feat: (IAC-897) Annotate NGINX to indicate the desired subnets to pro…

…vision LBs internal IP addrs from
sassoftware · Feb 8, 2024 · 357bbda · 357bbda
1 parent a5220c6
commit 357bbda
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
@@ -16,6 +16,7 @@ Supported configuration variables are listed in the table below.  All variables
   - [SAS API Access](#sas-api-access)
   - [Container Registry Access](#container-registry-access)
   - [Ingress](#ingress)
+  - [Load Balancer](#load-balancer)
   - [Monitoring and Logging](#monitoring-and-logging)
     - [Monitoring](#monitoring)
     - [Logging](#logging)
@@ -155,6 +156,13 @@ When V4_CFG_MANAGE_STORAGE is set to `true`, the `sas` and `pg-storage` storage
 | V4_CFG_INGRESS_FQDN | FQDN to the ingress for SAS Vya installation | string | | true | | viya |
 | V4_CFG_INGRESS_MODE | Whether to create a public or private Loadbalancer endpoint | string | "public" | false | Possible values: "public", "private". Setting this option to "private" adds options to the ingress controller that create a LoadBalancer with private IP address(es) only. | baseline |
 
+## Load Balancer
+
+| Name | Description | Type | Default | Required | Notes | Tasks |
+| :--- | ---: | ---: | ---: | ---: | ---: | ---: |
+| V4_CFG_AWS_LB_SUBNETS | The AWS subnets and by association the AWS availability zones to deploy the load balancing service to. Specifying a subnet value or values for this variable takes precedence over the Subnet Discovery method described in [AWS docs](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html) and eliminates the need to tag AWS subnets as documented in scenario 2 of this [table](https://github.com/sassoftware/viya4-iac-aws/blob/main/docs/user/BYOnetwork.md#supported-scenarios-and-requirements-for-using-existing-network-resources) | string | | false | The value is either a comma separated list of subnet IDs, or a comma separated list of subnet names. | baseline |
+
+
 ## Monitoring and Logging
 
 | Name | Description | Type | Default | Required | Notes | Tasks |

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
@@ -7,6 +7,7 @@ V4_CFG_RWX_FILESTORE_PATH: /export
 V4_CFG_INGRESS_TYPE: ingress
 V4_CFG_INGRESS_MODE: public
 V4_CFG_MANAGE_STORAGE: true
+V4_CFG_AWS_LB_SUBNETS: ""
 
 ## Cert-manager
 CERT_MANAGER_NAME: cert-manager
@@ -81,6 +82,13 @@ INGRESS_NGINX_AWS_NLB_CONFIG:
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-type: nlb
 
+# Update LB for AWS, specify subnets to allocate internal IPs from
+INGRESS_NGINX_AWS_LB_SUBNETS:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS }}"
+
 # Ingress-nginx - CVE-2021-25742 Mitigation
 INGRESS_NGINX_CVE_2021_25742_PATCH:
   controller:

diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
@@ -46,6 +46,16 @@
     - install
     - update
 
+- name: Update INGRESS_NGINX_CONFIG annotations to include INGRESS_NGINX_AWS_LB_SUBNETS
+  set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_AWS_LB_SUBNETS, recursive=True) }}"
+  when:
+    - PROVIDER == "aws"
+    - V4_CFG_AWS_LB_SUBNETS|length != 0
+  tags:
+    - install
+    - update
+
 - name: Update INGRESS_NGINX_CONFIG to add Azure load-balancer health probe request path
   set_fact:
     INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_AZURE_LB_HEALTH_PROBE_CONFIG, recursive=True) }}"