From f67c5cbf82ca789561259032e69856ec7383abba Mon Sep 17 00:00:00 2001
From: dhoucgitter
Date: Tue, 24 Oct 2023 19:59:43 +0000
Subject: [PATCH] feat: (IAC-1211) Add optional helm authentication for dark site OCI Container Registries
---
 docs/CONFIG-VARS.md | 10 ++++++++--
 roles/baseline/defaults/main.yml | 1 +
 roles/baseline/tasks/main.yaml | 16 ++++++++++++++++
 roles/vdm/defaults/main.yaml | 2 ++
 roles/vdm/tasks/main.yaml | 18 ++++++++++++++++++
 5 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index fc7baaee..48e47a7c 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -15,6 +15,7 @@ Supported configuration variables are listed in the table below. All variables
   - [SAS Software Order](#sas-software-order)
   - [SAS API Access](#sas-api-access)
   - [Container Registry Access](#container-registry-access)
+  - [OCI Container Registry Access](#oci-container-registry-access)
   - [Ingress](#ingress)
   - [Monitoring and Logging](#monitoring-and-logging)
     - [Monitoring](#monitoring)
@@ -147,6 +148,11 @@ When V4_CFG_MANAGE_STORAGE is set to `true`, the `sas` and `pg-storage` storage
 | V4_CFG_CR_PASSWORD | Container registry password | string | | false | By default, credentials are included in the downloaded deployment assets. | viya |
 | V4_CFG_CR_URL | Container registry server | string | https://cr.sas.com | false | | viya |
+## OCI Container Registry Access
+| Name | Description | Type | Default | Required | Notes | Tasks |
+| :--- | ---: | ---: | ---: | ---: | ---: | ---: |
+| V4_CFG_OCI_REGISTRY_URI | OCI Container registry URI | string | | false | Container registry housing OCI images used for dark site deployments | baseline, viya |
+
 ## Ingress
 | Name | Description | Type | Default | Required | Notes | Tasks |
@@ -334,9 +340,9 @@ V4_CFG_POSTGRES_SERVERS:
 | :--- |------------:| ---: | ---: | ---: | ---: | ---: |
 | V4_WORKLOAD_ORCHESTRATOR_ENABLED | Enables the [SAS Workload Orchestrator](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg) service and configures the required ClusterRole and ClusterRoleBinding used by the daemon. Setting this to false will disable SAS Workload Orchestrator service entirely | bool | true | false | This flag is only applicable for cadences 2023.08 and newer, this flag will perform no action on older cadences. | viya |
-The SAS Workload Orchestrator Service is used to manage workload started on demand through the launcher service. As of cadence 2023.08 this feature is now deployed by default. The SAS Workload Orchestrator daemons require information about resources on the nodes that can be used to run jobs. In order to obtain accurate resource information, it requires a ClusterRole and a ClusterRoleBinding to the SAS Workload Orchestrator service account which will be automatically configured by this project if you set `V4_WORKLOAD_ORCHESTRATOR_ENABLED` to true.
+The SAS Workload Orchestrator Service is used to manage workload started on demand through the launcher service. As of cadence 2023.08 this feature is now deployed by default. The SAS Workload Orchestrator daemons require information about resources on the nodes that can be used to run jobs. In order to obtain accurate resource information, it requires a ClusterRole and a ClusterRoleBinding to the SAS Workload Orchestrator service account which will be automatically configured by this project if you set `V4_WORKLOAD_ORCHESTRATOR_ENABLED` to true.
-Additional documentation for the SAS Workload Orchestrator Service can be found here in the [SAS Viya Platform Operations documentation](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg).
+Additional documentation for the SAS Workload Orchestrator Service can be found here in the [SAS Viya Platform Operations documentation](https://documentation.sas.com/?cdcId=itopscdc&cdcVersion=default&docsetId=dplyml0phy0dkr&docsetTarget=n08u2yg8tdkb4jn18u8zsi6yfv3d.htm#p1vo217m7ffso5n11vxwsyycw4tg).
 ## Miscellaneous
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index d9cd7636..e7654af1 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -7,6 +7,7 @@ V4_CFG_RWX_FILESTORE_PATH: /export
 V4_CFG_INGRESS_TYPE: ingress
 V4_CFG_INGRESS_MODE: public
 V4_CFG_MANAGE_STORAGE: true
+V4_CFG_OCI_REGISTRY_URI: null
 ## Cert-manager
 CERT_MANAGER_NAME: cert-manager
diff --git a/roles/baseline/tasks/main.yaml b/roles/baseline/tasks/main.yaml
index 9ec61392..1067cf53 100644
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@@ -3,6 +3,22 @@
 ---
+- name: Authenticate helm to V4_CFG_OCI_REGISTRY_URI
+  when:
+    - V4_CFG_OCI_REGISTRY_URI is defined
+    - V4_CFG_OCI_REGISTRY_URI is not none
+    - V4_CFG_CR_USER is defined
+    - V4_CFG_CR_USER is not none
+    - V4_CFG_CR_PASSWORD is defined
+    - V4_CFG_CR_PASSWORD is not none
+  command:
+    cmd: |
+      helm registry login {{ V4_CFG_OCI_REGISTRY_URI }} -u {{ V4_CFG_CR_USER }} --password-stdin
+  args:
+    stdin: "{{ V4_CFG_CR_PASSWORD }}"
+  tags:
+    - baseline
+
 - name: Include nfs-subdir-external-provisioner
   include_tasks:
     file: nfs-subdir-external-provisioner.yaml
diff --git a/roles/vdm/defaults/main.yaml b/roles/vdm/defaults/main.yaml
index 94e3319a..cf8dba8e 100644
--- a/roles/vdm/defaults/main.yaml
+++ b/roles/vdm/defaults/main.yaml
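Review bot: The "Authenticate helm" task in roles/baseline/tasks/main.yaml hands the password to helm via `stdin`, which keeps it off the command line, but without `no_log: true` Ansible still echoes every module argument, `stdin` included, in the task's `invocation.module_args` when run with `-v`, so the secret can end up in console output and CI logs; add `no_log: true` alongside `tags:`. The task also lacks `changed_when`, so the `command` module reports "changed" on every run although a registry login is not a state change on the target — `changed_when: false` keeps the play summary accurate. When `V4_CFG_OCI_REGISTRY_URI` is set but `V4_CFG_CR_USER` or `V4_CFG_CR_PASSWORD` is missing, the `when:` list skips the login silently and the failure only surfaces later at chart pull time; an `assert` that the credentials are present whenever the URI is set would report the misconfiguration where it originates. Note also that `helm registry login` writes the credential into helm's registry config file on the host running the task, where it persists after the play; a paired `helm registry logout` task at the end of the role would bound that exposure. The same task is repeated verbatim in roles/vdm/tasks/main.yaml and needs the same changes there.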
@@ -19,6 +19,8 @@ V4_CFG_CR_PASSWORD: null
 V4_CFG_CR_URL: https://cr.sas.com
 V4_CFG_CR_HOST: '{{ V4_CFG_CR_URL | regex_replace("^https?:\/\/(.*)\/?", "\1") }}'
+V4_CFG_OCI_REGISTRY_URI: null
+
 V4_CFG_SAS_API_KEY: null
 V4_CFG_SAS_API_SECRET: null
diff --git a/roles/vdm/tasks/main.yaml b/roles/vdm/tasks/main.yaml
index 4054ae9c..64f5ac60 100644
--- a/roles/vdm/tasks/main.yaml
+++ b/roles/vdm/tasks/main.yaml
@@ -63,6 +63,24 @@
     - uninstall
     - update
+- name: Authenticate helm to V4_CFG_OCI_REGISTRY_URI
+  when:
+    - V4_CFG_OCI_REGISTRY_URI is defined
+    - V4_CFG_OCI_REGISTRY_URI is not none
+    - V4_CFG_CR_USER is defined
+    - V4_CFG_CR_USER is not none
+    - V4_CFG_CR_PASSWORD is defined
+    - V4_CFG_CR_PASSWORD is not none
+  command:
+    cmd: |
+      helm registry login {{ V4_CFG_OCI_REGISTRY_URI }} -u {{ V4_CFG_CR_USER }} --password-stdin
+  args:
+    stdin: "{{ V4_CFG_CR_PASSWORD }}"
+  tags:
+    - install
+    - uninstall
+    - update
+
 - name: CR access
   when:
     - V4_CFG_CR_USER is not none
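Review bot: The vdm copy of the login task is tagged `uninstall` as well as `install` and `update`, yet an uninstall run does not pull charts from the registry, so authenticating there appears unnecessary and only widens the set of runs in which the credential is used and stored on the controller; unless a later uninstall task in this role needs the OCI registry (not visible in the hunk), drop `- uninstall` from `tags:`. Since this task is byte-identical to the one added in roles/baseline/tasks/main.yaml, moving it into a single shared tasks file included from both roles would keep the `when:` conditions and any later hardening in one place.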