feat!: Updated ASM terraform module for 1.8 and 1.9 (#895)

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

* updated asm module

Co-authored-by: coder <[email protected]>
Co-authored-by: Bharath KKB <[email protected]>

Author: 3 people

examples/simple_zonal_with_asm/README.md

@@ -13,6 +13,7 @@ This example illustrates how to create a simple zonal cluster with ASM.
 | network | The VPC network to host the cluster in | `any` | n/a | yes |
 | project\_id | The project ID to host the cluster in | `any` | n/a | yes |
 | region | The region to host the cluster in | `any` | n/a | yes |
+| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no |
 | subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes |
 | zones | The zone to host the cluster in (required if is a zonal cluster) | `list(string)` | n/a | yes |
 

examples/simple_zonal_with_asm/main.tf

@@ -67,9 +67,16 @@ module "gke" {
 }
 
 module "asm" {
-  source           = "../../modules/asm"
-  cluster_name     = module.gke.name
-  cluster_endpoint = module.gke.endpoint
-  project_id       = var.project_id
-  location         = module.gke.location
+  source                = "../../modules/asm"
+  cluster_name          = module.gke.name
+  cluster_endpoint      = module.gke.endpoint
+  project_id            = var.project_id
+  location              = module.gke.location
+  enable_cluster_roles  = true
+  enable_cluster_labels = true
+  enable_gcp_apis       = true
+  enable_gcp_iam_roles  = true
+  enable_gcp_components = true
+  options               = ["envoy-access-log"]
+  outdir                = "./${module.gke.name}-outdir"
 }

examples/simple_zonal_with_asm/variables.tf

@@ -47,3 +47,9 @@ variable "ip_range_pods" {
 variable "ip_range_services" {
   description = "The secondary ip range to use for services"
 }
+
+variable "service_account" {
+  description = "The GCP Service Account email address used to deploy ASM."
+  type        = string
+  default     = ""
+}

examples/simple_zonal_with_asm/versions.tf

@@ -15,5 +15,5 @@
  */
 
 terraform {
-  required_version = ">=0.12"
+  required_version = ">=0.13"
 }

modules/asm/README.md

@@ -1,51 +1,79 @@
 # Terraform Kubernetes Engine ASM Submodule
 
-This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes cluster.
+This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs) (ASM) in a Kubernetes Engine (GKE) cluster.
 
-Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install))
+Specifically, this module automates installing the ASM Istio Operator on your cluster ([installing ASM](https://cloud.google.com/service-mesh/docs/install)).
 
 ## Usage
 
-There is a [full example](../../examples/simple_zonal_with_asm) provided. Simple usage is as follows:
+There is a [full example](../../examples/simple_zonal_with_asm) provided. Detailed usage example is as follows:
 
 ```tf
 module "asm" {
-  source           = "terraform-google-modules/kubernetes-engine/google//modules/asm"
+  source                = "terraform-google-modules/kubernetes-engine/google//modules/asm"
 
-  project_id       = "my-project-id"
-  cluster_name     = "my-cluster-name"
-  location         = module.gke.location
-  cluster_endpoint = module.gke.endpoint
+  project_id            = "my-project-id"
+  cluster_name          = "my-cluster-name"
+  location              = module.gke.location
+  cluster_endpoint      = module.gke.endpoint
+  enable_all            = false
+  enable_cluster_roles  = true
+  enable_cluster_labels = false
+  enable_gcp_apis       = false
+  enable_gcp_iam_roles  = true
+  enable_gcp_components = true
+  enable_registration   = false
+  managed_control_plane = false
+  options               = ["envoy-access-log,egressgateways"]
+  custom_overlays       = ["./custom_ingress_gateway.yaml"]
+  skip_validation       = true
+  outdir                = "./${module.gke.name}-outdir-${var.asm_version}"
 }
 ```
 
 To deploy this config:
+
 1. Run `terraform apply`
 
 ## Requirements
 
-- Anthos Service Mesh [requires](https://cloud.google.com/service-mesh/docs/gke-install-existing-cluster#requirements) an active Anthos license.
+- Anthos Service Mesh on GCP no longer requires an active Anthos license. You can use Anthos Service Mesh as a standalone product on GCP (on GKE) or as part of your Anthos subscription for hybrid and multi-cloud architectures.
 - GKE cluster must have minimum four nodes.
 - Minimum machine type is `e2-standard-4`.
 - GKE cluster must be enrolled in a release channel. ASM does not support static version.
 - ASM on a private GKE cluster requires adding a firewall rule to open port 15017 if you want to use [automatic sidecar injection](https://cloud.google.com/service-mesh/docs/proxy-injection).
-- Only one ASM per Google Cloud project is supported.
-
+- One ASM mesh per Google Cloud project is supported.
 
  <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| asm\_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no |
-| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no |
+| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no |
+| asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
+| ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no |
+| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` | `{}` | no |
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
+| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no |
+| enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no |
+| enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no |
+| enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no |
+| enable\_gcp\_apis | Sets `--enable_gcp_apis` option if true. | `bool` | `false` | no |
+| enable\_gcp\_components | Sets --enable\_gcp\_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `bool` | `false` | no |
+| enable\_gcp\_iam\_roles | Sets `--enable_gcp_iam_roles` option if true. | `bool` | `false` | no |
+| enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
+| key\_file | The GCP Service Account credentials file path used to deploy ASM. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
-| managed | Whether the control plane should be managed. | `bool` | `false` | no |
+| managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |
+| mode | ASM mode for deployment. Supported mode is `install` only. | `string` | `"install"` | no |
+| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no |
+| outdir | Sets `--outdir` option. | `string` | `"none"` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |
+| service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no |
 | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no |
+| skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no |
 
 ## Outputs
 

modules/asm/main.tf

@@ -19,7 +19,15 @@ data "google_project" "asm_project" {
 }
 
 locals {
-  kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}"
+  options_string         = length(var.options) > 0 ? join(",", var.options) : "none"
+  custom_overlays_string = length(var.custom_overlays) > 0 ? join(",", var.custom_overlays) : "none"
+  asm_git_tag_string     = (var.asm_git_tag == "" ? "none" : var.asm_git_tag)
+  service_account_string = (var.service_account == "" ? "none" : var.service_account)
+  key_file_string        = (var.key_file == "" ? "none" : var.key_file)
+  ca_cert                = lookup(var.ca_certs, "ca_cert", "none")
+  ca_key                 = lookup(var.ca_certs, "ca_key", "none")
+  root_cert              = lookup(var.ca_certs, "root_cert", "none")
+  cert_chain             = lookup(var.ca_certs, "cert_chain", "none")
 }
 
 module "asm_install" {
@@ -35,6 +43,6 @@ module "asm_install" {
   project_id               = var.project_id
   service_account_key_file = var.service_account_key_file
 
-  kubectl_create_command  = var.managed ? "${local.kubectl_create_command_base} ${var.managed}" : local.kubectl_create_command_base
+  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
   kubectl_destroy_command = "kubectl delete ns istio-system"
 }

modules/asm/scripts/install_asm.sh

@@ -16,7 +16,7 @@
 
 set -e
 
-if [ "$#" -lt 4 ]; then
+if [ "$#" -lt 5 ]; then
     >&2 echo "Not all expected arguments set."
     exit 1
 fi
@@ -25,31 +25,179 @@ PROJECT_ID=$1
 CLUSTER_NAME=$2
 CLUSTER_LOCATION=$3
 ASM_VERSION=$4
-MANAGED=$5
-MODE="install"
-
-# Download the correct version of the install_asm script
-curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm
-chmod u+x install_asm
-
-declare -a params=(
-    "--verbose"
-    "--project_id ${PROJECT_ID}"
-    "--cluster_name ${CLUSTER_NAME}"
-    "--cluster_location ${CLUSTER_LOCATION}"
-    "--mode ${MODE}"
-    "--enable_cluster_labels"
-    "--enable_cluster_roles"
-)
-
-# Add the --managed param if MANAGED is set to true
-if [[ "${MANAGED}" == true ]]; then
-    params+=("--managed")
-fi
-
-# Run the script with appropriate flags
-echo "Running ./install_asm" "${params[@]}"
-
-# Disable shell linting. Other forms will prevent the command to work
-# shellcheck disable=SC2046,SC2116
-./install_asm $(echo "${params[@]}")
+MODE=$5
+MCP=$6
+SKIP_VALIDATION=$7
+OPTIONS_LIST=$8
+CUSTOM_OVERLAYS_LIST=$9
+ENABLE_ALL=${10}
+ENABLE_CLUSTER_ROLES=${11}
+ENABLE_CLUSTER_LABELS=${12}
+ENABLE_GCP_APIS=${13}
+ENABLE_GCP_IAM_ROLES=${14}
+ENABLE_GCP_COMPONENTS=${15}
+ENABLE_REGISTRATION=${16}
+OUTDIR=${17}
+CA=${18}
+CA_CERT=${19}
+CA_KEY=${20}
+ROOT_CERT=${21}
+CERT_CHAIN=${22}
+SERVICE_ACCOUNT=${23}
+KEY_FILE=${24}
+ASM_GIT_TAG=${25}
+
+# Set SKIP_VALIDATION variable
+if [[ ${SKIP_VALIDATION} = "true" ]]; then
+    export _CI_NO_VALIDATE=1
+else
+    export _CI_NO_VALIDATE=0
+fi
+
+# Create bash arrays from options and custom_overlays lists
+if [[ ${OPTIONS_LIST} ]]; then
+    IFS=',' read -r -a OPTIONS <<< "${OPTIONS_LIST}"
+elif [[ ${OPTIONS_LIST} = "" ]]; then
+    read -r -a OPTIONS <<< "none"
+fi
+
+if [[ ${CUSTOM_OVERLAYS_LIST} ]]; then
+    IFS=',' read -r -a CUSTOM_OVERLAYS <<< "${CUSTOM_OVERLAYS_LIST}"
+else
+    read -r -a CUSTOM_OVERLAYS <<< "none"
+fi
+
+# Echo all values
+echo -e "MODE is $MODE"
+echo -e "MCP is $MCP"
+echo -e "ASM_VERSION is $ASM_VERSION"
+echo -e "ASM_GIT_TAG is $ASM_GIT_TAG"
+echo -e "SKIP_VALIDATION is $SKIP_VALIDATION"
+echo -e "_CI_NO_VALIDATE is $_CI_NO_VALIDATE"
+echo -e "OPTIONS_LIST is ${OPTIONS_LIST}"
+echo -e "OPTIONS array length is ${#OPTIONS[@]}"
+# Create options command snippet
+item="${OPTIONS[*]}";OPTIONS_COMMAND=$(echo "--option" "${item// / --option }")
+echo -e "OPTIONS_COMMAND is $OPTIONS_COMMAND"
+echo -e "CUSTOM_OVERLAYS array length is ${#CUSTOM_OVERLAYS[@]}"
+# Create custom_overlays command snippet
+item="${CUSTOM_OVERLAYS[*]}";CUSTOM_OVERLAYS_COMMAND=$(echo "--custom_overlay" "${item// / --custom_overlay }")
+echo -e "CUSTOM_OVERLAYS_COMMAND is $CUSTOM_OVERLAYS_COMMAND"
+echo -e "ENABLE_ALL is $ENABLE_ALL"
+echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES"
+echo -e "ENABLE_CLUSTER_LABELS is $ENABLE_CLUSTER_LABELS"
+echo -e "ENABLE_GCP_APIS is $ENABLE_GCP_APIS"
+echo -e "ENABLE_GCP_IAM_ROLES is $ENABLE_GCP_IAM_ROLES"
+echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS"
+echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION"
+echo -e "OUTDIR is $OUTDIR"
+echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT"
+echo -e "KEY_FILE is $KEY_FILE"
+
+#download the correct version of the install_asm script
+if [[ "${ASM_GIT_TAG}" = "none" ]]; then
+    echo -e "Downloading install_asm with latest git tag..."
+    curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm_"${ASM_VERSION}"
+    chmod u+x install_asm_"${ASM_VERSION}"
+else
+    ASM_GIT_TAG_FIXED=$(sed 's/+/-/g' <<<"$ASM_GIT_TAG")
+    echo -e "Downloading install_asm with git tag $ASM_GIT_TAG..."
+    curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_GIT_TAG_FIXED}" > install_asm_"${ASM_VERSION}"
+    chmod u+x install_asm_"${ASM_VERSION}"
+fi
+
+# Craft MCP section for install_asm
+if [[ "${MCP}" = true ]]; then
+    MCP_COMMAND_SNIPPET="--managed"
+else
+    MCP_COMMAND_SNIPPET=""
+fi
+
+# Craft service_account section for install_asm
+if [[ "${SERVICE_ACCOUNT}" = "none" ]]; then
+    SERVICE_ACCOUNT_COMMAND_SNIPPET=""
+else
+    SERVICE_ACCOUNT_COMMAND_SNIPPET="--service_account ${SERVICE_ACCOUNT}"
+fi
+
+# Craft key_file section for install_asm
+if [[ "${KEY_FILE}" = "none" ]]; then
+    KEY_FILE_COMMAND_SNIPPET=""
+else
+    KEY_FILE_COMMAND_SNIPPET="--key_file $(pwd)/${KEY_FILE}"
+fi
+
+# Craft options section for install_asm
+if [[ "${OPTIONS_COMMAND}" = "--option none" ]]; then
+    OPTIONS_COMMAND_SNIPPET=""
+else
+    OPTIONS_COMMAND_SNIPPET="${OPTIONS_COMMAND}"
+fi
+
+if [[ "${CUSTOM_OVERLAYS_COMMAND}" = "--custom_overlay none" ]]; then
+    CUSTOM_OVERLAYS_COMMAND_SNIPPET=""
+else
+    CUSTOM_OVERLAYS_COMMAND_SNIPPET="${CUSTOM_OVERLAYS_COMMAND}"
+fi
+
+if [[ "${ENABLE_ALL}" = false ]]; then
+    ENABLE_ALL_COMMAND_SNIPPET=""
+else
+    ENABLE_ALL_COMMAND_SNIPPET="--enable_all"
+fi
+
+if [[ "${ENABLE_CLUSTER_ROLES}" = false ]]; then
+    ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET=""
+else
+    ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET="--enable_cluster_roles"
+fi
+
+if [[ "${ENABLE_CLUSTER_LABELS}" = false ]]; then
+    ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET=""
+else
+    ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET="--enable_cluster_labels"
+fi
+
+if [[ "${ENABLE_GCP_APIS}" = false ]]; then
+    ENABLE_GCP_APIS_COMMAND_SNIPPET=""
+else
+    ENABLE_GCP_APIS_COMMAND_SNIPPET="--enable_gcp_apis"
+fi
+
+if [[ "${ENABLE_GCP_IAM_ROLES}" = false ]]; then
+    ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET=""
+else
+    ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET="--enable_gcp_iam_roles"
+fi
+
+if [[ "${ENABLE_GCP_COMPONENTS}" = false ]]; then
+    ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET=""
+else
+    ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET="--enable_gcp_components"
+fi
+
+if [[ "${ENABLE_REGISTRATION}" = false ]]; then
+    ENABLE_REGISTRATION_COMMAND_SNIPPET=""
+else
+    ENABLE_REGISTRATION_COMMAND_SNIPPET="--enable_registration"
+fi
+
+if [[ "${OUTDIR}" = "none" ]]; then
+    OUTDIR_COMMAND_SNIPPET=""
+else
+    OUTDIR_COMMAND_SNIPPET="--output_dir ${OUTDIR}"
+    mkdir -p "${OUTDIR}"
+fi
+
+if [[ "${CA}" = "citadel" ]]; then
+    CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}"
+else
+    CA_COMMAND_SNIPPET=""
+fi
+
+# Echo the command before executing
+echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}"
+
+# run the script with appropriate flags
+# shellcheck disable=SC2086
+./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_APIS_COMMAND_SNIPPET} ${ENABLE_GCP_IAM_ROLES_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}