Merge pull request #324 from terraform-google-modules/feature/acm

Add submodule to set up ACM

Author: morgante

.kitchen.yml

@@ -85,6 +85,7 @@ suites:
           backend: local
           controls:
             - gcloud
+            - acm
         - name: gcp
           backend: gcp
           controls:

autogen/main.tf

@@ -92,7 +92,7 @@ locals {
   cluster_output_zones          = local.cluster_output_regional_zones
 
 {% if private_cluster %}
-  cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.endpoint
+  cluster_output_endpoint = var.deploy_using_private_endpoint ? google_container_cluster.primary.private_cluster_config.0.private_endpoint : google_container_cluster.primary.private_cluster_config.0.public_endpoint
 {% else %}
   cluster_output_endpoint = google_container_cluster.primary.endpoint
 {% endif %}

build/int.cloudbuild.yaml

@@ -14,6 +14,9 @@
 
 timeout: 12600s
 steps:
+- id: download acm
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && download_acm']
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
@@ -306,6 +309,6 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.4'
 options:
   machineType: 'N1_HIGHCPU_8'

build/lint.cloudbuild.yaml

@@ -24,4 +24,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.5.4'

examples/simple_zonal/README.md renamed to examples/simple_zonal_with_acm/README.md

@@ -1,16 +1,22 @@
 # Simple Zonal Cluster
 
-This example illustrates how to create a simple cluster.
+This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/).
+
+It incorporates the standard cluster module and the [ACM install module](../../modules/acm).
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| acm\_policy\_dir | Subfolder containing configs in ACM Git repo | string | `"foo-corp"` | no |
+| acm\_sync\_branch | Anthos config management Git branch | string | `"1.0.0"` | no |
+| acm\_sync\_repo | Anthos config management Git repo | string | `"[email protected]:GoogleCloudPlatform/csp-config-management.git"` | no |
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |
+| operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
@@ -20,6 +26,7 @@ This example illustrates how to create a simple cluster.
 
 | Name | Description |
 |------|-------------|
+| acm\_git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
 | ca\_certificate |  |
 | client\_token |  |
 | cluster\_name | Cluster name |

examples/simple_zonal_with_acm/acm.tf

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "acm" {
+  source           = "../../modules/acm"
+  project_id       = var.project_id
+  location         = module.gke.location
+  cluster_name     = module.gke.name
+  sync_repo        = var.acm_sync_repo
+  sync_branch      = var.acm_sync_branch
+  policy_dir       = var.acm_policy_dir
+  cluster_endpoint = module.gke.endpoint
+  operator_path    = var.operator_path
+}

examples/simple_zonal/main.tf renamed to examples/simple_zonal_with_acm/main.tf

@@ -33,3 +33,8 @@ output "service_account" {
   value       = module.gke.service_account
 }
 
+output "acm_git_creds_public" {
+  description = "Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository."
+  value       = module.acm.git_creds_public
+}
+

examples/simple_zonal/outputs.tf renamed to examples/simple_zonal_with_acm/outputs.tf

@@ -48,3 +48,26 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
 
+variable "acm_sync_repo" {
+  description = "Anthos config management Git repo"
+  type        = string
+  default     = "[email protected]:GoogleCloudPlatform/csp-config-management.git"
+}
+
+variable "acm_sync_branch" {
+  description = "Anthos config management Git branch"
+  type        = string
+  default     = "1.0.0"
+}
+
+variable "acm_policy_dir" {
+  description = "Subfolder containing configs in ACM Git repo"
+  type        = string
+  default     = "foo-corp"
+}
+
+variable "operator_path" {
+  description = "Path to the operator yaml config. If unset, will download from GCS releases."
+  type        = string
+  default     = null
+}

examples/simple_zonal/test_outputs.tf renamed to examples/simple_zonal_with_acm/test_outputs.tf

@@ -0,0 +1,3 @@
+# This fill will be always downloaded by terraform local-exec command from gc bucket
+config-management-operator.yaml
+/terraform.tfvars

examples/simple_zonal/variables.tf renamed to examples/simple_zonal_with_acm/variables.tf

@@ -0,0 +1,65 @@
+# Terraform Kubernetes Engine ACM Submodule
+
+This module installs [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/) (ACM) in a Kubernetes cluster.
+
+Specifically, this module automates the following steps for [installing ACM](https://cloud.google.com/anthos-config-management/docs/how-to/installing):
+1. Installing the ACM Operator on your cluster.
+2. Generating an SSH key for accessing Git and providing it to the Operator
+3. Configuring the Operator to connect to your ACM repository
+
+## Usage
+
+There is a [full example](../../examples/simple_zonal) provided. Simple usage is as follows:
+
+```tf
+module "acm" {
+  source           = "terraform-google-modules/kubernetes-engine/google//modules/acm"
+
+  project_id       = "my-project-id"
+  cluster_name     = "my-cluster-name"
+  location         = module.gke.location
+  cluster_endpoint = module.gke.endpoint
+
+  sync_repo        = "[email protected]:GoogleCloudPlatform/csp-config-management.git"
+  sync_branch      = "1.0.0"
+  policy_dir       = "foo-corp"
+}
+```
+
+To deploy this config:
+1. Run `terraform apply`
+2. Inspect the `git_creds_public` [output](#outputs) to retrieve the public key used for accessing Git. Whitelist this key for access to your Git repo. Instructions for some popular Git hosting providers are included for convenience:
+
+  * [Cloud Souce Repositories](https://cloud.google.com/source-repositories/docs/authentication#ssh)
+  * [Bitbucket](https://confluence.atlassian.com/bitbucket/set-up-an-ssh-key-728138079.html)
+  * [GitHub](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/)
+  * [Gitlab](https://docs.gitlab.com/ee/ssh/)
+
+## Whitelisting
+Note that installing Anthos Config Management [requires](https://cloud.google.com/anthos-config-management/docs/how-to/installing#local_environment) an active Anthos license.
+By default, this module will attempt to download the ACM operator from Google directly—meaning your Terraform service account needs to be whitelisted for ACM access. If this is an issue, you can predownload the operator yourself then set the `operator_path` variable to point to the file location.
+
+ <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_endpoint | Kubernetes cluster endpoint. | string | n/a | yes |
+| cluster\_name | The unique name to identify the cluster in ACM. | string | n/a | yes |
+| create\_ssh\_key | Controls whether a key will be generated for Git authentication | bool | `"true"` | no |
+| enable\_policy\_controller | Whether to enable the ACM Policy Controller on the cluster | bool | `"true"` | no |
+| install\_template\_library | Whether to install the default Policy Controller template library | bool | `"true"` | no |
+| location | The location (zone or region) this cluster has been created in. | string | n/a | yes |
+| operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
+| policy\_dir | Subfolder containing configs in ACM Git repo | string | n/a | yes |
+| project\_id | The project in which the resource belongs. | string | n/a | yes |
+| sync\_branch | ACM repo Git branch | string | `"master"` | no |
+| sync\_repo | ACM Git repo address | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. |
+
+ <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/acm/.gitignore

@@ -0,0 +1,121 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_endpoint       = "https://${var.cluster_endpoint}"
+  token                  = data.google_client_config.default.access_token
+  cluster_ca_certificate = data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate
+  private_key            = var.create_ssh_key ? tls_private_key.git_creds[0].private_key_pem : ""
+  download_operator      = var.operator_path == null ? true : false
+  operator_path          = local.download_operator ? "${path.module}/config-management-operator.yaml" : var.operator_path
+}
+
+data "google_container_cluster" "primary" {
+  name     = var.cluster_name
+  project  = var.project_id
+  location = var.location
+}
+
+data "google_client_config" "default" {
+}
+
+resource "tls_private_key" "git_creds" {
+  count     = var.create_ssh_key ? 1 : 0
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "null_resource" "acm_operator_config" {
+  count = local.download_operator ? 1 : 0
+
+  provisioner "local-exec" {
+    command = "gsutil cp gs://config-management-release/released/latest/config-management-operator.yaml ${path.module}/config-management-operator.yaml"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "rm -f ${path.module}/config-management-operator.yaml"
+  }
+}
+
+resource "null_resource" "acm_operator" {
+  provisioner "local-exec" {
+    command = "${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f ${local.operator_path}"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f ${local.operator_path}"
+  }
+
+  depends_on = [
+    null_resource.acm_operator_config,
+    data.google_client_config.default,
+    data.google_container_cluster.primary,
+  ]
+}
+
+resource "null_resource" "git_creds_secret" {
+  count = var.create_ssh_key ? 1 : 0
+
+  provisioner "local-exec" {
+    command = "${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl create secret generic git-creds -n=config-management-system --from-literal=ssh='${local.private_key}'"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete secret git-creds -n=config-management-system"
+  }
+
+  depends_on = [
+    null_resource.acm_operator
+  ]
+}
+
+data "template_file" "acm_config" {
+  template = file("${path.module}/templates/acm-config.yml.tpl")
+
+  vars = {
+    cluster_name             = var.cluster_name
+    sync_repo                = var.sync_repo
+    sync_branch              = var.sync_branch
+    policy_dir               = var.policy_dir
+    secret_type              = var.create_ssh_key ? "ssh" : "none"
+    enable_policy_controller = var.enable_policy_controller ? "true" : "false"
+    install_template_library = var.install_template_library ? "true" : "false"
+  }
+}
+
+resource "null_resource" "acm_config" {
+  triggers = {
+    config = data.template_file.acm_config.rendered
+  }
+
+  provisioner "local-exec" {
+    command = "echo '${data.template_file.acm_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f -"
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "echo '${data.template_file.acm_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f -"
+  }
+
+  depends_on = [
+    null_resource.acm_operator,
+    null_resource.git_creds_secret,
+  ]
+}
+

modules/acm/README.md

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "git_creds_public" {
+  description = "Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository."
+  value       = var.create_ssh_key ? tls_private_key.git_creds.*.public_key_openssh : null
+}
+