How to allow security group to attach to load balancer with the baseline install? #682

@xelat

Description

Viya4 Deployment Version Details

9.1.0

Ansible Variable File Details

DEPLOY: true # Set to false to stop at generating the manifest
LOADBALANCER_SOURCE_RANGES: ["10.177.21.0/24", "10.177.23.0/24"]
V4_DEPLOYMENT_OPERATOR_ENABLED: false
#V4_DEPLOYMENT_OPERATOR_SCOPE: "cluster"
#V4_DEPLOYMENT_OPERATOR_NAMESPACE: "sasoperator"

## Cloud
PROVIDER: aws
CLUSTER_NAME: 'sas4viya-nonprod-eks'
NAMESPACE: 'sasviya'

## Jump server
#JUMP_SVR_HOST: <IP address or FQDN for the jump server host>
#JUMP_SVR_USER: <SSH user to access the jump server host>
#JUMP_SVR_PRIVATE_KEY: <Path to the SSH user's private key to access the jump server host>
#JUMP_SVR_RWX_FILESTORE_PATH: '/viya-share'

## Storage
V4_CFG_MANAGE_STORAGE: true
V4_CFG_STORAGECLASS: 'sas'
V4_CFG_RWX_FILESTORE_PATH: '/pvs'
V4_CFG_RWX_FILESTORE_DATA_PATH: '/pvs/sasviya/data'
V4_CFG_RWX_FILESTORE_HOMES_PATH: '/pvs/sasviya/homes'

## SAS Software Order
V4_CFG_ORDER_NUMBER: 'xxx'
V4_CFG_CADENCE_NAME: lts
V4_CFG_CADENCE_VERSION: '2025.03'
V4_CFG_DEPLOYMENT_ASSETS: '/data/asset/SASViyaV4_xxx_deploymentAssets_1758669105143.tgz'
V4_CFG_LICENSE: '/data/asset/SASViyaV4_xxx_license.jwt'
V4_CFG_CERTS: '/data/asset/SASViyaV4_xxx_certs.zip'

## CR Access
#V4_CFG_CR_USER: <container_registry_user>
#V4_CFG_CR_PASSWORD: <container_registry_password>
#V4_CFG_CR_URL: <Container registry server>

## Ingress
V4_CFG_INGRESS_TYPE: 'ingress'
V4_CFG_INGRESS_FQDN: 'example.com'
V4_CFG_INGRESS_MODE: 'private'
INGRESS_NGINX_CHART_VERSION: '4.12.4'
V4_CFG_AWS_LB_SECURITY_GROUPS: ["sg-0af8d6b562579d051"]
V4_CFG_AWS_LB_SUBNETS: ["subnet-0f45aca7ee26490c8", "subnet-03c23d6e3adab2bd0"]
INGRESS_NGINX_AWS_LB_SUBNETS:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS | join(',') }}"
        service.beta.kubernetes.io/aws-load-balancer-security-groups: "{{ V4_CFG_AWS_LB_SECURITY_GROUPS | join(',') }}"

## Postgres
V4_CFG_POSTGRES_SERVERS:
  default:
    internal: true

## TLS
V4_CFG_TLS_GENERATOR: openssl
V4_CFG_TLS_MODE: 'full-stack'

## CAS
V4_CFG_CAS_WORKER_COUNT: '2'

## SAS/CONNECT
V4_CFG_CONNECT_ENABLE_LOADBALANCER: false

## Viya Start and Stop Schedule
## uncomment and update the values below with CronJob schedule expressions if you would
## like to start and stop your Viya Deployment on a schedule
# V4_CFG_VIYA_START_SCHEDULE: "0 7 * * 1-5"
# V4_CFG_VIYA_STOP_SCHEDULE: "0 19 * * 1-5"

## misc
V4_CFG_EMBEDDED_LDAP_ENABLE: true
V4_CFG_CONSUL_ENABLE_LOADBALANCER: false
V4_CFG_ELASTICSEARCH_ENABLE: true

Steps to Reproduce

We used viya4-iac-aws to deploy the infrastructure and then this to deploy baseline.

docker run --rm \
  -e http_proxy=$http_proxy \
  -e https_proxy=$https_proxy \
  -e no_proxy=$no_proxy \
  -e HTTP_PROXY=$HTTP_PROXY \
  -e HTTPS_PROXY=$HTTPS_PROXY \
  -e NO_PROXY=$NO_PROXY \
  --group-add root \
  --user $(id -u):$(id -g) \
  --volume /home/alext/git:/data \
  --volume /home/alext/git/sas4viya-nonprod-eks/dac-vars.yaml:/config/config \
  --volume /home/alext/terraform/terraform.tfstate:/config/tfstate \
  viya4-deployment --tags "baseline,install"

Expected Behavior

With the addition of INGRESS_NGINX_AWS_LB_SUBNETS, we thought the script would attach the given security group when creating the load balancer. We see the annotations have the security group, but the load balancer does not have any security group attached.

Actual Behavior

Load balancer will have a given security group attached to it

Additional Context

Everything needs to go through a proxy, so we defined system variables like http_proxy, https_proxy, no_proxy, HTTP_PROXY, HTTPS_PROXY, NO_PROXY.

References

We looked at #616 but do not think it is applicable.
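An added verification script, written for this page and not part of the issue or of the viya4-deployment project: it reproduces the `| join(',')` rendering of the two load-balancer annotations from the vars file above and then compares what the Service asks for with what AWS reports as actually attached to the load balancer. The security group and subnet ids are the ones from the vars file; the Service name, namespace, load balancer DNS name, load balancer type and the two JSON documents are constructed samples shaped like `kubectl get svc -o json` and `aws elbv2 describe-load-balancers` output, and the sample deliberately mirrors the reported symptom (subnets correct, no security group attached).

```python
"""Audit whether the AWS load balancer behind a Kubernetes Service of type
LoadBalancer actually carries the security groups and subnets named in the
Service's aws-load-balancer-* annotations. Added example; not project code."""
import json
from typing import Dict, List, Optional

SG_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-security-groups"
SUBNET_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-subnets"


def render_annotations(security_groups: List[str], subnets: List[str]) -> Dict[str, str]:
    """Reproduce the `| join(',')` filter from the vars file so the expected
    annotation strings can be compared with what lands on the Service."""
    return {
        SUBNET_ANNOTATION: ",".join(subnets),
        SG_ANNOTATION: ",".join(security_groups),
    }


def split_annotation(value: str) -> List[str]:
    """Turn a comma-joined annotation value back into a list of ids,
    tolerating stray whitespace and empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def find_load_balancer(describe_output: dict, dns_name: str) -> Optional[dict]:
    """Match the Service's external hostname to one entry in
    `aws elbv2 describe-load-balancers` output (keyed on DNSName)."""
    for lb in describe_output.get("LoadBalancers", []):
        if lb.get("DNSName") == dns_name:
            return lb
    return None


def audit_load_balancer(service: dict, describe_output: dict) -> dict:
    """Compare annotation intent with the attached AWS resources.
    Missing lists are empty when everything the Service asked for is present."""
    annotations = service.get("metadata", {}).get("annotations", {})
    expected_sgs = split_annotation(annotations.get(SG_ANNOTATION, ""))
    expected_subnets = split_annotation(annotations.get(SUBNET_ANNOTATION, ""))

    ingress = service.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    hostname = ingress[0].get("hostname", "") if ingress else ""
    lb = find_load_balancer(describe_output, hostname) if hostname else None

    # An NLB created without security groups simply has no SecurityGroups key.
    attached_sgs = list(lb.get("SecurityGroups", [])) if lb else []
    attached_subnets = [az.get("SubnetId") for az in lb.get("AvailabilityZones", [])] if lb else []

    return {
        "lb_found": lb is not None,
        "lb_type": lb.get("Type") if lb else None,
        "expected_security_groups": expected_sgs,
        "attached_security_groups": attached_sgs,
        "missing_security_groups": sorted(set(expected_sgs) - set(attached_sgs)),
        "missing_subnets": sorted(set(expected_subnets) - set(attached_subnets)),
    }


# Constructed sample: the ingress-nginx controller Service as `kubectl get svc
# -n ingress-nginx ingress-nginx-controller -o json` would show it, carrying the
# annotations rendered from the ids in the vars file. Name, namespace and
# hostname are placeholders.
SAMPLE_SERVICE = {
    "metadata": {
        "name": "ingress-nginx-controller",
        "namespace": "ingress-nginx",
        "annotations": render_annotations(
            ["sg-0af8d6b562579d051"],
            ["subnet-0f45aca7ee26490c8", "subnet-03c23d6e3adab2bd0"],
        ),
    },
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["10.177.21.0/24", "10.177.23.0/24"],
    },
    "status": {"loadBalancer": {"ingress": [{"hostname": "EXAMPLE-LB-DNS.elb.amazonaws.com"}]}},
}

# Constructed sample: `aws elbv2 describe-load-balancers` output for that load
# balancer, mirroring the reported symptom: subnets correct, no SecurityGroups.
# The load balancer type is an assumption, not something the issue states.
SAMPLE_DESCRIBE = {
    "LoadBalancers": [
        {
            "DNSName": "EXAMPLE-LB-DNS.elb.amazonaws.com",
            "Type": "network",
            "Scheme": "internal",
            "AvailabilityZones": [
                {"SubnetId": "subnet-0f45aca7ee26490c8"},
                {"SubnetId": "subnet-03c23d6e3adab2bd0"},
            ],
        }
    ]
}

REPORT = audit_load_balancer(SAMPLE_SERVICE, SAMPLE_DESCRIBE)

if __name__ == "__main__":
    print(json.dumps(REPORT, indent=2))
```

Against a live cluster, replace the two samples with the parsed output of the `kubectl get svc ... -o json` and `aws elbv2 describe-load-balancers` commands; a non-empty `missing_security_groups` with an empty `missing_subnets` is exactly the state described in this issue, where the annotation was rendered correctly but never took effect on the load balancer. The source ranges from LOADBALANCER_SOURCE_RANGES are carried in `spec.loadBalancerSourceRanges` and are a separate control from the security group annotation, so one being honoured does not imply the other is.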

Labels

bug, new, stale