Skip to content

Support all asm_install option #890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

Support all asm_install option #890

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a7ee0bd
[ASM] Support All asm_install's option
YpNo May 9, 2021
281a93e
Add informations in README
YpNo May 9, 2021
5bc40df
Fix README
YpNo May 9, 2021
60debb9
Fix README
YpNo May 9, 2021
516dbd9
Fix unused asm_dir option + support custom overlay
YpNo May 10, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 37 additions & 4 deletions modules/asm/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,29 @@ module "asm" {
}
```

Advanced example:
```tf
module "asm" {
source = "terraform-google-modules/kubernetes-engine/google//modules/asm"

project_id = "my-project-id"
cluster_name = "my-cluster-name"
location = module.gke.location
cluster_endpoint = module.gke.endpoint

asm_dir = "asm-dir-${module.gke.name}"
asm_version = "1.9"
managed = true
enable_registration = true
enable_cluster_roles = true
custom_overlay_file = "${path.cwd}/../asm/istio-operator.yaml"

depends_on = [
module.gke.google_container_node_pool
]
}
```

To deploy this config:
1. Run `terraform apply`

Expand All @@ -37,11 +60,20 @@ To deploy this config:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| asm\_dir | Name of directory to keep ASM resource config files. | `string` | `"asm-dir"` | no |
| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.8"` | no |
| asm\_dir | Name of directory to keep ASM resource config files. | `string` | `""` | no |
| asm\_version | ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
| cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
| cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
| custom\_overlay\_file | Path of the custom overlay file. | `string` | `""` | no |
| disable\_canonical\_service | Whether the canonical service should be disabled. | `bool` | `false` | no |
| enable\_all | Whether you want to enable all asm script option. | `bool` | `false` | no |
| enable\_cluster\_labels | Whether the ASM's GKE cluster labels should be added. | `bool` | `false` | no |
| enable\_cluster\_roles | Whether the needed cluster roles should be added. | `bool` | `false` | no |
| enable\_gcp\_apis | Whether the needed GCP APIs should be activated. | `bool` | `false` | no |
| enable\_gcp\_components | Whether `workload_identity` and `stackdriver-kubernetes` should be activated. | `bool` | `false` | no |
| enable\_gcp\_iam\_roles | Whether the `resourcemanager.projectIamAdmin` IAM roles should be set. | `bool` | `false` | no |
| enable\_registration | Whether the cluster registration should be managed. | `bool` | `false` | no |
| gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"337.0.0"` | no |
| location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
| managed | Whether the control plane should be managed. | `bool` | `false` | no |
| project\_id | The project in which the resource belongs. | `string` | n/a | yes |
Expand All @@ -53,4 +85,5 @@ To deploy this config:
|------|-------------|
| asm\_wait | An output to use when you want to depend on ASM finishing |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

7 changes: 4 additions & 3 deletions modules/asm/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,13 @@ data "google_project" "asm_project" {
}

locals {
kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}"
options = "\"${var.asm_dir}\" ${var.managed} ${var.enable_all} ${var.enable_cluster_labels} ${var.enable_cluster_roles} ${var.enable_gcp_apis} ${var.enable_gcp_iam_roles} ${var.enable_gcp_components} ${var.enable_registration} ${var.disable_canonical_service} \"${var.custom_overlay_file}\""
kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${local.options}"
}

module "asm_install" {
source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
version = "~> 2.0.2"
version = "~> 2.0.3"
module_depends_on = [var.cluster_endpoint]

gcloud_sdk_version = var.gcloud_sdk_version
Expand All @@ -35,6 +36,6 @@ module "asm_install" {
project_id = var.project_id
service_account_key_file = var.service_account_key_file

kubectl_create_command = var.managed ? "${local.kubectl_create_command_base} ${var.managed}" : local.kubectl_create_command_base
kubectl_create_command = local.kubectl_create_command_base
kubectl_destroy_command = "kubectl delete ns istio-system"
}
54 changes: 51 additions & 3 deletions modules/asm/scripts/install_asm.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,17 @@ PROJECT_ID=$1
CLUSTER_NAME=$2
CLUSTER_LOCATION=$3
ASM_VERSION=$4
MANAGED=$5
ASM_CONFIG_OUTPUT_PATH=$5
MANAGED=${6:-false}
ENABLE_ALL=${7:-false}
ENABLE_CLUSTER_LABELS=${8:-false}
ENABLE_CLUSTER_ROLES=${9:-false}
ENABLE_GCP_APIS=${10:-false}
ENABLE_GCP_IAM_ROLES=${11:-false}
ENABLE_GCP_COMPONENTS=${12:-false}
ENABLE_REGISTRATION=${13:-false}
DISABLE_CANNONICAL_SERVICE=${14:-false}
CUSTOM_OVERLAY_FILE=${15}
MODE="install"

# Download the correct version of the install_asm script
Expand All @@ -38,15 +48,53 @@ declare -a params=(
"--cluster_name ${CLUSTER_NAME}"
"--cluster_location ${CLUSTER_LOCATION}"
"--mode ${MODE}"
"--enable_cluster_labels"
"--enable_cluster_roles"
)

# Add the --output_dir param if ASM_CONFIG_OUTPUT_PATH is not empty
if [[ -n "${ASM_CONFIG_OUTPUT_PATH}" ]]; then
params+=("--output_dir ${ASM_CONFIG_OUTPUT_PATH}")
fi

# Add the --managed param if MANAGED is set to true
if [[ "${MANAGED}" == true ]]; then
params+=("--managed")
fi

# Add the --enable_all param if ENABLE_ALL is set to true
# Otherwise the script will check value of all "ENABLE_*" variables and add them to the command line if they are set to true
if [[ "${ENABLE_ALL}" == true ]]; then
params+=("--enable_all")
else
if [[ "${ENABLE_CLUSTER_LABELS}" == true ]]; then
params+=("--enable_cluster_labels")
fi
if [[ "${ENABLE_CLUSTER_ROLES}" == true ]]; then
params+=("--enable_cluster_roles")
fi
if [[ "${ENABLE_GCP_APIS}" == true ]]; then
params+=("--enable_gcp_apis")
fi
if [[ "${ENABLE_GCP_IAM_ROLES}" == true ]]; then
params+=("--enable_gcp_iam_roles")
fi
if [[ "${ENABLE_GCP_COMPONENTS}" == true ]]; then
params+=("--enable_gcp_components")
fi
if [[ "${ENABLE_REGISTRATION}" == true ]]; then
params+=("--enable_registration")
fi
fi

# Add --disable_canonical_service param if DISABLE_CANNONICAL_SERVICE is set to true
if [[ "${DISABLE_CANNONICAL_SERVICE}" == true ]]; then
params+=("--disable_canonical_service")
fi

# Add --custom_overlay param if file set with DISABLE_CANNONICAL_SERVICE variable exists
if [[ -f "${CUSTOM_OVERLAY_FILE}" ]]; then
params+=("--custom_overlay ${CUSTOM_OVERLAY_FILE}")
fi

# Run the script with appropriate flags
echo "Running ./install_asm" "${params[@]}"

Expand Down
60 changes: 57 additions & 3 deletions modules/asm/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,13 +37,13 @@ variable "location" {
variable "gcloud_sdk_version" {
description = "The gcloud sdk version to use. Minimum required version is 293.0.0"
type = string
default = "296.0.1"
default = "337.0.0"
}

variable "asm_dir" {
description = "Name of directory to keep ASM resource config files."
type = string
default = "asm-dir"
default = ""
}

variable "service_account_key_file" {
Expand All @@ -54,11 +54,65 @@ variable "service_account_key_file" {
variable "asm_version" {
description = "ASM version to deploy. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages"
type = string
default = "1.8"
default = "1.9"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: breaking change, this will result in delete and recreate

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe notice it in the release note ?
Should version change need to execute an upgrade instead ?

We can let "1.8" but we need to explain the risk and the workaround to upgrade or downgrade the version. I didnt try it.

}

variable "managed" {
description = "Whether the control plane should be managed."
type = bool
default = false
}

variable "enable_all" {
description = "Whether you want to enable all asm script option."
type = bool
default = false
}

variable "enable_cluster_labels" {
description = "Whether the ASM's GKE cluster labels should be added."
type = bool
default = false
}

variable "enable_cluster_roles" {
description = "Whether the needed cluster roles should be added."
type = bool
default = false
}

variable "enable_gcp_apis" {
description = "Whether the needed GCP APIs should be activated."
type = bool
default = false
}

variable "enable_gcp_iam_roles" {
description = "Whether the `resourcemanager.projectIamAdmin` IAM roles should be set."
type = bool
default = false
}

Comment on lines +84 to +95
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have disabled these options as we recommend managing most of these via Terraform and not via the ASM installer script. Generally we should try to use native Terraform resources to manage these as much as possible.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right but you should let the users choose. Perhaps they had not managed it (or don't want it) with Terraform.
Like enable_cluster_labels and enable_cluster_roles you've enabled it by default. The cluster roles should be managed with native terraform resources.
I hesitated for enable_cluster_labels because if you use it, it adds labels, yes, but for the next terraform apply, the gke module will try to delete those labels because it doesn't manage it itself. On the other hand, it requires to know and manage the labels earlier in the gke module.

When you follow the install_asm documentation, the default examples don't talk about those options and use the "default" installation (without any option).

Regards.

variable "enable_gcp_components" {
description = "Whether `workload_identity` and `stackdriver-kubernetes` should be activated."
type = bool
default = false
}

variable "enable_registration" {
description = "Whether the cluster registration should be managed."
type = bool
default = false
}

variable "disable_canonical_service" {
description = "Whether the canonical service should be disabled."
type = bool
default = false
}

variable "custom_overlay_file" {
description = "Path of the custom overlay file."
type = string
default = ""
}