feat(bootstrap): TF changes for GCP CAPI migration (#835)

davidspek · web-flow · commit 103f43235d5e · 2023-09-06T14:16:44.000+02:00
Signed-off-by: David van der Spek &lt;vanderspek.david@gmail.com&gt;
diff --git a/bootstrap/plural/recipes/gcp-cluster-api-simple-test.yaml b/bootstrap/plural/recipes/gcp-cluster-api-simple-test.yaml
@@ -16,7 +16,7 @@ sections:
           message: must begin with a lowercase letter, and can only contain lowercase letters, numbers or hyphens after
     items:
       - type: TERRAFORM
-        name: gcp-bootstrap-cluster-api
+        name: gcp-bootstrap
       - type: HELM
         name: bootstrap
       - type: HELM
diff --git a/bootstrap/terraform/gcp-bootstrap-cluster-api/deps.yaml b/bootstrap/terraform/gcp-bootstrap-cluster-api/deps.yaml
diff --git a/bootstrap/terraform/gcp-bootstrap-cluster-api/main.tf b/bootstrap/terraform/gcp-bootstrap-cluster-api/main.tf
diff --git a/bootstrap/terraform/gcp-bootstrap-cluster-api/terraform.tfvars b/bootstrap/terraform/gcp-bootstrap-cluster-api/terraform.tfvars
diff --git a/bootstrap/terraform/gcp-bootstrap-cluster-api/variables.tf b/bootstrap/terraform/gcp-bootstrap-cluster-api/variables.tf
diff --git a/bootstrap/terraform/gcp-bootstrap/README.md b/bootstrap/terraform/gcp-bootstrap/README.md
@@ -1,3 +1,3 @@
 # GCP Kubernetes bootstrapping
 
-Provisions a gke cluster with node pool, along with default networking etc.
+Provisions a gke cluster with node pool, along with default networking etc.
diff --git a/bootstrap/terraform/gcp-bootstrap/deps.yaml b/bootstrap/terraform/gcp-bootstrap/deps.yaml
@@ -2,13 +2,14 @@ apiVersion: plural.sh/v1alpha1
 kind: Dependencies
 metadata:
   description: Creates a GKE cluster and adds initial configuration
-  version: 0.2.23
+  version: 0.2.24
 spec:
   dependencies: []
   providers:
   - gcp
   outputs:
     cluster: cluster
     vpc_network: vpc_network
+    capi_sa_workload_identity_email: capi_sa_workload_identity_email
   provider_wirings:
     cluster: module.gcp-bootstrap.cluster
diff --git a/bootstrap/terraform/gcp-bootstrap/locals.tf b/bootstrap/terraform/gcp-bootstrap/locals.tf
@@ -5,4 +5,4 @@ locals {
   services_cidr_name = "${var.gcp_region}-${var.cluster_name}-services"
   vpc_network_name   = var.vpc_network_name != "" ? var.vpc_network_name : "${var.vpc_name_prefix}-network"
   vpc_subnetwork_name = var.vpc_subnetwork_name != "" ? var.vpc_subnetwork_name : "${var.vpc_name_prefix}-subnetwork"
-}
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/main.tf b/bootstrap/terraform/gcp-bootstrap/main.tf
@@ -1,4 +1,5 @@
 resource "google_compute_network" "vpc_network" {
+  count                   = var.cluster_api ? 0 : 1
   name                    = local.vpc_network_name
   auto_create_subnetworks = "false"
 
@@ -13,11 +14,10 @@ resource "google_compute_network" "vpc_network" {
 }
 
 resource "google_compute_subnetwork" "vpc_subnetwork" {
-  name = local.vpc_subnetwork_name
-
+  count         = var.cluster_api ? 0 : 1
+  name          = local.vpc_subnetwork_name
   ip_cidr_range = var.vpc_subnetwork_cidr_range
-
-  network = google_compute_network.vpc_network.name
+  network       = one(google_compute_network.vpc_network[*].name)
 
   secondary_ip_range {
     range_name    = local.pods_cidr_name
@@ -44,14 +44,15 @@ resource "google_compute_subnetwork" "vpc_subnetwork" {
 }
 
 module "gke" {
+  count                      = var.cluster_api ? 0 : 1
   source                     = "github.com/pluralsh/terraform-google-kubernetes-engine?ref=filestore-csi-driver"
   project_id                 = var.gcp_project_id
   name                       = var.cluster_name
   region                     = local.gcp_region
-  network                    = google_compute_network.vpc_network.name
-  subnetwork                 = google_compute_subnetwork.vpc_subnetwork.name
-  ip_range_pods              = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name
-  ip_range_services          = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[1].range_name
+  network                    = one(google_compute_network.vpc_network[*].name)
+  subnetwork                 = one(google_compute_subnetwork.vpc_subnetwork[*].name)
+  ip_range_pods              = one(google_compute_subnetwork.vpc_subnetwork[*].secondary_ip_range[0].range_name)
+  ip_range_services          = one(google_compute_subnetwork.vpc_subnetwork[*].secondary_ip_range[1].range_name)
   horizontal_pod_autoscaling = true
   http_load_balancing        = true
   remove_default_node_pool   = true
@@ -69,7 +70,7 @@ module "gke" {
     },
     var.cluster_labels,
   )
-  grant_registry_access      = var.grant_registry_access
+  grant_registry_access = var.grant_registry_access
 
   node_pools = var.node_pools
 
@@ -88,18 +89,40 @@ module "gke" {
 }
 
 resource "kubernetes_namespace" "bootstrap" {
+  count = var.cluster_api ? 0 : 1
+
   metadata {
     name = var.namespace
 
     labels = {
       "app.kubernetes.io/managed-by" = "plural"
-      "app.plural.sh/name" = "bootstrap"
+      "app.plural.sh/name"           = "bootstrap"
     }
   }
 
   depends_on = [module.gke.endpoint]
 }
 
+resource "kubernetes_service_account" "certmanager" {
+  count = var.cluster_api ? 0 : 1
+  metadata {
+    name      = "certmanager"
+    namespace = var.namespace
+
+    annotations = {
+      "iam.gke.io/gcp-service-account" = module.certmanager-workload-identity.gcp_service_account_email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.bootstrap]
+}
+
+data "google_container_cluster" "cluster" {
+  count    = var.cluster_api ? 1 : 0
+  name     = var.cluster_name
+  location = var.gcp_region
+}
+
 module "externaldns-workload-identity" {
   source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
   name                = "${var.cluster_name}-externaldns"
@@ -139,15 +162,20 @@ module "certmanager-workload-identity" {
   depends_on = [google_project_service.iam]
 }
 
-resource "kubernetes_service_account" "certmanager" {
-  metadata {
-    name      = "certmanager"
-    namespace = var.namespace
-
-    annotations = {
-      "iam.gke.io/gcp-service-account" = module.certmanager-workload-identity.gcp_service_account_email
-    }
-  }
+module "capi-workload-identity" {
+  source              = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+  name                = "${var.cluster_name}-cluster-api-provider-gcp"
+  namespace           = var.namespace
+  project_id          = var.gcp_project_id
+  use_existing_k8s_sa = true
+  annotate_k8s_sa     = false
+  k8s_sa_name         = "bootstrap-cluster-api-provider-gcp"
+  roles               = [
+    "roles/iam.serviceAccountUser",
+    "roles/iam.workloadIdentityUser",
+    "roles/compute.admin",
+    "roles/container.admin",
+  ]
 
-  depends_on = [kubernetes_namespace.bootstrap]
-}
+  module_depends_on = [google_project_service.iam]
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/moved.tf b/bootstrap/terraform/gcp-bootstrap/moved.tf
@@ -0,0 +1,51 @@
+/** main.tf **/
+moved {
+  from = google_compute_network.vpc_network
+  to = google_compute_network.vpc_network[0]
+}
+
+moved {
+  from = google_compute_subnetwork.vpc_subnetwork
+  to = google_compute_subnetwork.vpc_subnetwork[0]
+}
+
+moved {
+  from = module.gke
+  to = module.gke[0]
+}
+
+moved {
+  from = kubernetes_namespace.bootstrap
+  to = kubernetes_namespace.bootstrap[0]
+}
+
+moved {
+  from = kubernetes_service_account.certmanager
+  to = kubernetes_service_account.certmanager[0]
+}
+
+/** services.tf **/
+moved {
+  from = google_project_service.gcr
+  to = google_project_service.gcr[0]
+}
+
+moved {
+  from = google_project_service.container
+  to = google_project_service.container[0]
+}
+
+moved {
+  from = google_project_service.storage
+  to = google_project_service.storage[0]
+}
+
+moved {
+  from = google_project_service.dns
+  to = google_project_service.dns[0]
+}
+
+moved {
+  from = google_project_service.compute
+  to = google_project_service.compute[0]
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/network.tf b/bootstrap/terraform/gcp-bootstrap/network.tf
@@ -1,23 +1,23 @@
 resource "google_compute_router" "router" {
-  count   = var.enable_nat ? 1 : 0
+  count   = var.cluster_api ? 0 : var.enable_nat ? 1 : 0
   name    = "${local.vpc_network_name}-router"
-  region  = google_compute_subnetwork.vpc_subnetwork.region
-  network = google_compute_network.vpc_network.id
+  region  = one(google_compute_subnetwork.vpc_subnetwork[*].region)
+  network = one(google_compute_network.vpc_network[*].id)
 }
 
 resource "google_compute_address" "static_external_address" {
-  count  = var.enable_nat ? var.num_static_ips : 0
+  count  = var.cluster_api ? 0 : var.enable_nat ? var.num_static_ips : 0
   name   = "${var.cluster_name}-static-ip"
   region = local.gcp_region
 }
 
 resource "google_compute_router_nat" "nat" {
-  count                              = var.enable_nat ? 1 : 0
+  count                              = var.cluster_api ? 0 : var.enable_nat ? 1 : 0
   name                               = "${local.vpc_network_name}-nat"
-  router                             = google_compute_router.router[0].name
-  region                             = google_compute_router.router[0].region
+  router                             = one(google_compute_router.router[*].name)
+  region                             = one(google_compute_router.router[*].region)
   nat_ip_allocate_option             = "MANUAL_ONLY"
-  nat_ips                            = google_compute_address.static_external_address.*.self_link
+  nat_ips                            = one(google_compute_address.static_external_address[*].self_link)
   min_ports_per_vm                   = 64
   source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
 
diff --git a/bootstrap/terraform/gcp-bootstrap/outputs.tf b/bootstrap/terraform/gcp-bootstrap/outputs.tf
@@ -1,9 +1,12 @@
-
 output "cluster" {
-  value = module.gke
+  value = var.cluster_api ? merge(one(data.google_container_cluster.cluster[*]), {ca_certificate=one(data.google_container_cluster.cluster[*]).master_auth.0.cluster_ca_certificate}) : one(module.gke[*])
   sensitive = true
 }
 
 output "vpc_network" {
-  value = google_compute_network.vpc_network
-}
+  value = one(google_compute_network.vpc_network[*])
+}
+
+output "capi_sa_workload_identity_email" {
+  value = module.capi-workload-identity.gcp_service_account_email
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/services.tf b/bootstrap/terraform/gcp-bootstrap/services.tf
@@ -1,5 +1,5 @@
-
 resource "google_project_service" "gcr" {
+  count = var.cluster_api ? 0 : 1
   project = var.gcp_project_id
   service = "artifactregistry.googleapis.com"
 
@@ -12,6 +12,7 @@ resource "google_project_service" "gcr" {
 }
 
 resource "google_project_service" "container" {
+  count = var.cluster_api ? 0 : 1
   project = var.gcp_project_id
   service = "container.googleapis.com"
 
@@ -36,6 +37,7 @@ resource "google_project_service" "iam" {
 }
 
 resource "google_project_service" "storage" {
+  count = var.cluster_api ? 0 : 1
   project = var.gcp_project_id
   service = "storage.googleapis.com"
 
@@ -48,6 +50,7 @@ resource "google_project_service" "storage" {
 }
 
 resource "google_project_service" "dns" {
+  count = var.cluster_api ? 0 : 1
   project = var.gcp_project_id
   service = "dns.googleapis.com"
 
@@ -60,6 +63,7 @@ resource "google_project_service" "dns" {
 }
 
 resource "google_project_service" "compute" {
+  count = var.cluster_api ? 0 : 1
   project = var.gcp_project_id
   service = "compute.googleapis.com"
 
@@ -69,4 +73,4 @@ resource "google_project_service" "compute" {
   }
 
   disable_on_destroy = false
-}
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/terraform.tfvars b/bootstrap/terraform/gcp-bootstrap/terraform.tfvars
@@ -4,9 +4,12 @@ cluster_name = {{ .Cluster | quote }}
 vpc_name_prefix = {{ .Values.vpc_name | quote }}
 externaldns_sa_name = "{{ .Cluster }}-externaldns"
 gcp_region = {{ .Region | quote }}
+{{- if .ClusterAPI }}
+cluster_api = {{ .ClusterAPI }}
+{{- end }}
 {{- if fileExists $tfOutput }}
 {{- $bootstrapOutputs := .Applications.TerraformValues "bootstrap" }}
-{{- if $bootstrapOutputs }}
+{{- if and $bootstrapOutputs (not .ClusterAPI) }}
 network_policy_enabled = {{ $bootstrapOutputs.cluster.network_policy_enabled }}
 {{- if eq $bootstrapOutputs.cluster.datapath_provider "" }}
 datapath_provider = "DATAPATH_PROVIDER_UNSPECIFIED"
diff --git a/bootstrap/terraform/gcp-bootstrap/variables.tf b/bootstrap/terraform/gcp-bootstrap/variables.tf
@@ -343,7 +343,6 @@ variable "regional_cluster" {
   default     = true
 }
 
-
 variable "cluster_zones" {
   type        = list(string)
   description = "The zones to host the cluster in (optional if regional cluster / required if zonal)"
@@ -360,3 +359,9 @@ variable "grant_registry_access" {
   description = "Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles."
   default     = false
 }
+
+variable "cluster_api" {
+  type = bool
+  description = "Whether cluster has been migrated to be controlled by the Cluster API or not"
+  default = false
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`# GCP Kubernetes bootstrapping`
`2`	`2`
`3`		`-Provisions a gke cluster with node pool, along with default networking etc.`
	`3`	`+Provisions a gke cluster with node pool, along with default networking etc.`