├── .circleci
    └── config.yml
├── .gitignore
├── LICENSE
├── README.md
├── docs
    ├── index.yaml
    └── istio-1.0.1.tgz
├── main.tf
├── outputs.tf
├── scripts
    ├── check-version.sh
    └── gh-publish.sh
├── variables.tf
└── version
    └── version


/.circleci/config.yml:
--------------------------------------------------------------------------------
  1 | 
  2 | aliases:
  3 |   - &curl-install
  4 |     name: Install curl
  5 |     command: apk update && apk add curl
  6 | 
  7 | version: 2
  8 | jobs:
  9 |   fmt:
 10 |     docker:
 11 |       - image: hashicorp/terraform:light
 12 |     steps:
 13 |       - checkout
 14 |       - run:
 15 |           name: Check terraform formatting
 16 |           command: '[ -z "$(terraform fmt -write=false)" ] || { terraform fmt -write=false -diff; exit 1; }'
 17 | 
 18 |   validate:
 19 |     docker:
 20 |       - image: richardalberto/terraform-helm:1.1.0
 21 |     steps:
 22 |       - checkout
 23 |       - run:
 24 |           name: Validate terrafrom files
 25 |           command: |
 26 |             terraform init -input=false
 27 |             terraform validate
 28 |           environment:
 29 |             TF_VAR_gcp_project: project
 30 |             TF_VAR_gcp_region: region
 31 |             TF_VAR_min_node_count: 1
 32 |             TF_VAR_master_username: username
 33 |             TF_VAR_helm_repository: repository
 34 |             TF_VAR_istio_version: version
 35 |             TF_VAR_master_password: password
 36 |             TF_VAR_cluster_region: zone
 37 |             TF_VAR_max_node_count: 1
 38 |             TF_VAR_cluster_name: name
 39 | 
 40 |   lint:
 41 |     docker:
 42 |       - image: wata727/tflint:0.7.2
 43 |     steps:
 44 |       - checkout
 45 |       - run:
 46 |           name: lint
 47 |           command: |
 48 |             tflint *.tf
 49 | 
 50 |   check-version:
 51 |     docker:
 52 |       - image: alpine
 53 |     steps:
 54 |       - checkout
 55 |       - run: *curl-install
 56 |       - run:
 57 |           name: Check version doesn't exists already
 58 |           command: scripts/check-version.sh
 59 | 
 60 |   e2e:
 61 |     docker:
 62 |       - image: google/cloud-sdk
 63 |     environment:
 64 |       GCP_REGION: us-east1
 65 |       HELM_REPOSITORY: https://richardalberto.github.io/terraform-google-kubernetes-istio
 66 |       GOOGLE_APPLICATION_CREDENTIALS: svc-account.json
 67 |     steps:
 68 |       - checkout
 69 |       - run:
 70 |           name: Activate service account for gcloud
 71 |           command: |-
 72 |             echo $GCLOUD_SERVICE_KEY | base64 -d > $GOOGLE_APPLICATION_CREDENTIALS
 73 |             gcloud auth activate-service-account --key-file $GOOGLE_APPLICATION_CREDENTIALS
 74 |       - run:
 75 |           name: Install terraform
 76 |           command: |-
 77 |             apt update && apt install unzip
 78 | 
 79 |             curl https://releases.hashicorp.com/terraform/0.11.8/terraform_0.11.8_linux_amd64.zip > /tmp/terraform.zip
 80 |             unzip /tmp/terraform.zip && chmod +x terraform
 81 |             mv terraform /usr/local/bin/
 82 |       - run:
 83 |           name: Install helm
 84 |           command: |-
 85 |             curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
 86 |             helm init --client-only
 87 |       - run:
 88 |           name: Terraform apply
 89 |           command: |-
 90 |             terraform init
 91 |             terraform apply -auto-approve \
 92 |               -var "gcp_project=$GCP_PROJECT" \
 93 |               -var "gcp_region=$GCP_REGION" \
 94 |               -var "cluster_name=tf-gc-k8s-istio-${CIRCLE_BRANCH}" \
 95 |               -var "master_username=$CLUSTER_USERNAME" \
 96 |               -var "master_password=$CLUSTER_PASSWORD" \
 97 |               -var "cluster_region=$GCP_REGION" \
 98 |               -var "helm_repository=$HELM_REPOSITORY" \
 99 |               -var "istio_version=1.0.1" \
100 |               -var "min_node_count=1" \
101 |               -var "max_node_count=3"
102 |       - run:
103 |           name: Terrafrom destroy
104 |           command: |-
105 |             terraform destroy -auto-approve
106 |           when: always
107 |       - run:
108 |           name: Cleanup
109 |           command: |-
110 |             gcloud container clusters delete tf-gc-k8s-istio-${CIRCLE_BRANCH} --project $GCP_PROJECT --region $GCP_REGION --quiet || true
111 |           when: always
112 | 
113 |   publish-github-release:
114 |     docker:
115 |       - image: alpine
116 |     steps:
117 |       - checkout
118 |       - run: *curl-install
119 |       - run:
120 |           name: "Publish Release on GitHub"
121 |           command: scripts/gh-publish.sh
122 | 
123 | 
124 | workflows:
125 |   version: 2
126 |   build-n-release:
127 |     jobs:
128 |       - lint
129 |       - validate
130 |       - fmt
131 |       - check-version
132 |       - e2e:
133 |           requires:
134 |             - lint
135 |             - validate
136 |             - fmt
137 |             - check-version
138 |       - publish-github-release:
139 |           requires:
140 |             - e2e
141 |           filters:
142 |             branches:
143 |               only: master


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | #  Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # .tfvars files
 9 | *.tfvars
10 | 
11 | # .tfvars files
12 | *.tfvars
13 | 
14 | svc-account.json


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 Richard Alberto
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-google-kubernetes-istio [![CircleCI](https://circleci.com/gh/richardalberto/terraform-google-kubernetes-istio/tree/master.svg?style=svg)](https://circleci.com/gh/richardalberto/terraform-google-kubernetes-istio/tree/master)
 2 | Create a kubernetes cluster with istio enabled
 3 | 
 4 | ## Usage
 5 | ```
 6 | module "k8s_cluster" {
 7 |   source = "github.com/richardalberto/terraform-google-kubernetes-istio"
 8 | 
 9 |   gcp_project = "google-project-id"
10 |   gcp_region  = "us-east4"
11 |   
12 |   cluster_name    = "test-cluster"
13 |   cluster_region  = "us-east4"
14 |   node_count      = 1
15 |   master_username = "admin"
16 |   master_password = "this_is_a_pretty_long_password_we_will_should_change!"
17 | 
18 |   helm_repository = "https://chart-repo.storage.googleapis.com"
19 | }
20 | ```
21 | 


--------------------------------------------------------------------------------
/docs/index.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | entries:
 3 |   istio:
 4 |   - apiVersion: v1
 5 |     appVersion: 1.0.1
 6 |     created: 2018-09-19T19:42:05.622972727-04:00
 7 |     description: Helm chart for all istio components
 8 |     digest: db4516f24a103274bd8f067e950db93b217f2ca6738b991e892e233de21d449c
 9 |     engine: gotpl
10 |     icon: https://istio.io/favicons/android-192x192.png
11 |     keywords:
12 |     - istio
13 |     - security
14 |     - sidecarInjectorWebhook
15 |     - mixer
16 |     - pilot
17 |     - galley
18 |     name: istio
19 |     sources:
20 |     - http://github.com/istio/istio
21 |     tillerVersion: '>=2.7.2-0'
22 |     urls:
23 |     - https://richardalberto.github.io/terraform-google-kubernetes-istio/istio-1.0.1.tgz
24 |     version: 1.0.1
25 | generated: 2018-09-19T19:42:05.615092799-04:00
26 | 


--------------------------------------------------------------------------------
/docs/istio-1.0.1.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/richardalberto/terraform-google-kubernetes-istio/eed09d9d68f357f4622e8a05a79b1bfc427782ae/docs/istio-1.0.1.tgz


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | provider "google" {
 2 |   version = "~> 1.17"
 3 | 
 4 |   project = "${var.gcp_project}"
 5 |   region  = "${var.gcp_region}"
 6 | }
 7 | 
 8 | provider "kubernetes" {
 9 |   version = "~> 1.2"
10 | 
11 |   host     = "https://${google_container_cluster.gke_cluster.endpoint}"
12 |   username = "${var.master_username}"
13 |   password = "${var.master_password}"
14 | 
15 |   client_certificate     = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.client_certificate)}"
16 |   client_key             = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.client_key)}"
17 |   cluster_ca_certificate = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate)}"
18 | }
19 | 
20 | resource "google_container_cluster" "gke_cluster" {
21 |   name               = "${var.cluster_name}"
22 |   region             = "${var.gcp_region}"
23 |   min_master_version = "${var.master_version}"
24 | 
25 |   master_auth {
26 |     username = "${var.master_username}"
27 |     password = "${var.master_password}"
28 |   }
29 | 
30 |   lifecycle {
31 |     ignore_changes = ["node_pool"]
32 |   }
33 | 
34 |   node_pool {
35 |     name = "default-pool"
36 |   }
37 | }
38 | 
39 | resource "google_container_node_pool" "gke_node_pool" {
40 |   name       = "${var.cluster_name}-pool"
41 |   region     = "${var.gcp_region}"
42 |   cluster    = "${google_container_cluster.gke_cluster.name}"
43 |   node_count = "${var.min_node_count}"
44 | 
45 |   autoscaling {
46 |     min_node_count = "${var.min_node_count}"
47 |     max_node_count = "${var.max_node_count}"
48 |   }
49 | 
50 |   node_config {
51 |     oauth_scopes = [
52 |       "https://www.googleapis.com/auth/compute",
53 |       "https://www.googleapis.com/auth/devstorage.read_only",
54 |       "https://www.googleapis.com/auth/logging.write",
55 |       "https://www.googleapis.com/auth/monitoring",
56 |     ]
57 |   }
58 | }
59 | 
60 | resource "null_resource" "install_istio" {
61 |   triggers {
62 |     cluster_ep = "${google_container_cluster.gke_cluster.endpoint}"
63 |   }
64 | 
65 |   provisioner "local-exec" {
66 |     command = <<EOT
67 |       echo "$${CA_CERTIFICATE}" > ca.crt
68 |       kubectl config --kubeconfig=ci set-cluster k8s --server=$${K8S_SERVER} --certificate-authority=ca.crt
69 |       kubectl config --kubeconfig=ci set-credentials admin --username=$${K8S_USERNAME} --password=$${K8S_PASSWORD}
70 |       kubectl config --kubeconfig=ci set-context k8s-ci --cluster=k8s --namespace=default --user=admin
71 |       kubectl config --kubeconfig=ci use-context k8s-ci
72 |       export KUBECONFIG=ci
73 | 
74 |       kubectl create serviceaccount --namespace kube-system tiller || true
75 |       kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller || true
76 |       helm init --upgrade --service-account tiller --wait
77 | 
78 |       helm repo add kubernetes-istio-module $${HELM_REPO}
79 |       helm repo update
80 | 
81 |       kubectl create ns istio-system || true
82 |       helm upgrade istio kubernetes-istio-module/istio --install --wait \
83 |           --namespace istio-system \
84 |           --version $${ISTIO_VERSION}
85 |     EOT
86 | 
87 |     environment {
88 |       CA_CERTIFICATE = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate)}"
89 |       K8S_SERVER     = "https://${google_container_cluster.gke_cluster.endpoint}"
90 |       K8S_USERNAME   = "${var.master_username}"
91 |       K8S_PASSWORD   = "${var.master_password}"
92 |       HELM_REPO      = "${var.helm_repository}"
93 |       ISTIO_VERSION  = "${var.istio_version}"
94 |     }
95 |   }
96 | 
97 |   depends_on = ["google_container_node_pool.gke_node_pool"]
98 | }
99 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "url" {
 2 |   value = "https://${google_container_cluster.gke_cluster.endpoint}"
 3 | }
 4 | 
 5 | output "admin_username" {
 6 |   value = "${var.master_username}"
 7 | }
 8 | 
 9 | output "admin_password" {
10 |   value = "${var.master_password}"
11 | }
12 | 
13 | output "client_certificate" {
14 |   value = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.client_certificate)}"
15 | }
16 | 
17 | output "client_key" {
18 |   value = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.client_key)}"
19 | }
20 | 
21 | output "cluster_ca_certificate" {
22 |   value = "${base64decode(google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate)}"
23 | }
24 | 
25 | output "kube_config" {
26 |   value = <<EOT
27 | apiVersion: v1
28 | clusters:
29 | - cluster:
30 |     certificate-authority-data: ${google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate}
31 |     server: https://${google_container_cluster.gke_cluster.endpoint}
32 |   name: kubernetes
33 | contexts:
34 | - context:
35 |     cluster: kubernetes
36 |     user: admin
37 |   name: context
38 | current-context: context
39 | kind: Config
40 | preferences: {}
41 | users:
42 | - name: admin
43 |   user:
44 |     password: ${var.master_username}
45 |     username: ${var.master_password}
46 | EOT
47 | }
48 | 


--------------------------------------------------------------------------------
/scripts/check-version.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | version=$(cat version/version)
4 | ! curl -fs -o /dev/null https://api.github.com/repos/richardalberto/terraform-google-kubernetes-istio/releases/tags/${version} || {
5 |   echo "Release ${version} exists already. Please update version/version with a valid release number."
6 |   exit 1
7 | }
8 | echo "Ok"


--------------------------------------------------------------------------------
/scripts/gh-publish.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 |             
 3 | VERSION=$(cat version/version)
 4 | DATA=$(cat <<-EOM
 5 |   {
 6 |     "tag_name": "$VERSION",
 7 |     "target_commitish": "${CIRCLE_SHA1}",
 8 |     "name": "${VERSION}",
 9 |     "body": "",
10 |     "draft": false,
11 |     "prerelease": false
12 |   }
13 | EOM
14 | )
15 | curl --data "${DATA}" https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/releases?access_token=${GITHUB_TOKEN}


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "gcp_project" {
 2 |   description = "The name of the GCP Project where all resources will be launched."
 3 | }
 4 | 
 5 | variable "gcp_region" {
 6 |   description = "The region in which all GCP resources will be launched."
 7 |   default     = "us-east1"
 8 | }
 9 | 
10 | variable "cluster_name" {
11 |   description = "GKE cluster name"
12 | }
13 | 
14 | variable "master_version" {
15 |   description = "Kubernetes cluster master version"
16 |   default     = "1.10.7-gke.2"
17 | }
18 | 
19 | variable "master_username" {
20 |   description = "GKE cluster master username"
21 | }
22 | 
23 | variable "master_password" {
24 |   description = "GKE cluster master password"
25 | }
26 | 
27 | variable "cluster_region" {
28 |   description = "GKE cluster region"
29 | }
30 | 
31 | variable "helm_repository" {
32 |   description = "Helm repository where the istio chart release is published"
33 |   default     = "https://richardalberto.github.io/terraform-google-kubernetes-istio"
34 | }
35 | 
36 | variable "istio_version" {
37 |   description = "Istio chart version"
38 |   default     = "1.0.1"
39 | }
40 | 
41 | variable "min_node_count" {
42 |   description = "GKE cluster initial node count and min node count value"
43 |   default     = 1
44 | }
45 | 
46 | variable "max_node_count" {
47 |   description = "GKE cluster maximun node autoscaling count"
48 |   default     = 3
49 | }
50 | 


--------------------------------------------------------------------------------
/version/version:
--------------------------------------------------------------------------------
1 | 1.5.3


--------------------------------------------------------------------------------