feat: add enable_namespace_creation flag for ASM module (terraform-google-modules#968)

ZhengzheYang · web-flow · commit 8764b76a25be · 2021-08-05T15:34:23.000-05:00
* add enable_namespace_creation flag and start testing with 1.10

* address comments
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf
@@ -67,15 +67,16 @@ module "gke" {
 }
 
 module "asm" {
-  source                = "../../modules/asm"
-  cluster_name          = module.gke.name
-  cluster_endpoint      = module.gke.endpoint
-  project_id            = var.project_id
-  location              = module.gke.location
-  enable_cluster_roles  = true
-  enable_cluster_labels = true
-  enable_gcp_apis       = true
-  enable_gcp_components = true
-  options               = ["envoy-access-log"]
-  outdir                = "./${module.gke.name}-outdir"
+  source                    = "../../modules/asm"
+  cluster_name              = module.gke.name
+  cluster_endpoint          = module.gke.endpoint
+  project_id                = var.project_id
+  location                  = module.gke.location
+  enable_cluster_roles      = true
+  enable_cluster_labels     = true
+  enable_gcp_apis           = true
+  enable_gcp_components     = true
+  enable_namespace_creation = true
+  options                   = ["envoy-access-log"]
+  outdir                    = "./${module.gke.name}-outdir"
 }
diff --git a/modules/asm/README.md b/modules/asm/README.md
@@ -49,8 +49,8 @@ To deploy this config:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no |
-| asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
+| asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8`, `1.9` and `1.10`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no |
+| asm\_version | ASM version to deploy. This module supports versions `1.8`, `1.9` and `1.10`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
 | ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no |
 | ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map(any)` | `{}` | no |
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
@@ -62,6 +62,7 @@ To deploy this config:
 | enable\_gcp\_apis | Sets `--enable_gcp_apis` option if true. | `bool` | `false` | no |
 | enable\_gcp\_components | Sets --enable\_gcp\_components option if true. Can be true or false. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `bool` | `false` | no |
 | enable\_gcp\_iam\_roles | Grants IAM roles required for ASM if true. If enable\_gcp\_iam\_roles, one of impersonate\_service\_account, service\_account, or iam\_member must be set. | `bool` | `false` | no |
+| enable\_namespace\_creation | Sets `--enable_namespace_creation` option if true. | `bool` | `false` | no |
 | enable\_registration | Sets `--enable_registration` option if true. | `bool` | `false` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
 | iam\_member | The GCP member email address to grant IAM roles to. If impersonate\_service\_account or service\_account is set, roles are granted to that SA. | `string` | `""` | no |
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
@@ -29,6 +29,7 @@ locals {
   root_cert              = lookup(var.ca_certs, "root_cert", "none")
   cert_chain             = lookup(var.ca_certs, "cert_chain", "none")
   revision_name_string   = (var.revision_name == "" ? "none" : var.revision_name)
+  asm_minor_version      = tonumber(split(".", var.asm_version)[1])
   # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L1970
   iam_roles = [
     "roles/container.admin",
@@ -48,6 +49,8 @@ locals {
   asm_iam_member = var.enable_gcp_iam_roles ? coalesce(var.impersonate_service_account, var.service_account, var.iam_member) : ""
   # compute any additonal resources that ASM provisioner should depend on
   additional_depends_on = concat(var.enable_gcp_apis ? [module.asm-services[0].project_id] : [], local.asm_iam_member != "" ? [for k, v in google_project_iam_member.asm_iam : v.etag] : [])
+  # base command template for ASM installation
+  kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string} ${local.revision_name_string}"
 }
 
 resource "google_project_iam_member" "asm_iam" {
@@ -97,6 +100,7 @@ module "asm_install" {
   service_account_key_file    = var.service_account_key_file
   impersonate_service_account = var.impersonate_service_account
 
-  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string} ${local.revision_name_string}"
+  # enable_namespace_creation flag is only available starting 1.10
+  kubectl_create_command  = (local.asm_minor_version > 9 ? "${local.kubectl_create_command_base} ${var.enable_namespace_creation}" : local.kubectl_create_command_base)
   kubectl_destroy_command = "${path.module}/scripts/destroy_asm.sh"
 }
diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh
@@ -45,6 +45,7 @@ SERVICE_ACCOUNT=${21}
 KEY_FILE=${22}
 ASM_GIT_TAG=${23}
 REVISION_NAME=${24}
+ENABLE_NAMESPACE_CREATION=${25}
 
 # Set SKIP_VALIDATION variable
 if [[ ${SKIP_VALIDATION} = "true" ]]; then
@@ -91,6 +92,7 @@ echo -e "ENABLE_CLUSTER_ROLES is $ENABLE_CLUSTER_ROLES"
 echo -e "ENABLE_CLUSTER_LABELS is $ENABLE_CLUSTER_LABELS"
 echo -e "ENABLE_GCP_COMPONENTS is $ENABLE_GCP_COMPONENTS"
 echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION"
+echo -e "ENABLE_NAMESPACE_CREATION is $ENABLE_NAMESPACE_CREATION"
 echo -e "OUTDIR is $OUTDIR"
 echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT"
 echo -e "KEY_FILE is $KEY_FILE"
@@ -176,6 +178,12 @@ else
     ENABLE_REGISTRATION_COMMAND_SNIPPET="--enable_registration"
 fi
 
+if [[ "${ENABLE_NAMESPACE_CREATION}" = true ]]; then
+    ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET="--enable_namespace_creation"
+else
+    ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET=""
+fi
+
 if [[ "${OUTDIR}" = "none" ]]; then
     OUTDIR_COMMAND_SNIPPET=""
 else
@@ -196,8 +204,8 @@ else
 fi
 
 # Echo the command before executing
-echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}"
+echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}"
 
 # run the script with appropriate flags
 # shellcheck disable=SC2086
-./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}  ${REVISION_NAME_COMMAND_SNIPPET}
+./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${ENABLE_NAMESPACE_CREATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}  ${REVISION_NAME_COMMAND_SNIPPET}
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
@@ -52,13 +52,13 @@ variable "service_account_key_file" {
 }
 
 variable "asm_version" {
-  description = "ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages"
+  description = "ASM version to deploy. This module supports versions `1.8`, `1.9` and `1.10`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages"
   type        = string
   default     = "1.9"
 }
 
 variable "asm_git_tag" {
-  description = "ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable."
+  description = "ASM git tag to deploy. This module supports versions `1.8`, `1.9` and `1.10`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable."
   type        = string
   default     = ""
 }
@@ -153,6 +153,12 @@ variable "enable_registration" {
   default     = false
 }
 
+variable "enable_namespace_creation" {
+  description = "Sets `--enable_namespace_creation` option if true."
+  type        = bool
+  default     = false
+}
+
 variable "outdir" {
   description = "Sets `--outdir` option."
   type        = string
