feat(anthos-attached-clusters): add attached-install-mesh module (#710)

Author: apeabody

.gitignore

@@ -26,6 +26,8 @@ credentials_file.json
 .kitchen
 **ci-abm*.json
 out.json
+.tmp
+.cache
 
 files.log
 legacy_headder_check.log

anthos-attached-clusters/kind/README.md

@@ -59,7 +59,10 @@ The other examples and module limit dependancies to terraform core providers, bu
 |------|-------------|------|---------|:--------:|
 | gcp\_location | GCP location to create the attached resource in | `string` | `"us-west1"` | no |
 | gcp\_project\_id | The GCP project id where the cluster will be registered | `string` | n/a | yes |
+| kind\_api\_server\_address | Kind cluster API server address | `string` | `null` | no |
+| kind\_api\_server\_port | Kind cluster API server port | `number` | `null` | no |
 | kind\_node\_image | The image used for the kind cluster | `string` | `"kindest/node:v1.28.0"` | no |
+| kubeconfig\_path | The kubeconfig path. | `string` | `null` | no |
 | name\_prefix | Common prefix to use for generating names | `string` | n/a | yes |
 | platform\_version | Platform version of the attached cluster resource | `string` | `"1.28.0-gke.3"` | no |
 

anthos-attached-clusters/kind/main.tf

@@ -26,7 +26,7 @@ resource "kind_cluster" "cluster" {
   name       = local.cluster_name
   node_image = var.kind_node_image
 
-  kubeconfig_path = "${path.root}/.tmp/kube/${local.cluster_name}"
+  kubeconfig_path = var.kubeconfig_path != null ? var.kubeconfig_path : "${path.root}/.tmp/kube/${local.cluster_name}"
 
   wait_for_ready = true
 
@@ -36,6 +36,10 @@ resource "kind_cluster" "cluster" {
     feature_gates = {
       KubeletInUserNamespace : "true"
     }
+    networking {
+      api_server_address = var.kind_api_server_address
+      api_server_port    = var.kind_api_server_port
+    }
   }
 }
 
@@ -67,8 +71,6 @@ data "google_project" "project" {
   project_id = var.gcp_project_id
 }
 
-
-
 module "oidc" {
   source = "./oidc"
 
@@ -78,7 +80,6 @@ module "oidc" {
   client_key             = kind_cluster.cluster.client_key
 }
 
-
 resource "google_container_attached_cluster" "primary" {
   name             = local.cluster_name
   project          = data.google_project.project.project_id
@@ -119,6 +120,14 @@ resource "google_container_attached_cluster" "primary" {
   ]
 }
 
+module "install-mesh" {
+  source = "../modules/attached-install-mesh"
 
+  kubeconfig = kind_cluster.cluster.kubeconfig_path
+  context    = local.cluster_context
+  fleet_id   = data.google_project.project.project_id
 
-
+  depends_on = [
+    google_container_attached_cluster.primary
+  ]
+}

anthos-attached-clusters/kind/oidc/main.tf

@@ -30,15 +30,11 @@ data "http" "issuer" {
   client_key = var.client_key
 }
 
-locals {
-  issuer_json = jsondecode(data.http.issuer.response_body)
-}
-
 data "http" "jwks" {
 
   provider = http-full
 
-  url = local.issuer_json.jwks_uri
+  url = "${var.endpoint}/openid/v1/jwks"
   request_headers = {
     content-type = "application/json"
   }

anthos-attached-clusters/kind/oidc/outputs.tf

@@ -15,7 +15,7 @@
  */
 
 output "issuer" {
-  value = local.issuer_json.issuer
+  value = jsondecode(data.http.issuer.response_body).issuer
 }
 
 output "jwks" {

anthos-attached-clusters/kind/oidc/providers.tf

@@ -23,4 +23,3 @@ terraform {
   }
   required_version = ">= 0.13"
 }
-

anthos-attached-clusters/kind/oidc/variables.tf

@@ -18,7 +18,6 @@ variable "endpoint" {
   type = string
 }
 
-
 variable "cluster_ca_certificate" {
   type = string
 }
@@ -30,5 +29,3 @@ variable "client_certificate" {
 variable "client_key" {
   type = string
 }
-
-

anthos-attached-clusters/kind/variables.tf

@@ -36,12 +36,26 @@ variable "platform_version" {
   default     = "1.28.0-gke.3"
 }
 
-
 variable "kind_node_image" {
   description = "The image used for the kind cluster"
   type        = string
   default     = "kindest/node:v1.28.0"
 }
 
+variable "kind_api_server_address" {
+  description = "Kind cluster API server address"
+  type        = string
+  default     = null
+}
 
+variable "kind_api_server_port" {
+  description = "Kind cluster API server port"
+  type        = number
+  default     = null
+}
 
+variable "kubeconfig_path" {
+  description = "The kubeconfig path."
+  type        = string
+  default     = null
+}

anthos-attached-clusters/modules/attached-install-mesh/main.tf

@@ -0,0 +1,246 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  tmp_credentials_path = "${path.module}/terraform-google-credentials.json"
+  cache_path           = "${path.module}/.cache/${random_id.cache.hex}"
+  gcloud_tar_path      = "${local.cache_path}/google-cloud-sdk.tar.gz"
+  gcloud_bin_path      = "${local.cache_path}/google-cloud-sdk/bin"
+  gcloud_bin_abs_path  = abspath(local.gcloud_bin_path)
+
+  gcloud              = "${local.gcloud_bin_path}/gcloud"
+  gcloud_download_url = var.gcloud_download_url != null ? var.gcloud_download_url : "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${var.gcloud_sdk_version}-${var.platform}-x86_64.tar.gz"
+  jq_platform         = var.platform == "darwin" ? "osx-amd" : var.platform
+  jq_download_url     = var.jq_download_url != null ? var.jq_download_url : "https://github.com/stedolan/jq/releases/download/jq-${var.jq_version}/jq-${local.jq_platform}64"
+  asmcli_download_url = var.asmcli_download_url != null ? var.asmcli_download_url : "https://storage.googleapis.com/csm-artifacts/asm/asmcli_${var.asmcli_version}"
+
+  cmd_entrypoint  = "${local.gcloud_bin_path}/asmcli"
+  create_cmd_body = "install --kubeconfig ${var.kubeconfig} --context ${var.context} --fleet_id ${var.fleet_id} --platform multicloud --enable_cluster_labels --enable_namespace_creation --enable_gcp_components --enable_cluster_roles --ca mesh_ca --option attached-cluster"
+
+  wait = length(null_resource.additional_components[*].triggers) + length(
+    null_resource.gcloud_auth_service_account_key_file[*].triggers,
+    ) + length(null_resource.gcloud_auth_google_credentials[*].triggers,
+  ) + length(null_resource.run_command[*].triggers)
+
+  prepare_cache_command                        = "mkdir -p ${local.cache_path}"
+  download_gcloud_command                      = "curl -sL -o ${local.cache_path}/google-cloud-sdk.tar.gz ${local.gcloud_download_url}"
+  download_jq_command                          = "curl -sL -o ${local.cache_path}/jq ${local.jq_download_url} && chmod +x ${local.cache_path}/jq"
+  download_asmcli_command                      = "curl -sL -o ${local.cache_path}/asmcli ${local.asmcli_download_url} && chmod +x ${local.cache_path}/asmcli"
+  decompress_command                           = "tar -xzf ${local.gcloud_tar_path} -C ${local.cache_path} && cp ${local.cache_path}/jq ${local.cache_path}/google-cloud-sdk/bin/ && cp ${local.cache_path}/asmcli ${local.cache_path}/google-cloud-sdk/bin/"
+  additional_components_command                = "${path.module}/scripts/check_components.sh ${local.gcloud} kubectl"
+  gcloud_auth_service_account_key_file_command = "${local.gcloud} auth activate-service-account --key-file ${var.service_account_key_file}"
+  activate_service_account                     = var.activate_service_account ? "${local.gcloud} auth activate-service-account --key-file ${local.tmp_credentials_path}" : "true"
+  gcloud_auth_google_credentials_command       = <<-EOT
+    printf "%s" "$GOOGLE_CREDENTIALS" > ${local.tmp_credentials_path} && \
+    ${local.activate_service_account}
+  EOT
+
+}
+
+resource "random_id" "cache" {
+  byte_length = 4
+}
+
+resource "null_resource" "prepare_cache" {
+  triggers = {
+    arguments             = md5(local.create_cmd_body)
+    prepare_cache_command = local.prepare_cache_command
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.prepare_cache_command
+  }
+}
+
+resource "null_resource" "download_gcloud" {
+  triggers = {
+    arguments               = md5(local.create_cmd_body)
+    download_gcloud_command = local.download_gcloud_command
+    version                 = var.gcloud_sdk_version
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.download_gcloud_command
+  }
+
+  depends_on = [null_resource.prepare_cache]
+}
+
+resource "null_resource" "download_jq" {
+  triggers = {
+    arguments           = md5(local.create_cmd_body)
+    download_jq_command = local.download_jq_command
+    version             = var.jq_version
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.download_jq_command
+  }
+
+  depends_on = [null_resource.prepare_cache]
+}
+
+resource "null_resource" "download_asmcli" {
+  triggers = {
+    arguments               = md5(local.create_cmd_body)
+    download_asmcli_command = local.download_asmcli_command
+    version                 = var.asmcli_version
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.download_asmcli_command
+  }
+
+  depends_on = [null_resource.prepare_cache]
+}
+
+resource "null_resource" "decompress" {
+  triggers = {
+    arguments               = md5(local.create_cmd_body)
+    decompress_command      = local.decompress_command
+    download_gcloud_command = local.download_gcloud_command
+    download_jq_command     = local.download_jq_command
+    download_asmcli_command = local.download_asmcli_command
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.decompress_command
+  }
+
+  depends_on = [null_resource.download_gcloud, null_resource.download_jq, null_resource.download_asmcli]
+}
+
+resource "null_resource" "additional_components" {
+  depends_on = [null_resource.decompress]
+
+  triggers = {
+    arguments                     = md5(local.create_cmd_body)
+    additional_components_command = local.additional_components_command
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.additional_components_command
+  }
+}
+
+resource "null_resource" "gcloud_auth_service_account_key_file" {
+  count      = length(var.service_account_key_file) > 0 ? 1 : 0
+  depends_on = [null_resource.decompress]
+
+  triggers = {
+    arguments                                    = md5(local.create_cmd_body)
+    gcloud_auth_service_account_key_file_command = local.gcloud_auth_service_account_key_file_command
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.gcloud_auth_service_account_key_file_command
+  }
+}
+
+resource "null_resource" "gcloud_auth_google_credentials" {
+  count      = var.use_tf_google_credentials_env_var ? 1 : 0
+  depends_on = [null_resource.decompress]
+
+  triggers = {
+    arguments                              = md5(local.create_cmd_body)
+    gcloud_auth_google_credentials_command = local.gcloud_auth_google_credentials_command
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = self.triggers.gcloud_auth_google_credentials_command
+  }
+}
+
+resource "null_resource" "run_command" {
+  depends_on = [
+    null_resource.decompress,
+    null_resource.additional_components,
+    null_resource.gcloud_auth_google_credentials,
+    null_resource.gcloud_auth_service_account_key_file
+  ]
+
+  triggers = {
+    arguments           = md5(local.create_cmd_body)
+    cmd_entrypoint      = local.cmd_entrypoint
+    create_cmd_body     = local.create_cmd_body
+    gcloud_bin_abs_path = local.gcloud_bin_abs_path
+  }
+
+  provisioner "local-exec" {
+    when    = create
+    command = <<-EOT
+    PATH=${self.triggers.gcloud_bin_abs_path}:$PATH
+    ${self.triggers.cmd_entrypoint} ${self.triggers.create_cmd_body}
+    EOT
+    environment = {
+      PROJECT_ID = ""
+    }
+  }
+
+}
+
+resource "null_resource" "gcloud_auth_google_credentials_destroy" {
+  count = var.use_tf_google_credentials_env_var ? 1 : 0
+  triggers = {
+    gcloud_auth_google_credentials_command = local.gcloud_auth_google_credentials_command
+  }
+  provisioner "local-exec" {
+    when    = destroy
+    command = self.triggers.gcloud_auth_google_credentials_command
+  }
+}
+
+resource "null_resource" "gcloud_auth_service_account_key_file_destroy" {
+  count = length(var.service_account_key_file) > 0 ? 1 : 0
+  triggers = {
+    gcloud_auth_service_account_key_file_command = local.gcloud_auth_service_account_key_file_command
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = self.triggers.gcloud_auth_service_account_key_file_command
+  }
+}
+
+resource "null_resource" "additional_components_destroy" {
+  triggers = {
+    additional_components_command = local.additional_components_command
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = self.triggers.additional_components_command
+  }
+}
+
+resource "null_resource" "decompress_destroy" {
+  triggers = {
+    decompress_command = local.decompress_command
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = self.triggers.decompress_command
+  }
+}