Merge pull request #262 from sassoftware/staging

5.1.0 - July 21, 2022
sassoftware · Jul 21, 2022 · 8d90565 · 8d90565
2 parents 7bebc13 + a9ad934
commit 8d90565
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 13 deletions.
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -179,11 +179,11 @@ When setting V4_CFG_MANAGE_STORAGE to true, A new storage classes will be create
 
 ## TLS
 
-Viya 4 supports 2 different types of certificate generators, Cert-manager and openssl. The openssl certificate generator cannot be used in conjunction with the viya4-monitoring-kubernetes stack.
+Viya 4 supports 2 different types of certificate generators, cert-manager and openssl.
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| V4_CFG_TLS_GENERATOR | Which tool to use for certificate generation | string | cert-manager | false | Supported values: [`cert-manager`,`openssl`]. | viya, cluster-logging, cluster-monitoring |
+| V4_CFG_TLS_GENERATOR | Which tool to use for certificate generation | string | openssl | false | Supported values: [`cert-manager`,`openssl`]. | viya, cluster-logging, cluster-monitoring |
 | V4_CFG_TLS_MODE | Which TLS mode to configure | string | front-door | false | Supported values: [`full-stack`,`front-door`,`disabled.`] When deploying full-stack you must set V4_CFG_TLS_TRUSTED_CA_CERTS to trust external postgres server ca. | all |
 | V4_CFG_TLS_CERT | Path to ingress certificate file | string | | false | If specified, used instead of cert-manager issued certificates | viya |
 | V4_CFG_TLS_KEY | Path to ingress key file | string | | false | Required when V4_CFG_TLS_CERT is specified | viya |
@@ -279,7 +279,7 @@ V4_CFG_POSTGRES_SERVERS:
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| CERT_MANAGER_ENABLED | Whether to deploy tool | bool | true | false | | baseline |
+| CERT_MANAGER_ENABLED | Whether to deploy cert-manager into the cluster using helm | bool | false | false | Required if V4_CFG_TLS_GENERATOR is set to `cert-manager` and it's not already installed | baseline |
 | CERT_MANAGER_NAMESPACE | cert-manager helm install namespace | string | cert-manager | false | | baseline |
 | CERT_MANAGER_CHART_URL | cert-manager helm chart url | string | https://charts.jetstack.io/ | false | | baseline |
 | CERT_MANAGER_CHART_NAME| cert-manager helm chart name | string | cert-manager| false | | baseline |

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
@@ -1,10 +1,10 @@
 V4_CFG_TLS_MODE: "full-stack" # other valid values are front-door, ingress-only, and disabled
-V4_CFG_RWX_FILESTORE_ENDPOINT: /export
+V4_CFG_RWX_FILESTORE_PATH: /export
 V4_CFG_INGRESS_TYPE: ingress
 V4_CFG_INGRESS_MODE: public
 
 ## Cert-manager
-CERT_MANAGER_ENABLED: true
+CERT_MANAGER_ENABLED: false
 CERT_MANAGER_NAME: cert-manager
 CERT_MANAGER_NAMESPACE: cert-manager
 CERT_MANAGER_CHART_NAME: cert-manager
@@ -50,7 +50,7 @@ INGRESS_NGINX_CONFIG:
       externalTrafficPolicy: Local
       sessionAffinity: None
       loadBalancerSourceRanges: "{{ LOADBALANCER_SOURCE_RANGES |default(['0.0.0.0/0'], -1) }}"
-      annotation:
+      annotations:
 
     config:
       use-forwarded-headers: "true"

diff --git a/roles/monitoring/vars/main.yaml b/roles/monitoring/vars/main.yaml
@@ -17,6 +17,7 @@ logging_map:
     ES_METRICGETTER_PASSWD: "{{ V4M_METRICGETTER_PASSWORD }}"
     LOG_NS: "{{ V4M_LOGGING_NAMESPACE }}"
     KB_KNOWN_NODEPORT_ENABLE: "{{ V4M_KB_KNOWN_NODEPORT_ENABLE }}"
+    CERT_GENERATOR: "{{ 'openssl' if (V4_CFG_TLS_GENERATOR is not defined or V4_CFG_TLS_GENERATOR==None) else V4_CFG_TLS_GENERATOR }}"
 
 monitoring_env:
   USER_DIR: "{{ tmpdir.path }}"
@@ -27,3 +28,4 @@ monitoring_env:
   GRAFANA_ADMIN_PASSWORD: "{{ V4M_GRAFANA_PASSWORD }}"
   VIYA_NS: "{{ NAMESPACE }}"
   MON_NS: "{{ V4M_MONITORING_NAMESPACE }}"
+  CERT_GENERATOR: "{{ 'openssl' if (V4_CFG_TLS_GENERATOR is not defined or V4_CFG_TLS_GENERATOR==None) else V4_CFG_TLS_GENERATOR }}"
diff --git a/roles/vdm/defaults/main.yaml b/roles/vdm/defaults/main.yaml
@@ -36,7 +36,7 @@ V4_CFG_TLS_MODE: "front-door" # other valid values are full-stack, ingress-only,
 V4_CFG_TLS_CERT: null
 V4_CFG_TLS_KEY: null
 V4_CFG_TLS_TRUSTED_CA_CERTS: null
-V4_CFG_TLS_GENERATOR: cert-manager # [cert-manager,openssl]
+V4_CFG_TLS_GENERATOR: openssl # [cert-manager,openssl]
 
 V4_CFG_CONSUL_ENABLE_LOADBALANCER: false
 V4_CFG_EMBEDDED_LDAP_ENABLE: false

diff --git a/roles/vdm/tasks/deploy.yaml b/roles/vdm/tasks/deploy.yaml
@@ -13,7 +13,7 @@
 
 - name: prereqs - cluster-api
   ansible.builtin.shell: |
-    kubectl --kubeconfig {{ KUBECONFIG }} apply -n {{ NAMESPACE }} --selector="sas.com/admin=cluster-api" -f {{ DEPLOY_DIR }}/site.yaml
+    kubectl --kubeconfig {{ KUBECONFIG }} apply -n {{ NAMESPACE }} --selector="sas.com/admin=cluster-api" --server-side --force-conflicts -f {{ DEPLOY_DIR }}/site.yaml
     kubectl --kubeconfig {{ KUBECONFIG }} wait --for condition=established --timeout=60s -l "sas.com/admin=cluster-api" crd
   register: result
   failed_when:

diff --git a/roles/vdm/tasks/postgres/postgres.yaml b/roles/vdm/tasks/postgres/postgres.yaml
@@ -52,7 +52,7 @@
         - not internal_postgres
   when:
     - V4_CFG_CADENCE_VERSION is version('2021.1.4', "<")
-    - V4_CFG_CADENCE_NAME != "fast"
+    - V4_CFG_CADENCE_NAME|lower != "fast"
   tags:
     - install
     - uninstall
@@ -86,7 +86,7 @@
         internal: "{{ internal_postgres }}"
       with_dict: "{{ V4_CFG_POSTGRES_SERVERS }}"
   when:
-    - V4_CFG_CADENCE_VERSION is version('2021.1.4', ">=") or V4_CFG_CADENCE_NAME == "fast"
+    - V4_CFG_CADENCE_VERSION is version('2021.1.4', ">=") or V4_CFG_CADENCE_NAME|lower == "fast"
   tags:
     - install
     - uninstall

diff --git a/roles/vdm/tasks/tls.yaml b/roles/vdm/tasks/tls.yaml
@@ -11,7 +11,7 @@
     - V4_CFG_TLS_GENERATOR == "openssl"
     - V4_CFG_TLS_CERT is none or V4_CFG_TLS_KEY is none or V4_CFG_TLS_TRUSTED_CA_CERTS is none
     - V4_CFG_CADENCE_VERSION is version('2021.1', "<=")
-    - V4_CFG_CADENCE_NAME != "fast"
+    - V4_CFG_CADENCE_NAME|lower != "fast"
   tags:
     - install
     - uninstall
@@ -104,7 +104,7 @@
   when:
     - V4_CFG_TLS_MODE == "ingress-only"
     - V4_CFG_CADENCE_VERSION is version('2021.2.4', "<")
-    - V4_CFG_CADENCE_NAME != "fast"
+    - V4_CFG_CADENCE_NAME|lower != "fast"
   tags:
     - install
     - uninstall
@@ -200,7 +200,8 @@
     cadence_number: "{{ V4_CFG_CADENCE_VERSION }}"
     existing: "{{ vdm_overlays }}"
     add:
-      - { transformers: "cert-manager-provided-ingress-certificate.yaml", vdm: true, priority: 70 }
+      - { transformers: "cert-manager-provided-ingress-certificate.yaml", vdm: true, max: "2022.1", priority: 70 }
+      - { transformers: "overlays/cert-manager-provided-ingress-certificate/ingress-annotation-transformer.yaml", min: "2022.1.1", priority: 70 }
   when:
     - V4_CFG_TLS_MODE != "disabled"
     - (V4_CFG_TLS_CERT is none and V4_CFG_TLS_KEY is none and V4_CFG_TLS_GENERATOR == "cert-manager")