Added OpenShift GCP supplemental values #237
Conversation
getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
getting-started/templates/OpenShift/openshift_supplemental_values.yaml
Outdated
Show resolved
Hide resolved
| - name: cloud-sql-auth-proxy | ||
| image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 | ||
| volumeMounts: | ||
| # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. |
There was a problem hiding this comment.
Isn't this token volume mount only required for workload identity?
There was a problem hiding this comment.
Yes, added comment for the same
| secret: | ||
| secretName: <secret-name> # <ATTENTION> - Enter the secret name where config.json is added. | ||
|
|
||
| connectionInfo: |
There was a problem hiding this comment.
Looks like these are not the right values for grafana.
Check here
There was a problem hiding this comment.
The values for grafana database have been modified
| serviceTCP: | ||
| type: LoadBalancer | ||
|
|
||
| nbexecservice: |
There was a problem hiding this comment.
nbexec (has direct s3 dependency), dfs and dremio in dfs too have GCS dependency. Can we also include them?
There was a problem hiding this comment.
Added s3 dependency for nbexecservice. The GCS guide has not been included in this PR for DFS as the support is not fully available yet. Refer PR description for more info.
| argo: | ||
| ## Configure GCS access. | ||
| ## | ||
| artifactRepository: |
There was a problem hiding this comment.
s3 dependency for Argo in nbexec is no longer required. We can remove this
| ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern | ||
| sidecars: | ||
| - name: cloud-sql-auth-proxy | ||
| image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 |
There was a problem hiding this comment.
lets remove the tag from here and replace with a placeholder and attention comment
| - name: cloud-sql-auth-proxy | ||
| image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 | ||
| volumeMounts: | ||
| # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file. |
There was a problem hiding this comment.
| # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file. | |
| # This volume mount is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. |
| - name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is available | ||
| mountPath: <token-mount-path> # <ATTENTION> - Enter the path where the token should be mounted | ||
| readOnly: true | ||
| # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation. |
There was a problem hiding this comment.
| # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation. | |
| # This volume mount is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. |
| mountPath: /secrets/ | ||
| readOnly: true | ||
| env: | ||
| # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. |
There was a problem hiding this comment.
Lets use Cloud SQL in all places instead of 'cloudSQL'
| env: | ||
| # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. | ||
| - name: "GOOGLE_APPLICATION_CREDENTIALS" | ||
| value: /secrets/<secret-key> # <ATTENTION> - Enter the file name which was used as the key while creating the secret |
There was a problem hiding this comment.
| value: /secrets/<secret-key> # <ATTENTION> - Enter the file name which was used as the key while creating the secret | |
| value: /secrets/<secret-key> # <ATTENTION> - Enter the config json file name which was used as the key while creating the secret |
|
|
||
| # The credentials file is required for the proxy to authenticate using a service account key file. | ||
| # Not required if Workload Identity federation is used for authentication. | ||
| - "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the file name which was used as the key while creating the secret |
There was a problem hiding this comment.
| - "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the file name which was used as the key while creating the secret | |
| - "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the service account key file name which was used as the key while creating the secret |
|
|
||
| ## Extra volumes that can be used in sidecars | ||
| extraVolumes: | ||
| # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. |
There was a problem hiding this comment.
update the comments as already suggested in the mounts
| audience: <audience-name> # <ATTENTION> - Enter the audience name for the projected service account token | ||
| expirationSeconds: 3600 | ||
| path: token | ||
| # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. |
There was a problem hiding this comment.
update the comment as suggested in mounts.
Also this is for both sa key file and WIF config json
| host: "storage.googleapis.com" | ||
| region: <region> # <ATTENTION> - Enter the region where the GCS bucket is located | ||
|
|
||
| saltmaster: |
There was a problem hiding this comment.
is this expected to change based on the cloud provider?
What does this Pull Request accomplish?
The supplemental values for GCP and OpenShift has been added with examples for GCS Storage and adding cloud SQL auth proxy container.
Note: GCS support is not yet added to dataframe service as the service uses S3 DeleteObjects API which is not supported by GCS S3 interoperable XML API, refer this for more information. The respective documentation for the dataframe service will be updated once we add this support.
Why should this Pull Request be merged?
This acts as an additional values file while SLE is installed in Openshift cluster or GKE cluster on GCP
What testing has been done?
NA