This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0
feat: (IAC-696) DAC - Install gke-gcloud-auth-plugin with viya4-deployment for K8s v1.26 #435
Existing versions of kubectl and custom Kubernetes clients contain provider-specific code to manage authentication between the client and Google Kubernetes Engine. Starting with v1.26, that authentication code will no longer be included as part of the OSS kubectl. The gke-gcloud-auth-plugin will fill the gap for the authentication code that is being removed from kubectl.
viya4-deployment supports using two types of GKE kubernetes configuration files, also known as kubeconfig files. The gke-gcloud-auth-plugin binary is required to access a GKE cluster when using kubectl 1.26+ with a "provider based" kubernetes configuration file. The "service account and cluster role binding" kubernetes configuration file variant remains the same and still does not require either gcloud or the gke-gcloud-auth-plugin binary to communicate with the cluster.
The gke-gcloud-auth-plugin binary will now be installed as part of the viya4-deployment docker container and is available to the gcloud and kubectl binaries within the container.
If a viya4-deployment user has chosen to use a provider based kubernetes configuration file and runs viya4-deployment via Ansible, they will need to install the gcloud binary and gke-gcloud-auth-plugin using the documented instructions.
See doc here: https://github.com/sassoftware/viya4-deployment/pull/435/files#diff-8a22ddc8bcdf8b5b392d4e76e637e4e6fd79cba9ebf343dddef54713b947a293R20
Related viya4-iac-gcp changes
Updates in the PR for viya4-iac-gcp have been made to how the Provider based kubernetes configuration file is generated. The format has been updated to support the use of the gke-gcloud-auth-plugin. The gke-gcloud-auth-plugin allows client authentication to 1.26 GKE clusters with provider based kubernetes configuration files since provider specific authentication code will not be included with OSS kubectl any longer.
Tests
| Scenario | Task | Deployment method | Task tags | Security | KUBECONFIG | V4_CFG_CLOUD_SERVICE_ACCOUNT_NAME | gcloud version | gke-gcloud-auth-plugin | kubectl version | k8s version | Orchestration | Provider | Cadence | INGRESS_NGINX_CHART_VERSION | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | OOTB | docker | baseline,viya,install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 427.0.0 | 0.5.2 (reported from gcloud version) | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | |
| 2 | OOTB | docker | baseline,viya,install | same as above | static kubeconfig | n/a | 428.0.0 | 0.5.2 | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | |
| 3 | OOTB | ansible | baseline,viya,install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 427.0.0 | 0.5.2 | 1.25.5 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | Ansible deployment method with non-static kubeconfig is not supported |
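A preflight check for the kubeconfig distinction described in this PR, as an added example that is not part of the PR or of the viya4-deployment code base. It classifies each kubeconfig user entry and reports what would stop a given kubectl minor version from authenticating; the function names and sample entries are hypothetical, and the static variant is assumed to carry a bearer token.

```python
import os
import shutil

PLUGIN = "gke-gcloud-auth-plugin"

def classify_user(user):
    """Return the auth style of one kubeconfig `user` mapping."""
    if "exec" in user:
        return "exec"            # provider based, new format
    if (user.get("auth-provider") or {}).get("name") == "gcp":
        return "legacy-gcp"      # provider based, old in-tree format
    if "token" in user or "tokenFile" in user:
        return "static-token"    # assumed shape of the service account variant
    return "other"

def preflight(kubeconfig, kubectl_minor, which=shutil.which):
    """List reasons kubectl 1.<kubectl_minor> could not authenticate with this config."""
    problems = []
    for entry in kubeconfig.get("users") or []:
        name, user = entry.get("name", "?"), entry.get("user") or {}
        style = classify_user(user)
        if style == "legacy-gcp" and kubectl_minor >= 26:
            problems.append(f"{name}: auth-provider 'gcp' is not in kubectl 1.26+; "
                            f"regenerate the kubeconfig for {PLUGIN}")
        elif style == "exec":
            command = (user.get("exec") or {}).get("command", "")
            # kubectl executes whatever binary the exec entry names, so check it.
            if os.path.basename(command) != PLUGIN:
                problems.append(f"{name}: exec runs '{command}', expected {PLUGIN}")
            elif which(command) is None:
                problems.append(f"{name}: '{command}' is not on PATH")
    return problems

# Constructed samples, already parsed (load real files with a YAML parser).
LEGACY = {"users": [{"name": "gke-legacy", "user": {"auth-provider": {"name": "gcp"}}}]}
PROVIDER = {"users": [{"name": "gke-plugin", "user": {"exec": {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": PLUGIN, "provideClusterInfo": True}}}]}
STATIC = {"users": [{"name": "sa-user", "user": {"token": "REDACTED"}}]}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("provider", PROVIDER), ("static", STATIC)):
        print(label, preflight(cfg, kubectl_minor=26) or "ok")
```

An empty list means the kubeconfig style and the local tooling match; the static variant passes whether or not the plugin is installed.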