2 +- modules/asm/scripts/install_asm.sh | 39 ++++++++++++++++++------------ modules/asm/variables.tf | 6 +++++ 3 files changed, 31 insertions(+), 16 deletions(-) diff --git a/modules/asm/main.tf b/modules/asm/main.tf index aa1cac0397..b1b17f00d7 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -41,6 +41,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all_apis} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all_apis} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index e8e6aed450..2b4c3ca62f 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
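Review bot: In the variables.tf hunk (`@@ -54,5 +54,58 @@`), `ca` accepts any string and `ca_certs` defaults every path to the sentinel `"none"`, so selecting `ca = "citadel"` without overriding the map makes install_asm.sh pass `--ca_cert none --ca_key none …` to the installer instead of failing early. Add a `validation` block to `ca`, e.g. `condition = contains(["meshca", "citadel"], var.ca)`, and have the script refuse `none` for the four paths when `CA` is `citadel`. `type = list` and `type = map` would also be clearer and stricter as `list(string)` and `map(string)`.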
@@ -25,16 +25,17 @@ CLUSTER_NAME=$2 CLUSTER_LOCATION=$3 ASM_VERSION=$4 MODE=$5 -SKIP_VALIDATION=$6 -OPTIONS_LIST=$7 -CUSTOM_OVERLAYS_LIST=$8 -ENABLE_ALL=$9 -OUTDIR=${10} -CA=${11} -CA_CERT=${12} -CA_KEY=${13} -ROOT_CERT=${14} -CERT_CHAIN=${15} +MCP=$6 +SKIP_VALIDATION=$7 +OPTIONS_LIST=$8 +CUSTOM_OVERLAYS_LIST=$9 +ENABLE_ALL=${10} +OUTDIR=${11} +CA=${12} +CA_CERT=${13} +CA_KEY=${14} +ROOT_CERT=${15} +CERT_CHAIN=${16} # Set SKIP_VALIDATION variable if [[ ${SKIP_VALIDATION} = "true" ]]; then @@ -54,6 +55,7 @@ fi # Echo all values echo -e "MODE is $MODE" +echo -e "MCP is $MCP" echo -e "ASM_VERSION is $ASM_VERSION" echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" @@ -74,14 +76,21 @@ echo -e "OUTDIR is $OUTDIR" curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" chmod u+x install_asm_"${ASM_VERSION}" +# Craft MCP section for install_asm +if [[ "${MCP}" = true ]]; then + MCP_COMMAND_SNIPPET="--managed" +else + MCP_COMMAND_SNIPPET="" +fi + # Craft options section for install_asm -if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then +if [[ "${OPTIONS_COMMAND}" = "--option none" ]] || [[ "${MCP}" = true ]]; then OPTIONS_COMMAND_SNIPPET="" else OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}" fi -if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then +if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]] || [[ "${MCP}" = true ]]; then CUSTOM_OVERLAYS_COMMAND_SNIPPET="" else CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}" 
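Review bot: When `MCP` is `true`, the new conditions in the `@@ -74,14 +76,21 @@` hunk silently discard the caller's `options` and `custom_overlays`, and the `@@ -100,14 +109,14 @@` hunk does the same for `ca = citadel`, so the install proceeds with whatever CA the installer defaults to and without the requested overlays, while the earlier `echo` lines still print the requested values. An operator who supplied an overlay or their own CA material gets no signal that it was not applied. Fail instead of ignoring, e.g. `>&2 echo "options, custom_overlays and ca=citadel are not supported with managed_control_plane"; exit 1` when any of them is set together with `MCP`. The `if` blocks involved start or end outside these hunks.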
@@ -100,14 +109,14 @@ else mkdir -p ${OUTDIR} fi -if [[ "${CA}" = "citadel" ]]; then +if [[ "${CA}" = "citadel" ]] && [[ "${MCP}" = false ]]; then CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}" else CA_COMMAND_SNIPPET="" fi # Echo the command before executing -echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" +echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" # #run the script with appropriate flags -./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index a387d14ed6..0e14298000 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf 
@@ -63,6 +63,12 @@ variable "mode" { default = "install" } +variable "managed_control_plane" { + description = "ASM managed control plane boolean. Supported mode is install." + type = bool + default = false +} + variable "options" { description = "Comma separated list of options. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" type = list From 40181fec35d3d403da99670d2b2b8af48ae0408b Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 5 May 2021 16:54:04 +0000 Subject: [PATCH 03/17] updated asm module --- examples/simple_zonal_with_asm/main.tf | 21 ++++++-- modules/asm/README.md | 51 ++++++++++++------- modules/asm/main.tf | 2 +- modules/asm/scripts/install_asm.sh | 70 ++++++++++++++++++++++---- modules/asm/variables.tf | 68 +++++++++++++++++++------ 5 files changed, 160 insertions(+), 52 deletions(-) diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index b4f3cf5d01..f8dd1df5a6 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -68,9 +68,20 @@ module "gke" { } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location + source = "../../modules/asm" + cluster_name = module.gke.name + cluster_endpoint = module.gke.endpoint + project_id = var.project_id + location = module.gke.location + enable_all = false + enable_cluster_roles = true + enable_cluster_labels = false + enable_gcp_apis = false + enable_gcp_iam_roles = true + enable_gcp_components = true + enable_registration = false + managed_control_plane = false + options = ["envoy-access-log,egressgateways"] + skip_validation = true + outdir = "./${module.gke.name}-outdir-${var.asm_version}" } diff --git a/modules/asm/README.md b/modules/asm/README.md index e0c3264381..de4614eb01 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
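Review bot: The example in examples/simple_zonal_with_asm/main.tf sets `skip_validation = true`, which per the variable's description makes the script skip its prerequisite checks (IAM roles, Google APIs), and examples tend to be copied as-is. Leave it at the default `false` here, or add a comment stating why the example skips validation. `options = ["envoy-access-log,egressgateways"]` is also a single list element containing a comma; it works only because the module joins and re-splits on commas, so `["envoy-access-log", "egressgateways"]` would match the declared list type. `var.asm_version` is referenced in `outdir`, but its declaration in the example is not visible in this hunk.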
@@ -1,12 +1,12 @@ # Terraform Kubernetes Engine ASM Submodule -This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes cluster. +This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes Engine (GKE) cluster. -Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)) +Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)). ## Usage -There is a [full example](../../examples/simple_zonal_with_asm) provided. Simple usage is as follows: +There is a [full example](../../examples/simple_zonal_with_asm) provided. Detailed usage example is as follows: ```tf module "asm" { 
@@ -16,40 +16,53 @@ module "asm" { cluster_name = "my-cluster-name" location = module.gke.location cluster_endpoint = module.gke.endpoint + enable_all = false + enable_cluster_roles = true + enable_cluster_labels = false + enable_gcp_apis = false + enable_gcp_iam_roles = true + enable_gcp_components = true + enable_registration = false + managed_control_plane = false + options = ["envoy-access-log,egressgateways"] + custom_overlays = ["./custom_ingress_gateway.yaml"] + skip_validation = true + outdir = "./${module.gke.name}-outdir-${var.asm_version}" } ``` To deploy this config: + 1. Run `terraform apply` ## Requirements -- Anthos Service Mesh [requires](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#requirements) an active Anthos license. +- Anthos Service Mesh on GCP no longer requires an active Anthos license. You can use Anthos Service Mesh as a standalone product on GCP (on GKE) or as part of your Anthos subscription for hybrid and multi-cloud architectures. - GKE cluster must have minimum four nodes. - Minimum machine type is `e2-standard-4`. - GKE cluster must be enrolled in a release channel. ASM does not support static version. - ASM on a private GKE cluster requires adding a firewall rule to open port 15017 if you want to use [automatic sidecar injection](https://cloud.google.com/service-mesh/docs/proxy-injection). -- Only one ASM per Google Cloud project is supported. - +- One ASM mesh per Google Cloud project is supported. + ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| asm\_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no | -| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no | -| cluster\_endpoint | The GKE cluster endpoint. 
| `string` | n/a | yes | -| cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | -| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | -| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | -| project\_id | The project in which the resource belongs. | `string` | n/a | yes | -| service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | +| Name | Description | Type | Default | Required | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------- | :------: | +| asm_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no | +| asm_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no | +| cluster_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | +| cluster_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | +| gcloud_sdk_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | +| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | +| project_id | The project in which the resource belongs. | `string` | n/a | yes | +| service_account_key_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. 
| `string` | `""` | no | ## Outputs -| Name | Description | -|------|-------------| -| asm\_wait | An output to use when you want to depend on ASM finishing | +| Name | Description | +| -------- | --------------------------------------------------------- | +| asm_wait | An output to use when you want to depend on ASM finishing | diff --git a/modules/asm/main.tf b/modules/asm/main.tf index b1b17f00d7..597850afe0 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -41,6 +41,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all_apis} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index 2b4c3ca62f..ea74939b95 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
@@ -30,12 +30,18 @@ SKIP_VALIDATION=$7 OPTIONS_LIST=$8 CUSTOM_OVERLAYS_LIST=$9 ENABLE_ALL=${10} -OUTDIR=${11} -CA=${12} -CA_CERT=${13} -CA_KEY=${14} -ROOT_CERT=${15} -CERT_CHAIN=${16} +ENABLE_CLUSTER_ROLES=${11} +ENABLE_CLUSTER_LABELS=${12} +ENABLE_GCP_APIS=${13} +ENABLE_GCP_IAM_ROLES=${14} +ENABLE_GCP_COMPONENTS=${15} +ENABLE_REGISTRATION=${16} +OUTDIR=${17} +CA=${18} +CA_CERT=${19} +CA_KEY=${20} +ROOT_CERT=${21} +CERT_CHAIN=${22} # Set SKIP_VALIDATION variable if [[ ${SKIP_VALIDATION} = "true" ]]; then @@ -70,6 +76,12 @@ echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" item="${CUSTOM_OVERLAYS[@]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" ${item// / --custom_overlay }) echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND" echo -e "ENABLE_ALL is $ENABLE_ALL" +echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES" +echo -e "ENABLE_CLUSTER_LABELS is $ENABLE_CLUSTER_LABELS" +echo -e "ENABLE_GCP_APIS is $ENABLE_GCP_APIS" +echo -e "ENABLE_GCP_IAM_ROLES is $ENABLE_GCP_IAM_ROLES" +echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS" +echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION" echo -e "OUTDIR is $OUTDIR" #download the correct version of the install_asm script @@ -84,13 +96,13 @@ else fi # Craft options section for install_asm -if [[ "${OPTIONS_COMMAND}" = "--option none" ]] || [[ "${MCP}" = true ]]; then +if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then OPTIONS_COMMAND_SNIPPET="" else OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}" fi -if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]] || [[ "${MCP}" = true ]]; then +if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then CUSTOM_OVERLAYS_COMMAND_SNIPPET="" else CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}" 
@@ -102,6 +114,42 @@ else ENABLE_ALL_COMMAND_SNIPPET="--enable_all" fi +if [[ "${ENABLE_CLUSTER_ROLES}" = false ]]; then + ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="" +else + ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="--enable_cluster_roles" +fi + +if [[ "${ENABLE_CLUSTER_LABELS}" = false ]]; then + ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="" +else + ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="--enable_cluster_labels" +fi + +if [[ "${ENABLE_GCP_APIS}" = false ]]; then + ENABLE_GCP_APIS_COMMAND_SNIPPET="" +else + ENABLE_GCP_APIS_COMMAND_SNIPPET="--enable_gcp_apis" +fi + +if [[ "${ENABLE_GCP_IAM_ROLES}" = false ]]; then + ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="" +else + ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="--enable_gcp_iam_roles" +fi + +if [[ "${ENABLE_GCP_COMPONENTS}" = false ]]; then + ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="" +else + ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="--enable_gcp_components" +fi + +if [[ "${ENABLE_REGISTRATION}" = false ]]; then + ENABLE_REGISTRATION_COMMAND_SNIPPET="" +else + ENABLE_REGISTRATION_COMMAND_SNIPPET="--enable_registration" +fi + if [[ "${OUTDIR}" = "none" ]]; then OUTDIR_COMMAND_SNIPPET="" else 
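Review bot: Each new `ENABLE_*` test treats the literal `false` as off and everything else as on, so an empty string from a missing or shifted positional argument turns the flag on; judging by their names, `--enable_gcp_iam_roles`, `--enable_cluster_roles` and `--enable_gcp_apis` then grant roles or enable APIs nobody asked for. Invert the tests so a flag is added only on an explicit opt-in, e.g. `if [[ "${ENABLE_GCP_IAM_ROLES}" = "true" ]]; then ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="--enable_gcp_iam_roles"; else ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET=""; fi`. The pre-existing `ENABLE_ALL` test just above the added lines has the same shape. The `OUTDIR` block at the end of the hunk continues outside it.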
@@ -109,14 +157,14 @@ else mkdir -p ${OUTDIR} fi -if [[ "${CA}" = "citadel" ]] && [[ "${MCP}" = false ]]; then +if [[ "${CA}" = "citadel" ]]; then CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}" else CA_COMMAND_SNIPPET="" fi # Echo the command before executing -echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" +echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" # #run the script with appropriate flags -./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} 
${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index 0e14298000..d8b5930cd1 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -40,11 +40,11 @@ variable "gcloud_sdk_version" { default = "296.0.1" } -variable "asm_dir" { - description = "Name of directory to keep ASM resource config files." - type = string - default = "asm-dir" -} +# variable "asm_dir" { +# description = "Name of directory to keep ASM resource config files." +# type = string +# default = "asm-dir" +# } variable "service_account_key_file" { description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`." 
@@ -52,61 +52,97 @@ variable "service_account_key_file" { } variable "asm_version" { - description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" type = string default = "1.9" } variable "mode" { - description = "ASM mode for deployment. Supported mode is install. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "ASM mode for deployment. Supported mode is `install` only." type = string default = "install" } variable "managed_control_plane" { - description = "ASM managed control plane boolean. Supported mode is install." + description = "ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional." type = bool default = false } variable "options" { - description = "Comma separated list of options. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features." type = list default = ["none"] } variable "custom_overlays" { - description = "Comma separated list of custom_overlay file paths. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. 
Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file" type = list default = ["none"] } variable "skip_validation" { - description = "Sets _CI_NO_VALIDATE variable. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Sets _CI_NO_VALIDATE variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc." + type = bool + default = false +} + +variable "enable_all" { + description = "Sets `--enable_all` option if true." + type = bool + default = false +} + +variable "enable_cluster_roles" { + description = "Sets `--enable_cluster_roles` option if true." + type = bool + default = false +} + +variable "enable_cluster_labels" { + description = "Sets `--enable_cluster_labels` option if true." + type = bool + default = false +} + +variable "enable_gcp_apis" { + description = "Sets `--enable_gcp_apis` option if true." + type = bool + default = false +} + +variable "enable_gcp_iam_roles" { + description = "Sets `--enable_gcp_iam_roles` option if true." + type = bool + default = false +} + +variable "enable_gcp_components" { + description = "Sets --enable_gcp_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" type = bool default = false } -variable "enable_all_apis" { - description = "Sets --enable-all option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" +variable "enable_registration" { + description = "Sets `--enable_registration` option if true." type = bool default = false } variable "outdir" { - description = "Sets --outdir option. 
Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Sets `--outdir` option." type = string default = "none" } variable "ca" { - description = "Sets CA option. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." type = string default = "meshca" } variable "ca_certs" { - description = "Sets CA certificate file paths. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" + description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." type = map default = { "ca_cert" = "none" From bf0ed7e5a3ebfa7a5434d99e32d5d64ef9f4ac86 Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 5 May 2021 16:56:10 +0000 Subject: [PATCH 04/17] updated asm module --- modules/asm/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/asm/README.md b/modules/asm/README.md index de4614eb01..f6a724ec39 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
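Review bot: The `asm_version` description in the `@@ -52,61 +52,97 @@` hunk now says only `1.8` and `1.9` are supported, but nothing enforces it, and the value selects which remote installer install_asm.sh downloads and executes. Add a `validation` block, e.g. `condition = contains(["1.8", "1.9"], var.asm_version)`. The `outdir` description says it sets `--outdir` while the script passes `--output_dir`, and `enable_gcp_components` kept the old copy-pasted description text. Renaming `enable_all_apis` to `enable_all` also breaks callers that set the old name, which deserves a changelog note. The `ca_certs` block continues outside the hunk.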
@@ -10,12 +10,12 @@ There is a [full example](../../examples/simple_zonal_with_asm) provided. Detail ```tf module "asm" { - source = "terraform-google-modules/kubernetes-engine/google//modules/asm" + source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - project_id = "my-project-id" - cluster_name = "my-cluster-name" - location = module.gke.location - cluster_endpoint = module.gke.endpoint + project_id = "my-project-id" + cluster_name = "my-cluster-name" + location = module.gke.location + cluster_endpoint = module.gke.endpoint enable_all = false enable_cluster_roles = true enable_cluster_labels = false From d65d3743481906d356c38aeff946c5d8b99ef53b Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 5 May 2021 17:50:36 +0000 Subject: [PATCH 05/17] updated asm module --- modules/asm/README.md | 41 +++++++++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/modules/asm/README.md b/modules/asm/README.md index f6a724ec39..5ffc85cb07 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -45,24 +45,37 @@ To deploy this config: - One ASM mesh per Google Cloud project is supported. - ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------- | :------: | -| asm_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no | -| asm_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no | -| cluster_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | -| cluster_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | -| gcloud_sdk_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | -| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | -| project_id | The project in which the resource belongs. | `string` | n/a | yes | -| service_account_key_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no | +| ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no | +| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. 
Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` |
{
"ca_cert": "none",
"ca_key": "none",
"cert_chain": "none",
"root_cert": "none"
}
| no | +| cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | +| cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | +| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` |
[
"none"
]
| no | +| enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no | +| enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no | +| enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no | +| enable\_gcp\_apis | Sets `--enable_gcp_apis` option if true. | `bool` | `false` | no | +| enable\_gcp\_components | Sets --enable\_gcp\_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `bool` | `false` | no | +| enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no | +| enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no | +| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | +| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | +| managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | +| mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | +| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` |
[
"none"
]
| no | +| outdir | Sets `--outdir` option. | `string` | `"none"` | no | +| project\_id | The project in which the resource belongs. | `string` | n/a | yes | +| service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | +| skip\_validation | Sets \_CI\_NO\_VALIDATE variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | ## Outputs -| Name | Description | -| -------- | --------------------------------------------------------- | -| asm_wait | An output to use when you want to depend on ASM finishing | +| Name | Description | +|------|-------------| +| asm\_wait | An output to use when you want to depend on ASM finishing | From 407007aa7dcd4d625a032152acf9597450a67109 Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 5 May 2021 17:52:20 +0000 Subject: [PATCH 06/17] updated asm module --- modules/asm/README.md | 2 +- modules/asm/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/asm/README.md b/modules/asm/README.md index 5ffc85cb07..d1ee2119dd 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -70,7 +70,7 @@ To deploy this config: | outdir | Sets `--outdir` option. | `string` | `"none"` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | -| skip\_validation | Sets \_CI\_NO\_VALIDATE variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | +| skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | ## Outputs diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index d8b5930cd1..5a6a1bc3d2 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -82,7 +82,7 @@ variable "custom_overlays" { } variable "skip_validation" { - description = "Sets _CI_NO_VALIDATE variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc." + description = "Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc." type = bool default = false } From 9ba8cc64ab8406058c9334176d7d82b3e0cf9531 Mon Sep 17 00:00:00 2001 From: coder Date: Mon, 10 May 2021 18:53:38 +0000 Subject: [PATCH 07/17] updated asm module --- modules/asm/README.md | 2 ++ modules/asm/main.tf | 2 +- modules/asm/scripts/install_asm.sh | 22 ++++++++++++++++++++-- modules/asm/variables.tf | 12 ++++++++++++ 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/modules/asm/README.md b/modules/asm/README.md index d1ee2119dd..6e14fbd67c 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -63,12 +63,14 @@ To deploy this config: | enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no | | enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no | | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | +| key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no | | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | | mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | | options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` |
[
"none"
]
| no | | outdir | Sets `--outdir` option. | `string` | `"none"` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | +| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no | | skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no | diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 597850afe0..106f5ddbca 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -41,6 +41,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${var.service_account} ${var.key_file}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index ea74939b95..fb31636677 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh @@ -42,6 +42,8 @@ CA_CERT=${19} CA_KEY=${20} ROOT_CERT=${21} CERT_CHAIN=${22} +SERVICE_ACCOUNT=${23} +KEY_FILE=${24} # Set SKIP_VALIDATION variable if [[ ${SKIP_VALIDATION} = "true" ]]; then 
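Review bot: The two arguments appended to `kubectl_create_command`, `${var.service_account} ${var.key_file}`, are interpolated unquoted and both default to `""`, so the positions the script reads (`SERVICE_ACCOUNT=${23}`, `KEY_FILE=${24}` in the install_asm.sh hunk that follows) shift whenever only `key_file` is set: the key path then arrives as `$23` and is used as the service account. Assuming the wrapper hands this string to a shell, a value containing whitespace or shell metacharacters is also split or interpreted there. Quoting the interpolations, `'${var.service_account}' '${var.key_file}'`, keeps empty values in place as empty arguments and stops the splitting. The `@@ -43,6 +44,6 @@` main.tf hunk in PATCH 09 has the same problem: with both values empty, the appended `${local.asm_git_tag_string}` lands in `$23`. The module block starts outside the hunk.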
@@ -83,6 +85,8 @@ echo -e "ENABLE_GCP_IAM_ROLES is $ENABLE_GCP_IAM_ROLES" echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS" echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION" echo -e "OUTDIR is $OUTDIR" +echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT" +echo -e "KEY_FILE is $KEY_FILE" #download the correct version of the install_asm script curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" @@ -95,6 +99,20 @@ else MCP_COMMAND_SNIPPET="" fi +# Craft service_account section for install_asm +if [[ "${SERVICE_ACCOUNT}" = "" ]]; then + SERVICE_ACCOUNT_COMMAND_SNIPPET="" +else + SERVICE_ACCOUNT_COMMAND_SNIPPET="--service_account ${SERVICE_ACCOUNT}" +fi + +# Craft key_file section for install_asm +if [[ "${KEY_FILE}" = "" ]]; then + KEY_FILE_COMMAND_SNIPPET="" +else + KEY_FILE_COMMAND_SNIPPET="--key_file ${KEY_FILE}" +fi + # Craft options section for install_asm if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then OPTIONS_COMMAND_SNIPPET="" 
@@ -164,7 +182,7 @@ else fi # Echo the command before executing -echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET}" +echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}" # #run the script with appropriate flags -./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} 
${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index 5a6a1bc3d2..a86610ab0f 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -63,6 +63,18 @@ variable "mode" { default = "install" } +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." + type = string + default = "" +} + +variable "key_file" { + description = "The GCP Service Account credentials file path used to deploy ASM." + type = string + default = "" +} + variable "managed_control_plane" { description = "ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional." type = bool From bb8ccd0ea7e295275386dfae4cedfe3dac43cbe6 Mon Sep 17 00:00:00 2001 From: coder Date: Thu, 13 May 2021 22:01:08 +0000 Subject: [PATCH 08/17] updated asm module --- modules/asm/main.tf | 14 ++++++++------ modules/asm/scripts/install_asm.sh | 7 ++++++- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 106f5ddbca..693641e0dc 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -19,12 +19,14 @@ data "google_project" "asm_project" { } locals { - options_string = join(",", var.options) - custom_overlays_string = join(",", var.custom_overlays) - ca_cert = var.ca_certs["ca_cert"] - ca_key = var.ca_certs["ca_key"] - root_cert = var.ca_certs["root_cert"] - cert_chain = var.ca_certs["cert_chain"] + options_to_string = join(",", var.options) + options_string = (local.options_to_string != "" ? join(",", var.options) : "none") + custom_overlays_to_string = join(",", var.custom_overlays) + custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") + ca_cert = var.ca_certs["ca_cert"] + ca_key = var.ca_certs["ca_key"] + root_cert = var.ca_certs["root_cert"] + cert_chain = var.ca_certs["cert_chain"] } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index fb31636677..4873d33024 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh @@ -55,10 +55,14 @@ fi # Create bash arrays from options and custom_overlays lists if [[ ${OPTIONS_LIST} ]]; then IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}" +elif [[ ${OPTIONS_LIST} = "" ]]; then + export OPTIONS="--option none" fi if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}" +else + export CUSTOM_OVERLAYS="--custom_overlay none" fi # Echo all values @@ -67,6 +71,7 @@ echo -e "MCP is $MCP" echo -e "ASM_VERSION is $ASM_VERSION" echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" +echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" echo -e "OPTIONS is ${OPTIONS[@]}" echo -e "OPTIONS array length is ${#OPTIONS[@]}" # Create options command snippet @@ -110,7 +115,7 @@ fi if [[ "${KEY_FILE}" = "" ]]; then KEY_FILE_COMMAND_SNIPPET="" else - KEY_FILE_COMMAND_SNIPPET="--key_file ${KEY_FILE}" + KEY_FILE_COMMAND_SNIPPET="--key_file `pwd`/${KEY_FILE}" fi # Craft options section for install_asm 
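Review bot: In the `@@ -110,7 +115,7 @@` hunk the new `--key_file` value prepends the output of `pwd` to `${KEY_FILE}` unconditionally, so an absolute path passed as `key_file` is turned into a path under the working directory and the credentials file is not found. Prefix only relative paths, for example `[[ "${KEY_FILE}" = /* ]] || KEY_FILE="$(pwd)/${KEY_FILE}"` before the snippet is built. The `key_file` variable description added in PATCH 07 says only "credentials file path"; it should state which directory a relative path is resolved against. The later `$(pwd)` rewrite in PATCH 11 keeps the same behaviour, and the script continues outside this hunk.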
From a5225771ce7623956b0f13e444cf36eb5d63389c Mon Sep 17 00:00:00 2001 From: coder Date: Fri, 14 May 2021 20:46:56 +0000 Subject: [PATCH 09/17] updated asm module --- modules/asm/README.md | 1 + modules/asm/main.tf | 3 ++- modules/asm/scripts/install_asm.sh | 14 ++++++++++++-- modules/asm/variables.tf | 6 ++++++ 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/modules/asm/README.md b/modules/asm/README.md index 6e14fbd67c..4d2abcf543 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -49,6 +49,7 @@ To deploy this config: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no | | asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no | | ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no | | ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` |
{
"ca_cert": "none",
"ca_key": "none",
"cert_chain": "none",
"root_cert": "none"
}
| no | diff --git a/modules/asm/main.tf b/modules/asm/main.tf index 693641e0dc..214ffab724 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -23,6 +23,7 @@ locals { options_string = (local.options_to_string != "" ? join(",", var.options) : "none") custom_overlays_to_string = join(",", var.custom_overlays) custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") + asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) ca_cert = var.ca_certs["ca_cert"] ca_key = var.ca_certs["ca_key"] root_cert = var.ca_certs["root_cert"] @@ -43,6 +44,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${var.service_account} ${var.key_file}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${var.service_account} ${var.key_file} ${local.asm_git_tag_string}" kubectl_destroy_command = "kubectl delete ns istio-system" } 
diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index 4873d33024..5f95540554 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh @@ -44,6 +44,7 @@ ROOT_CERT=${21} CERT_CHAIN=${22} SERVICE_ACCOUNT=${23} KEY_FILE=${24} +ASM_GIT_TAG=${25} # Set SKIP_VALIDATION variable if [[ ${SKIP_VALIDATION} = "true" ]]; then @@ -69,6 +70,7 @@ fi echo -e "MODE is $MODE" echo -e "MCP is $MCP" echo -e "ASM_VERSION is $ASM_VERSION" +echo -e "ASM_GIT_TAG is $ASM_GIT_TAG" echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" @@ -94,8 +96,16 @@ echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT" echo -e "KEY_FILE is $KEY_FILE" #download the correct version of the install_asm script -curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" -chmod u+x install_asm_"${ASM_VERSION}" +if [[ "${ASM_GIT_TAG}" = "none" ]]; then + echo -e "Downloading install_asm with latest git tag..." + curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}" + chmod u+x install_asm_"${ASM_VERSION}" +else + ASM_GIT_TAG_FIXED=$(sed 's/+/-/g' <<<"$ASM_GIT_TAG") + echo -e "Downloading install_asm with git tag $ASM_GIT_TAG..." + curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_GIT_TAG_FIXED}" > install_asm_"${ASM_VERSION}" + chmod u+x install_asm_"${ASM_VERSION}" +fi # Craft MCP section for install_asm if [[ "${MCP}" = true ]]; then diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index a86610ab0f..96c3809acb 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf 
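Review bot: Both `curl` calls in the `@@ -94,8 +96,16 @@` hunk write whatever the server returns into `install_asm_${ASM_VERSION}`, which is then marked executable and run with the deployer's credentials; without `--fail`, an HTTP error for a mistyped `asm_git_tag` still exits 0 under the script's `set -e`, and the error body becomes the "installer". Nothing in the hunk checks the download's integrity either, so the module trusts the bucket content as-is on every apply. Add `--fail` and compare the file against a pinned or publisher-provided SHA-256 before `chmod`, if one is available for the artifact. The two branches differ only in the URL suffix, so computing the suffix once keeps the download and the check in one place.

```shell
# … unchanged: echo of configured values …
if [[ "${ASM_GIT_TAG}" = "none" ]]; then
  echo -e "Downloading install_asm with latest git tag..."
  ASM_SCRIPT_SUFFIX="${ASM_VERSION}"
else
  echo -e "Downloading install_asm with git tag $ASM_GIT_TAG..."
  ASM_SCRIPT_SUFFIX="${ASM_GIT_TAG//+/-}"
fi
curl --fail --silent --show-error \
  "https://storage.googleapis.com/csm-artifacts/asm/install_asm_${ASM_SCRIPT_SUFFIX}" \
  -o "install_asm_${ASM_VERSION}"
# ASM_SCRIPT_SHA256 is a placeholder for a digest supplied by the caller; this patch does not define it.
echo "${ASM_SCRIPT_SHA256}  install_asm_${ASM_VERSION}" | sha256sum --check -
chmod u+x "install_asm_${ASM_VERSION}"
```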
@@ -57,6 +57,12 @@ variable "asm_version" { default = "1.9" } +variable "asm_git_tag" { + description = "ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable." + type = string + default = "" +} + variable "mode" { description = "ASM mode for deployment. Supported mode is `install` only." type = string From 81b032021d657422e7dfb5eea0185ed6beda5cf0 Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 19 May 2021 17:48:20 +0000 Subject: [PATCH 10/17] updated asm module --- modules/asm/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/asm/README.md b/modules/asm/README.md index 4d2abcf543..6ce59fbc83 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
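Review bot: `asm_git_tag` is declared without a `validation` block, yet this commit interpolates it unquoted into `kubectl_create_command` in main.tf and install_asm.sh places it in the download URL, so a malformed value fails late or is split by the shell. A condition such as `can(regex("^[0-9A-Za-z.+-]*$", var.asm_git_tag))` would reject it at plan time, provided the module's minimum Terraform version supports variable validation. The description also reads "The ASM git tab", which should be "git tag".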
@@ -66,6 +66,7 @@ To deploy this config: | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | | key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no | | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | +| managed | Whether the control plane should be managed. | `bool` | `false` | no | | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | | mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | | options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` |
[
"none"
]
| no | From 3729ed424d52d5236759b4b19eddda39cb0e20aa Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 19 May 2021 20:53:00 +0000 Subject: [PATCH 11/17] updated asm module --- examples/simple_zonal_with_asm/README.md | 1 + examples/simple_zonal_with_asm/main.tf | 1 + examples/simple_zonal_with_asm/variables.tf | 4 ++++ modules/asm/scripts/install_asm.sh | 22 +++++++++---------- .../fixtures/simple_zonal_with_asm/example.tf | 1 + 5 files changed, 18 insertions(+), 11 deletions(-) diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index ce486ec503..025fcdc46f 100644 --- a/examples/simple_zonal_with_asm/README.md +++ b/examples/simple_zonal_with_asm/README.md @@ -7,6 +7,7 @@ This example illustrates how to create a simple zonal cluster with ASM. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| asm\_version | ASM major version for example 1.9 | `any` | n/a | yes | | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | | ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes | diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index a910650b7a..428bd3ad64 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -80,6 +80,7 @@ module "asm" { enable_gcp_components = true enable_registration = false managed_control_plane = false + asm_version = "1.9" options = ["envoy-access-log,egressgateways"] skip_validation = true outdir = "./${module.gke.name}-outdir-${var.asm_version}" diff --git a/examples/simple_zonal_with_asm/variables.tf b/examples/simple_zonal_with_asm/variables.tf index 6dd142621c..373eb3e273 100644 --- a/examples/simple_zonal_with_asm/variables.tf +++ b/examples/simple_zonal_with_asm/variables.tf 
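Review bot: The example's `@@ -80,6 +80,7 @@` hunk sets `asm_version = "1.9"` as a literal while the `outdir` line just below it still uses `${var.asm_version}`, and the same commit adds an `asm_version` variable without a default to the example. A caller passing another version gets that version in the output directory name but 1.9 installed. Use `asm_version = var.asm_version` so both follow the input. The module block starts and ends outside the hunk.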
@@ -47,3 +47,7 @@ variable "ip_range_pods" { variable "ip_range_services" { description = "The secondary ip range to use for services" } + +variable "asm_version" { + description = "ASM major version for example 1.9" +} diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index 0a80228340..f9c73c3401 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh @@ -48,9 +48,9 @@ KEY_FILE=${24} ASM_GIT_TAG=${25} # Set SKIP_VALIDATION variable -if [[ ${SKIP_VALIDATION} = "true" ]]; then +if [[ ${SKIP_VALIDATION} = "true" ]]; then export _CI_NO_VALIDATE=1 -else +else export _CI_NO_VALIDATE=0 fi @@ -58,13 +58,13 @@ fi if [[ ${OPTIONS_LIST} ]]; then IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}" elif [[ ${OPTIONS_LIST} = "" ]]; then - export OPTIONS="--option none" + read -r -a OPTIONS <<< "none" fi if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}" else - export CUSTOM_OVERLAYS="--custom_overlay none" + read -r -a CUSTOM_OVERLAYS <<< "none" fi # Echo all values 
@@ -75,15 +75,15 @@ echo -e "ASM_GIT_TAG is $ASM_GIT_TAG" echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" -echo -e "OPTIONS is ${OPTIONS[@]}" +# echo -e "OPTIONS is ${OPTIONS[@]}" echo -e "OPTIONS array length is ${#OPTIONS[@]}" # Create options command snippet -item="${OPTIONS[@]}";OPTIONS_COMMAND=$(echo "--option" ${item// / --option }) +item="${OPTIONS[*]}";OPTIONS_COMMAND=$(echo "--option" "${item// / --option }") echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND" -echo -e "CUSTOM_OVERLAYS is ${CUSTOM_OVERLAYS[@]}" +# echo -e "CUSTOM_OVERLAYS is ${CUSTOM_OVERLAYS[@]}" echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" # Create custom_overlays command snippet -item="${CUSTOM_OVERLAYS[@]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" ${item// / --custom_overlay }) +item="${CUSTOM_OVERLAYS[*]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" "${item// / --custom_overlay }") echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND" echo -e "ENABLE_ALL is $ENABLE_ALL" echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES" @@ -126,7 +126,7 @@ fi if [[ "${KEY_FILE}" = "" ]]; then KEY_FILE_COMMAND_SNIPPET="" else - KEY_FILE_COMMAND_SNIPPET="--key_file `pwd`/${KEY_FILE}" + KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}" fi # Craft options section for install_asm @@ -188,7 +188,7 @@ if [[ "${OUTDIR}" = "none" ]]; then OUTDIR_COMMAND_SNIPPET="" else OUTDIR_COMMAND_SNIPPET="--output_dir ${OUTDIR}" - mkdir -p ${OUTDIR} + mkdir -p "${OUTDIR}" fi if [[ "${CA}" = "citadel" ]]; then 
@@ -201,4 +201,4 @@ fi echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}" # #run the script with appropriate flags -./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} +./install_asm_"${ASM_VERSION}" --verbose --project_id "${PROJECT_ID}" --cluster_name "${CLUSTER_NAME}" --cluster_location "${CLUSTER_LOCATION}" --mode "${MODE}" "${MCP_COMMAND_SNIPPET}" "${OPTIONS_COMMAND_SNIPPET}" "${CUSTOM_OVERLAYS_COMMAND_SNIPPET}" "${OUTDIR_COMMAND_SNIPPET}" "${ENABLE_ALL_COMMAND_SNIPPET}" "${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET}" "${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET}" "${ENABLE_GCP_APIS_COMMAND_SNIPPET}" "${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET}" "${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET}" "${ENABLE_REGISTRATION_COMMAND_SNIPPET}" "${CA_COMMAND_SNIPPET}" "${SERVICE_ACCOUNT_COMMAND_SNIPPET}" "${KEY_FILE_COMMAND_SNIPPET}" 
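Review bot: Quoting each `*_COMMAND_SNIPPET` in the final `./install_asm_...` call changes what the installer receives: a snippet such as `--key_file $(pwd)/${KEY_FILE}` now arrives as a single argument containing a space, and every empty snippet arrives as an empty-string argument. The unquoted form, which the later @@ -200,5 +200,6 hunk returns to under `# shellcheck disable=SC2086`, instead leaves every Terraform-supplied value open to word splitting and glob expansion. Collecting the flags in a bash array and calling `./install_asm_"${ASM_VERSION}" "${ARGS[@]}"` yields one argv entry per flag and per value, with neither problem. The snippet assignments sit outside this hunk and would have to append to the array instead, e.g. `ARGS+=(--key_file "$(pwd)/${KEY_FILE}")`.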
diff --git a/test/fixtures/simple_zonal_with_asm/example.tf b/test/fixtures/simple_zonal_with_asm/example.tf index 30df325bd1..4e907450a5 100644 --- a/test/fixtures/simple_zonal_with_asm/example.tf +++ b/test/fixtures/simple_zonal_with_asm/example.tf @@ -29,4 +29,5 @@ module "example" { subnetwork = google_compute_subnetwork.main.name ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name + asm_version = var.asm_version } From 92a0240adde7f853d59d2027ace169069504d669 Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 19 May 2021 21:24:33 +0000 Subject: [PATCH 12/17] updated asm module --- test/fixtures/simple_zonal_with_asm/variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/fixtures/simple_zonal_with_asm/variables.tf b/test/fixtures/simple_zonal_with_asm/variables.tf index 16f1b9367c..3c46389b19 100644 --- a/test/fixtures/simple_zonal_with_asm/variables.tf +++ b/test/fixtures/simple_zonal_with_asm/variables.tf @@ -29,3 +29,8 @@ variable "zones" { description = "The GCP zones to create and test resources in, for applicable tests" default = ["us-central1-a", "us-central1-b", "us-central1-c"] } + +variable "asm_version" { + description = "ASM major version for example 1.9" + default = "1.9" +} From 8b9c422e0d316de7606bb53efffbe6578dd7ebff Mon Sep 17 00:00:00 2001 From: coder Date: Wed, 19 May 2021 23:55:43 +0000 Subject: [PATCH 13/17] updated asm module --- examples/simple_zonal_with_asm/README.md | 1 + examples/simple_zonal_with_asm/variables.tf | 6 ++++++ modules/asm/main.tf | 4 +++- modules/asm/scripts/install_asm.sh | 4 ++-- test/fixtures/simple_zonal_with_asm/variables.tf | 6 ++++++ 5 files changed, 18 insertions(+), 3 deletions(-) diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index 025fcdc46f..b0e9c64b77 100644 --- a/examples/simple_zonal_with_asm/README.md 
+++ b/examples/simple_zonal_with_asm/README.md @@ -14,6 +14,7 @@ This example illustrates how to create a simple zonal cluster with ASM. | network | The VPC network to host the cluster in | `any` | n/a | yes | | project\_id | The project ID to host the cluster in | `any` | n/a | yes | | region | The region to host the cluster in | `any` | n/a | yes | +| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | | zones | The zone to host the cluster in (required if is a zonal cluster) | `list(string)` | n/a | yes | diff --git a/examples/simple_zonal_with_asm/variables.tf b/examples/simple_zonal_with_asm/variables.tf index 373eb3e273..abf125b43d 100644 --- a/examples/simple_zonal_with_asm/variables.tf +++ b/examples/simple_zonal_with_asm/variables.tf @@ -51,3 +51,9 @@ variable "ip_range_services" { variable "asm_version" { description = "ASM major version for example 1.9" } + +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." + type = string + default = "" +} diff --git a/modules/asm/main.tf b/modules/asm/main.tf index b2632962d9..eec2b789ba 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf @@ -24,6 +24,8 @@ locals { custom_overlays_to_string = join(",", var.custom_overlays) custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) + service_account_string = (var.service_account == "" ? "none" : var.service_account) + key_file_string = (var.key_file == "" ? "none" : var.key_file) ca_cert = var.ca_certs["ca_cert"] ca_key = var.ca_certs["ca_key"] root_cert = var.ca_certs["root_cert"] 
@@ -43,6 +45,6 @@ module "asm_install" { project_id = var.project_id service_account_key_file = var.service_account_key_file - kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${var.service_account} ${var.key_file} ${local.asm_git_tag_string}" + kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}" kubectl_destroy_command = "kubectl delete ns istio-system" } diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index f9c73c3401..2dfb706a70 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
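Review bot: `kubectl_create_command` splices some 25 Terraform values into one command string with no quoting, so a value containing whitespace shifts every later positional parameter of `install_asm.sh`. If the wrapper module hands this string to a shell (not visible here), characters such as `;` or `$(` in a variable would be interpreted rather than passed through. The new `service_account_string` and `key_file_string` locals cover only the empty case, and only for those two inputs; `var.outdir` and `var.ca` are still passed raw. Wrapping each interpolation in single quotes, e.g. `'${local.key_file_string}'`, together with `validation` blocks that restrict the variables to the expected character set (where the required Terraform version allows them), would keep the argument positions stable.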
@@ -116,14 +116,14 @@ else fi # Craft service_account section for install_asm -if [[ "${SERVICE_ACCOUNT}" = "" ]]; then +if [[ "${SERVICE_ACCOUNT}" = "none" ]]; then SERVICE_ACCOUNT_COMMAND_SNIPPET="" else SERVICE_ACCOUNT_COMMAND_SNIPPET="--service_account ${SERVICE_ACCOUNT}" fi # Craft key_file section for install_asm -if [[ "${KEY_FILE}" = "" ]]; then +if [[ "${KEY_FILE}" = "none" ]]; then KEY_FILE_COMMAND_SNIPPET="" else KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}" diff --git a/test/fixtures/simple_zonal_with_asm/variables.tf b/test/fixtures/simple_zonal_with_asm/variables.tf index 3c46389b19..8ec5da3891 100644 --- a/test/fixtures/simple_zonal_with_asm/variables.tf +++ b/test/fixtures/simple_zonal_with_asm/variables.tf @@ -34,3 +34,9 @@ variable "asm_version" { description = "ASM major version for example 1.9" default = "1.9" } + +variable "service_account" { + description = "The GCP Service Account email address used to deploy ASM." + type = string + default = "" +} From 99839866729bfce9e7f02661a9502cd214cf8051 Mon Sep 17 00:00:00 2001 From: coder Date: Thu, 20 May 2021 01:04:16 +0000 Subject: [PATCH 14/17] updated asm module --- examples/simple_zonal_with_asm/main.tf | 26 ++++++++-------------- examples/simple_zonal_with_asm/versions.tf | 2 +- 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index 428bd3ad64..c86ca31753 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf 
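Review bot: The `SERVICE_ACCOUNT` and `KEY_FILE` checks now treat only the literal `none` as unset, so an empty argument, for example from a caller other than the Terraform module, produces `--service_account ` with no value after it. Accepting both spellings keeps the script safe to call either way: `if [[ -z "${SERVICE_ACCOUNT}" || "${SERVICE_ACCOUNT}" = "none" ]]; then`, and the same for `KEY_FILE`. The context line `--key_file $(pwd)/${KEY_FILE}` also assumes a relative path, so an absolute `key_file` would end up prefixed with the working directory.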
@@ -67,21 +67,13 @@ module "gke" { } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location - enable_all = false - enable_cluster_roles = true - enable_cluster_labels = false - enable_gcp_apis = false - enable_gcp_iam_roles = true - enable_gcp_components = true - enable_registration = false - managed_control_plane = false - asm_version = "1.9" - options = ["envoy-access-log,egressgateways"] - skip_validation = true - outdir = "./${module.gke.name}-outdir-${var.asm_version}" + source = "../../modules/asm" + cluster_name = module.gke.name + cluster_endpoint = module.gke.endpoint + project_id = var.project_id + location = module.gke.location + enable_all = true + asm_version = "1.9" + options = ["envoy-access-log"] + outdir = "./${module.gke.name}-outdir-${var.asm_version}" } diff --git a/examples/simple_zonal_with_asm/versions.tf b/examples/simple_zonal_with_asm/versions.tf index 22884dadd4..1dcf340b5c 100644 --- a/examples/simple_zonal_with_asm/versions.tf +++ b/examples/simple_zonal_with_asm/versions.tf @@ -15,5 +15,5 @@ */ terraform { - required_version = ">=0.12" + required_version = ">=0.13" } From 7ec01b0a10bb84b98adcb722a754d4feb7f40c06 Mon Sep 17 00:00:00 2001 From: coder Date: Thu, 20 May 2021 15:58:11 +0000 Subject: [PATCH 15/17] updated asm module --- examples/simple_zonal_with_asm/README.md | 1 - examples/simple_zonal_with_asm/main.tf | 1 - examples/simple_zonal_with_asm/variables.tf | 4 ---- modules/asm/README.md | 4 ++-- modules/asm/main.tf | 24 ++++++++++--------- modules/asm/scripts/install_asm.sh | 5 ++-- modules/asm/variables.tf | 4 ++-- .../simple_zonal_with_asm/variables.tf | 5 ---- 8 files changed, 20 insertions(+), 28 deletions(-) diff --git a/examples/simple_zonal_with_asm/README.md b/examples/simple_zonal_with_asm/README.md index b0e9c64b77..e6ffd9bc6a 100644 --- a/examples/simple_zonal_with_asm/README.md 
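Review bot: Replacing the individual `enable_*` flags with `enable_all = true` in the `module "asm"` block presumably lets the installer perform every enable step, including the cluster-label, GCP API and registration steps that the example had set to `false`. Examples tend to be copied unchanged, so keeping the narrower set is the safer default: `enable_cluster_roles = true`, `enable_gcp_iam_roles = true`, `enable_gcp_components = true`. The block also hard-codes `asm_version = "1.9"` while `outdir` interpolates `var.asm_version`, so the directory name can disagree with the installed version; `asm_version = var.asm_version` would keep them in step.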
+++ b/examples/simple_zonal_with_asm/README.md @@ -7,7 +7,6 @@ This example illustrates how to create a simple zonal cluster with ASM. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| asm\_version | ASM major version for example 1.9 | `any` | n/a | yes | | cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | | ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes | diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index c86ca31753..da8129bf6b 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -73,7 +73,6 @@ module "asm" { project_id = var.project_id location = module.gke.location enable_all = true - asm_version = "1.9" options = ["envoy-access-log"] outdir = "./${module.gke.name}-outdir-${var.asm_version}" } diff --git a/examples/simple_zonal_with_asm/variables.tf b/examples/simple_zonal_with_asm/variables.tf index abf125b43d..8e275434c5 100644 --- a/examples/simple_zonal_with_asm/variables.tf +++ b/examples/simple_zonal_with_asm/variables.tf @@ -48,10 +48,6 @@ variable "ip_range_services" { description = "The secondary ip range to use for services" } -variable "asm_version" { - description = "ASM major version for example 1.9" -} - variable "service_account" { description = "The GCP Service Account email address used to deploy ASM." type = string diff --git a/modules/asm/README.md b/modules/asm/README.md index 6ce59fbc83..8821e08725 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
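Review bot: The `outdir` line kept as context in the `main.tf` hunk still interpolates `${var.asm_version}`, while the `variables.tf` hunk of the same commit deletes `variable "asm_version"`, so the example would fail validation with a reference to an undeclared variable. Either keep the variable or drop it from the path in this commit: `outdir = "./${module.gke.name}-outdir"`.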
@@ -55,7 +55,7 @@ To deploy this config: | ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` |
{
"ca_cert": "none",
"ca_key": "none",
"cert_chain": "none",
"root_cert": "none"
}
| no | | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | -| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` |
[
"none"
]
| no | +| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no | | enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no | | enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no | | enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no | @@ -69,7 +69,7 @@ To deploy this config: | managed | Whether the control plane should be managed. | `bool` | `false` | no | | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | | mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | -| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` |
[
"none"
]
| no | +| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no | | outdir | Sets `--outdir` option. | `string` | `"none"` | no | | project\_id | The project in which the resource belongs. | `string` | n/a | yes | | service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no | diff --git a/modules/asm/main.tf b/modules/asm/main.tf index eec2b789ba..d7cc15c1e0 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -19,17 +19,19 @@ data "google_project" "asm_project" { } locals { - options_to_string = join(",", var.options) - options_string = (local.options_to_string != "" ? join(",", var.options) : "none") - custom_overlays_to_string = join(",", var.custom_overlays) - custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") - asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) - service_account_string = (var.service_account == "" ? "none" : var.service_account) - key_file_string = (var.key_file == "" ? "none" : var.key_file) - ca_cert = var.ca_certs["ca_cert"] - ca_key = var.ca_certs["ca_key"] - root_cert = var.ca_certs["root_cert"] - cert_chain = var.ca_certs["cert_chain"] + # options_to_string = join(",", var.options) + # options_string = (local.options_to_string != "" ? join(",", var.options) : "none") + options_string = length(var.options) > 0 ? join(",", var.options) : "none" + # custom_overlays_to_string = join(",", var.custom_overlays) + # custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") + custom_overlays_string = length(var.custom_overlays) > 0 ? join(",", var.custom_overlays) : "none" + asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) + service_account_string = (var.service_account == "" ? "none" : var.service_account) + key_file_string = (var.key_file == "" ? "none" : var.key_file) + ca_cert = var.ca_certs["ca_cert"] + ca_key = var.ca_certs["ca_key"] + root_cert = var.ca_certs["root_cert"] + cert_chain = var.ca_certs["cert_chain"] } module "asm_install" { diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index 2dfb706a70..09dc4dfba2 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
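Review bot: `length(var.options) > 0` treats `options = [""]` as non-empty, so `options_string` becomes an empty string and drops out of the space-separated `kubectl_create_command`, shifting every later positional argument of `install_asm.sh`. The expression it replaces tested the joined string and fell back to `none` in that case. Filtering out empty elements restores that behaviour: `options_string = length(compact(var.options)) > 0 ? join(",", compact(var.options)) : "none"`, and likewise for `custom_overlays_string`. The four superseded expressions are left behind as comments and can be removed.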
@@ -200,5 +200,6 @@ fi # Echo the command before executing echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}" -# #run the script with appropriate flags -./install_asm_"${ASM_VERSION}" --verbose --project_id "${PROJECT_ID}" --cluster_name "${CLUSTER_NAME}" --cluster_location "${CLUSTER_LOCATION}" --mode "${MODE}" "${MCP_COMMAND_SNIPPET}" "${OPTIONS_COMMAND_SNIPPET}" "${CUSTOM_OVERLAYS_COMMAND_SNIPPET}" "${OUTDIR_COMMAND_SNIPPET}" "${ENABLE_ALL_COMMAND_SNIPPET}" "${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET}" "${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET}" "${ENABLE_GCP_APIS_COMMAND_SNIPPET}" "${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET}" "${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET}" "${ENABLE_REGISTRATION_COMMAND_SNIPPET}" "${CA_COMMAND_SNIPPET}" "${SERVICE_ACCOUNT_COMMAND_SNIPPET}" "${KEY_FILE_COMMAND_SNIPPET}" +# run the script with appropriate flags +# shellcheck disable=SC2086 +./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} 
${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index c17e2aa220..0b3b139c91 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -90,13 +90,13 @@ variable "managed_control_plane" { variable "options" { description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features." type = list - default = ["none"] + default = [] } variable "custom_overlays" { description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file" type = list - default = ["none"] + default = [] } variable "skip_validation" { diff --git a/test/fixtures/simple_zonal_with_asm/variables.tf b/test/fixtures/simple_zonal_with_asm/variables.tf index 8ec5da3891..5096c09ca6 100644 --- a/test/fixtures/simple_zonal_with_asm/variables.tf +++ b/test/fixtures/simple_zonal_with_asm/variables.tf @@ -30,11 +30,6 @@ variable "zones" { default = ["us-central1-a", "us-central1-b", "us-central1-c"] } -variable "asm_version" { - description = "ASM major version for example 1.9" - default = "1.9" -} - variable "service_account" { description = "The GCP Service Account email address used to deploy ASM." type = string From 18c29037f28cb3cca505c9d8c22e457d210e5f65 Mon Sep 17 00:00:00 2001 From: coder Date: Thu, 20 May 2021 16:52:09 +0000 Subject: [PATCH 16/17] updated asm module --- examples/simple_zonal_with_asm/main.tf | 20 +++++++++++-------- modules/asm/main.tf | 14 +++++-------- modules/asm/scripts/install_asm.sh | 2 -- modules/asm/variables.tf | 19 +++++++----------- .../fixtures/simple_zonal_with_asm/example.tf | 1 - 5 files changed, 24 insertions(+), 32 deletions(-) 
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index da8129bf6b..fb0193f1b3 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -67,12 +67,16 @@ module "gke" { } module "asm" { - source = "../../modules/asm" - cluster_name = module.gke.name - cluster_endpoint = module.gke.endpoint - project_id = var.project_id - location = module.gke.location - enable_all = true - options = ["envoy-access-log"] - outdir = "./${module.gke.name}-outdir-${var.asm_version}" + source = "../../modules/asm" + cluster_name = module.gke.name + cluster_endpoint = module.gke.endpoint + project_id = var.project_id + location = module.gke.location + enable_cluster_roles = true + enable_cluster_labels = true + enable_gcp_apis = true + enable_gcp_iam_roles = true + enable_gcp_components = true + options = ["envoy-access-log"] + outdir = "./${module.gke.name}-outdir-${var.asm_version}" } diff --git a/modules/asm/main.tf b/modules/asm/main.tf index d7cc15c1e0..b58837b1f6 100644 --- a/modules/asm/main.tf +++ b/modules/asm/main.tf 
@@ -19,19 +19,15 @@ data "google_project" "asm_project" { } locals { - # options_to_string = join(",", var.options) - # options_string = (local.options_to_string != "" ? join(",", var.options) : "none") - options_string = length(var.options) > 0 ? join(",", var.options) : "none" - # custom_overlays_to_string = join(",", var.custom_overlays) - # custom_overlays_string = (local.custom_overlays_to_string != "" ? join(",", var.custom_overlays) : "none") + options_string = length(var.options) > 0 ? join(",", var.options) : "none" custom_overlays_string = length(var.custom_overlays) > 0 ? join(",", var.custom_overlays) : "none" asm_git_tag_string = (var.asm_git_tag == "" ? "none" : var.asm_git_tag) service_account_string = (var.service_account == "" ? "none" : var.service_account) key_file_string = (var.key_file == "" ? "none" : var.key_file) - ca_cert = var.ca_certs["ca_cert"] - ca_key = var.ca_certs["ca_key"] - root_cert = var.ca_certs["root_cert"] - cert_chain = var.ca_certs["cert_chain"] + ca_cert = lookup(var.ca_certs, "ca_cert", "none") + ca_key = lookup(var.ca_certs, "ca_key", "none") + root_cert = lookup(var.ca_certs, "root_cert", "none") + cert_chain = lookup(var.ca_certs, "cert_chain", "none") } module "asm_install" { diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh index 09dc4dfba2..b6a461a3d3 100755 --- a/modules/asm/scripts/install_asm.sh +++ b/modules/asm/scripts/install_asm.sh 
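Review bot: With `lookup(var.ca_certs, "ca_key", "none")`, a missing or misspelled key silently becomes the literal `none` and is passed to the script as a file path, even when `ca` is `citadel`, the case in which the variable's description says all four paths must be provided. Whether `install_asm.sh` rejects `none` in that case is not visible in this hunk. A check on the Terraform side would surface the mistake at plan time, for example a `validation` block on `ca_certs` that rejects keys other than `ca_cert`, `ca_key`, `root_cert` and `cert_chain`.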
@@ -75,12 +75,10 @@ echo -e "ASM_GIT_TAG is $ASM_GIT_TAG" echo -e "SKIP_VALIDATION is $SKIP_VALIDATION" echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE" echo -e "OPTIONS_LIST is ${OPTIONS_LIST}" -# echo -e "OPTIONS is ${OPTIONS[@]}" echo -e "OPTIONS array length is ${#OPTIONS[@]}" # Create options command snippet item="${OPTIONS[*]}";OPTIONS_COMMAND=$(echo "--option" "${item// / --option }") echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND" -# echo -e "CUSTOM_OVERLAYS is ${CUSTOM_OVERLAYS[@]}" echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}" # Create custom_overlays command snippet item="${CUSTOM_OVERLAYS[*]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" "${item// / --custom_overlay }") diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf index 0b3b139c91..151fc1d7bd 100644 --- a/modules/asm/variables.tf +++ b/modules/asm/variables.tf @@ -162,16 +162,11 @@ variable "ca" { variable "ca_certs" { description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca." type = map - default = { - "ca_cert" = "none" - "ca_key" = "none" - "root_cert" = "none" - "cert_chain" = "none" - } -} - -variable "managed" { - description = "Whether the control plane should be managed." - type = bool - default = false + default = {} + # default = { + # "ca_cert" = "none" + # "ca_key" = "none" + # "root_cert" = "none" + # "cert_chain" = "none" + # } } diff --git a/test/fixtures/simple_zonal_with_asm/example.tf b/test/fixtures/simple_zonal_with_asm/example.tf index 4e907450a5..30df325bd1 100644 --- a/test/fixtures/simple_zonal_with_asm/example.tf +++ b/test/fixtures/simple_zonal_with_asm/example.tf 
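Review bot: The `variables.tf` hunk removes `variable "managed"` outright, so a caller that still sets `managed` will get an unsupported-argument error; if that input was ever released, it deserves a changelog entry or a deprecation step. The old `ca_certs` default is kept as a commented-out block under `default = {}` and can be deleted, since `main.tf` now supplies the `none` fallbacks through `lookup`. Declaring the type as `map(string)` instead of the bare `map` would also make the expected shape explicit.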
@@ -29,5 +29,4 @@ module "example" { subnetwork = google_compute_subnetwork.main.name ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name - asm_version = var.asm_version } From 2368f273be2f3eb1309cc2bc76bd6cfe857273bb Mon Sep 17 00:00:00 2001 From: coder Date: Thu, 20 May 2021 17:08:32 +0000 Subject: [PATCH 17/17] updated asm module --- examples/simple_zonal_with_asm/main.tf | 2 +- modules/asm/README.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index fb0193f1b3..3b68190c75 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -78,5 +78,5 @@ module "asm" { enable_gcp_iam_roles = true enable_gcp_components = true options = ["envoy-access-log"] - outdir = "./${module.gke.name}-outdir-${var.asm_version}" + outdir = "./${module.gke.name}-outdir" } diff --git a/modules/asm/README.md b/modules/asm/README.md index 8821e08725..c7282f6f07 100644 --- a/modules/asm/README.md +++ b/modules/asm/README.md 
@@ -52,7 +52,7 @@ To deploy this config: | asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no | | asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no | | ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no | -| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` |
{
"ca_cert": "none",
"ca_key": "none",
"cert_chain": "none",
"root_cert": "none"
}
| no | +| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` | `{}` | no | | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes | | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes | | custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no | @@ -66,7 +66,6 @@ To deploy this config: | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no | | key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no | | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes | -| managed | Whether the control plane should be managed. | `bool` | `false` | no | | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no | | mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no | | options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no |