0:dZddlmZddlmZddlmZddlZddlZddlZddlZddl m Z ddl m Z ddlmZdd lmZddlm Zdd lmZdd lmZdd lmZdd lmZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+d Z,ejZd!gd"Z.d#Z/d$Z0d%Z1d&Z2d'Z3d(Z4d)Z5d*Z6d+Z7d,Z8d-Z9d.Z:d/Z;d0Zd3Z?d4Z@d5ZAGd6d7eBZCd8ZDGd9d:ejZFGd;dejZHy)?z6Utils for mesh flag in the instance template commands.)absolute_import)division)unicode_literalsN)util)service_proxy_aux_data)api_util) kube_util) exceptions)execution_utils)yaml)fileszistio-eastwestgatewayzYgs://gce-service-proxy/service-proxy-agent/releases/service-proxy-agent-asm-{}-stable.tgzzKgs://gce-service-proxy/service-proxy-agent-installer/releases/installer.tgzzgce-service-proxy-asm-version"gce-service-proxy-installer-bucketzgce-service-proxy-agent-bucketzservice.istio.io/canonical-namez#service.istio.io/canonical-revisionzapp.kubernetes.io/namezapp.kubernetes.io/versionISTIO_META_CLOUDRUN_ADDR CLOUDRUN_ADDR15012z (.*)\/(.*)z#\/\/gkehub(.*).googleapis.com\/(.*)z:(.*)-zistio-sidecar-injectoristiodzmeshconfig.googleapis.com:443ServiceProxyMetadataArgs) asm_version project_idexpansionagateway_ipservice_proxy_api_serveridentity_providerservice_accountasm_proxy_configmcp_env_config trust_domainmesh_idnetwork asm_labels workload_nameworkload_namespacecanonical_servicecanonical_revision asm_revision root_certctjt|}|r"|jd|jdfSt j dj |)zParses the workload value to workload namespace and name. Args: workload: The workload value with namespace/name format. Returns: workload namespace and workload name. Raises: Error: if the workload value is invalid. zSvalue workload: {} is invalid. Workload value should have the formatnamespace/name.)research_WORKLOAD_PATTERNgroupr Errorformat)workloadworkload_matchs Flib/googlecloudsdk/command_lib/compute/instance_templates/mesh_util.py ParseWorkloadr2Ms[99.9.    "N$8$8$; ;;x( **ctjt|}|r|jdSt j dj |)apGet membership name from an owner id value. Args: owner_id: The owner ID value of a membership. e.g., //gkehub.googleapis.com/projects/123/locations/global/memberships/test. Returns: The full resource name of the membership, e.g., projects/foo/locations/global/memberships/name. Raises: Error: if the membership name cannot be parsed. r(zvalue owner_id: {} is invalid.)r)r*_GKEHUB_PATTERNr,r r-r.)owner_idmembership_matchs r1_ParseMembershipNamer8asJYY9  ! !! $$&--h7 99r3c|s td tj|}t |ddd}|s tdt|}tj|}|js$t jdj |d j |j|S#tj$r*}t jdj ||d}~wwxYw) aRGet the identity provider for the VMs. Args: membership_manifest: The membership manifest from the cluster. workload_namespace: The namespace of the VM workload. Returns: The identity provider value to be used on the VM connected to the cluster. Raises: ClusterError: If the membership manifest cannot be read. z2Cannot verify an empty membership from the clusterz&Invalid membership from the cluster {}NspecowneridznInvalid membership does not have an owner id. Please make sure your cluster is correctly registered and retry.zwInvalid membership {} does not have a unique_Id field. Please make sure your cluster is correctly registered and retry.z {}@google@{}) ClusterErrorr loadr-r r._GetNestedKeyFromManifestr8r GetMembershipuniqueId)membership_manifestr!membership_dataer6membership_name memberships r1_GetVMIdentityProviderrGvs  K LLQii 34O 'vw.(    !!)2/%%o6*      3396/3J LL   z224F GG% Q   0778KLa QQQsB++C(>%C##C(cn |d}|S#ttf$r|ricYStjdwxYw)zRetrieve proxy config from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: proxy_config: The proxy config from the mesh config. defaultConfigz8Proxy config cannot be found in the Anthos Service Mesh.KeyError TypeErrorr r-)is_mcp mesh_config proxy_configs r1_RetrieveProxyConfigrPsRD/L  I D i   B DDDs  44cj |d}|S#ttf$r|rYytjdwxYw)zRetrieve trust domain from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: trust_domain: The trust domain from the mesh config. trustDomainNz8Trust Domain cannot be found in the Anthos Service Mesh.rJ)rMrNrs r1_RetrieveTrustDomainrSsPD}-L  I D    B DDDs  22ct||} |d}|S#ttf$r|rYytjdwxYw)zRetrieve mesh id from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: mesh_id: The mesh id from the mesh config. meshIdNz3Mesh ID cannot be found in the Anthos Service Mesh.)rPrKrLr r-)rMrNrOrs r1_RetrieveMeshIdrVsX&fk:,?8$G . I ?    = ???s >>cPtd|}|i}|jdtS)zGet the discovery address used in the MCP installation. Args: mesh_config: A mesh config from the cluster. Returns: The discovery address. T)rMrNdiscoveryAddress)rPget _MCP_ADDRESS)rNrOs r1_RetrieveDiscoveryAddressr[s1&T{K,L   ,l ;;r3c,|j|}|ryy)zCheck if ASM control plane is managed. Args: kube_client: A kubernetes client for the cluster. revision: The ASM revision to check for control plane type. Returns: True if the control plane is MCP, otherwise False. TF)RetrieveMutatingWebhookURL) kube_clientrevisionurls r1_IsMCPras ..x8#  r3c|s td tj|}t |ddd}|S#tj$r*}t jdj |d}~wwxYw)zGet the workload labels from a workload manifest. Args: workload_manifest: The manifest of the workload. Returns: The workload labels. Raises: WorkloadError: If the workload manifest cannot be read. 0Cannot verify an empty workload from the cluster$Invalid workload from the cluster {}Nr:metadatalabels WorkloadErrorr r>r-r r.r?)workload_manifest workload_datarDworkload_labelss r1_GetWorkloadLabelsrls  J KKIII/0M .mVZ.68/  I   .55mDa III4A1%A,,A1c0t|}t||S)zGet the canonical service name of the workload. Args: workload_name: The name of the workload. workload_manifest: The manifest of the workload. Returns: The canonical service name of the workload. )rl_ExtractCanonicalServiceName)r rirks r1_GetCanonicalServiceNamerp"s''89/ %o} EEr3c.t|}t|S)zGet the canonical service revision of the workload. Args: workload_manifest: The manifest of the workload. Returns: The canonical service revision of the workload. )rl _ExtractCanonicalServiceRevision)rirks r1_GetCanonicalServiceRevisionrs1s''89/ )/ ::r3c|s|S|jt}|r|S|jt}|r|S|jd}|r|S|S)zGet the canonical service name of the workload. Args: workload_labels: A map of workload labels. workload_name: The name of the workload. Returns: The canonical service name of the workload. app)rY#_ISTIO_CANONICAL_SERVICE_NAME_LABEL_KUBERNETES_APP_NAME_LABEL)rkr svcs r1roro?s]  ?@# J67# JE"# J r3c|sy|jt}|r|S|jt}|r|S|jd}|r|Sy)zGet the canonical service revision of the workload. Args: workload_labels: A map of workload labels. Returns: The canonical service revision of the workload. latestversion)rY'_ISTIO_CANONICAL_SERVICE_REVISION_LABEL_KUBERNETES_APP_VERSION_LABEL)rkrevs r1rrrr[sW  CD# J9:# JI&# J r3c|s td tj|}t |dddd}|dk7r td y#tj$r*}t jdj ||d}~wwxYw) z(Verify VM workload setup in the cluster.rcrdNr:re annotationsz*security.cloud.google.com/IdentityProvidergooglezUnable to find the GCE IdentityProvider in the specified WorkloadGroup. Please make sure the GCE IdentityProvider is specified in the WorkloadGroup.rg)rirjrDidentity_provider_values r1VerifyWorkloadSetuprvs  J KKMII/0M 6VZ24( ) **) M   .556GH! MMMsAB%A<<Bc|s td tj|}t |ddd}|s td|S#tj$r*}t jdj ||d}~wwxYw)z;Retrieve the Anthos Service Mesh revision for the workload.z1Cannot verify an empty namespace from the clusterz%Invalid namespace from the cluster {}Nrerfz istio.io/revzWorkload namespace does not have an Anthos Service Mesh revision label. Please make sure the namespace is labeled and try again.rg)namespace_manifestnamespace_datarDworkload_revisions r1RetrieveWorkloadRevisionrs  K LLOYY12N 0 08.J  4 55  O   /667IJA OOOsAA>%A99A>c|s td tj|}t |ddd}|S#tj$r*}t jdj ||d}~wwxYw)z3Retrieve the service account used for the workload.rcrdNr:templateserviceAccountrg)rirjrDrs r1_RetrieveWorkloadServiceAccountrs  J KKMII/0M .mVZ.>@/  M   .556GH! MMMrmc D|r#d} d} d} t| }|j| }not|jvr|jt} n|j | } |j } |j } dj| t}d}t||}t|}t|| }t|| }t|| }|jdd}t|}t!||}t#|}t%| || |||||||||||||| | S)z?Retrieve the necessary metadata to configure the service proxy.Nz{}:{}/)r[RetrieveEnvConfig'_GCE_SERVICE_PROXY_ASM_VERSION_METADATAreRetrieveASMVersionRetrieveExpansionGatewayIPRetrieveKubernetesRootCertr._ISTIO_DISCOVERY_PORTrGrrPrSrVsplitrlrprsr)argsrMr^rnetwork_resourcer!r rirBr$rNrrr%r env_configrrrrrrrr"r#s r1_RetrieveServiceProxyMetadatarsN KI8E..|%fk:, FK 0'  " "3 ' +'!"34*.}>OP34EF !:35M*:JGWj-+-?  r3c |jr |j}ntj}|j|t<|j |t <tj|d}tj}d|d<|j|jdd|d<i|d<|j}|stj}d |vrtj|d <ntj|d |d <|d }|j|d <|j|d <d |d <d |d<|j|d<|j|d<|j|d<|j r|j |d<|j"r|j"|d<dj%|j&|j|d<|j|d<|j |d<||d<|j(dk(rd|d<n|j(|d<tj}tj} d| d<d| d<|rmd d!t*j,iig| d"<|j/|j0t2|vr|t2|t4<d#|j6vrt8|j6d#<nd d!t*j:j%|j<|j($iig| d"<|j>|d%<|j@|j6d&<tB|j6vr0tDj%|j>|j6tB<| g|d'<||d(<d |j6d)<d |j6d*<d+|j6d,<tj||j6d-<tj|d|j6d.<|jFtj|_#|j|jFd0<|j|jFd1<|j"r|j"|jFd2<n=tIjJ|j&} d3j%| |jFd2<d4|jFd.<y/)5zCModify the instance template to include the service proxy metadata.T) sort_keysONmodeinfo)rz api-serverz log-levelz proxy-specservice proxyMetadataISTIO_META_WORKLOAD_NAME POD_NAMESPACEtrueUSE_TOKEN_FOR_CSRISTIO_META_DNS_CAPTUREISTIO_META_AUTO_REGISTER_GROUPSERVICE_ACCOUNTCREDENTIAL_IDENTITY_PROVIDER TRUST_DOMAINISTIO_META_MESH_ID{}-{}ISTIO_META_NETWORKCANONICAL_SERVICECANONICAL_REVISIONISTIO_METAJSON_LABELSdefault ASM_REVISIONzinstall-gce-service-proxy-agentname INSTALLED desired_state scriptRunscript installStepsr) ingress_ipr$ISTIO_META_ISTIO_VERSIONrootcertsoftwareRecipesz asm-configzenable-osconfigzenable-guest-attributestaskszosconfig-disabled-featureszgce-software-declarationzgce-service-proxyNasm_service_nameasm_service_namespacerzproj-{}z asm-istiod)&r collections OrderedDictr"rvr#r|jsondumpsrrrr r!rrrrr.rr$r.startup_script_for_asm_service_proxy_installerupdater_CLOUDRUN_ADDR_KEY_ISTIO_META_CLOUDRUN_ADDR_KEYre$_SERVICE_PROXY_INSTALLER_BUCKET_NAME$startup_script_for_asm_service_proxyrrr%(_GCE_SERVICE_PROXY_AGENT_BUCKET_METADATA_SERVICE_PROXY_BUCKET_NAMErf project_utilGetProjectNumber) rrM metadata_argsrasm_labels_stringservice_proxy_configrOproxy_metadatagce_software_declarationservice_proxy_agent_recipeproject_numbers r1_ModifyInstanceTemplaters))J((*J.;-L-L )+2?1Q1Q -/jjt<$002!%v&&!::(|$ %'y!//, **,LL($/$;$;$=L!$/$;$;_%%'L! 0./"+8+@+@N'()0 5 5*7.%&(5(G(G.$%)6)I)I.%&,=.()9,%'N>"%2%?%?N>"(446*668'HV$0;_-  &?? 32~.-667^+6D 7n23+4==@ . mm89  &KK,AA!.!;!;= 32~.2?1J1JN-. - 7 7DMM*/t}}D)// 0I0IJ mm 242L0L,-'3|$%+$--!"-3$--)*07$--,-.2jj/ $--*+'+zzd(,$--#$ [[))+DK$1$C$C$++ !)6)I)I$++%&*22DKK "22=3K3KLN&--n=DKK %1$++!"r3c `t||} t|| ||||||||| } t|| | y)z@Configure the provided instance template args with ASM metadata.N)rarr) rr^rrr!r rirBr$rNrMservice_proxy_metadata_argss r1ConfigureInstanceTemplater`sF +| ,& = FK-=-): @@ Jr3c|jgdd\}}|r)d|vrytjdj|y)z*Verifies if GKE Hub membership CRD exists.)rY1customresourcedefinitions.v1.apiextensions.k8s.ior NrFz'Error retrieving the Membership CRD: {}Trrrrs r1r z%KubernetesClient._MembershipCRDExistssT    #$(*FAs s     3 : :3 ? AA r3c|js td|jgdd\}}|r3d|vr tdtjdj ||S)z/Get the YAML output of the IdentityProvider CR.zoIdentityProvider CRD is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.)rY+identityproviders.security.cloud.google.comrrr NrzfGCE identity provider is not found in the cluster. Please install Anthos Service Mesh with VM support.zAError retrieving IdentityProvider google in default namespace: {})_IdentityProviderCRDExistsr=rr r-r.r s r1GetIdentityProviderCRz&KubernetesClient.GetIdentityProviderCRs  * * ,  ; << !"&(HC s  BC C    M 6#;  Jr3c|jgdd\}}|r)d|vrytjdj|y)z)Verifies if Identity Provider CRD exists.)rYrrNrFz.Error retrieving the Identity Provider CRD: {}Trrs r1rz+KubernetesClient._IdentityProviderCRDExistssT    89=?FAs s     : A A# F HH r3c |js td|jdd|d|ddgd\}}|rEd|vrtd j ||t j d j ||||S) z6Get the YAML output of the specified WorkloadGroup CR.z\WorkloadGroup CRD is not found in the cluster. Please install Anthos Service Mesh and retry.rY"workloadgroups.networking.istio.iorrr NrzhWorkloadGroup {} in namespace {} is not found in the cluster. Please create the WorkloadGroup and retry.z5Error retrieving WorkloadGroup {} in namespace {}: {})_WorkloadGroupCRDExistsr=rrhr.r r-)rr!r rrs r1GetWorkloadGroupCRz#KubernetesClient.GetWorkloadGroupCRs  ' ' )  + ,, 3]DD&!  HC s  BBH&1C34 4    A H H/ 6 77 Jr3c|jgdd\}}|r)d|vrytjdj|y)z%Verifies if WorkloadGroup CRD exists.)rYrrNrFz*Error retrieving the WorkloadGroup CRD: {}Trrs r1rz(KubernetesClient._WorkloadGroupCRDExistssT    /046FAs s     6 = =c B DD r3c|jddtddgd\}}|r)d|vrytjdj |y ) z8Verifies if the ASM Expansion Gateway deployment exists.rYdeployr istio-systemNrFz5Error retrieving the expansion gateway deployment: {}Tr_EXPANSION_GATEWAY_NAMEr r-r.rs r1 ExpansionGatewayDeploymentExistsz1KubernetesClient.ExpansionGatewayDeploymentExists)s\    14H$PFAs s     A H H M OO r3c|jddtddgd\}}|r)d|vrytjdj |y ) z5Verifies if the ASM Expansion Gateway service exists.rYrrrNrFz2Error retrieving the expansion gateway service: {}Trrs r1ExpansionGatewayServiceExistsz.KubernetesClient.ExpansionGatewayServiceExists4s\     2D.I4QFAs s     > E Ec J LL r3c J|jstdjt|j stdjt|j ddtddddgd \}}|r$t jd j||S) z4Retrieves the expansion gateway IP from the cluster.ztThe gateway {} deployment is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.zqThe gateway {} service is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.rYrxrrrz-jsonpath={.status.loadBalancer.ingress[0].ip}Nz)Error retrieving expansion gateway IP: {})r!r=r.r r#rr r-r s r1rz+KubernetesClient.RetrieveExpansionGatewayIP?s  0 0 2  CCI6%D' ((  - - /  CCI6%D' ((  u-t^T7!  HC    5 < )rr_env_config_namerrrs r1rz"KubernetesClient.RetrieveEnvConfig~s9o 1o  _dN ! #$(*HC s  )+ +    C J Js $ %%A99S>j  ::A    3 : :3 ? AAAs <B8C c |dk(rd}ndj|}|jdd|dddd gd \}}|rBd |vrtd j|tjd j| t j |}|S#t j$r%tjdj|wxYw)z.Retrieves the MeshConfig for the ASM revision.ristiozistio-{}rYr&rrrzjsonpath={.data.mesh}Nrr*z5Error retrieving the mesh config from the cluster: {}z(Invalid mesh config from the cluster: {}r0)rr_mesh_config_namerrrNs r1RetrieveMeshConfigz#KubernetesClient.RetrieveMeshConfigs9 #**84  -t^ & ()-/HC s  )+ +    A H H  BIIcNk  ::B    4 ; ;C @ BBBs ;B8C cz|dk(rt}ndjt|}djt|}|jdd|ddgd\}}|jdd|ddgd\}}|rH|rFd|vrd|vrt d j|t j d j||r|S|S) z7Retrieves the Mutating Webhook URL used for a revision.rrrYmutatingwebhookconfigurationrz(jsonpath={.webhooks[0].clientConfig.url}Nrr*zHError retrieving the mutating webhook configuration from the cluster: {})_INCLUSTER_WEBHOOK_PREFIXr._MCP_WEBHOOK_PREFIXrr=r r-)rr_incluster_webhook mcp_webhook incluster_out incluster_errmcp_outmcp_errs r1r]z+KubernetesClient.RetrieveMutatingWebhookURLs93!..)BHM..!4h?K#'#3#3 .0A 9 ;<@$B M='' . 9 ;<@BGW } $w)> )+ +     & ((  Nr3ctjg}|jr|jd|jg|jr|jd|jg|jd|j g|j|t j}t j}tj|d|j|j|}|dk7r0|js |jdj||dk(r|jnd|dk7r|jfSdfS) aBRuns a kubectl command with the cluster referenced by this client. Args: args: command line arguments to pass to kubectl stdin: text to be passed to kubectl via stdin Returns: The contents of stdout if the return code is 0, stderr (or a fabricated error if stderr is empty) otherwise z --contextz --kubeconfigz--request-timeoutT)no_exitout_funcerr_funcin_strrz"kubectl exited with return code {}N) c_utilCheckKubectlInstalledrextendrrioStringIOr Execwritegetvaluer.)rrstdincmdrr returncodes r1rzKubernetesClient._RunKubectls  ' ' ) *C || jj+t||,-  jj.$//23JJ#T%9%9:;JJt ++-C ++-C %% TCII %JQs||~ ii4;;JGH'1_3<<>$ q9< 9 ##" ##r3r)__name__ __module__ __qualname____doc__rrrrrr rr rrrrr!r#rrrrr5r]rrr3r1rroso5" ' 2.( * ,   . 5688@#r3rcd|D]}t|tsy ||}|S#t$rYywxYw)aGet the value of a key path from a dict. Args: manifest: the dict representation of a manifest *keys: an ordered list of items in the nested key Returns: The value of the nested key in the manifest. None, if the nested key does not exist. N) isinstancedictrK)manifestkeyskeys r1r?r?sDc h % #h  /  s " //ceZdZdZy)PermissionsErrorz3Class for errors raised when verifying permissions.NrPrQrRrSrr3r1r[r[ s;r3r[ceZdZdZy)r=z5Class for errors raised when verifying cluster setup.Nr\rr3r1r=r=s=r3r=ceZdZdZy)rhz6Class for errors raised when verifying workload setup.Nr\rr3r1rhrhs>r3rh)IrS __future__rrrrrHrr) googlecloudsdk.api_lib.containerrrE5googlecloudsdk.command_lib.compute.instance_templatesr*googlecloudsdk.command_lib.container.fleetrr r#googlecloudsdk.command_lib.projectsrgooglecloudsdk.corer r r googlecloudsdk.core.utilr r rrr,_GCE_SERVICE_PROXY_INSTALLER_BUCKET_METADATArrvr|rwr}rrrr+r5r+r8r9rZ namedtuplerr2r8rGrPrSrVr[rarlrprsrorrrrrrrrobjectrr?r-r[r=rhrr3r1ris=&' ;X?QD*/$*1,%+J'(-+K(&G#*O'5 ; :$!8 4. 1;112LO*(9*$HN**.<(*6 F ;86***  0fz2z EE#vE#P *:##>?J$$?r3