Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(Dev Testing): feat: (IAC-1211) Add optional helm authentication for dark site OCI Container Registries #501

Open
wants to merge 11 commits into
base: staging
Choose a base branch
from
Open

(Dev Testing): feat: (IAC-1211) Add optional helm authentication for dark site OCI Container Registries #501

wants to merge 11 commits into from

Conversation

dhoucgitter
Copy link
Member

@dhoucgitter dhoucgitter commented Oct 24, 2023
edited
Loading

Changes

In order to deploy Viya4 to an dark site cluster, application images required for DAC deployments need to be loaded into a cloud container registry as a source of deployment images, ECR is a convenient container registry to use for AWS.

DAC can use the OCI protocol to retrieve image assets from the container registry during execution of the "baseline,viya,install" tasks.

To successfully retrieve container assets via OCI, DAC needs to authenticate via helm (using helm login) to the OCI registry prior to running the helm install tasks.

Tests

Scenario Method Image DAC tags V4_CFG_OCI_REGISTRY_URI value Authenticate helm task executed Task Output/Notes
1 ansible n/a viya,install <account_number>.dkr.ecr.us-west-2.amazonaws.com yes See internal ticket
2 ansible n/a viya,install none No
3 ansible n/a baseline,install <account_number>.dkr.ecr.us-west-2.amazonaws.com yes See internal ticket
4 ansible n/a baseline,install none No
5 docker 1211-5afde66 baseline,install none No First helm chart install attempt emits 401 Unauthorized error and DAC exits
6 docker 1211-5afde66 baseline,install <account_number>.dkr.ecr.us-west-2.amazonaws.com yes See internal ticket, All expected baseline helm charts were successfully installed from the OCI Elastic Container Registry URI provided using V4_CFG_CR_USER and V4_CFG_CR_PASSWORD for the Authenticate helm to OCI registry task

@dhoucgitter dhoucgitter self-assigned this Oct 24, 2023
@dhoucgitter dhoucgitter marked this pull request as draft October 24, 2023 20:31
@dhoucgitter dhoucgitter requested a review from canpmh October 31, 2023 13:38
@dhoucgitter dhoucgitter marked this pull request as ready for review October 31, 2023 17:23
@dhoucgitter dhoucgitter added documentation Improvements or additions to documentation enhancement New feature or request labels Oct 31, 2023
canpmh
canpmh reviewed Oct 31, 2023
View reviewed changes
Copy link

@canpmh canpmh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ok to me, I don't have direct experience here though.

@mokamr
Copy link

mokamr commented Oct 31, 2023

What happens in a scenario where you have helm charts hosted on different registries other than the images? For example, if ECR is being used to hold helm charts while Nexus/Harbor/quay are being used to store images - how would we differ the authentication for the two respective registries if we only have one set of authentication variables -
V4_CFG_CR_USER
V4_CFG_CR_PASSWORD

Should we have something like -
V4_CFG_CR_OCI_USER
V4_CFG_CR_OCI_PASSWORD

@dhoucgitter
Copy link
Member Author

dhoucgitter commented Nov 1, 2023
edited
Loading

What happens in a scenario where you have helm charts hosted on different registries other than the images? For example, if ECR is being used to hold helm charts while Nexus/Harbor/quay are being used to store images - how would we differ the authentication for the two respective registries if we only have one set of authentication variables - V4_CFG_CR_USER V4_CFG_CR_PASSWORD

Should we have something like - V4_CFG_CR_OCI_USER V4_CFG_CR_OCI_PASSWORD

What happens in a scenario where you have helm charts hosted on different registries other than the images? For example, if ECR is being used to hold helm charts while Nexus/Harbor/quay are being used to store images - how would we differ the authentication for the two respective registries if we only have one set of authentication variables - V4_CFG_CR_USER V4_CFG_CR_PASSWORD

Should we have something like - V4_CFG_CR_OCI_USER V4_CFG_CR_OCI_PASSWORD

@mokamr, I had originally wondered whether or not having a separate set of credentials for the CR_OCI side could be necessary but wasn't sure about the use case. If the scenario that you cite is a likely one, it would make sense to have a separate USER and PASSWORD values. One question, If your deployment VM has direct access to images in those other locations, this wouldn't be a typical dark site scenario, would it?

@mokamr
Copy link

mokamr commented Nov 1, 2023

Yes, I agree, if your deployment VM can access helm charts from the public repo then there would be no reason for a customer to store their helm charts on some private registry. The deployment VM would be able to pull the charts locally. If the cluster is fully private with no public egress but the deployment machine has public egress then I wouldn't count it as a dark site scenario.

@dhoucgitter
Copy link
Member Author

Yes, I agree, if your deployment VM can access helm charts from the public repo then there would be no reason for a customer to store their helm charts on some private registry. The deployment VM would be able to pull the charts locally. If the cluster is fully private with no public egress but the deployment machine has public egress then I wouldn't count it as a dark site scenario.

Hi @mokamr, thanks, so following that logic, does that mean no need for a separate OCI credential set? Just confirming.

@mokamr
Copy link

mokamr commented Nov 1, 2023

Hi @dhoucgitter, once you set V4_CFG_OCI_REGISTRY_URI , will it be used to pull helm charts, and also be used to point baseline images to the private registry provided in the variable?

If V4_CFG_OCI_REGISTRY_URI is only intended to be used to pull helm charts for DaC, then in a scenario where the deployment client has public egress and can access the charts from the internet, it would make no sense for a customer to set V4_CFG_OCI_REGISTRY_URI let alone be worried about the separate OCI cred variables. However, the customer would still need to provide the baseline image locations to their private registry if their cluster does not have public egress.

@dhoucgitter dhoucgitter changed the title feat: (IAC-1211) Add optional helm authentication for dark site OCI Container Registries (Dev Testing): feat: (IAC-1211) Add optional helm authentication for dark site OCI Container Registries Apr 29, 2024
@dhoucgitter
Copy link
Member Author

All linter checks have passed for last weeks commit #501 (comment) based on latest review mtg with Thomas and Sally.

Need new sanity test results for the configuration variable changes those updates introduced to verify Ansible task behavior functions as expected with Dark Site flag defined and undefined.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@canpmh canpmh canpmh left review comments

@riragh riragh riragh approved these changes

@jarpat jarpat jarpat approved these changes

@thpang thpang Awaiting requested review from thpang

@sayeun sayeun Awaiting requested review from sayeun

Assignees

@dhoucgitter dhoucgitter

Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dhoucgitter @mokamr @canpmh @jarpat @riragh