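// enable anthos service mesh
//
// Fleet (GKE Hub) wiring for Google-managed Anthos Service Mesh on an existing
// GKE cluster. Expects `gcp`, `k8s`, `pulumi`, `cluster` and `clusterProvider`
// to be in scope from earlier in the program.

/**
 * Enables one Google API in the project.
 * `disableOnDestroy: false` leaves the API enabled when this stack is
 * destroyed, so tearing the stack down cannot break other resources in the
 * project that rely on the same API.
 * @param {string} resourceName - Pulumi resource name.
 * @param {string} service - API hostname, e.g. `gkehub.googleapis.com`.
 * @returns {gcp.projects.Service}
 */
const enableApi = (resourceName, service) =>
  new gcp.projects.Service(resourceName, {
    service,
    disableOnDestroy: false,
  });

// The three APIs the managed mesh provisioning path needs.
const gkehubApi = enableApi('gkehubApi', 'gkehub.googleapis.com');
const meshConfigApi = enableApi('meshConfigApi', 'meshconfig.googleapis.com');
const meshCaApi = enableApi('meshCaApi', 'meshca.googleapis.com');

// Fleet-level Service Mesh feature. `servicemesh` is the fixed feature name;
// fleet features always live in the `global` location.
const feature = new gcp.gkehub.Feature(
  'anthosServiceMesh',
  {
    name: 'servicemesh',
    location: 'global',
  },
  { dependsOn: [gkehubApi, meshConfigApi, meshCaApi] },
);

// Register the cluster with the fleet. The resource link is built from the
// cluster's own id so it cannot drift from the cluster resource.
const membership = new gcp.gkehub.Membership(
  'anthosServiceMeshMembership',
  {
    membershipId: 'cluster-mesh-membership',
    endpoint: {
      gkeCluster: {
        resourceLink: pulumi.interpolate`//container.googleapis.com/${cluster.id}`,
      },
    },
  },
  { dependsOn: [feature] },
);

// Opt this membership into automatic (Google-managed) control plane lifecycle.
const featureMembership = new gcp.gkehub.FeatureMembership(
  'anthosServiceMeshFeatureMembership',
  {
    feature: feature.name,
    membership: membership.name,
    location: 'global',
    mesh: {
      management: 'MANAGEMENT_AUTOMATIC',
    },
  },
);

// `provider: clusterProvider` already orders this resource after the
// provider, so a separate dependsOn on it is not needed.
const istioNS = new k8s.core.v1.Namespace(
  'istioNS',
  {
    metadata: {
      name: 'istio-system',
    },
  },
  { provider: clusterProvider },
);

// ControlPlaneRevision for the managed control plane.
// The `mesh.cloud.google.com/vpcsc` annotation declares whether the project
// sits inside a VPC Service Controls perimeter; it is 'false' here, so set it
// to 'true' if the project is VPC-SC protected.
// NOTE(review): the ControlPlaneRevision CRD is expected to be installed by
// the fleet feature once management is enabled, hence the dependency on
// featureMembership — confirm against the current managed-ASM docs.
const cpr = new k8s.apiextensions.CustomResource(
  'meshControlPlaneRevision',
  {
    apiVersion: 'mesh.cloud.google.com/v1beta1',
    kind: 'ControlPlaneRevision',
    metadata: {
      name: 'asm-managed',
      namespace: istioNS.metadata.name,
      annotations: {
        'mesh.cloud.google.com/vpcsc': 'false',
      },
      labels: {
        'mesh.cloud.google.com/managed-cni-enabled': 'true',
      },
    },
    spec: {
      type: 'managed_service',
      channel: 'regular',
    },
  },
  { provider: clusterProvider, dependsOn: [istioNS, featureMembership] },
);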
Also, this has been imperfect but helpful for setting up an Istio gateway to work with a GKE Ingress + managed certificate. GCLB communicates with backends in a secure context but does not validate the certificate the backend in your cluster presents to the GCLB frontend, presumably because Google already mitigates the possibility of MITM attacks on that path — so the backend cert gives you encryption in transit, not authentication of the backend. Accordingly, you provide your Istio gateway with a self-signed cert according to Google's docs (