feat: Hub registration using kubeconfig and labels support (terraform-google-modules#785)

* initial support for using kubecontext for hub registration * Tested with GKE using kubectl * Tested with GKE using kubectl * Fixed typo in README * Fixed formatting errors * Fixed formatting errors * Fixed formatting and renamed example to be more consistent * Fixed formatting and renamed example to be more consistent * remove test files * fixed typo in README * use a flag to switch gke vs kubeconfig instead of having two scripts * Update modules/hub/scripts/gke_hub_registration.sh specify PROJECT_ID to be more specific Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * Update modules/hub/scripts/gke_hub_unregister.sh fix number of arguments check Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> * update simple_zonal_with_hub_kubeconfig to use kind cluster Co-authored-by: Abhinav Rau <arau@google.com> Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com> Co-authored-by: Morgante Pell <morgantep@google.com>

Author: 4 people

examples/simple_zonal_with_hub_kubeconfig/README.md

@@ -0,0 +1,35 @@
+# Kind Cluster Registered using kubeconfig
+
+This example illustrates how to register a non-GKE Kubernetes Cluster with [Anthos](https://cloud.google.com/anthos/multicluster-management/environs) a.k.a Attached cluster.
+
+It creates a [kind](https://kind.sigs.k8s.io/) cluster, sets current kubecontext to the cluster and registers the cluster using the [Hub registration module](../../modules/hub).
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID (environ) to register the cluster in | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| kubernetes\_endpoint | Kube API endpoint for the kind cluster |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
+
+Example:
+
+```
+terraform init
+
+terraform apply \
+ -var project_id=${PROJECT} \
+```

examples/simple_zonal_with_hub_kubeconfig/hub.tf

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "hub" {
+ source = "../../modules/hub"
+ project_id = var.project_id
+ location = "remote"
+ cluster_name = kind_cluster.test-cluster.name
+ cluster_endpoint = kind_cluster.test-cluster.endpoint
+ gke_hub_membership_name = kind_cluster.test-cluster.name
+ gke_hub_sa_name = "sa-for-kind-cluster-membership"
+ use_kubeconfig = true
+ labels = "testlabel=usekubecontext"
+}

examples/simple_zonal_with_hub_kubeconfig/main.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_providers {
+ kind = {
+ source = "kyma-incubator/kind"
+ version = "0.0.6"
+ }
+ }
+}
+provider "kind" {}
+
+# creating a cluster with kind of the name "test-cluster" with kubernetes version v1.18.4 and two nodes
+resource "kind_cluster" "test-cluster" {
+ name = "test-cluster"
+ node_image = "kindest/node:v1.18.4"
+ wait_for_ready = true
+ kind_config {
+ kind = "Cluster"
+ api_version = "kind.x-k8s.io/v1alpha4"
+ node {
+ role = "control-plane"
+ }
+ node {
+ role = "worker"
+ }
+ }
+ provisioner "local-exec" {
+ command = "kubectl config set-context kind-test-cluster"
+ }
+}

examples/simple_zonal_with_hub_kubeconfig/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ value = kind_cluster.test-cluster.endpoint
+ description = "Kube API endpoint for the kind cluster"
+}

examples/simple_zonal_with_hub_kubeconfig/variables.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID (environ) to register the cluster in"
+}

modules/hub/README.md

@@ -6,7 +6,7 @@ Specifically, this module automates the following steps for [registering a clust
 
 ## Usage
 
-There is a [full example](../../examples/simple_zonal_with_asm) provided. Simple usage is as follows:
+There is [GKE full example](../../examples/simple_zonal_with_asm) and a [Generic K8s example](../../examples/simple_zonal_with_hub_kubeconfig) provided. Simple usage is as follows:
 
 ```tf
 module "hub" {
@@ -37,13 +37,15 @@ To deploy this config:
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
 | enable\_gke\_hub\_registration | Enables GKE Hub Registration when set to true | `bool` | `true` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
-| gke\_hub\_membership\_name | Memebership name that uniquely represents the cluster being registered on the Hub | `string` | `"gke-hub-membership"` | no |
+| gke\_hub\_membership\_name | Membership name that uniquely represents the cluster being registered on the Hub | `string` | `"gke-hub-membership"` | no |
 | gke\_hub\_sa\_name | Name for the GKE Hub SA stored as a secret `creds-gcp` in the `gke-connect` namespace. | `string` | `"gke-hub-sa"` | no |
+| labels | Comma separated labels in the format name=value to apply to cluster in the GCP Console. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | module\_depends\_on | List of modules or resources this module depends on. | `list` | `[]` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |
 | sa\_private\_key | Private key for service account base64 encoded. Required only if `use_existing_sa` is set to `true`. | `string` | `null` | no |
 | use\_existing\_sa | Uses an existing service account to register membership. Requires sa\_private\_key | `bool` | `false` | no |
+| use\_kubeconfig | Use existing kubeconfig to register membership. Set this to true for non GKE clusters. Assumes kubectl context is set to cluster to register. | `bool` | `false` | no |
 | use\_tf\_google\_credentials\_env\_var | Optional GOOGLE\_CREDENTIALS environment variable to be activated. | `bool` | `false` | no |
 
 ## Outputs

modules/hub/main.tf

@@ -16,6 +16,12 @@
 
 locals {
  gke_hub_sa_key = var.use_existing_sa ? var.sa_private_key : google_service_account_key.gke_hub_key[0].private_key
+
+ is_gke_flag = var.use_kubeconfig ? 0 : 1
+ create_cmd_gke_entrypoint = "${path.module}/scripts/gke_hub_registration.sh"
+ create_cmd_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${local.gke_hub_sa_key} ${var.project_id} ${var.labels}"
+ destroy_gke_entrypoint = "${path.module}/scripts/gke_hub_unregister.sh"
+ destroy_gke_body = "${local.is_gke_flag} ${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${var.project_id}"
 }
 
 data "google_client_config" "default" {
@@ -50,8 +56,8 @@ module "gke_hub_registration" {
  use_tf_google_credentials_env_var = var.use_tf_google_credentials_env_var
  module_depends_on = concat([var.cluster_endpoint], var.module_depends_on)
 
- create_cmd_entrypoint = "${path.module}/scripts/gke_hub_registration.sh"
- create_cmd_body = "${var.gke_hub_membership_name} ${var.location} ${var.cluster_name} ${local.gke_hub_sa_key} ${var.project_id}"
- destroy_cmd_entrypoint = "gcloud"
- destroy_cmd_body = "container hub memberships unregister ${var.gke_hub_membership_name} --gke-cluster=${var.location}/${var.cluster_name} --project ${var.project_id}"
+ create_cmd_entrypoint = local.create_cmd_gke_entrypoint
+ create_cmd_body = local.create_cmd_gke_body
+ destroy_cmd_entrypoint = local.destroy_gke_entrypoint
+ destroy_cmd_body = local.destroy_gke_body
 }

modules/hub/scripts/gke_hub_registration.sh

@@ -15,16 +15,18 @@
 
 set -e
 
-if [ "$#" -lt 4 ]; then
+if [ "$#" -lt 5 ]; then
  >&2 echo "Not all expected arguments set."
  exit 1
 fi
 
-MEMBERSHIP_NAME=$1
-CLUSTER_LOCATION=$2
-CLUSTER_NAME=$3
-SERVICE_ACCOUNT_KEY=$4
-PROJECT_ID=$5
+GKE_CLUSTER_FLAG=$1
+MEMBERSHIP_NAME=$2
+CLUSTER_LOCATION=$3
+CLUSTER_NAME=$4
+SERVICE_ACCOUNT_KEY=$5
+PROJECT_ID=$6
+LABELS=$7
 
 #write temp key, cleanup at exit
 tmp_file=$(mktemp)
@@ -33,4 +35,20 @@ trap "rm -rf $tmp_file" EXIT
 base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d"
 echo "${SERVICE_ACCOUNT_KEY}" | base64 ${B64_ARG} > "$tmp_file"
 
-gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-cluster="${CLUSTER_LOCATION}"/"${CLUSTER_NAME}" --service-account-key-file="${tmp_file}" --project="${PROJECT_ID}" --quiet
+if [[ ${GKE_CLUSTER_FLAG} == 1 ]]; then
+ echo "Registering GKE Cluster."
+ gcloud container hub memberships register "${MEMBERSHIP_NAME}" --gke-cluster="${CLUSTER_LOCATION}"/"${CLUSTER_NAME}" --service-account-key-file="${tmp_file}" --project="${PROJECT_ID}" --quiet
+else
+ echo "Registering a non-GKE Cluster. Using current-context to register Hub membership."
+ #Get the kubeconfig
+ CONTEXT=$(kubectl config current-context)
+ gcloud container hub memberships register "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --service-account-key-file="${tmp_file}" --project="${PROJECT_ID}" --quiet
+fi
+
+
+# Add labels to the registered cluster
+if [ -z ${LABELS+x} ]; then
+ echo "No hub labels to apply."
+else
+ gcloud container hub memberships update "${MEMBERSHIP_NAME}" --update-labels "$LABELS" --project="${PROJECT_ID}"
+fi

modules/hub/scripts/gke_hub_unregister.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+if [ "$#" -lt 5 ]; then
+ >&2 echo "Not all expected arguments set."
+ exit 1
+fi
+
+GKE_CLUSTER_FLAG=$1
+MEMBERSHIP_NAME=$2
+CLUSTER_LOCATION=$3
+CLUSTER_NAME=$4
+PROJECT_ID=$5
+
+
+
+if [[ ${GKE_CLUSTER_FLAG} == 1 ]]; then
+ echo "Un-Registering GKE Cluster."
+ gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --gke-cluster="${CLUSTER_LOCATION}"/"${CLUSTER_NAME}" --project "${PROJECT_ID}"
+else
+ echo "Un-Registering a non-GKE Cluster. Using current-context to unregister Hub membership."
+ #Get Current context
+ CONTEXT=$(kubectl config current-context)
+ gcloud container hub memberships unregister "${MEMBERSHIP_NAME}" --context="${CONTEXT}" --project="${PROJECT_ID}"
+fi

modules/hub/variables.tf

@@ -59,7 +59,7 @@ variable "gke_hub_sa_name" {
 }
 
 variable "gke_hub_membership_name" {
- description = "Memebership name that uniquely represents the cluster being registered on the Hub"
+ description = "Membership name that uniquely represents the cluster being registered on the Hub"
  type = string
  default = "gke-hub-membership"
 }
@@ -81,3 +81,14 @@ variable "module_depends_on" {
  type = list
  default = []
 }
+
+variable "use_kubeconfig" {
+ description = "Use existing kubeconfig to register membership. Set this to true for non GKE clusters. Assumes kubectl context is set to cluster to register."
+ default = false
+}
+
+variable "labels" {
+ description = "Comma separated labels in the format name=value to apply to cluster in the GCP Console."
+ type = string
+ default = ""
+}