feat: add option to use connect gateway (#155)

terraform-google-modules · Sep 11, 2023 · e3ea6e9 · e3ea6e9
1 parent 7c0ba9f
commit e3ea6e9
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 8 deletions.
diff --git a/modules/kubectl-wrapper/README.md b/modules/kubectl-wrapper/README.md
@@ -40,6 +40,7 @@ module "kubectl" {
 | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no |
 | skip\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl is already available outside the module) | `bool` | `true` | no |
 | upgrade | Whether to upgrade gcloud at runtime | `bool` | `true` | no |
+| use\_connect\_gateway | Use Connect Gateway to obtain credentials. The provided cluster\_name will be used as the fleet membership name. | `bool` | `false` | no |
 | use\_existing\_context | Use existing kubecontext to auth kube-api. | `bool` | `false` | no |
 | use\_tf\_google\_credentials\_env\_var | Use `GOOGLE_CREDENTIALS` environment variable to run `gcloud auth activate-service-account` with. Optional. | `bool` | `false` | no |
 

diff --git a/modules/kubectl-wrapper/main.tf b/modules/kubectl-wrapper/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2020 Google LLC
+ * Copyright 2020-2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,8 @@
  */
 
 locals {
-  base_cmd = "${var.cluster_name} ${var.cluster_location} ${var.project_id} ${var.internal_ip} ${var.use_existing_context}"
+  connect_cmd = var.use_connect_gateway ? "fleet memberships" : "clusters"
+  base_cmd    = "${var.cluster_name} ${var.cluster_location} ${var.project_id} ${var.internal_ip} ${var.use_existing_context} ${local.connect_cmd}"
 }
 
 module "gcloud_kubectl" {

diff --git a/modules/kubectl-wrapper/scripts/kubectl_wrapper.sh b/modules/kubectl-wrapper/scripts/kubectl_wrapper.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 2020 Google LLC
+# Copyright 2020-2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 
 set -xeo pipefail
 
-if [ "$#" -lt 5 ]; then
+if [ "$#" -lt 6 ]; then
     >&2 echo "Not all expected arguments set."
     exit 1
 fi
@@ -26,10 +26,11 @@ LOCATION=$2
 PROJECT_ID=$3
 INTERNAL=$4
 USE_EXISTING_CONTEXT=$5
-ENABLE_IMPERSONATE_SERVICE_ACCOUNT=$6
-IMPERSONATE_SERVICE_ACCOUNT=$7
+CONNECT_CMD=$6
+ENABLE_IMPERSONATE_SERVICE_ACCOUNT=$7
+IMPERSONATE_SERVICE_ACCOUNT=$8
 
-shift 5
+shift 6
 
 if $USE_EXISTING_CONTEXT ;then
 
@@ -51,7 +52,7 @@ else
 
     LOCATION_TYPE=$(grep -o "-" <<< "${LOCATION}" | wc -l)
 
-    CMD="gcloud container clusters get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
+    CMD="gcloud container ${CONNECT_CMD} get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
     if [[ "${ENABLE_IMPERSONATE_SERVICE_ACCOUNT}" == true ]]; then
       CMD+=" --impersonate-service-account ${IMPERSONATE_SERVICE_ACCOUNT}"
       shift 2

diff --git a/modules/kubectl-wrapper/variables.tf b/modules/kubectl-wrapper/variables.tf
@@ -113,3 +113,9 @@ variable "impersonate_service_account" {
   description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
   default     = ""
 }
+
+variable "use_connect_gateway" {
+  type        = bool
+  description = "Use Connect Gateway to obtain credentials. The provided cluster_name will be used as the fleet membership name."
+  default     = false
+}