Resource alignment (#7)

osinfra-io · Aug 11, 2024 · 8f29080 · 8f29080
1 parent 697fffa
commit 8f29080
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 8 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -29,7 +29,7 @@ repos:
       - id: terraform_docs
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.2.217
+    rev: 3.2.219
     hooks:
       - id: checkov
         verbose: true

diff --git a/README.md b/README.md
@@ -73,7 +73,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.38.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.40.0 |
 
 ### Modules
 

diff --git a/regional/README.md b/regional/README.md
@@ -11,8 +11,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.38.0 |
-| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.14.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.40.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.14.1 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.31.0 |
 
 ## Modules
@@ -32,6 +32,8 @@ No modules.
 | [kubernetes_manifest.istio_gateway_backendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.istio_gateway_frontendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.istio_gateway_managed_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_mcs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_manifest.istio_service_exports](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace_v1.istio_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [kubernetes_namespace_v1.istio_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
@@ -52,6 +54,7 @@ No modules.
 | <a name="input_istio_gateway_cpu_limit"></a> [istio\_gateway\_cpu\_limit](#input\_istio\_gateway\_cpu\_limit) | The CPU limit for the Istio gateway | `string` | `"2000m"` | no |
 | <a name="input_istio_gateway_cpu_request"></a> [istio\_gateway\_cpu\_request](#input\_istio\_gateway\_cpu\_request) | The CPU request for the Istio gateway | `string` | `"100m"` | no |
 | <a name="input_istio_gateway_dns"></a> [istio\_gateway\_dns](#input\_istio\_gateway\_dns) | Map of attributes for the Istio gateway domain names, it is also used to create the managed certificate resource | <pre>map(object({<br>    managed_zone = string<br>    project      = string<br>  }))</pre> | `{}` | no |
+| <a name="input_istio_gateway_mci_global_address"></a> [istio\_gateway\_mci\_global\_address](#input\_istio\_gateway\_mci\_global\_address) | The IP address for the Istio Gateway multi-cluster ingress | `string` | `""` | no |
 | <a name="input_istio_gateway_memory_limit"></a> [istio\_gateway\_memory\_limit](#input\_istio\_gateway\_memory\_limit) | The memory limit for the Istio gateway | `string` | `"1024Mi"` | no |
 | <a name="input_istio_gateway_memory_request"></a> [istio\_gateway\_memory\_request](#input\_istio\_gateway\_memory\_request) | The memory request for the Istio gateway | `string` | `"128Mi"` | no |
 | <a name="input_istio_pilot_autoscale_min"></a> [istio\_pilot\_autoscale\_min](#input\_istio\_pilot\_autoscale\_min) | The minimum number of Istio pilot replicas to run | `number` | `1` | no |
@@ -68,6 +71,7 @@ No modules.
 | <a name="input_istio_remote_injection_url"></a> [istio\_remote\_injection\_url](#input\_istio\_remote\_injection\_url) | The sidecar injector mutating webhook configuration clientConfig.url value | `string` | `""` | no |
 | <a name="input_istio_version"></a> [istio\_version](#input\_istio\_version) | The version of istio to install | `string` | `"1.22.2"` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | A map of key/value pairs to assign to the resources being created | `map(string)` | `{}` | no |
+| <a name="input_multi_cluster_service_clusters"></a> [multi\_cluster\_service\_clusters](#input\_multi\_cluster\_service\_clusters) | List of clusters to be included in the MultiClusterService | <pre>list(object({<br>    link = string<br>  }))</pre> | `[]` | no |
 | <a name="input_node_location"></a> [node\_location](#input\_node\_location) | The zone in which the cluster's nodes should be located. If not specified, the cluster's nodes are located across zones in the region | `string` | `null` | no |
 | <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes |

diff --git a/regional/helm/gateway.yml b/regional/helm/gateway.yml
@@ -16,6 +16,7 @@ podAnnotations:
     ]
 
   ad.datadoghq.com/istio-proxy.logs: '[{"source":"envoy"}]'
+  # proxy.istio.io/config: '{"tracing":{"datadog"}}'
 
 podDisruptionBudget:
   maxUnavailable: 1

diff --git a/regional/helm/istiod.yml b/regional/helm/istiod.yml
@@ -1,6 +1,6 @@
 global:
   proxy:
-    tracer: none
+    tracer: datadog
 
   meshID: default
   network: standard-shared
@@ -9,6 +9,7 @@ meshConfig:
   accessLogFile: /dev/stdout
   defaultConfig:
     proxyMetadata:
+      DD_REMOTE_CONFIGURATION_ENABLED: "false"
       ISTIO_META_DNS_CAPTURE: "true"
       ISTIO_META_DNS_AUTO_ALLOCATE: "true"
 
@@ -35,7 +36,7 @@ pilot:
     ad.datadoghq.com/discovery.logs: '[{"source":"istio"}]'
 
   podLabels:
-    tags.datadoghq.com/service: istiod
+    tags.datadoghq.com/service: istio-control-plane
     tags.datadoghq.com/source: istio
 
   rollingMaxSurge: 100%

diff --git a/regional/main.tf b/regional/main.tf
@@ -205,6 +205,16 @@ resource "helm_release" "gateway" {
     value = local.istio_gateway_datadog_apm_env
   }
 
+  set {
+    name  = "podAnnotations.proxy\\.istio\\.io/config"
+    value = <<EOF
+    proxyMetadata:
+      DD_ENV: ${var.environment}
+      DD_SERVICE: istio-gateway
+      DD_VERSION: ${var.istio_version}
+    EOF
+  }
+
   values = [
     file("${path.module}/helm/gateway.yml")
   ]
@@ -321,6 +331,91 @@ resource "kubernetes_manifest" "istio_gateway_managed_certificate" {
   }
 }
 
+resource "kubernetes_manifest" "istio_gateway_mcs" {
+  count = var.enable_istio_gateway ? 1 : 0
+
+  manifest = {
+    apiVersion = "networking.gke.io/v1"
+    kind       = "MultiClusterService"
+
+    metadata = {
+      name      = "istio-gateway-mcs"
+      namespace = "istio-ingress"
+      annotations = {
+        "cloud.google.com/backend-config" = jsonencode({ "default" = "${kubernetes_manifest.istio_gateway_backendconfig[0].manifest.metadata.name}" })
+        "cloud.google.com/neg"            = jsonencode({ "ingress" = true })
+        "networking.gke.io/app-protocols" = jsonencode({ "https" = "HTTPS" })
+      }
+    }
+
+    spec = {
+      template = {
+        spec = {
+          selector = {
+            app   = "gateway"
+            istio = "gateway"
+          }
+
+          ports = [
+            {
+              name       = "https"
+              port       = 443
+              protocol   = "TCP"
+              targetPort = 443
+            }
+          ]
+        }
+      }
+
+      clusters = var.multi_cluster_service_clusters
+    }
+  }
+}
+
+resource "kubernetes_manifest" "istio_gateway_mci" {
+  count = var.enable_istio_gateway ? 1 : 0
+
+  manifest = {
+    apiVersion = "networking.gke.io/v1"
+    kind       = "MultiClusterIngress"
+
+    metadata = {
+      name      = "istio-gateway-mci"
+      namespace = "istio-ingress"
+      annotations = {
+        "networking.gke.io/frontend-config"  = kubernetes_manifest.istio_gateway_frontendconfig[0].manifest.metadata.name
+        "networking.gke.io/pre-shared-certs" = "istio-gateway-mci"
+        "networking.gke.io/static-ip"        = var.istio_gateway_mci_global_address
+      }
+    }
+
+    spec = {
+      template = {
+        spec = {
+          backend = {
+            serviceName = kubernetes_manifest.istio_gateway_mcs[0].manifest.metadata.name
+            servicePort = kubernetes_manifest.istio_gateway_mcs[0].manifest.spec.template.spec.ports[0].port
+          }
+          rules = [
+            {
+              http = {
+                paths = [
+                  {
+                    backend = {
+                      serviceName = kubernetes_manifest.istio_gateway_mcs[0].manifest.metadata.name
+                      servicePort = kubernetes_manifest.istio_gateway_mcs[0].manifest.spec.template.spec.ports[0].port
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+
 resource "kubernetes_manifest" "istio_service_exports" {
   count = var.istio_external_istiod ? 1 : 0
 

diff --git a/regional/variables.tf b/regional/variables.tf
@@ -72,6 +72,12 @@ variable "istio_gateway_dns" {
   default = {}
 }
 
+variable "istio_gateway_mci_global_address" {
+  description = "The IP address for the Istio Gateway multi-cluster ingress"
+  type        = string
+  default     = ""
+}
+
 variable "istio_gateway_memory_request" {
   description = "The memory request for the Istio gateway"
   type        = string
@@ -168,6 +174,14 @@ variable "labels" {
   default     = {}
 }
 
+variable "multi_cluster_service_clusters" {
+  description = "List of clusters to be included in the MultiClusterService"
+  type = list(object({
+    link = string
+  }))
+  default = []
+}
+
 variable "node_location" {
   description = "The zone in which the cluster's nodes should be located. If not specified, the cluster's nodes are located across zones in the region"
   type        = string

diff --git a/tests/fixtures/primary/regional/main.tf b/tests/fixtures/primary/regional/main.tf
@@ -73,6 +73,13 @@ module "test" {
   istio_remote_injection_path  = var.istio_remote_injection_path
   istio_remote_injection_url   = var.istio_remote_injection_url
   labels                       = local.labels
-  project                      = var.project
-  region                       = var.region
+
+  multi_cluster_service_clusters = [
+    {
+      "link" = "mock-region/mock-cluster"
+    }
+  ]
+
+  project = var.project
+  region  = var.region
 }