From 357bbdad08fe94b6c377ad1157c2ce8d06d5b1db Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Thu, 8 Feb 2024 14:15:57 -0500 Subject: [PATCH] feat: (IAC-897) Annotate NGINX to indicate the desired subnets to provision LBs internal IP addrs from --- docs/CONFIG-VARS.md | 8 ++++++++ roles/baseline/defaults/main.yml | 8 ++++++++ roles/baseline/tasks/ingress-nginx.yaml | 10 ++++++++++ 3 files changed, 26 insertions(+) diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 76700a55..a01672b9 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -16,6 +16,7 @@ Supported configuration variables are listed in the table below. All variables - [SAS API Access](#sas-api-access) - [Container Registry Access](#container-registry-access) - [Ingress](#ingress) + - [Load Balancer](#load-balancer) - [Monitoring and Logging](#monitoring-and-logging) - [Monitoring](#monitoring) - [Logging](#logging) 
@@ -155,6 +156,13 @@ When V4_CFG_MANAGE_STORAGE is set to `true`, the `sas` and `pg-storage` storage | V4_CFG_INGRESS_FQDN | FQDN to the ingress for SAS Vya installation | string | | true | | viya | | V4_CFG_INGRESS_MODE | Whether to create a public or private Loadbalancer endpoint | string | "public" | false | Possible values: "public", "private". Setting this option to "private" adds options to the ingress controller that create a LoadBalancer with private IP address(es) only. | baseline | +## Load Balancer + +| Name | Description | Type | Default | Required | Notes | Tasks | +| :--- | ---: | ---: | ---: | ---: | ---: | ---: | +| V4_CFG_AWS_LB_SUBNETS | The AWS subnets and by association the AWS availability zones to deploy the load balancing service to. Specifying a subnet value or values for this variable takes precedence over the Subnet Discovery method described in [AWS docs](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html) and eliminates the need to tag AWS subnets as documented in scenario 2 of this [table](https://github.com/sassoftware/viya4-iac-aws/blob/main/docs/user/BYOnetwork.md#supported-scenarios-and-requirements-for-using-existing-network-resources) | string | | false | The value is either a comma separated list of subnet IDs, or a comma separated list of subnet names. | baseline | + + ## Monitoring and Logging | Name | Description | Type | Default | Required | Notes | Tasks | diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml index 3c052391..edb8112c 100644 --- a/roles/baseline/defaults/main.yml +++ b/roles/baseline/defaults/main.yml @@ -7,6 +7,7 @@ V4_CFG_RWX_FILESTORE_PATH: /export V4_CFG_INGRESS_TYPE: ingress V4_CFG_INGRESS_MODE: public V4_CFG_MANAGE_STORAGE: true +V4_CFG_AWS_LB_SUBNETS: "" ## Cert-manager CERT_MANAGER_NAME: cert-manager 
@@ -81,6 +82,13 @@ INGRESS_NGINX_AWS_NLB_CONFIG: annotations: service.beta.kubernetes.io/aws-load-balancer-type: nlb +# Update LB for AWS, specify subnets to allocate internal IPs from +INGRESS_NGINX_AWS_LB_SUBNETS: + controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS }}" + # Ingress-nginx - CVE-2021-25742 Mitigation INGRESS_NGINX_CVE_2021_25742_PATCH: controller: diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml index 531db930..3c69b4eb 100644 --- a/roles/baseline/tasks/ingress-nginx.yaml +++ b/roles/baseline/tasks/ingress-nginx.yaml @@ -46,6 +46,16 @@ - install - update +- name: Update INGRESS_NGINX_CONFIG annotations to include INGRESS_NGINX_AWS_LB_SUBNETS + set_fact: + INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_AWS_LB_SUBNETS, recursive=True) }}" + when: + - PROVIDER == "aws" + - V4_CFG_AWS_LB_SUBNETS|length != 0 + tags: + - install + - update + - name: Update INGRESS_NGINX_CONFIG to add Azure load-balancer health probe request path set_fact: INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_AZURE_LB_HEALTH_PROBE_CONFIG, recursive=True) }}"
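Review bot: The comment above `INGRESS_NGINX_AWS_LB_SUBNETS` says the subnets are where "internal IPs" are allocated from, but the `service.beta.kubernetes.io/aws-load-balancer-subnets` annotation pins the load balancer's subnet placement regardless of scheme, and nothing in this block (or in the `when` of the task that merges it, visible later in this patch) ties it to `V4_CFG_INGRESS_MODE`; with `public` mode the same subnets are handed to an internet-facing LB, which AWS is likely to reject unless they are public subnets. Since this annotation is the control over which network the ingress endpoint lands in, the comment should state the actual contract: `# Pin the AWS LB to specific subnets (bypasses tag-based subnet discovery). Applies in both public and private ingress modes, so the subnet type must match V4_CFG_INGRESS_MODE.` The value is also interpolated verbatim, so a list written as `"subnet-a, subnet-b"` carries the space into the annotation; if that is not tolerated downstream, `"{{ V4_CFG_AWS_LB_SUBNETS | regex_replace('\\s+', '') }}"` normalises it in place.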
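Review bot: The `when` clause applies the subnet annotation whenever `V4_CFG_AWS_LB_SUBNETS` is non-empty, but nothing checks that the value is the comma-separated string the annotation expects; a YAML list (easy to write given how the docs describe the value) passes `V4_CFG_AWS_LB_SUBNETS|length != 0` and renders as a Python list repr inside the annotation, and a null value (`V4_CFG_AWS_LB_SUBNETS:` left blank in a vars file) makes `|length` raise instead of skipping the task. Because this annotation is what determines which subnets the ingress load balancer is placed in, a malformed value is likely rejected at LB creation (Service left pending) rather than landing where the operator intended, and the error surfaces far from its cause. An assert task ahead of the set_fact fails fast with a clear message; the set_fact itself can stay as written. The Azure health-probe task that follows continues outside the hunk.

```yaml
- name: Validate V4_CFG_AWS_LB_SUBNETS is a comma-separated string
  assert:
    that:
      - V4_CFG_AWS_LB_SUBNETS is string
    fail_msg: "V4_CFG_AWS_LB_SUBNETS must be a comma-separated string of subnet IDs or names, not a YAML list"
  when:
    - PROVIDER == "aws"
    - V4_CFG_AWS_LB_SUBNETS is not none
    - V4_CFG_AWS_LB_SUBNETS | length != 0
  tags:
    - install
    - update

# … unchanged: set_fact merging INGRESS_NGINX_AWS_LB_SUBNETS into INGRESS_NGINX_CONFIG …
```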