feat: configure service mesh for the fl use case

platforms/gke/base/core/gke_enterprise/servicemesh/feature.tf

@@ -33,4 +33,8 @@ resource "google_gke_hub_feature_membership" "cluster_servicemesh" {
   location   = google_gke_hub_feature.servicemesh.location
   membership = data.google_container_cluster.cluster.name
   project    = google_project_service.mesh_googleapis_com.project
+
+  mesh {
+    management = "MANAGEMENT_AUTOMATIC"
+  }
 }

platforms/gke/base/use-cases/federated-learning/common.sh

@@ -62,6 +62,7 @@ core_platform_terraservices=(
   "gke_enterprise/fleet_membership"
   "gke_enterprise/configmanagement/oci"
   "gke_enterprise/policycontroller"
+  "gke_enterprise/servicemesh"
 )
 
 # shellcheck disable=SC2034 # Variable is used in other scripts

platforms/gke/base/use-cases/federated-learning/terraform/config_management/files/common/servicemesh/egress-gateway.yaml

@@ -0,0 +1,171 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-egress
+  labels:
+    tenant-ns: "false"
+    # Allow Cloud Service Mesh to manage the workloads in the namespace
+    # Ref: https://cloud.google.com/service-mesh/docs/managed/select-a-release-channel#injection_labels
+    istio.io/rev: asm-managed
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-egressgateway
+  namespace: istio-egress
+spec:
+  type: ClusterIP
+  selector:
+    app: istio-egressgateway
+    istio: egressgateway
+  ports:
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 8080
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istio-egressgateway
+  namespace: istio-egress
+spec:
+  maxReplicas: 5
+  minReplicas: 3
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istio-egressgateway
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-egressgateway
+  namespace: istio-egress
+spec:
+  selector:
+    matchLabels:
+      app: istio-egressgateway
+      istio: egressgateway
+  strategy:
+    rollingUpdate:
+      maxSurge: 100%
+      maxUnavailable: 25%
+  template:
+    metadata:
+      annotations:
+        # This is required to tell Cloud Service Mesh to inject the gateway with
+        # the required configuration.
+        inject.istio.io/templates: gateway
+      labels:
+        app: istio-egressgateway
+        istio: egressgateway
+    spec:
+      serviceAccountName: istio-egressgateway-service-account
+      containers:
+        - name: istio-proxy
+          # The image will automatically update each time the pod starts
+          image: auto
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 1024Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              # Deploy these Pods only in the system node pool
+              - matchExpressions:
+                  - key: resource-type
+                    operator: In
+                    values:
+                      - system
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istio-egressgateway
+  namespace: istio-egress
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: istio-egressgateway
+      istio: egressgateway
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istio-egressgateway-sds
+  namespace: istio-egress
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-egressgateway-sds
+  namespace: istio-egress
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-egressgateway-sds
+subjects:
+  - kind: ServiceAccount
+    name: istio-egressgateway-service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: istio-egressgateway-service-account
+  namespace: istio-egress
+---
+# Load balance traffic to the egress gateway, and enable mTLS
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: target-egress-gateway
+  namespace: istio-system
+spec:
+  host: istio-egressgateway.istio-egress.svc.cluster.local
+  subsets:
+    - name: target-egress-gateway-mTLS
+      trafficPolicy:
+        loadBalancer:
+          simple: ROUND_ROBIN
+        tls:
+          mode: ISTIO_MUTUAL

platforms/gke/base/use-cases/federated-learning/terraform/config_management/files/common/servicemesh/mesh-configuration.yaml

@@ -0,0 +1,75 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Configure:
+# - Enable proxy access logs: https://cloud.google.com/service-mesh/docs/observability/access-logs
+# - Enable Cloud Trace on Cloud Service Mesh: https://cloud.google.com/service-mesh/docs/observability/accessing-traces
+# - Minimum TLS version: https://cloud.google.com/service-mesh/docs/enable-optional-features-managed#configure_the_minimum_tls_version_for_your_workloads
+# - Outbound traffic policy: https://cloud.google.com/service-mesh/docs/enable-optional-features-managed#outbound_traffic_policy
+# Keep the istio-asm-managed and the istio-asm-managed-rapid ConfigMaps in sync
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-asm-managed
+  namespace: istio-system
+data:
+  mesh: |-
+    accessLogFile: /dev/stdout
+    defaultConfig:
+      tracing:
+        stackdriver: {}
+    meshMTLS:
+      minProtocolVersion: TLSV1_3
+    outboundTrafficPolicy:
+      mode: REGISTRY_ONLY
+---
+# Duplicate ConfigMap because of a known issue with the TRAFFIC_DIRECTOR control
+# plane implementation: https://cloud.google.com/service-mesh/docs/enable-optional-features-managed
+# If you are using that implementation, then you must make changes in the
+# istio-asm-managed-rapid configmap, even if you are using a channel other than
+# rapid.
+# Keep the istio-asm-managed and the istio-asm-managed-rapid ConfigMaps in sync
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-asm-managed-rapid
+  namespace: istio-system
+data:
+  mesh: |-
+    meshMTLS:
+      minProtocolVersion: TLSV1_3
+    outboundTrafficPolicy:
+      mode: REGISTRY_ONLY
+---
+# Enforce a mesh-wide policy to only allow mTLS, and forbid plain-text traffic
+# Ref (scope): https://cloud.google.com/service-mesh/docs/security/configuring-mtls#enforce_mesh-wide_mtls
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: istio-system
+spec:
+  mtls:
+    mode: STRICT
+---
+# By default, allow nothing if there are no other ALLOW policies.
+# Applies to all pods in the mesh because it's deployed in the root namespace.
+# Ref: https://cloud.google.com/service-mesh/docs/security/authorization-policy-overview#allow_nothing
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-nothing
+  namespace: istio-system
+spec:
+  action: ALLOW

platforms/gke/base/use-cases/federated-learning/terraform/config_management/files/common/servicemesh/service-entries.yaml

@@ -0,0 +1,60 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Add the metadata server to the service registry
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: metadata-google-internal
+  namespace: istio-system
+  labels:
+    # Show this service and its telemetry in the Anthos Service Mesh page of the Google Cloud console
+    service.istio.io/canonical-name: metadata.google.internal
+spec:
+  hosts:
+    - metadata.google.internal
+  addresses:
+    - 169.254.169.254
+  ports:
+    - number: 80
+      name: http
+      protocol: HTTP
+    - number: 443
+      name: tls
+      protocol: TLS
+  resolution: DNS
+  location: MESH_EXTERNAL
+---
+# Add the private Google APIs endpoints to the service registry
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: private-googleapis-com
+  namespace: istio-system
+  labels:
+    # Show this service and its telemetry in the Anthos Service Mesh page of the Google Cloud console
+    service.istio.io/canonical-name: googleapis.com
+spec:
+  hosts:
+    - private.googleapis.com
+    - storage.googleapis.com
+  ports:
+    - number: 80
+      name: http
+      protocol: HTTP
+    - number: 443
+      name: tls
+      protocol: TLS
+  resolution: DNS
+  location: MESH_EXTERNAL

platforms/gke/base/use-cases/federated-learning/terraform/config_management/templates/namespace_configuration/authorization-policy.yaml

@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Allow traffic within namespace
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-within-namespace
+  namespace: ${namespace_name}
+spec:
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            namespaces:
+              - ${namespace_name}