# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Top-level Cloud Build config that brings up the infrastructure as a chain of
# child builds: every step below shells out to `gcloud builds submit` with one
# of the configs under builds/, forwarding the project ID (and, for the GKE
# step, the cluster version). The child configs themselves -- including which
# service account they run as, which bucket/IAM settings they apply and which
# roles they grant -- are not visible in this file; review them separately.
#
# NOTE(review): every step references the builder image
# "gcr.io/cloud-builders/gcloud" by a floating tag (implicitly :latest), so the
# tooling that submits these builds can change underneath the pipeline.
# Pinning by digest (gcr.io/cloud-builders/gcloud@sha256:...) would make the
# pipeline reproducible and reduce supply-chain exposure.
timeout: 14400s # 4hr (14400 / 3600); the earlier "2hr" note did not match the value -- confirm which limit was intended
substitutions:
  # Built-in PROJECT_ID, forwarded to every child build as _PROJECT_ID.
  _PROJECT_ID: ${PROJECT_ID}
  # User-defined substitutions can be overridden by whoever submits or triggers
  # this build. Only the steps that explicitly test this flag are skipped when
  # it is "true"; the GCS bucket, mesh-config, gateway and IAM-role steps below
  # always run.
  _DEBUG_SKIP_INFRA: "false" # used to skip infra portions while testing asm and gateway deployments only
  # Only the exact string "false" skips the VPC / GKE steps; any other value
  # (including an empty override) runs them.
  _VPC: "true"
  _GKE: "true"
  # Consumed only by the infra-create-gke step.
  _KUBE_VERSION: 1.28.7-gke.1026000 # via: https://cloud.google.com/kubernetes-engine/docs/release-notes
tags:
  - infra-main-terraform
steps:
  # Build GCS storage bucket for TF state, project files, vars.sh etc
  # This step creates a GCS storage bucket in the project with the name of project ID.
  # This step creates the following resources:
  # GCS storage bucket (with versioning enabled) named PROJECT_ID.
  # Not guarded by _DEBUG_SKIP_INFRA: this step always runs. The bucket holds
  # Terraform state, so its access controls (set in the child config, not
  # visible here) deserve review.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-create-gcs"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/terraform/infra-create-gcs.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Enable APIs
  # Skip-guard pattern used by several steps: `[[ ... ]] && exit 0` ends the
  # step successfully when the flag is "true"; when it is not, the `&&` chain
  # yields a non-zero status but, with no `set -e`, bash simply continues to the
  # next line. `exec` then replaces the shell with gcloud, so the step's exit
  # status is the child build's.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-enable-apis"
    entrypoint: bash
    args:
      - -c
      - |
        [[ "${_DEBUG_SKIP_INFRA}" == "true" ]] && exit 0
        exec gcloud builds submit --config builds/terraform/infra-enable-apis.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Create CloudSource repos, artifact registries and triggers
  # NOTE(review): build triggers are a privilege boundary -- anything that can
  # fire them runs builds under the build service account. Who can invoke them
  # is decided in the child config, not here.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-create-repos"
    entrypoint: bash
    args:
      - -c
      - |
        [[ "${_DEBUG_SKIP_INFRA}" == "true" ]] && exit 0
        exec gcloud builds submit --config builds/terraform/infra-create-repos.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Create VPC
  # Skipped when _DEBUG_SKIP_INFRA is "true" or _VPC is exactly "false".
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-create-vpc"
    entrypoint: bash
    args:
      - -c
      - |
        [[ "${_DEBUG_SKIP_INFRA}" == "true" ]] && exit 0
        [[ "${_VPC}" == "false" ]] && exit 0
        exec gcloud builds submit --config builds/terraform/infra-create-vpc.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Create GKE clusters
  # Skipped when _DEBUG_SKIP_INFRA is "true" or _GKE is exactly "false".
  # The only step that forwards _KUBE_VERSION to its child build.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-create-gke"
    entrypoint: bash
    args:
      - -c
      - |
        [[ "${_DEBUG_SKIP_INFRA}" == "true" ]] && exit 0
        [[ "${_GKE}" == "false" ]] && exit 0
        exec gcloud builds submit --config builds/terraform/infra-create-gke.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID},_KUBE_VERSION=${_KUBE_VERSION}
  # Confirm Mesh on GKE
  # This step confirms that ASM managed control plane (MCP) is successfully Provisioned on prod GKE clusters.
  # Honors _DEBUG_SKIP_INFRA, unlike the mesh-config and gateway steps that follow.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-features-gke-prod-mesh-confirm"
    entrypoint: bash
    args:
      - -c
      - |
        [[ "${_DEBUG_SKIP_INFRA}" == "true" ]] && exit 0
        exec gcloud builds submit --config builds/infra-features-gke-prod-mesh-confirm.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Configure Mesh (multicluster and telemetry) on GKE
  # This step configures multicluster service discovery and access logging/tracing on the GKE clusters.
  # This step creates the following resources:
  # 1. Patches the existing asm-options configmap with multicluster_mode: connected.
  # 2. Updates the istio-asm-managed configmap with access logging and tracing to stackdriver
  # Not guarded by _DEBUG_SKIP_INFRA, consistent with that flag's stated purpose
  # (mesh and gateway deployments still run while infra is skipped).
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-features-gke-prod-mesh-config"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/infra-features-gke-prod-mesh-config.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Configure Mesh Gateways via ACM ConfigSync
  # This step deploys ASM ingress gateways on all apps clusters.
  # This step creates the following resources:
  # 1. Ingress gateway Deployment, Service and ServiceExport.
  # 2. Required Role and RoleBinding for the KSA for all the gateways.
  # NOTE(review): the Role granted to the gateway KSA is defined in the child
  # config; check that it is scoped to the gateway namespace and the verbs the
  # gateway actually needs.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-features-gke-mesh-gateways"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/infra-features-gke-mesh-gateways.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Confirm Mesh gateways on GKE - prod
  # This step confirms that the ASM ingress gateway and the multicluster gateway are up and running on the prod GKE clusters.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-features-gke-mesh-gateways-prod"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/infra-features-gke-mesh-gateways-prod.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Deploy MC Gateway to Config cluster
  # NOTE(review): the step id says "gateways" but the config file is the
  # singular "infra-features-gke-gateway.yaml" -- verify this is the intended
  # file and not a typo, since a missing config fails the whole pipeline here.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-features-gke-gateways"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/infra-features-gke-gateway.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}
  # Give the MCI service account the necessary roles
  # IAM grant. The roles themselves live in the child config and are not
  # visible here; review them for least privilege, and note this step is not
  # guarded by _DEBUG_SKIP_INFRA, so it runs on every invocation.
  - name: "gcr.io/cloud-builders/gcloud"
    id: "infra-sa-gke-roles"
    entrypoint: bash
    args:
      - -c
      - |
        exec gcloud builds submit --config builds/infra-sa-gke-mci-roles.yaml --substitutions=_PROJECT_ID=${_PROJECT_ID}