From 334dd40d946953007026e14e33b3a062c71d1410 Mon Sep 17 00:00:00 2001 From: Jay Patel <78554593+jarpat@users.noreply.github.com> Date: Fri, 5 May 2023 12:16:22 -0400 Subject: [PATCH 1/3] feat: (IAC-695) Add Support for K8s 1.26 (#169) --- Dockerfile | 9 +++++++-- README.md | 5 +++-- config/sample-input-tf-enterprise.tfvars | 2 +- docs/user/Kubeconfig.md | 18 ++++++++++++++++- examples/sample-input-byo.tfvars | 2 +- examples/sample-input-connect.tfvars | 2 +- examples/sample-input-ha.tfvars | 2 +- examples/sample-input-minimal.tfvars | 2 +- examples/sample-input.tfvars | 2 +- main.tf | 4 ++-- modules/kubeconfig/locals.tf | 25 ++++++++++++------------ 11 files changed, 47 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index 60c8a55..62916dc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,13 @@ +# Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + ARG TERRAFORM_VERSION=1.0.0 -ARG GCP_CLI_VERSION=409.0.0 +ARG GCP_CLI_VERSION=428.0.0 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform FROM google/cloud-sdk:$GCP_CLI_VERSION -ARG KUBECTL_VERSION=1.24.10 +ARG KUBECTL_VERSION=1.25.8 +ARG ENABLE_GKE_GCLOUD_AUTH_PLUGIN=True WORKDIR /viya4-iac-gcp @@ -19,5 +23,6 @@ RUN apt-get install -y jq \ && terraform init ENV TF_VAR_iac_tooling=docker +ENV USE_GKE_GCLOUD_AUTH_PLUGIN=$ENABLE_GKE_GCLOUD_AUTH_PLUGIN ENTRYPOINT ["/viya4-iac-gcp/docker-entrypoint.sh"] VOLUME ["/workspace"] diff --git a/README.md b/README.md index 77936ed..c1e325e 100644 --- a/README.md +++ b/README.md 
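Review bot: The second Dockerfile hunk only switches the plugin on with `ENV USE_GKE_GCLOUD_AUTH_PLUGIN=$ENABLE_GKE_GCLOUD_AUTH_PLUGIN`; nothing in either hunk installs `gke-gcloud-auth-plugin`, and the `RUN apt-get install -y jq \` shown in the hunk header lies above the hunk, outside this patch. The docs hunk in this same commit claims the Dockerfile "ensure[s] that the plugin is installed as well as enabled", so unless the `google/cloud-sdk:428.0.0` base image ships the plugin component (not verifiable from the patch), provider-based kubeconfigs built with this image will fail at the `exec` step and only print the installHint. A build-time guard after the install step would make the image self-checking, e.g. `RUN command -v gke-gcloud-auth-plugin >/dev/null`, so a missing plugin fails the build rather than the first `kubectl` call. Note also that the new `ARG ENABLE_GKE_GCLOUD_AUTH_PLUGIN=True` is a build-time default; a run-time override must go through `USE_GKE_GCLOUD_AUTH_PLUGIN` itself.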
@@ -32,9 +32,10 @@ Operational knowledge of - Terraform or Docker - #### Terraform - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0 - - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.24.10 + - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.25.8 - [jq](https://stedolan.github.io/jq/) - v1.6 - - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v409.0.0 + - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v428.0.0 + - [gke-gcloud-auth-plugin](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin) - (optional - only for provider based Kubernetes configuration files) - >= v1.26 - #### Docker - [Docker](https://docs.docker.com/get-docker/) diff --git a/config/sample-input-tf-enterprise.tfvars b/config/sample-input-tf-enterprise.tfvars index bd39eb0..e981bf6 100644 --- a/config/sample-input-tf-enterprise.tfvars +++ b/config/sample-input-tf-enterprise.tfvars @@ -38,7 +38,7 @@ create_static_kubeconfig = true # tags = {} # e.g., { "key1" = "value1", "key2" = "value2" } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 1 default_nodepool_vm_type = "n2-standard-2" diff --git a/docs/user/Kubeconfig.md b/docs/user/Kubeconfig.md index 88adaaa..6aadf4c 100644 --- a/docs/user/Kubeconfig.md +++ b/docs/user/Kubeconfig.md 
@@ -2,6 +2,7 @@ ## Overview +### Notes - viya4-iac-gcp:1.0.0 The release of Kubernetes v1.19+ is dropping support for `basic authentication` via the --basic-auth-file flag. Release notes for that are [here](https://v1-19.docs.kubernetes.io/docs/setup/release/notes/#urgent-upgrade-notes) With the removal of this feature, the generation of the kube config file for the Infrastructure as Code (IaC) repositories will now support two new options while removing the basic auth feature. 
@@ -11,9 +12,24 @@ The options are: - Provider Based - Kubernetes Service Account and Cluster Role Binding +### Notes - viya4-iac-gcp:4.5.0 + +The release of kubectl v1.26 is dropping support for built-in provider-specific code in their project for authentication and instead opting for a plugin-based strategy. To quote this [Google blog post](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke): + +>To ensure the separation between the open source version of Kubernetes and those versions that are customized by services providers like Google, the open source community is requiring that all provider-specific code that currently exists in the OSS code base be removed starting with v1.26. + +The options for creating the Kubernetes configuration file are still: + +- Provider Based +- Kubernetes Service Account and Cluster Role Binding + +However, the provider based kubernetes configuration file format will change to support the use of the `gke-gcloud-auth-plugin`. The `gke-gcloud-auth-plugin` binary is required to access any GKE clusters when using kubectl 1.26+ with a "provider based kubernetes configuration file. The "service account and cluster role binding" kubernetes configuration file variant remains the same and still does not require either `gcloud` or the `gke-gcloud-auth-plugin` binary to communicate with the cluster. + +In our included Dockerfile we included steps to ensure that the plugin is installed as well as enabled. If you are opting not to this project via a Docker container produced with our Dockerfile, you will need to take steps to install both `gcloud` and `gke-gcloud-auth-plugin` on your machine. Google has provided step-by-step instructions in a blog post to aid users with this transition. See [Google's Authentication Blog post](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke). 
+ ### Provider Based - Google Cloud Provider -This option creates a kube config file that utilizes the `gcloud` executable from Google. This method generates a `token` and `expiration date` that are embedded in the kube config file and are refreshed each time you use the kube config file to access your cluster. This `token` is tied to the current authentication method used for the provider so it's quite safe. +This option creates a kube config file that utilizes the `gcloud` and `gke-gcloud-auth-plugin` executables from Google. This method generates a `access_token` and `token_expiry` that is stored in an authentication cache file and are refreshed each time you use the kube config file to access your cluster. This `access_token` is tied to the current authentication method used for the provider, so it's quite safe. Portability is also limited given then file is tied to the authentication method used to create the file. diff --git a/examples/sample-input-byo.tfvars b/examples/sample-input-byo.tfvars index c1c2c3e..a7bf362 100644 --- a/examples/sample-input-byo.tfvars +++ b/examples/sample-input-byo.tfvars @@ -37,7 +37,7 @@ postgres_servers = { } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 2 default_nodepool_vm_type = "e2-standard-8" diff --git a/examples/sample-input-connect.tfvars b/examples/sample-input-connect.tfvars index cc3ffd9..de49a48 100644 --- a/examples/sample-input-connect.tfvars +++ b/examples/sample-input-connect.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 2 default_nodepool_vm_type = "e2-standard-8" diff --git a/examples/sample-input-ha.tfvars b/examples/sample-input-ha.tfvars index 366c6aa..bd4cc5d 100644 --- a/examples/sample-input-ha.tfvars +++ b/examples/sample-input-ha.tfvars 
@@ -27,7 +27,7 @@ postgres_servers = { } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 2 default_nodepool_vm_type = "e2-standard-8" diff --git a/examples/sample-input-minimal.tfvars b/examples/sample-input-minimal.tfvars index 92dc647..b156c6c 100644 --- a/examples/sample-input-minimal.tfvars +++ b/examples/sample-input-minimal.tfvars @@ -27,7 +27,7 @@ tags = {} # e.g., { "key1" = "value1", "key2" = "value2" } # } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 1 default_nodepool_vm_type = "n2-standard-2" diff --git a/examples/sample-input.tfvars b/examples/sample-input.tfvars index 00f83d4..fb8df93 100644 --- a/examples/sample-input.tfvars +++ b/examples/sample-input.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } # GKE config -kubernetes_version = "1.24" +kubernetes_version = "1.25" default_nodepool_min_nodes = 2 default_nodepool_vm_type = "e2-standard-8" diff --git a/main.tf b/main.tf index 8169636..e40303c 100644 --- a/main.tf +++ b/main.tf @@ -7,9 +7,9 @@ # GitHub Repository : https://github.com/terraform-google-modules # # Terraform Cloud : Credentials are supplied with GOOGLE_CREDENTIALS a single line JSON -# file contaiing the output of gcloud login. When copy the contents +# file containing the output of gcloud login. When copy the contents # of that output you must remove all newlines and store this as a single -# line entry as a varaible +# line entry as a variable # provider "google" { credentials = var.service_account_keyfile != null ? can(file(var.service_account_keyfile)) ? file(var.service_account_keyfile) : null : null diff --git a/modules/kubeconfig/locals.tf b/modules/kubeconfig/locals.tf index ac22a87..4c5da43 100644 --- a/modules/kubeconfig/locals.tf +++ b/modules/kubeconfig/locals.tf 
@@ -10,7 +10,7 @@ locals { service_account_secret_name = "${var.prefix}-sa-secret" # Service account secret token - sa_secret_token = lookup(kubernetes_secret.sa_secret.0.data, "token", "") + sa_secret_token = var.create_static_kubeconfig ? lookup(kubernetes_secret.sa_secret.0.data, "token", "") : "" # # Kubernetes configuration file - Provider based format. May use helper tools @@ -22,27 +22,26 @@ apiVersion: v1 clusters: - cluster: certificate-authority-data: ${var.cluster_ca_cert} - server: 'https://${var.cluster_endpoint}' -name: ${var.cluster_name} + server: '${var.cluster_endpoint}' + name: ${var.cluster_name} contexts: - context: cluster: ${var.cluster_name} user: ${var.cluster_name} -name: ${var.cluster_name} + name: ${var.cluster_name} current-context: ${var.cluster_name} kind: Config preferences: {} users: - name: ${var.cluster_name} -user: - auth-provider: - config: - cmd-args: config config-helper --format=json - cmd-path: gcloud - access-token: '{.credential.access_token}' - expiry-key: '{.credential.token_expiry}' - token-key: '{.credential.access_token}' - name: gcp + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + command: gke-gcloud-auth-plugin + installHint: Install gke-gcloud-auth-plugin for use with kubectl by following + https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke + provideClusterInfo: true + name: gcp EOT # From 03fa1eeddd06be95a68e4df2146f0529486f9d34 Mon Sep 17 00:00:00 2001 From: Jay Patel <78554593+jarpat@users.noreply.github.com> Date: Fri, 5 May 2023 13:24:44 -0400 Subject: [PATCH 2/3] feat!: (IAC-970) Update Terraform Version to 1.4.5 (#172) --- Dockerfile | 2 +- README.md | 2 +- versions.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 62916dc..8eb0626 100644 --- a/Dockerfile +++ b/Dockerfile 
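Review bot: The rewritten `sa_secret_token` still falls back to `""` when the secret has no `token` key, so a static kubeconfig can be rendered with an empty credential and the failure only surfaces when the file is first used; since the guard now exists, consider failing loudly instead, e.g. `lookup(kubernetes_secret.sa_secret[0].data, "token")` with no default, or a precondition on the consuming resource. The legacy `kubernetes_secret.sa_secret.0.data` attribute-index form is also worth replacing with `sa_secret[0]`, which is the supported syntax for the `>= 1.0.0` Terraform this module already requires. The surrounding `locals` block begins before the hunk.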
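Review bot: The template line `server: '${var.cluster_endpoint}'` drops the `https://` prefix the old template added, so the rendered kubeconfig is now only valid if `var.cluster_endpoint` already carries the scheme; the module's caller is not touched anywhere in this patch series (the `main.tf` hunk only fixes comment typos), so confirm the passed value is a full URL, otherwise kubectl is handed a bare host and the variable's description should say "URL, including scheme". The `exec` stanza resolves `command: gke-gcloud-auth-plugin` through the user's `PATH` with no pinned path or version, which is fine for a provider-based file but worth stating in the doc comment above the heredoc (`# Provider-based format: requires gcloud and gke-gcloud-auth-plugin on PATH`) so operators know which binaries this file trusts. The multi-line `installHint` value relies on YAML plain-scalar folding and must stay indented deeper than the key; its indentation is not recoverable from this rendering, so verify the rendered file with `kubectl config view --kubeconfig <rendered-file>` before release. The heredoc's opening `<<-EOT` line lies above the hunk.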
@@ -1,7 +1,7 @@ # Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -ARG TERRAFORM_VERSION=1.0.0 +ARG TERRAFORM_VERSION=1.4.5 ARG GCP_CLI_VERSION=428.0.0 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform diff --git a/README.md b/README.md index c1e325e..23bca4b 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ Operational knowledge of - Terraform or Docker - #### Terraform - - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0 + - [Terraform](https://www.terraform.io/downloads.html) - v1.4.5 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.25.8 - [jq](https://stedolan.github.io/jq/) - v1.6 - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v428.0.0 diff --git a/versions.tf b/versions.tf index 6da525d..c2efc22 100644 --- a/versions.tf +++ b/versions.tf @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 terraform { - required_version = ">= 1.0.0" + required_version = ">= 1.4.5" required_providers { google = { From 641957607b57f08bb7ed5b1de0aff035753d7be7 Mon Sep 17 00:00:00 2001 From: Jay Patel <78554593+jarpat@users.noreply.github.com> Date: Mon, 8 May 2023 14:09:34 -0400 Subject: [PATCH 3/3] Revert "feat!: (IAC-970) Update Terraform Version to 1.4.5 (#172)" (#174) This reverts commit 03fa1eeddd06be95a68e4df2146f0529486f9d34. --- Dockerfile | 2 +- README.md | 2 +- versions.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8eb0626..62916dc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # Copyright © 2021-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -ARG TERRAFORM_VERSION=1.4.5 +ARG TERRAFORM_VERSION=1.0.0 ARG GCP_CLI_VERSION=428.0.0 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform diff --git a/README.md b/README.md index 23bca4b..c1e325e 100644 
--- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ Operational knowledge of - Terraform or Docker - #### Terraform - - [Terraform](https://www.terraform.io/downloads.html) - v1.4.5 + - [Terraform](https://www.terraform.io/downloads.html) - v1.0.0 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) - v1.25.8 - [jq](https://stedolan.github.io/jq/) - v1.6 - [gcloud CLI](https://cloud.google.com/sdk/gcloud) - (optional - useful as an alternative to the Google Cloud Platform Portal) - v428.0.0 diff --git a/versions.tf b/versions.tf index c2efc22..6da525d 100644 --- a/versions.tf +++ b/versions.tf @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 terraform { - required_version = ">= 1.4.5" + required_version = ">= 1.0.0" required_providers { google = {