Add Meshconfig initialize resource

[sthomson-wyn]

Checklist

• [X] I did not find a related open enhancement request.
• [X] I understand that enhancement requests filed in the GitHub repository are by default low priority.
• [X] If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

Add a resource for the meshconfig initialize url

There is currently no analogue in the cli or terraform for this... a chance for config connector to get a leg up :)

Please add a resource to perform the call described here: https://cloud.google.com/service-mesh/docs/unified-install/project-cluster-setup#set_up_your_cluster

curl --request POST  \
 --header "Authorization: Bearer $(gcloud auth print-access-token)" \
 --header "Content-Type: application/json" \
 --data '{"workloadIdentityPools":["FLEET_PROJECT_ID.hub.id.goog","FLEET_PROJECT_ID.svc.id.goog","PROJECT_ID.svc.id.goog"]}' \
 "https://meshconfig.googleapis.com/v1alpha1/projects/PROJECT_ID:initialize"

Additional information

No response

Importance

This is a pain point. It is necessary to call this api in order to set up ASM in a cluster

[maqiuyujoyce]

Hi @sthomson-wyn , thank you for your feedback. Could you share more details about your use case with this command? I took a look at the instructions, it looks like this is a one-off imperative call used to set up the fleet project, but it's unclear whether this API endpoint (or if there is any other API endpoint) should be used for drift correction. So I wondered how the declarative tooling can help here.

If you believe this is a resource that Config Connector should support, then could you you file an enhancement request with Terraform (if there isn't one yet)? New Config Connector resources need to be implemented based on existing Terraform resources.

Note that timelines for Terraform resource requests can be pretty unpredictable. We recommend making the contribution yourself if possible (which we would also highly appreciate!). Otherwise, we'll keep you posted on updates.

[sthomson-wyn]

You're correct that this endpoint is unlikely to be able to used with drift detection.

However, as confirmed with gcp support, this curl call is the only way to create the serviceAccount:service-{proj-number}@gcp-sa-mesh-dataplane.iam.gserviceaccount.com resource

So as far as resolving drift... one would have to just hit the initialize endpoint ad infinitum

This poor design is ultimately upstream from this project... but that would be the only way to create this necessary service account (necessary for asm)

I will see about getting this into terraform. thanks!

[maqiuyujoyce]

Hi @sthomson-wyn , is this initialize step a requirement for all users who need to use meshconfig.googleapis.com? If so, would it make sense to just make it part of the service enablement?

If so, would be great if you can provide the feedback to the Meshconfig API team via Cloud support so that this can be improved in the API layer.

[djazayeri]

@sthomson-wyn is your goal to enable ASM with an in-cluster control plane, on a GKE cluster? And are you using config connector to install/manage the control plane?

[diviner524]

Will we run into the same problem if the Service Mesh feature is enabled through GKE Hub feature membership?

https://cloud.google.com/config-connector/docs/reference/resource-docs/gkehub/gkehubfeaturemembership#service_mesh_feature_membership

[djazayeri]

If you register your cluster with Fleet, and enable the Mesh feature (i.e. only the "Before you begin" step at https://cloud.google.com/service-mesh/docs/managed/provision-managed-anthos-service-mesh#enable_the_fleet_feature), then this will automatically ensure that meshconfig initialize gets called, and you don't have to call curl. You can do this declaratively via https://cloud.google.com/config-connector/docs/reference/resource-docs/gkehub/gkehubfeaturemembership#service_mesh_feature_membership or via https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature#example-usage---enable-anthos-service-mesh (setting "management=automatic" would enable Managed Anthos Service Mesh, so you don't want to do that here).