sassoftware / viya4-deployment

This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0
71 stars, 64 forks

Can't use customer-provided-merge-sas-certframe-configmap.yaml #229

Closed FrederikVandenberghe closed 2 years ago

FrederikVandenberghe commented 2 years ago

Hi,

I'm using a custom customer-provided-merge-sas-certframe-configmap.yaml and used it with IaC scripts till now. However, when using it with release 4.12.2 it's not working anymore.

Could it be that in ../roles/vdm/tasks/tls.yaml (Line 219)

Frederik.

thpang commented 2 years ago

Hi @sayeun, I've assigned this to you. Seems like the new TLS code base is breaking an existing setup that worked prior to the change from cert-manager -> openssl. Can you have someone look at this? Thanks.

jarpat commented 2 years ago

Hey @FrederikVandenberghe, could you describe the scenario of how you are using your custom customer-provided-merge-sas-certframe-configmap.yaml with the viya4-deployment code base that was working previously?

The typical workflow would be to set the following: V4_CFG_TLS_GENERATOR, V4_CFG_TLS_DURATION, V4_CFG_TLS_ADDITIONAL_SAN_DNS, & V4_CFG_TLS_ADDITIONAL_SAN_IP in your ansible-vars.yaml

See CONFIG-VARS doc here for those variables: https://github.com/sassoftware/viya4-deployment/blob/main/docs/CONFIG-VARS.md#tls

The "tls - Configuring Certificate Attributes" Ansible task should then fill out the template we have for that file here: https://github.com/sassoftware/viya4-deployment/blob/main/roles/vdm/templates/generators/customer-provided-merge-sas-certframe-configmap.yaml

FrederikVandenberghe commented 2 years ago

I always used my own customer-provided-merge-sas-certframe-configmap.yaml and placed it in the site-config/security folder. During viya4-deployment this yaml is then seen as a user-defined kustomization. In there I specify an additional SAN DNS for TLS. So far I didn't use V4_CFG_TLS_ADDITIONAL_SAN_DNS. I might end up with the same result, but the way I used till now was working prior to 4.12.2.

FrederikVandenberghe commented 2 years ago

To add on that: I do specify V4_CFG_TLS_CERT/V4_CFG_TLS_KEY in my ansible-vars-iac.yaml

jarpat commented 2 years ago

Thanks for the information @FrederikVandenberghe, one more question: in the kustomization.yaml file that gets generated, under the "generators" section, is "customer-provided-merge-sas-certframe-configmap.yaml" included at all? If so, what's the path associated with that line?

FrederikVandenberghe commented 2 years ago

@jarpat I got an error when the kustomization.yaml is generated. I guess because there's a conflict with the customer-provided-merge-sas-certframe-configmap.yaml I provided and the one generated by the Ansible script? The script is generating a merge-sas-certframe-configmap.yaml in tls.yaml in the block between line 210 and line 223. I think the merge-sas-certframe-configmap.yaml should not be generated when the customer is providing a V4_CFG_TLS_CERT and V4_CFG_TLS_KEY and/or does not provide the V4_CFG_TLS_ADDITIONAL_SAN_DNS.

Here's the error I saw:

2022-05-23T13:51:54.4194243Z TASK [vdm : kustomize - Generate kustomization.yaml] ***
2022-05-23T13:51:54.4195763Z changed: [localhost]
2022-05-23T13:51:54.4264711Z Monday 23 May 2022 13:51:54 +0000 (0:00:00.328) 0:00:29.274 ****
2022-05-23T13:52:13.8705398Z
2022-05-23T13:52:13.8707057Z TASK [vdm : kustomize - Generate deployment manifest] **
2022-05-23T13:52:13.8712118Z fatal: [localhost]: FAILED! => {
  "changed": true,
  "cmd": ["kustomize", "build", "/data/hackinsas-demo-aks/hackinsas-demo", "--load_restrictor=none", "-o", "/data/hackinsas-demo-aks/hackinsas-demo/site.yaml"],
  "delta": "0:00:19.285087",
  "end": "2022-05-23 13:52:13.852050",
  "msg": "non-zero return code",
  "rc": 1,
  "start": "2022-05-23 13:51:54.566963",
  "stderr": "Error: loading generator plugins: accumulateFile \"merging resources from 'site-config/security/customer-provided-merge-sas-certframe-configmap.yaml': may not add resource with an already registered id: ~G_builtin_ConfigMapGenerator|~X|sas-certframe-user-config\", loader.New \"Error loading site-config/security/customer-provided-merge-sas-certframe-configmap.yaml with git: url lacks host: site-config/security/customer-provided-merge-sas-certframe-configmap.yaml, dir: got file 'customer-provided-merge-sas-certframe-configmap.yaml', but '/data/hackinsas-demo-aks/hackinsas-demo/site-config/security/customer-provided-merge-sas-certframe-configmap.yaml' must be a directory to be a root, get: invalid source string: site-config/security/customer-provided-merge-sas-certframe-configmap.yaml\"",
  "stderr_lines": ["Error: loading generator plugins: accumulateFile \"merging resources from 'site-config/security/customer-provided-merge-sas-certframe-configmap.yaml': may not add resource with an already registered id: ~G_builtin_ConfigMapGenerator|~X|sas-certframe-user-config\", loader.New \"Error loading site-config/security/customer-provided-merge-sas-certframe-configmap.yaml with git: url lacks host: site-config/security/customer-provided-merge-sas-certframe-configmap.yaml, dir: got file 'customer-provided-merge-sas-certframe-configmap.yaml', but '/data/hackinsas-demo-aks/hackinsas-demo/site-config/security/customer-provided-merge-sas-certframe-configmap.yaml' must be a directory to be a root, get: invalid source string: site-config/security/customer-provided-merge-sas-certframe-configmap.yaml\""],
  "stdout": "",
  "stdout_lines": []
}

jarpat commented 2 years ago

Thanks for the error output. So upon inspection, the conditional you pointed at on L219 is actually correct; it was actually incorrect earlier, which had a side effect of allowing you to provide your own customer-provided-merge-sas-certframe-configmap.yaml in the /site-config directory.

https://github.com/sassoftware/viya4-deployment/blob/c2c084eeb355fd70df309eebbb43af38ccec00b6/roles/vdm/tasks/tls.yaml#L219

The recommended way to configure customer-provided-merge-sas-certframe-configmap.yaml is still to set V4_CFG_TLS_GENERATOR, V4_CFG_TLS_DURATION, V4_CFG_TLS_ADDITIONAL_SAN_DNS, & V4_CFG_TLS_ADDITIONAL_SAN_IP in your ansible-vars.yaml, which will fill out a template that we have in the repo and produce an identical file to what you were providing earlier. https://github.com/sassoftware/viya4-deployment/blob/main/roles/vdm/templates/generators/customer-provided-merge-sas-certframe-configmap.yaml

On our end we are planning to write a doc that states in a clear manner that any customization files that we have templatized here https://github.com/sassoftware/viya4-deployment/tree/main/roles/vdm/templates are configured via exposed variables we have documented in the https://github.com/sassoftware/viya4-deployment/blob/main/docs/CONFIG-VARS.md file.
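The kustomize failure quoted above happens because two files listed under `generators:` both declare a `ConfigMapGenerator` named `sas-certframe-user-config` (the templated one and the user's copy in site-config/security), and kustomize registers generator ids before it ever runs a merge. The script below is an added example, not viya4-deployment's own code: a pre-flight check that computes the same `<group>_<version>_<kind>|<namespace>|<name>` id for every listed generator file and reports duplicates before `kustomize build` is invoked. The fixture it builds is constructed for the demo; the path of the templated copy (site-config/vdm/generators/...) and the `literals` values are assumptions, and only the generator name comes from the issue's error output.

```shell
#!/bin/sh
# Added example (not viya4-deployment code): pre-flight check for the
# "may not add resource with an already registered id" condition, done
# offline by deriving each generator's id from its apiVersion/kind/name.
set -eu

# Print the paths listed under the top-level `generators:` key of
# DIR/kustomization.yaml, one per line (indented "- path" items).
list_generators() {
  awk '
    /^generators:/   { in_g = 1; next }
    /^[^ ]/          { in_g = 0 }
    in_g && /^ *- /  { sub(/^ *- */, ""); print }
  ' "$1/kustomization.yaml"
}

# Print the kustomize-style id of one builtin generator plugin file:
#   <group>_<version>_<kind>|<namespace>|<name>
# "~G" and "~X" stand for an empty group and an empty namespace, the
# same notation as the id quoted in the issue's error message.
generator_id() {
  awk '
    /^[^ ]/                { in_meta = 0 }
    /^apiVersion:/         { v = $2 }
    /^kind:/               { k = $2 }
    /^metadata:/           { in_meta = 1; next }
    in_meta && /^ +name:/  { n = $2 }
    END {
      g = "~G"
      if (index(v, "/") > 0) { split(v, p, "/"); g = p[1]; v = p[2] }
      printf "%s_%s_%s|~X|%s\n", g, v, k, n
    }
  ' "$1"
}

# Print every generator id that occurs more than once under DIR.
duplicate_generator_ids() {
  dir=$1
  list_generators "$dir" | while IFS= read -r rel; do
    generator_id "$dir/$rel"
  done | sort | uniq -d
}

# Return 1 (listing the offending ids on stderr) if `kustomize build`
# would fail on a duplicate generator id; return 0 otherwise.
preflight() {
  dups=$(duplicate_generator_ids "$1")
  if [ -n "$dups" ]; then
    printf 'duplicate generator id(s) in %s:\n%s\n' "$1" "$dups" >&2
    return 1
  fi
  return 0
}

# Build a throwaway deployment tree under DIR. With WITH_USER_COPY=1 it
# mirrors the issue: the templated generator plus a user-supplied copy in
# site-config/security, both named sas-certframe-user-config. The path of
# the templated copy and the literal are assumptions for this demo.
write_fixture() {
  dir=$1; with_user_copy=$2
  mkdir -p "$dir/site-config/security" "$dir/site-config/vdm/generators"
  cat > "$dir/site-config/vdm/generators/customer-provided-merge-sas-certframe-configmap.yaml" <<'EOF'
apiVersion: builtin
kind: ConfigMapGenerator
metadata:
  name: sas-certframe-user-config
behavior: merge
literals:
  - SAS_CERTIFICATE_ADDITIONAL_SAN_DNS=viya.example.com
EOF
  {
    echo 'generators:'
    echo '  - site-config/vdm/generators/customer-provided-merge-sas-certframe-configmap.yaml'
  } > "$dir/kustomization.yaml"
  if [ "$with_user_copy" = 1 ]; then
    cp "$dir/site-config/vdm/generators/customer-provided-merge-sas-certframe-configmap.yaml" \
       "$dir/site-config/security/customer-provided-merge-sas-certframe-configmap.yaml"
    echo '  - site-config/security/customer-provided-merge-sas-certframe-configmap.yaml' \
      >> "$dir/kustomization.yaml"
  fi
}

# Demo: the colliding layout fails the check; drop the user copy and
# configure V4_CFG_TLS_* variables instead, and it passes.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/certframe-demo.XXXXXX")
write_fixture "$demo_dir" 1
if preflight "$demo_dir"; then echo "no duplicate generator ids"; fi
```

Run it before the `kustomize - Generate deployment manifest` task (or as a standalone check on the generated tree); a non-zero exit from `preflight` means the user-supplied generator file collides with one the templates already produce and should be removed in favour of the documented variables.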

FrederikVandenberghe commented 2 years ago

Ok in that case you can close this issue.

jarpat commented 2 years ago

Closing, released as part of #242