sassoftware / viya4-deployment

This project contains Ansible code that creates a baseline in an existing Kubernetes environment for use with the SAS Viya Platform, generates the manifest for an order, and then can also deploy that order into the Kubernetes environment specified.
Apache License 2.0

feat: (IAC-696) DAC - Install gke-gcloud-auth-plugin with viya4-deployment for K8s v1.26 #435

Closed dhoucgitter closed 1 year ago

dhoucgitter commented 1 year ago

Changes

Existing versions of kubectl and custom Kubernetes clients contain provider-specific code to manage authentication between the client and Google Kubernetes Engine. Starting with v1.26, that authentication code will no longer be included as part of the OSS kubectl. The gke-gcloud-auth-plugin will fill the gap for the authentication code that is being removed from kubectl.

viya4-deployment supports using two types of GKE Kubernetes configuration files, also known as kubeconfig files. The gke-gcloud-auth-plugin binary is required to access a GKE cluster when using kubectl 1.26+ with a "provider based" Kubernetes configuration file. The "service account and cluster role binding" Kubernetes configuration file variant remains the same and still does not require either gcloud or the gke-gcloud-auth-plugin binary to communicate with the cluster. The gke-gcloud-auth-plugin binary will now be installed as part of the viya4-deployment Docker container and is available to the gcloud and kubectl binaries within the container. If a viya4-deployment user has chosen to use a provider based Kubernetes configuration file and runs viya4-deployment via Ansible, they will need to install the gcloud binary and gke-gcloud-auth-plugin using the documented instructions. See doc here: https://github.com/sassoftware/viya4-deployment/pull/435/files#diff-8a22ddc8bcdf8b5b392d4e76e637e4e6fd79cba9ebf343dddef54713b947a293R20

Related viya4-iac-gcp changes

Updates in the PR for viya4-iac-gcp have been made to how the provider based Kubernetes configuration file is generated. The format has been updated to support the use of the gke-gcloud-auth-plugin. The gke-gcloud-auth-plugin allows client authentication to 1.26 GKE clusters with provider based Kubernetes configuration files since provider specific authentication code will not be included with OSS kubectl any longer.

Tests

| Scenario | Task | Deployment method | Task tags | Security | KUBECONFIG | V4_CFG_CLOUD_SERVICE_ACCOUNT_NAME | gcloud version | gke-gcloud-auth-plugin | kubectl version | k8s version | Orchestration | Provider | Cadence | INGRESS_NGINX_CHART_VERSION | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | OOTB | docker | baseline,viya,install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 427.0.0 | 0.5.2 (reported from gcloud version) | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | |
| 2 | OOTB | docker | baseline,viya,install | same as above | static kubeconfig | n/a | 428.0.0 | 0.5.2 | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | |
| 3 | OOTB | ansible | baseline,viya,install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 427.0.0 | 0.5.2 | 1.25.5 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | Ansible deployment method with non-static kubeconfig is not supported |
| 4 | OOTB | ansible | baseline,viya,install | same as above | static kubeconfig | n/a | 428.0.0 | 0.5.2 | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.5.2 | |
| 5 | OOTB | docker | viya, install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 428.0.0 | 0.5.2 | 1.25.8 | 1.26.3 | DO | GCP | Fast | 4.5.2 | |
| 6 | logging/monitoring | docker | baseline,cluster-logging,cluster-monitoring,viya,install | front door TLS | non-static kubeconfig (auth-plugin) | sa_name@project_name.iam.gserviceaccount.com | 428.0.0 | 0.5.2 | 1.25.8 | 1.26.3 | deploy | GCP | Fast | 4.6.0 | |
| 7 | OOTB 1.25 cluster | docker | baseline,viya,install | front door TLS | static kubeconfig | n/a | 428.0.0 | 0.5.2 | 1.25.8 | 1.25.8-gke | deploy | GCP | stable:2023.04 | 4.6.0 | |
| 8 | OOTB 1.24 cluster | docker | baseline,viya,install | front door TLS | static kubeconfig | n/a | 428.0.0 | 0.5.2 | 1.25.8 | 1.24.12-gke.1000 | DO | GCP | stable:2023.04 | 4.6.0 | |
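
An added example, not part of this PR or of viya4-deployment: a preflight check for the Ansible path described above, where the host itself must supply gke-gcloud-auth-plugin. It classifies a kubeconfig as exec-plugin based, legacy gcp auth-provider, or static token, then checks that the plugin is on PATH when needed. The function names, exit codes and sample kubeconfig are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not viya4-deployment code. Function names are hypothetical.

# Print the auth style of a kubeconfig: exec-plugin | legacy-gcp | static | unknown
classify_kubeconfig() {
    if grep -Eq '^[[:space:]]*command:[[:space:]]*"?([^"]*/)?gke-gcloud-auth-plugin"?[[:space:]]*$' "$1"; then
        echo exec-plugin            # exec credential plugin, needed for kubectl 1.26+
    elif grep -A12 -E '^[[:space:]]*auth-provider:' "$1" |
         grep -Eq '^[[:space:]]*name:[[:space:]]*gcp[[:space:]]*$'; then
        echo legacy-gcp             # provider code no longer shipped in kubectl 1.26+
    elif grep -Eq '^[[:space:]]*token:[[:space:]]*[^[:space:]]' "$1"; then
        echo static                 # embedded service account token
    else
        echo unknown
    fi
}

# Succeeds when the plugin binary is resolvable on PATH.
plugin_available() {
    command -v gke-gcloud-auth-plugin >/dev/null 2>&1
}

# 0 = usable as is, 1 = plugin missing, 2 = regenerate kubeconfig, 3 = unrecognised
preflight() {
    case $(classify_kubeconfig "$1") in
        static) return 0 ;;
        exec-plugin)
            plugin_available && return 0
            echo "gke-gcloud-auth-plugin not found on PATH" >&2; return 1 ;;
        legacy-gcp)
            echo "legacy gcp auth-provider: regenerate the kubeconfig" >&2; return 2 ;;
        *)  echo "unrecognised kubeconfig auth section" >&2; return 3 ;;
    esac
}

# Constructed sample: users section of a provider based kubeconfig
sample=$(mktemp)
cat >"$sample" <<'EOF'
users:
- name: constructed-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      provideClusterInfo: true
EOF
echo "sample kubeconfig auth style: $(classify_kubeconfig "$sample")"
rm -f "$sample"
```

Running `preflight "$KUBECONFIG"` before an Ansible run turns a missing plugin into an explicit exit code instead of a kubectl authentication failure partway through the playbook.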