Merge pull request #176 from sassoftware/staging

4.5.0 - May 18, 2023
sassoftware · May 18, 2023 · 3d204d5 · 3d204d5
2 parents 935f826 + 6419576
commit 3d204d5
Show file tree

Hide file tree

Showing 11 changed files with 47 additions and 26 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,13 @@
+# Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 ARG TERRAFORM_VERSION=1.0.0
-ARG GCP_CLI_VERSION=409.0.0
+ARG GCP_CLI_VERSION=428.0.0
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 
 FROM google/cloud-sdk:$GCP_CLI_VERSION
-ARG KUBECTL_VERSION=1.24.10
+ARG KUBECTL_VERSION=1.25.8
+ARG ENABLE_GKE_GCLOUD_AUTH_PLUGIN=True
 
 WORKDIR /viya4-iac-gcp
 
@@ -19,5 +23,6 @@ RUN apt-get install -y jq \
   && terraform init
 
 ENV TF_VAR_iac_tooling=docker
+ENV USE_GKE_GCLOUD_AUTH_PLUGIN=$ENABLE_GKE_GCLOUD_AUTH_PLUGIN
 ENTRYPOINT ["/viya4-iac-gcp/docker-entrypoint.sh"]
 VOLUME ["/workspace"]
diff --git a/README.md b/README.md
@@ -32,9 +32,10 @@ Operational knowledge of
 - Terraform or Docker
   - #### Terraform
     - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0
-    - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.24.10
+    - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.25.8
     - [jq](https://stedolan.github.io/jq/) - v1.6
-    - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v409.0.0
+    - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v428.0.0
+    - [gke-gcloud-auth-plugin](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin) - (optional - only for provider based Kubernetes configuration files) - >= v1.26
   - #### Docker
     - [Docker](https://docs.docker.com/get-docker/)
 

diff --git a/config/sample-input-tf-enterprise.tfvars b/config/sample-input-tf-enterprise.tfvars
@@ -38,7 +38,7 @@ create_static_kubeconfig = true
 # tags = {} # e.g., { "key1" = "value1", "key2" = "value2" }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 1
 default_nodepool_vm_type   = "n2-standard-2"
 

diff --git a/docs/user/Kubeconfig.md b/docs/user/Kubeconfig.md
@@ -2,6 +2,7 @@
 
 ## Overview
 
+### Notes - viya4-iac-gcp:1.0.0
 The release of Kubernetes v1.19+ is dropping support for `basic authentication` via the --basic-auth-file flag. Release notes for that are [here](https://v1-19.docs.kubernetes.io/docs/setup/release/notes/#urgent-upgrade-notes)
 
 With the removal of this feature, the generation of the kube config file for the Infrastructure as Code (IaC) repositories will now support two new options while removing the basic auth feature.
@@ -11,9 +12,24 @@ The options are:
 - Provider Based
 - Kubernetes Service Account and Cluster Role Binding
 
+### Notes - viya4-iac-gcp:4.5.0
+
+The release of kubectl v1.26 is dropping support for built-in provider-specific code in their project for authentication and instead opting for a plugin-based strategy. To quote this [Google blog post](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke): 
+
+>To ensure the separation between the open source version of Kubernetes and those versions that are customized by services providers like Google, the open source community is requiring that all provider-specific code that currently exists in the OSS code base be removed starting with v1.26.
+
+The options for creating the Kubernetes configuration file are still:
+
+- Provider Based
+- Kubernetes Service Account and Cluster Role Binding
+
+However, the provider based kubernetes configuration file format will change to support the use of the `gke-gcloud-auth-plugin`. The `gke-gcloud-auth-plugin` binary is required to access any GKE clusters when using kubectl 1.26+ with a "provider based kubernetes configuration file. The "service account and cluster role binding" kubernetes configuration file variant remains the same and still does not require either `gcloud` or the `gke-gcloud-auth-plugin` binary to communicate with the cluster.
+
+In our included Dockerfile we included steps to ensure that the plugin is installed as well as enabled. If you are opting not to this project via a Docker container produced with our Dockerfile, you will need to take steps to install both `gcloud` and `gke-gcloud-auth-plugin` on your machine. Google has provided step-by-step instructions in a blog post to aid users with this transition. See [Google's Authentication Blog post](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke).
+
 ### Provider Based - Google Cloud Provider
 
-This option creates a kube config file that utilizes the `gcloud` executable from Google. This method generates a `token` and `expiration date` that are embedded in the kube config file and are refreshed each time you use the kube config file to access your cluster. This `token` is tied to the current authentication method used for the provider so it's quite safe.
+This option creates a kube config file that utilizes the `gcloud` and  `gke-gcloud-auth-plugin` executables from Google. This method generates a `access_token` and `token_expiry` that is stored in an authentication cache file and are refreshed each time you use the kube config file to access your cluster. This `access_token` is tied to the current authentication method used for the provider, so it's quite safe.
 
 Portability is also limited given then file is tied to the authentication method used to create the file.
 

diff --git a/examples/sample-input-byo.tfvars b/examples/sample-input-byo.tfvars
@@ -37,7 +37,7 @@ postgres_servers = {
 }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "e2-standard-8"
 

diff --git a/examples/sample-input-connect.tfvars b/examples/sample-input-connect.tfvars
@@ -27,7 +27,7 @@ postgres_servers = {
 }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "e2-standard-8"
 

diff --git a/examples/sample-input-ha.tfvars b/examples/sample-input-ha.tfvars
@@ -27,7 +27,7 @@ postgres_servers = {
 }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "e2-standard-8"
 

diff --git a/examples/sample-input-minimal.tfvars b/examples/sample-input-minimal.tfvars
@@ -27,7 +27,7 @@ tags = {} # e.g., { "key1" = "value1", "key2" = "value2" }
 # }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 1
 default_nodepool_vm_type   = "n2-standard-2"
 

diff --git a/examples/sample-input.tfvars b/examples/sample-input.tfvars
@@ -27,7 +27,7 @@ postgres_servers = {
 }
 
 # GKE config
-kubernetes_version         = "1.24"
+kubernetes_version         = "1.25"
 default_nodepool_min_nodes = 2
 default_nodepool_vm_type   = "e2-standard-8"
 

diff --git a/main.tf b/main.tf
@@ -7,9 +7,9 @@
 # GitHub Repository  : https://github.com/terraform-google-modules
 #
 # Terraform Cloud : Credentials are supplied with GOOGLE_CREDENTIALS a single line JSON
-#                   file contaiing the output of gcloud login. When copy the contents
+#                   file containing the output of gcloud login. When copy the contents
 #                   of that output you must remove all newlines and store this as a single
-#                   line entry as a varaible
+#                   line entry as a variable
 #
 provider "google" {
   credentials = var.service_account_keyfile != null ? can(file(var.service_account_keyfile)) ? file(var.service_account_keyfile) : null : null

diff --git a/modules/kubeconfig/locals.tf b/modules/kubeconfig/locals.tf
@@ -10,7 +10,7 @@ locals {
   service_account_secret_name = "${var.prefix}-sa-secret"
 
   # Service account secret token
-  sa_secret_token = lookup(kubernetes_secret.sa_secret.0.data, "token", "")
+  sa_secret_token = var.create_static_kubeconfig ? lookup(kubernetes_secret.sa_secret.0.data, "token", "") : ""
 
   #
   # Kubernetes configuration file - Provider based format. May use helper tools
@@ -22,27 +22,26 @@ apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: ${var.cluster_ca_cert}
-    server: 'https://${var.cluster_endpoint}'
-name: ${var.cluster_name}
+    server: '${var.cluster_endpoint}'
+  name: ${var.cluster_name}
 contexts:
 - context:
     cluster: ${var.cluster_name}
     user: ${var.cluster_name}
-name: ${var.cluster_name}
+  name: ${var.cluster_name}
 current-context: ${var.cluster_name}
 kind: Config
 preferences: {}
 users:
 - name: ${var.cluster_name}
-user:
-    auth-provider:
-    config:
-        cmd-args: config config-helper --format=json
-        cmd-path: gcloud
-        access-token: '{.credential.access_token}'
-        expiry-key: '{.credential.token_expiry}'
-        token-key: '{.credential.access_token}'
-    name: gcp
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: gke-gcloud-auth-plugin
+      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
+        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
+      provideClusterInfo: true
+      name: gcp
 EOT
 
   #