feat: (IAC-1211) Add optional helm authentication for dark site OCI C…

…ontainer Registries
sassoftware · Oct 24, 2023 · f67c5cb · f67c5cb
1 parent 45c19c8
commit f67c5cb
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 2 deletions.
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -15,6 +15,7 @@ Supported configuration variables are listed in the table below.  All variables
   - [SAS Software Order](#sas-software-order)
   - [SAS API Access](#sas-api-access)
   - [Container Registry Access](#container-registry-access)
+  - [OCI Container Registry Access](#oci-container-registry-access)
   - [Ingress](#ingress)
   - [Monitoring and Logging](#monitoring-and-logging)
     - [Monitoring](#monitoring)
@@ -147,6 +148,11 @@ When V4_CFG_MANAGE_STORAGE is set to `true`, the `sas` and `pg-storage` storage
 | V4_CFG_CR_PASSWORD | Container registry password | string | | false | By default, credentials are included in the downloaded deployment assets. | viya |
 | V4_CFG_CR_URL | Container registry server | string | https://cr.sas.com | false | | viya |
 
+## OCI Container Registry Access
+| Name | Description | Type | Default | Required | Notes | Tasks |
+| :--- | ---: | ---: | ---: | ---: | ---: | ---: |
+| V4_CFG_OCI_REGISTRY_URI | OCI Container registry URI | string | | false | Container registry housing OCI images used for dark site deployments  | baseline, viya |
+
 ## Ingress
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
@@ -334,9 +340,9 @@ V4_CFG_POSTGRES_SERVERS:
 | :--- |------------:| ---: | ---: | ---: | ---: | ---: |
 | V4_WORKLOAD_ORCHESTRATOR_ENABLED | Enables the [SAS Workload Orchestrator](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg) service and configures the required ClusterRole and ClusterRoleBinding used by the daemon. Setting this to false will disable SAS Workload Orchestrator service entirely | bool | true | false | This flag is only applicable for cadences 2023.08 and newer, this flag will perform no action on older cadences. | viya |
 
-The SAS Workload Orchestrator Service is used to manage workload started on demand through the launcher service. As of cadence 2023.08 this feature is now deployed by default. The SAS Workload Orchestrator daemons require information about resources on the nodes that can be used to run jobs. In order to obtain accurate resource information, it requires a ClusterRole and a ClusterRoleBinding to the SAS Workload Orchestrator service account which will be automatically configured by this project if you set `V4_WORKLOAD_ORCHESTRATOR_ENABLED` to true. 
+The SAS Workload Orchestrator Service is used to manage workload started on demand through the launcher service. As of cadence 2023.08 this feature is now deployed by default. The SAS Workload Orchestrator daemons require information about resources on the nodes that can be used to run jobs. In order to obtain accurate resource information, it requires a ClusterRole and a ClusterRoleBinding to the SAS Workload Orchestrator service account which will be automatically configured by this project if you set `V4_WORKLOAD_ORCHESTRATOR_ENABLED` to true.
 
-Additional documentation for the SAS Workload Orchestrator Service can be found here in the [SAS Viya Platform Operations documentation](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg). 
+Additional documentation for the SAS Workload Orchestrator Service can be found here in the [SAS Viya Platform Operations documentation](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg).
 
 ## Miscellaneous
 

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
@@ -7,6 +7,7 @@ V4_CFG_RWX_FILESTORE_PATH: /export
 V4_CFG_INGRESS_TYPE: ingress
 V4_CFG_INGRESS_MODE: public
 V4_CFG_MANAGE_STORAGE: true
+V4_CFG_OCI_REGISTRY_URI: null
 
 ## Cert-manager
 CERT_MANAGER_NAME: cert-manager

diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml
@@ -3,6 +3,22 @@
 
 
 ---
+- name: Authenticate helm to V4_CFG_OCI_REGISTRY_URI
+  when:
+    - V4_CFG_OCI_REGISTRY_URI is defined
+    - V4_CFG_OCI_REGISTRY_URI is not none
+    - V4_CFG_CR_USER is defined
+    - V4_CFG_CR_USER is not none
+    - V4_CFG_CR_PASSWORD is defined
+    - V4_CFG_CR_PASSWORD is not none
+  command:
+    cmd: |
+      helm registry login {{ V4_CFG_OCI_REGISTRY_URI }} -u {{ V4_CFG_CR_USER }} --password-stdin
+  args:
+    stdin: "{{ V4_CFG_CR_PASSWORD }}"
+  tags:
+    - baseline
+
 - name: Include nfs-subdir-external-provisioner
   include_tasks:
     file: nfs-subdir-external-provisioner.yaml

diff --git a/roles/vdm/defaults/main.yaml b/roles/vdm/defaults/main.yaml
@@ -19,6 +19,8 @@ V4_CFG_CR_PASSWORD: null
 V4_CFG_CR_URL: https://cr.sas.com
 V4_CFG_CR_HOST: '{{ V4_CFG_CR_URL | regex_replace("^https?:\/\/(.*)\/?", "\1") }}'
 
+V4_CFG_OCI_REGISTRY_URI: null
+
 V4_CFG_SAS_API_KEY: null
 V4_CFG_SAS_API_SECRET: null
 

diff --git a/roles/vdm/tasks/main.yaml b/roles/vdm/tasks/main.yaml
@@ -63,6 +63,24 @@
     - uninstall
     - update
 
+- name: Authenticate helm to V4_CFG_OCI_REGISTRY_URI
+  when:
+    - V4_CFG_OCI_REGISTRY_URI is defined
+    - V4_CFG_OCI_REGISTRY_URI is not none
+    - V4_CFG_CR_USER is defined
+    - V4_CFG_CR_USER is not none
+    - V4_CFG_CR_PASSWORD is defined
+    - V4_CFG_CR_PASSWORD is not none
+  command:
+    cmd: |
+      helm registry login {{ V4_CFG_OCI_REGISTRY_URI }} -u {{ V4_CFG_CR_USER }} --password-stdin
+  args:
+    stdin: "{{ V4_CFG_CR_PASSWORD }}"
+  tags:
+    - install
+    - uninstall
+    - update
+
 - name: CR access
   when:
     - V4_CFG_CR_USER is not none