add gke hub registration

Author: bharathkkb

examples/simple_regional_with_asm/main.tf

@@ -28,17 +28,19 @@ data "google_project" "project" {
 }
 
 module "gke" {
-  source            = "../../modules/beta-public-cluster/"
-  project_id        = var.project_id
-  name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  regional          = true
-  region            = var.region
-  network           = var.network
-  subnetwork        = var.subnetwork
-  ip_range_pods     = var.ip_range_pods
-  ip_range_services = var.ip_range_services
-  network_policy    = false
-  cluster_resource_labels={"mesh_id":"proj-${data.google_project.project.number}"}
+  source     = "../../modules/beta-public-cluster/"
+  project_id = var.project_id
+  name       = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  regional   = true
+  #TESTING
+  kubernetes_version      = "1.15.11-gke.12"
+  region                  = var.region
+  network                 = var.network
+  subnetwork              = var.subnetwork
+  ip_range_pods           = var.ip_range_pods
+  ip_range_services       = var.ip_range_services
+  network_policy          = false
+  cluster_resource_labels = { "mesh_id" : "proj-${data.google_project.project.number}" }
   node_pools = [
     {
       name         = "asm-node-pool"

modules/asm/main.tf

@@ -32,12 +32,33 @@ module "asm_install" {
 }
 
 resource "google_service_account" "gke_hub_sa" {
-  account_id   = "gke-hub-sa"
-  display_name = "Service Account"
+  account_id   = var.gke_hub_sa_name
+  display_name = "Service Account for GKE Hub Registration"
 }
 
 resource "google_project_iam_member" "gke_hub_member" {
   project = var.project_id
   role    = "roles/gkehub.connect"
   member  = "serviceAccount:${google_service_account.gke_hub_sa.email}"
 }
+
+resource "google_service_account_key" "gke_hub_key" {
+  service_account_id = google_service_account.gke_hub_sa.name
+}
+
+module "gke_hub_registration" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 1.0"
+
+  platform                          = "linux"
+  gcloud_sdk_version                = "292.0.0"
+  skip_download                     = var.skip_gcloud_download
+  upgrade                           = false
+  use_tf_google_credentials_env_var = true
+  module_depends_on                 = [module.asm_install.wait]
+
+  create_cmd_entrypoint  = "${path.module}/scripts/gke_hub_registration.sh"
+  create_cmd_body        = "${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${google_service_account_key.gke_hub_key.private_key}"
+  destroy_cmd_entrypoint = "gcloud"
+  destroy_cmd_body       = "container hub memberships unregister ${var.gke_hub_membership_name} --gke-cluster=${var.location}/${var.cluster_name}"
+}

modules/asm/scripts/gke_hub_registration.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+if [ "$#" -lt 4 ]; then
+    >&2 echo "Not all expected arguments set."
+    exit 1
+fi
+
+MEMBERSHIP_NAME=$1
+CLUSTER_LOCATION=$2
+CLUSTER_NAME=$3
+SERVICE_ACCOUNT_KEY=$4
+
+#write temp key, cleanup at exit
+tmp_file=$(mktemp)
+trap "rm -rf $tmp_file" EXIT
+echo ${SERVICE_ACCOUNT_KEY} | base64 --decode > $tmp_file
+
+gcloud container hub memberships register ${MEMBERSHIP_NAME} --gke-cluster=${CLUSTER_LOCATION}/${CLUSTER_NAME} --service-account-key-file=${tmp_file} --quiet

modules/asm/variables.tf

@@ -39,4 +39,22 @@ variable "asm_release_channel" {
   description = "ASM Release Channel (REGULAR/RAPID/STABLE)"
   type        = string
   default     = "REGULAR"
+}
+
+variable "enable_gke_hub_registration" {
+  description = "Enables GKE Hub Registration when set to true"
+  type        = bool
+  default     = true
+}
+
+variable "gke_hub_sa_name" {
+  description = "Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace."
+  type        = string
+  default     = "gke-hub-sa"
+}
+
+variable "gke_hub_membership_name" {
+  description = "Memebership name that uniquely represents the cluster being registered on the Hub"
+  type        = string
+  default     = "gke-asm-membership"
 }

test/fixtures/simple_regional_with_asm/example.tf

@@ -17,7 +17,7 @@
 module "example" {
   source = "../../../examples/simple_regional_with_asm"
 
-  project_id          = var.project_ids[0]
+  project_id          = var.project_ids[2]
   cluster_name_suffix = "-${random_string.suffix.result}"
   region              = var.region
   network             = google_compute_network.main.name

test/fixtures/simple_regional_with_asm/network.tf

@@ -22,7 +22,7 @@ resource "random_string" "suffix" {
 
 provider "google" {
   version = "~> 3.16.0"
-  project = var.project_ids[0]
+  project = var.project_ids[2]
 }
 
 resource "google_compute_network" "main" {

test/fixtures/simple_regional_with_asm/outputs.tf

@@ -78,7 +78,3 @@ output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = module.example.service_account
 }
-
-output "registry_project_id" {
-  value = var.registry_project_id
-}

test/fixtures/simple_regional_with_asm/variables.tf

@@ -29,8 +29,3 @@ variable "zones" {
   description = "The GCP zones to create and test resources in, for applicable tests"
   default     = ["us-central1-a", "us-central1-b", "us-central1-c"]
 }
-
-variable "compute_engine_service_accounts" {
-  type        = list(string)
-  description = "The email addresses of the service account to associate with the GKE cluster"
-}

test/setup/iam.tf

@@ -27,15 +27,18 @@ locals {
     "roles/iam.serviceAccountUser",
     "roles/compute.viewer",
     "roles/resourcemanager.projectIamAdmin",
-    "roles/composer.worker",
-    "roles/gkehub.admin",
-    "roles/iam.serviceAccountKeyAdmin",
-    "roles/serviceusage.serviceUsageAdmin",
+  ]
+  # roles as documented https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#setting_up_your_project
+  int_asm_required_roles = [
     "roles/editor",
+    "roles/container.admin",
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/iam.serviceAccountKeyAdmin",
+    "roles/gkehub.admin",
   ]
 }
 
-
 resource "random_id" "random_suffix" {
   byte_length = 2
 }
@@ -58,6 +61,12 @@ resource "google_service_account" "gke_sa_2" {
   display_name = "gke-sa-int-test-p2"
 }
 
+resource "google_service_account" "gke_sa_asm" {
+  project      = module.gke-project-asm.project_id
+  account_id   = "gke-sa-int-test-asm-${random_id.random_suffix.hex}"
+  display_name = "gke-sa-int-test-asm"
+}
+
 resource "google_project_iam_member" "int_test_1" {
   count = length(local.int_required_roles)
 
@@ -74,6 +83,14 @@ resource "google_project_iam_member" "int_test_2" {
   member  = "serviceAccount:${google_service_account.int_test.email}"
 }
 
+resource "google_project_iam_member" "int_test_asm" {
+  for_each = toset(concat(local.int_required_roles, local.int_asm_required_roles))
+
+  project = module.gke-project-asm.project_id
+  role    = each.value
+  member  = "serviceAccount:${google_service_account.int_test.email}"
+}
+
 resource "google_service_account_key" "int_test" {
   service_account_id = google_service_account.int_test.id
 }

test/setup/main.tf

@@ -67,3 +67,30 @@ module "gke-project-2" {
     "storage-api.googleapis.com",
   ]
 }
+
+# apis as documented https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#setting_up_your_project
+module "gke-project-asm" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 3.0"
+
+  name              = "ci-gke-asm"
+  random_project_id = true
+  org_id            = var.org_id
+  folder_id         = var.folder_id
+  billing_account   = var.billing_account
+
+  activate_apis = [
+    "container.googleapis.com",
+    "compute.googleapis.com",
+    "monitoring.googleapis.com",
+    "logging.googleapis.com",
+    "meshca.googleapis.com",
+    "meshtelemetry.googleapis.com",
+    "meshconfig.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "anthos.googleapis.com",
+    "gkeconnect.googleapis.com",
+    "gkehub.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+  ]
+}

test/setup/outputs.tf

@@ -15,7 +15,7 @@
  */
 
 output "project_ids" {
-  value = [module.gke-project-1.project_id, module.gke-project-2.project_id]
+  value = [module.gke-project-1.project_id, module.gke-project-2.project_id, module.gke-project-asm.project_id]
 }
 
 output "sa_key" {
@@ -24,7 +24,7 @@ output "sa_key" {
 }
 
 output "compute_engine_service_accounts" {
-  value = [google_service_account.gke_sa_1.email, google_service_account.gke_sa_2.email]
+  value = [google_service_account.gke_sa_1.email, google_service_account.gke_sa_2.email, google_service_account.gke_sa_asm.email]
 }
 
 output "registry_project_id" {