Support for Istio service mesh manifests

[brettcurtis]

Summary by CodeRabbit

• New Features

  • Introduced a new input parameter node_location to specify the zone for cluster nodes.
  • Added Kubernetes manifest resources for Istio configuration including destination rules, gateways, peer authentication, and virtual services.
  • Expanded configuration options for Istio VirtualServices.
  • Added version information for the google provider and new resources in the regional onboarding module.

• Improvements

  • Enhanced documentation with new README files and updated existing ones to reflect changes.

• Bug Fixes

  • Adjusted configurations and removed commented lines for various resources to improve clarity and functionality.

[coderabbitai]

Walkthrough

The overall change adds a new node_location parameter to specify the zone for cluster nodes, updates the Terraform configurations and documentation for managing Istio resources, and enhances the regional onboarding process by including new provider versions and resources. These modifications improve the configuration flexibility and setup process for Istio and Kubernetes resources in a multi-region environment.

Changes

File(s)	Change Summary
regional/istio/README.md	Added a new node_location input parameter to the istio_remote_injection_path module.
regional/istio/locals.tf	Updated the assignment of multi_cluster_name based on the node_location condition.
regional/istio/manifests/README.md	Introduced a new README for managing Istio resources, detailing requirements, providers, modules, resources, inputs, and outputs.
regional/istio/manifests/main.tf	Added Kubernetes manifest resources for Istio configuration, including destination rules, gateways, peer authentication, and virtual services.
regional/istio/manifests/variables.tf	Introduced new variables for defining Istio VirtualServices configurations for GKE Info and regions.
regional/istio/variables.tf	Added a new variable node_location for defining the cluster node zone.
regional/onboarding/README.md	Updated the README to include the addition of provider version information and new resources for onboarding.
regional/onboarding/main.tf	Modified the configuration to remove commented lines, adjust indentation, and update configurations for Google service accounts and Kubernetes roles and bindings.

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[infracost]

💰 Infracost report

This pull request is aligned with your company's FinOps policies and the Well-Architected Framework.

_{This comment will be updated when code changes.}

[coderabbitai]

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)

regional/istio/manifests/README.md (1)

38-38: Correct the grammar in the description.

The word "failover" is a noun. The verb is spelled with a white space.

- The region to failover to
+ The region to fail over to

Tools

LanguageTool

[grammar] ~38-~38: The word “failover” is a noun. The verb is spelled with a white space.
Context: ..._failover_to_region) | The region to failover to | string | "" | no | | <a name="...

(NOUN_VERB_CONFUSION)

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 3c4b281 and 517defe.

Files selected for processing (8)

• regional/istio/README.md (1 hunks)
• regional/istio/locals.tf (1 hunks)
• regional/istio/manifests/README.md (1 hunks)
• regional/istio/manifests/main.tf (1 hunks)
• regional/istio/manifests/variables.tf (1 hunks)
• regional/istio/variables.tf (1 hunks)
• regional/onboarding/README.md (2 hunks)
• regional/onboarding/main.tf (3 hunks)

Additional context used

LanguageTool

regional/istio/manifests/README.md

[grammar] ~38-~38: The word “failover” is a noun. The verb is spelled with a white space.
Context: ..._failover_to_region) | The region to failover to | string | "" | no | | <a name="...

(NOUN_VERB_CONFUSION)

Additional comments not posted (25)

regional/istio/locals.tf (2)

14-14: LGTM! Verify the usage of node_location.

The conditional assignment to the name variable is correct.

However, ensure that node_location is properly defined and used elsewhere in the codebase.

Verification successful

---

LGTM! The node_location variable is properly defined and used throughout the codebase.

• regional/variables.tf
• regional/main.tf
• tests/fixtures/gke_fleet_host/regional/main.tf
• regional/locals.tf
• regional/istio/variables.tf

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `node_location` in the codebase.

# Test: Search for the `node_location` variable. Expect: Proper definition and usage.
rg --type terraform $'node_location'

Length of output: 69

---

Script:

#!/bin/bash
# Description: Verify the usage of `node_location` in the codebase.

# Test: Search for the `node_location` variable in .tf files. Expect: Proper definition and usage.
rg 'node_location' --glob '*.tf'

Length of output: 664

---

15-15: LGTM! Verify the usage of multi_cluster_name.

The update to the multi_cluster_name variable is correct.

However, ensure that the multi_cluster_name variable is used correctly elsewhere in the codebase.

Verification successful

---

The usage of multi_cluster_name is correct.

The variable multi_cluster_name is properly defined and used within the codebase.

• Definition: multi_cluster_name = "${var.cluster_prefix}-${var.region}-${var.environment}"
• Usage: value = local.multi_cluster_name

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `multi_cluster_name` in the codebase.

# Test: Search for the `multi_cluster_name` variable. Expect: Proper usage.
rg --type terraform $'multi_cluster_name'

Length of output: 74

---

Script:

#!/bin/bash
# Description: Verify the usage of `multi_cluster_name` in the codebase.

# Find all Terraform files and search for the `multi_cluster_name` variable within them.
fd -e tf -e tfvars -x rg 'multi_cluster_name' {}

Length of output: 170

---

Script:

#!/bin/bash
# Description: Provide more context around the usage of `multi_cluster_name`.

# Find all Terraform files and search for the `multi_cluster_name` variable within them, including context lines.
fd -e tf -e tfvars -x rg -A 5 -B 5 'multi_cluster_name' {}

Length of output: 544

regional/istio/manifests/variables.tf (7)

24-30: LGTM! Verify the usage of gke_info_istio_virtual_services.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

The variable gke_info_istio_virtual_services is used correctly in the codebase.

• Defined in regional/istio/manifests/variables.tf.
• Used in regional/istio/manifests/main.tf within a kubernetes_manifest resource block.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `gke_info_istio_virtual_services` in the codebase.

# Test: Search for the `gke_info_istio_virtual_services` variable. Expect: Proper usage.
rg --type terraform $'gke_info_istio_virtual_services'

Length of output: 87

---

Script:

#!/bin/bash
# Description: Verify the usage of `gke_info_istio_virtual_services` in the codebase.

# Test: Search for the `gke_info_istio_virtual_services` variable. Expect: Proper usage.
rg 'gke_info_istio_virtual_services'

Length of output: 1389

---

1-7: LGTM! Verify the usage of common_gke_info_istio_virtual_services.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

The variable common_gke_info_istio_virtual_services is used correctly in the codebase.

• regional/istio/manifests/main.tf: The variable is used in a for_each statement to merge it with another variable for creating Istio VirtualServices.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `common_gke_info_istio_virtual_services` in the codebase.

# Test: Search for the `common_gke_info_istio_virtual_services` variable. Expect: Proper usage.
rg --type terraform $'common_gke_info_istio_virtual_services'

Length of output: 94

---

Script:

#!/bin/bash
# Description: Verify the usage of `common_gke_info_istio_virtual_services` in the codebase.

# Test: Search for the `common_gke_info_istio_virtual_services` variable in Terraform files.
rg 'common_gke_info_istio_virtual_services' --glob '*.tf' -A 5

Length of output: 960

---

32-36: LGTM! Verify the usage of istio_failover_from_region.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

LGTM!

The variable istio_failover_from_region is correctly defined, used, and documented in the codebase.

• Definition: regional/istio/manifests/variables.tf
• Usage: regional/istio/manifests/main.tf
• Documentation: regional/istio/manifests/README.md

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `istio_failover_from_region` in the codebase.

# Test: Search for the `istio_failover_from_region` variable. Expect: Proper usage.
rg --type terraform $'istio_failover_from_region'

Length of output: 82

---

Script:

#!/bin/bash
# Description: Verify the usage of `istio_failover_from_region` in the codebase.

# Test: Search for the `istio_failover_from_region` variable. Expect: Proper usage.
rg 'istio_failover_from_region'

Length of output: 409

---

18-22: LGTM! Verify the usage of environment.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

The environment variable is used correctly throughout the codebase.

• value = var.environment
• \"DD_ENV\":\"${var.environment}\"
• multi_cluster_name = "${var.cluster_prefix}-${var.region}-${var.environment}"

These usages are consistent with Terraform practices.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `environment` in the codebase.

# Test: Search for the `environment` variable. Expect: Proper usage.
rg --type terraform $'environment'

Length of output: 67

---

Script:

#!/bin/bash
# Description: Verify the usage of `environment` in the Terraform codebase.

# Find all Terraform files and search for the `environment` variable.
fd -e tf -x rg 'environment' {}

Length of output: 498

---

9-16: LGTM! Verify the usage of common_istio_virtual_services.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

LGTM! The variable common_istio_virtual_services is used correctly in the codebase.

• The variable is defined properly in variables.tf.
• It is referenced and used correctly in main.tf within a kubernetes_manifest resource block.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `common_istio_virtual_services` in the codebase.

# Test: Search for the `common_istio_virtual_services` variable. Expect: Proper usage.
rg --type terraform $'common_istio_virtual_services'

Length of output: 85

---

Script:

#!/bin/bash
# Description: Verify the usage of `common_istio_virtual_services` in the codebase.

# Test: Search for the `common_istio_virtual_services` variable. Expect: Proper usage.
rg 'common_istio_virtual_services'

Length of output: 639

---

Script:

#!/bin/bash
# Description: Extract the context around the usage of `common_istio_virtual_services` in main.tf

# Test: Extract lines around the usage of `common_istio_virtual_services` in main.tf
rg 'common_istio_virtual_services' -A 5 -B 5 regional/istio/manifests/main.tf

Length of output: 332

---

38-42: LGTM! Verify the usage of istio_failover_to_region.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

---

The variable istio_failover_to_region is correctly defined and used in the codebase.

• regional/istio/manifests/main.tf: "to" = var.istio_failover_to_region
• regional/istio/manifests/variables.tf: The variable definition.
• regional/istio/manifests/README.md: Documentation of the variable.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `istio_failover_to_region` in the codebase.

# Test: Search for the `istio_failover_to_region` variable. Expect: Proper usage.
rg --type terraform $'istio_failover_to_region'

Length of output: 80

---

Script:

#!/bin/bash
# Description: Verify the usage of `istio_failover_to_region` in the codebase.

# Test: Search for the `istio_failover_to_region` variable. Expect: Proper usage.
rg -t hcl 'istio_failover_to_region'

Length of output: 64

---

Script:

#!/bin/bash
# Description: Verify the usage of `istio_failover_to_region` in the codebase.

# Test: Search for the `istio_failover_to_region` variable. Expect: Proper usage.
rg 'istio_failover_to_region'

Length of output: 395

---

44-51: LGTM! Verify the usage of istio_virtual_services.

The variable definition is correct.

However, ensure that the variable is used correctly elsewhere in the codebase.

Verification successful

Let's re-run the search for istio_virtual_services without specifying the file type.

---

Let's extract the relevant lines from the main.tf file to verify the usage of istio_virtual_services.

---

The usage of the istio_virtual_services variable is correct.

The variable is correctly used in the kubernetes_manifest resource with the for_each statement to merge region-specific and common virtual services.

• regional/istio/manifests/main.tf: Verified correct usage in the kubernetes_manifest resource.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `istio_virtual_services` in the codebase.

# Test: Search for the `istio_virtual_services` variable. Expect: Proper usage.
rg --type terraform $'istio_virtual_services'

Length of output: 78

---

Script:

#!/bin/bash
# Description: Verify the usage of `istio_virtual_services` in the codebase.

# Test: Search for the `istio_virtual_services` variable. Expect: Proper usage.
rg 'istio_virtual_services'

Length of output: 2718

---

Script:

#!/bin/bash
# Description: Extract relevant lines from the main.tf file to verify the usage of `istio_virtual_services`.

# Extract lines containing the usage of `istio_virtual_services` and surrounding context.
rg 'istio_virtual_services' -A 5 -B 5 regional/istio/manifests/main.tf

Length of output: 644

regional/onboarding/main.tf (5)

4-8: LGTM! Verify the usage of kubernetes_namespace_v1.

The changes improve readability and maintainability.

However, ensure that the resource is used correctly elsewhere in the codebase.

Verification successful

---

The usage of kubernetes_namespace_v1 is verified and appears to be consistent throughout the codebase.

The resource is referenced multiple times in regional/onboarding/main.tf and documented in regional/onboarding/README.md.

• regional/onboarding/main.tf
• regional/onboarding/README.md

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_namespace_v1` in the codebase.

# Test: Search for the `kubernetes_namespace_v1` resource. Expect: Proper usage.
rg --type terraform $'kubernetes_namespace_v1'

Length of output: 79

---

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_namespace_v1` in the codebase.

# Test: Search for the `kubernetes_namespace_v1` resource in all files. Expect: Proper usage.
rg 'kubernetes_namespace_v1'

Length of output: 1106

---

77-95: LGTM! Verify the usage of kubernetes_role_binding_v1.

The changes improve readability and maintainability.

However, ensure that the resource is used correctly elsewhere in the codebase.

Verification successful

---

The usage of kubernetes_role_binding_v1 is verified and correct.

The resource is properly referenced in the main.tf file and documented in the README.md.

• regional/onboarding/main.tf
• regional/onboarding/README.md

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_role_binding_v1` in the codebase.

# Test: Search for the `kubernetes_role_binding_v1` resource. Expect: Proper usage.
rg --type terraform $'kubernetes_role_binding_v1'

Length of output: 82

---

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_role_binding_v1` in the codebase.

# Test: Search for the `kubernetes_role_binding_v1` resource. Expect: Proper usage.
rg 'kubernetes_role_binding_v1' -A 5 -B 5

Length of output: 2184

---

4-8: LGTM! Verify the usage of google_service_account.

The changes improve readability and maintainability.

However, ensure that the data source is used correctly elsewhere in the codebase.

Verification successful

---

The google_service_account data source is used correctly throughout the codebase.

The search results indicate that google_service_account is integrated and referenced in multiple files, including variables.tf, outputs.tf, and main.tf, among others. This confirms that the data source is being utilized appropriately.

• variables.tf
• outputs.tf
• main.tf
• regional/main.tf
• tests/fixtures/gke_fleet_host/regional_onboarding/main.tf

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `google_service_account` in the codebase.

# Test: Search for the `google_service_account` data source. Expect: Proper usage.
rg --type terraform $'google_service_account'

Length of output: 78

---

Script:

#!/bin/bash
# Description: Verify the usage of `google_service_account` in the codebase.

# Test: Search for the `google_service_account` data source. Expect: Proper usage.
rg 'google_service_account' --glob '*.tf' -A 3

Length of output: 7696

---

68-68: LGTM! Verify the usage of kubernetes_role_v1.

The changes are correct and follow Kubernetes syntax.

However, ensure that the resource is used correctly elsewhere in the codebase.

---

100-112: LGTM! Verify the usage of kubernetes_service_account_v1.

The changes improve readability and maintainability.

However, ensure that the resource is used correctly elsewhere in the codebase.

Verification successful

---

The kubernetes_service_account_v1 resource is used correctly in the codebase.

The resource and its associated variables are referenced appropriately in various .tf files, ensuring proper integration and usage.

• regional/onboarding/main.tf
• regional/onboarding/variables.tf
• tests/fixtures/gke_fleet_host/regional_onboarding/main.tf
• tests/fixtures/gke_fleet_host/outputs.tf
• tests/fixtures/gke_fleet_member/outputs.tf
• outputs.tf
• main.tf

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_service_account_v1` in the codebase.

# Test: Search for the `kubernetes_service_account_v1` resource. Expect: Proper usage.
rg --type terraform $'kubernetes_service_account_v1'

Length of output: 85

---

Script:

#!/bin/bash
# Description: Verify the usage of `kubernetes_service_account_v1` in the codebase.

# Test: Search for the `kubernetes_service_account_v1` resource. Expect: Proper usage.
rg 'kubernetes_service_account_v1' --glob '*.tf' -A 5

Length of output: 347

---

Script:

#!/bin/bash
# Description: Verify the usage of `workload_identity` in the codebase.

# Test: Search for references to `workload_identity` resource. Expect: Proper usage.
rg 'workload_identity' --glob '*.tf' -A 5

Length of output: 5320

regional/onboarding/README.md (1)

14-14: LGTM! Verify the compatibility of the google provider version.

The addition is correct and follows Terraform syntax.

However, ensure that the provider version is compatible with the rest of the codebase.

#!/bin/bash
# Description: Verify the compatibility of the `google` provider version in the codebase.

# Test: Search for the `google` provider version. Expect: Proper compatibility.

<details>
<summary>Verification successful</summary>



---

<!-- [monologue]
[task review_file_1/1] Verify the compatibility of the `google` provider version.
[observations] The changelog for the `google` provider version 5.36.0 includes new resources, improvements, and bug fixes. There are no breaking changes mentioned in the changelog.
[analysis] Since there are no breaking changes listed in the changelog, the upgrade to version 5.36.0 should be compatible with the existing codebase. The improvements and bug fixes should enhance the functionality without causing issues.
[actions] Conclude the verification process and generate the final response indicating that the verification is successful.
-->

**The `google` provider version 5.36.0 is compatible with the existing codebase.**

The changelog indicates new resources, improvements, and bug fixes without any breaking changes. The upgrade should enhance functionality without causing issues.

- 

</details>


<details>
<summary>Scripts executed</summary>

The following scripts were executed for the analysis:



---

Script:

```shell
#!/bin/bash
# Description: Verify the compatibility of the `google` provider version in the codebase.

# Search for the `google` provider configuration in Terraform files
rg 'provider\s+"google"' -A 5 --glob '*.tf'

# Search for any usage of the `google` provider in Terraform files
rg 'google_' --glob '*.tf'

Length of output: 9721

---

Script:

#!/bin/bash
# Description: Fetch the release notes or changelog for the `google` provider version 5.36.0.

# Fetch the release notes or changelog for the `google` provider version 5.36.0
curl -s https://registry.terraform.io/providers/hashicorp/google/5.36.0/docs | grep -i "changelog\|release notes"

Length of output: 115

---

Script:

#!/bin/bash
# Description: Fetch the changelog for the `google` provider version 5.36.0 from the GitHub repository.

# Fetch the changelog for the `google` provider version 5.36.0
curl -s https://api.github.com/repos/hashicorp/terraform-provider-google/releases/tags/v5.36.0 | jq -r '.body'

Length of output: 3769

regional/istio/manifests/README.md (2)

18-27: Resources section looks good!

The added resources are correctly documented with accurate links to the Terraform registry.

---

31-39: Inputs section looks good!

The added input variables are correctly documented with accurate descriptions and types.

Tools

LanguageTool

[grammar] ~38-~38: The word “failover” is a noun. The verb is spelled with a white space.
Context: ..._failover_to_region) | The region to failover to | string | "" | no | | <a name="...

(NOUN_VERB_CONFUSION)

regional/istio/variables.tf (1)

159-163: Variable definition looks good!

The new variable node_location is correctly defined with an accurate description and default value.

regional/istio/manifests/main.tf (6)

4-57: Resource definition looks good!

The istio_cluster_services_destination_rule resource is correctly defined with accurate specifications and variable references.

---

59-79: Resource definition looks good!

The istio_kubernetes_default_destination_rule resource is correctly defined with accurate specifications.

---

81-119: Resource definition looks good!

The istio_gateway resource is correctly defined with accurate specifications.

---

121-137: Resource definition looks good!

The istio_peer_authentication resource is correctly defined with accurate specifications.

---

139-175: Resource definition looks good!

The istio_virtual_services resource is correctly defined with accurate specifications and variable references.

---

177-217: Resource definition looks good!

The gke_info_istio_virtual_services resource is correctly defined with accurate specifications and variable references.

regional/istio/README.md (1)

67-67: Input parameter looks good!

The new input parameter node_location is correctly documented with an accurate description and default value.