cloudbuild-provision-cluster.yaml with Istio 1.4 sidecar injector webhook installation
# NOTE: This is a modification of:
# https://github.com/GoogleCloudPlatform/cloud-run-anthos-reference-web-app/blob/master/cloudbuild-provision-cluster.yaml
#
# That includes additional steps to install the Istio sidecar injector webhook per:
# https://cloud.google.com/solutions/authorizing-access-to-cloud-run-on-gke-services-using-istio#installing_the_istio_sidecar_injector_webhook
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## The steps in this Cloud Build script set up the cluster
## to be used by the project. This script is separate
## from the regular infrastructure setup because it is intended
## to be a one-time setup, whereas the steps in cloudbuild.yaml
## are repeatable.
steps:
## CLUSTER CREATE ##
# Create a new cluster with the appropriate configuration for this application.
# Workload Identity is turned on here ('--identity-namespace') so that the
# Config Connector binding created in a later step can map a Kubernetes service
# account onto an IAM service account.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Create Cluster
  waitFor: ['-']
  args:
  - 'beta'
  - 'container'
  - 'clusters'
  - 'create'
  - '${_CLUSTER_NAME}'
  - '--addons'
  - 'HorizontalPodAutoscaling,HttpLoadBalancing,CloudRun'
  - '--machine-type'
  - 'e2-standard-4'
  - '--num-nodes'
  - '3'
  - '--cluster-version'
  - '${_CLUSTER_GKE_VERSION}'
  - '--enable-stackdriver-kubernetes'
  - '--identity-namespace'
  - '${PROJECT_ID}.svc.id.goog'
  - '--enable-ip-alias'
  - '--zone'
  - '${_CLUSTER_LOCATION}'
## SERVICE ACCOUNT SETUP
# Create a service account for Config Connector (if one does not already exist).
# 'describe' succeeds only when the account is present; 'create' runs otherwise.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Create Config Connector service account
  waitFor: ['-']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    gcloud iam service-accounts describe cnrm-system@${PROJECT_ID}.iam.gserviceaccount.com \
      || gcloud iam service-accounts create cnrm-system
# Set up IAM role bindings for Config Connector
# See: https://cloud.google.com/iam/docs/understanding-roles#primitive_role_definitions
# NOTE(review): this binds the cnrm-system service account to project-wide Owner.
# Config Connector only needs rights over the resource types this project actually
# manages; scoping the role down limits what a compromised cnrm-system workload
# could do to the rest of the project.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Grant Owner permissions
  waitFor: ['Create Config Connector service account']
  args:
  - 'projects'
  - 'add-iam-policy-binding'
  - '${PROJECT_ID}'
  - '--member=serviceAccount:cnrm-system@${PROJECT_ID}.iam.gserviceaccount.com'
  - '--role=roles/owner'
# Set up the Workload Identity binding for Config Connector on the cluster
# See: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
# Allows the cnrm-controller-manager Kubernetes service account (cnrm-system
# namespace) to act as the cnrm-system IAM service account.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Create IAM policy binding
  waitFor: ['Create Config Connector service account', 'Create Cluster']
  args:
  - 'iam'
  - 'service-accounts'
  - 'add-iam-policy-binding'
  - 'cnrm-system@${PROJECT_ID}.iam.gserviceaccount.com'
  - '--member=serviceAccount:${PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]'
  - '--role=roles/iam.workloadIdentityUser'
## CONFIG CONNECTOR INSTALL
# See: https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall#installing_kcc
# Download the latest release of Config Connector.
# NOTE(review): 'latest' is unpinned and the bundle is not integrity-checked, so a
# rerun can install a different version than the one that was last reviewed.
- name: 'gcr.io/cloud-builders/gsutil'
  id: Download Config Connector
  waitFor: ['-']
  args:
  - 'cp'
  - 'gs://cnrm/latest/release-bundle.tar.gz'
  - 'release-bundle.tar.gz'
# Extract the release artifacts into the build workspace.
- name: 'alpine'
  id: Extract Config Connector
  waitFor: ['Download Config Connector']
  entrypoint: /bin/tar
  args:
  - 'zxvf'
  - 'release-bundle.tar.gz'
# Substitute project ID into the YAML definitions.
# The bundle carries a '${PROJECT_ID?}' placeholder. Presumably Cloud Build leaves
# that token alone (it is not a valid substitution name) while replacing
# '${PROJECT_ID}', so sed swaps placeholder for the real project ID — confirm
# against the rendered file if the bundle format changes.
- name: 'alpine'
  id: Process Manifest
  waitFor: ['Extract Config Connector']
  entrypoint: /bin/ash
  args:
  - '-c'
  - |
    sed -i 's/${PROJECT_ID?}/${PROJECT_ID}/' install-bundle-workload-identity/0-cnrm-system.yaml
# Install Config Connector on the cluster.
# The CLOUDSDK_* variables are read by the kubectl builder to select the
# cluster it fetches credentials for.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Install Config Connector
  waitFor: ['Create Cluster', 'Process Manifest']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'apply'
  - '-f'
  - 'install-bundle-workload-identity/'
# Verify Config Connector installation: block until every pod in cnrm-system
# reports Ready, and fail the build if that takes longer than five minutes.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Wait Config Connector
  waitFor: ['Install Config Connector']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'wait'
  - '-n'
  - 'cnrm-system'
  - '--for=condition=Ready'
  - 'pod'
  - '--all'
  - '--timeout=5m'
# Create the web application namespace.
# 'create' is not idempotent: this script is meant as a one-time setup, and a
# rerun against an existing namespace fails at this step.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Create Namespace
  waitFor: ['Create Cluster']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'create'
  - 'namespace'
  - '${_NAMESPACE}'
# Mark the namespace as managed by Config Connector, so resources declared in it
# are reconciled into this project.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Annotate Namespace
  waitFor: ['Create Namespace']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'annotate'
  - 'namespace'
  - '${_NAMESPACE}'
  - 'cnrm.cloud.google.com/project-id=${PROJECT_ID}'
# Add a Standalone NEG to the cluster ingress
# See: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg
# Annotates the Istio ingress service so that port 80 is exposed through a
# network endpoint group; '--overwrite' keeps the step repeatable.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Create NEG
  waitFor: ['Create Cluster']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'annotate'
  - '--overwrite'
  - '--namespace=${_ISTIO_INGRESS_NAMESPACE}'
  - 'service'
  - '${_ISTIO_INGRESS_SERVICE}'
  - 'cloud.google.com/neg={"exposed_ports": {"80":{}}}'
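# Restrict cluster ingress firewall rules to just GCLB's published ranges:
# https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
# No 'waitFor' is given, so this step starts only after every step above it has
# completed.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Restrict Cluster Ingress
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    # Fail the build rather than silently leave the ingress firewall open: without
    # '-e' a failed 'describe' produces an empty timestamp and a failed 'update' is
    # ignored, yet the step still reports success.
    set -euo pipefail
    # Wait for the firewall rule associated with the current cluster creation to be created
    # so that it's restricted along with any other cluster ingress firewalls that might apply.
    # Shell variables are written as '$$VAR' so Cloud Build does not treat them as
    # substitutions ('$$' becomes a literal '$').
    CLUSTER_CREATE_TIME=$(gcloud container clusters describe ${_CLUSTER_NAME} \
      --zone=${_CLUSTER_LOCATION} --format="value(createTime)")
    while [[ -z $(gcloud compute firewall-rules list \
        --filter="name:k8s-fw AND targetTags.list()~^gke-${_CLUSTER_NAME}-[0-9a-z]*-node$ AND creationTimestamp>=$${CLUSTER_CREATE_TIME}" \
        --format="value(name)") ]]; do
      echo "unable to find cluster ingress firewall. Sleeping 10s..."
      sleep 10s
    done
    for firewall in $(gcloud compute firewall-rules list \
        --filter="name:k8s-fw AND targetTags.list()~^gke-${_CLUSTER_NAME}-[0-9a-z]*-node$" \
        --format="value(name)"); do
      gcloud compute firewall-rules update "$$firewall" --source-ranges=35.191.0.0/16,130.211.0.0/22
    done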
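# ===========================================================================
# ========== BEGIN ISTIO 1.4 SIDECAR INJECTOR WEBHOOK INSTALLATION ==========
# ===========================================================================
# Build a Helm image if it doesn't exist
# https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/helm#building-this-builder
# NOTE(review): this clones the repository's default branch unpinned and pushes the
# resulting image into this project's registry, where a later step executes it.
# Checking out a reviewed commit after the clone (git checkout <REVIEWED_COMMIT_SHA>)
# keeps an upstream change from silently altering what runs in this build.
- name: 'gcr.io/cloud-builders/gcloud'
  id: Build Helm Image
  waitFor: ['-']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    # Abort on the first failure: without '-e', a failed clone or 'cd' would let
    # 'gcloud builds submit .' run from the workspace instead of the helm builder
    # directory.
    set -euo pipefail
    if [[ -z "$(gcloud container images list --filter="name=gcr.io/${PROJECT_ID}/helm")" ]]; then
      git clone https://github.com/GoogleCloudPlatform/cloud-builders-community.git
      cd cloud-builders-community/helm
      gcloud builds submit . --config=cloudbuild.yaml
    fi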
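# The rest of these steps follow:
# https://cloud.google.com/solutions/authorizing-access-to-cloud-run-on-gke-services-using-istio#installing_the_istio_sidecar_injector_webhook
# Grant the account running this build cluster-admin so the cluster-scoped parts of
# the Istio manifest can be applied.
# NOTE(review): the binding is permanent and names whatever account
# 'gcloud config get-value core/account' resolves to inside Cloud Build (expected
# to be the build service account — confirm). Remove it after provisioning if that
# account does not need standing cluster-admin.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Add self as cluster admin
  waitFor: ['Create Cluster']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    set -euo pipefail
    # Overriding 'entrypoint' bypasses the kubectl builder's own credential setup,
    # and this step waits only on 'Create Cluster', so fetch credentials explicitly
    # instead of relying on a kubeconfig left behind by some other step.
    gcloud container clusters get-credentials ${_CLUSTER_NAME} --zone=${_CLUSTER_LOCATION}
    # Skip creation when the binding already exists so a rerun does not fail here.
    kubectl get clusterrolebinding cluster-admin-binding >/dev/null 2>&1 \
      || kubectl create clusterrolebinding cluster-admin-binding \
           --clusterrole cluster-admin \
           --user $(gcloud config get-value core/account)
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'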
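# Discover which Istio build the cluster's control plane runs (the istio-pilot
# deployment in gke-system) so the sidecar injector is rendered at the same
# version. The values are written to files because Cloud Build steps share
# /workspace but not environment variables.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Get Istio version
  waitFor: ['Add self as cluster admin']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    set -euo pipefail
    # The custom entrypoint bypasses the builder's credential setup; fetch them here.
    gcloud container clusters get-credentials ${_CLUSTER_NAME} --zone=${_CLUSTER_LOCATION}
    # '$$' is Cloud Build's escape for a literal '$', so the shell sees '$ISTIO_PACKAGE'.
    # NOTE(review): 'cut -d: -f2' assumes the image reference contains exactly one ':'
    # (no registry port, no digest) — holds for gcr.io/gke-release tags; verify if the
    # hub changes.
    ISTIO_PACKAGE=$(kubectl -n gke-system get deployments istio-pilot \
      -o jsonpath="{.spec.template.spec.containers[0].image}" | cut -d':' -f2)
    ISTIO_VERSION=$(echo $$ISTIO_PACKAGE | cut -d'-' -f1)
    # Stop here with a clear message instead of letting later steps fail on an
    # empty version in a GCS path or Helm value.
    if [[ -z "$$ISTIO_VERSION" ]]; then
      echo "could not determine the Istio version from the istio-pilot image" >&2
      exit 1
    fi
    echo ISTIO_VERSION=$$ISTIO_VERSION,ISTIO_PACKAGE=$$ISTIO_PACKAGE
    echo $$ISTIO_PACKAGE > istio.package
    echo $$ISTIO_VERSION > istio.version
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'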
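# Fetch the matching Istio release so its Helm chart can be rendered locally.
# NOTE(review): the archive is not integrity-checked. Comparing it against a digest
# recorded in this repository (e.g. with sha256sum) would make a tampered or
# truncated download fail here rather than in the cluster.
- name: 'gcr.io/cloud-builders/gsutil'
  id: Extract Istio
  waitFor: ['Get Istio version']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    # '-o pipefail' makes a failed download fail the step even though 'tar' is the
    # last command in the pipeline; '-e' stops on a missing istio.version file.
    set -euo pipefail
    ISTIO_VERSION=$(cat istio.version)
    gsutil -m cp gs://istio-release/releases/$$ISTIO_VERSION/istio-$$ISTIO_VERSION-linux.tar.gz - | tar zx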
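# Render the sidecar injector webhook manifest from the Istio chart, pointing the
# image hub and tag at the same gke-release build the cluster's istio-pilot uses.
# Pilot is disabled because the cluster already runs one in gke-system; only the
# injector webhook (plus 'security', per the linked guide) is enabled.
- name: 'gcr.io/${PROJECT_ID}/helm'
  id: Create Istio sidecar manifest
  waitFor: ['Build Helm Image', 'Extract Istio']
  entrypoint: /bin/bash
  args:
  - '-c'
  - |
    # Stop early when either version file is missing or empty; otherwise helm would
    # render an empty image tag and the apply step would likely roll out broken pods.
    set -euo pipefail
    ISTIO_PACKAGE=$(cat istio.package)
    ISTIO_VERSION=$(cat istio.version)
    if [[ -z "$$ISTIO_PACKAGE" || -z "$$ISTIO_VERSION" ]]; then
      echo "istio.package or istio.version is empty; 'Get Istio version' did not succeed" >&2
      exit 1
    fi
    helm template \
      --namespace gke-system \
      --set global.hub=gcr.io/gke-release/istio \
      --set global.tag=$$ISTIO_PACKAGE \
      --set pilot.enabled=false \
      --set security.enabled=true \
      --set sidecarInjectorWebhook.enabled=true \
      --set sidecarInjectorWebhook.rewriteAppHTTPProbe=true \
      --values istio-$$ISTIO_VERSION/install/kubernetes/helm/istio/values-istio-minimal.yaml \
      istio-$$ISTIO_VERSION/install/kubernetes/helm/istio > istio-sidecar-injector-webhook.yaml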
# Apply the rendered sidecar injector webhook manifest to the cluster.
# This step keeps the kubectl builder's default entrypoint, which selects the
# cluster from the CLOUDSDK_* variables below.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Apply Istio sidecar manifest
  waitFor: ['Create Istio sidecar manifest']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'apply'
  - '-f'
  - 'istio-sidecar-injector-webhook.yaml'
# Inject the Istio sidecar proxy to all pods in the namespace
# https://cloud.google.com/solutions/authorizing-access-to-cloud-run-on-gke-services-using-istio#deploying_a_sample_service
# The label only affects pods created after it is set; anything already running in
# the namespace keeps running without a proxy until it is recreated.
- name: 'gcr.io/cloud-builders/kubectl'
  id: Inject Istio sidecar to Namespace
  waitFor: ['Create Namespace', 'Apply Istio sidecar manifest']
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=${_CLUSTER_LOCATION}'
  - 'CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}'
  args:
  - 'label'
  - 'namespace'
  - '${_NAMESPACE}'
  - 'istio-injection=enabled'
# ===========================================================================
# ========== END ISTIO 1.4 SIDECAR INJECTOR WEBHOOK INSTALLATION ==========
# ===========================================================================