How to allow security group to attach to load balancer with the baseline install? #682
Description
Viya4 Deployment Version Details
9.1.0
Ansible Variable File Details
DEPLOY: true # Set to false to stop at generating the manifest
LOADBALANCER_SOURCE_RANGES: ["10.177.21.0/24", "10.177.23.0/24"]
V4_DEPLOYMENT_OPERATOR_ENABLED: false
#V4_DEPLOYMENT_OPERATOR_SCOPE: "cluster"
#V4_DEPLOYMENT_OPERATOR_NAMESPACE: "sasoperator"
## Cloud
PROVIDER: aws
CLUSTER_NAME: 'sas4viya-nonprod-eks'
NAMESPACE: 'sasviya'
## Jump server
#JUMP_SVR_HOST: <IP address or FQDN for the jump server host>
#JUMP_SVR_USER: <SSH user to access the jump server host>
#JUMP_SVR_PRIVATE_KEY: <Path to the SSH user's private key to access the jump server host>
#JUMP_SVR_RWX_FILESTORE_PATH: '/viya-share'
## Storage
V4_CFG_MANAGE_STORAGE: true
V4_CFG_STORAGECLASS: 'sas'
V4_CFG_RWX_FILESTORE_PATH: '/pvs'
V4_CFG_RWX_FILESTORE_DATA_PATH: '/pvs/sasviya/data'
V4_CFG_RWX_FILESTORE_HOMES_PATH: '/pvs/sasviya/homes'
## SAS Software Order
V4_CFG_ORDER_NUMBER: 'xxx'
V4_CFG_CADENCE_NAME: lts
V4_CFG_CADENCE_VERSION: '2025.03'
V4_CFG_DEPLOYMENT_ASSETS: '/data/asset/SASViyaV4_xxx_deploymentAssets_1758669105143.tgz'
V4_CFG_LICENSE: '/data/asset/SASViyaV4_xxx_license.jwt'
V4_CFG_CERTS: '/data/asset/SASViyaV4_xxx_certs.zip'
## CR Access
#V4_CFG_CR_USER: <container_registry_user>
#V4_CFG_CR_PASSWORD: <container_registry_password>
#V4_CFG_CR_URL: <Container registry server>
## Ingress
V4_CFG_INGRESS_TYPE: 'ingress'
V4_CFG_INGRESS_FQDN: 'example.com'
V4_CFG_INGRESS_MODE: 'private'
INGRESS_NGINX_CHART_VERSION: '4.12.4'
V4_CFG_AWS_LB_SECURITY_GROUPS: ["sg-0af8d6b562579d051"]
V4_CFG_AWS_LB_SUBNETS: ["subnet-0f45aca7ee26490c8", "subnet-03c23d6e3adab2bd0"]
INGRESS_NGINX_AWS_LB_SUBNETS:
controller:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS | join(',') }}"
service.beta.kubernetes.io/aws-load-balancer-security-groups: "{{ V4_CFG_AWS_LB_SECURITY_GROUPS | join(',') }}"
## Postgres
V4_CFG_POSTGRES_SERVERS:
default:
internal: true
## TLS
V4_CFG_TLS_GENERATOR: openssl
V4_CFG_TLS_MODE: 'full-stack'
## CAS
V4_CFG_CAS_WORKER_COUNT: '2'
## SAS/CONNECT
V4_CFG_CONNECT_ENABLE_LOADBALANCER: false
## Viya Start and Stop Schedule
## uncomment and update the values below with CronJob schedule expressions if you would
## like to start and stop your Viya Deployment on a schedule
# V4_CFG_VIYA_START_SCHEDULE: "0 7 * * 1-5"
# V4_CFG_VIYA_STOP_SCHEDULE: "0 19 * * 1-5"
## misc
V4_CFG_EMBEDDED_LDAP_ENABLE: true
V4_CFG_CONSUL_ENABLE_LOADBALANCER: false
V4_CFG_ELASTICSEARCH_ENABLE: true
Steps to Reproduce
We used viya4-iac-aws to deploy the infrastructure and then this to deploy baseline.
docker run --rm \
-e http_proxy=$http_proxy \
-e https_proxy=$https_proxy \
-e no_proxy=$no_proxy \
-e HTTP_PROXY=$HTTP_PROXY \
-e HTTPS_PROXY=$HTTPS_PROXY \
-e NO_PROXY=$NO_PROXY \
--group-add root \
--user $(id -u):$(id -g) \
--volume /home/alext/git:/data \
--volume /home/alext/git/sas4viya-nonprod-eks/dac-vars.yaml:/config/config \
--volume /home/alext/terraform/terraform.tfstate:/config/tfstate \
viya4-deployment --tags "baseline,install"
Expected Behavior
With the adding of INGRESS_NGINX_AWS_LB_SUBNETS, we thought the script will attach the given security group when creating the load balancer. We see the annotations have the security group but the load balancer does not have any security group attached.
Actual Behavior
Load balancer will have a given security group attached to it
Additional Context
Everything will need to go through proxy so we defined system variables like http_proxy, https_proxy, no_proxy, HTTP_PROXY, HTTPS_PROXY, NO_PROXY.
References
We looked at #616 but does not think it's applicable
Code of Conduct
- I agree to follow this project's Code of Conduct