Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Home
- /
- About N224
12-22-2023
N224
Obsidian | Level 7
Member since
02-14-2020
- 17 Posts
- 1 Likes Given
- 2 Solutions
- 7 Likes Received
-
Latest posts by N224
Subject Views Posted 3112 11-11-2021 03:33 AM 3231 11-08-2021 09:58 AM 2996 11-07-2021 06:34 PM 1233 11-07-2021 06:33 PM 3378 11-07-2021 06:32 PM 1262 11-07-2021 03:09 PM 3061 11-04-2021 03:40 AM 3089 11-03-2021 09:06 PM 3143 11-02-2021 04:52 PM 3188 11-02-2021 04:39 PM -
Activity Feed for N224
- Got a Like for [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :). 11-23-2021 08:32 AM
- Got a Like for [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :). 11-16-2021 02:07 PM
- Posted Re: [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :) on Administration and Deployment. 11-11-2021 03:33 AM
- Posted Re: [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :) on Administration and Deployment. 11-08-2021 09:58 AM
- Got a Like for [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :). 11-08-2021 03:21 AM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-07-2021 06:34 PM
- Posted Re: Deploy SAS Viya 4 on Oracle Cloud on Administration and Deployment. 11-07-2021 06:33 PM
- Posted [VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script, Locally or in cloud :) on Administration and Deployment. 11-07-2021 06:32 PM
- Posted Re: Deploy SAS Viya 4 on Oracle Cloud on Administration and Deployment. 11-07-2021 03:09 PM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-04-2021 03:40 AM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-03-2021 09:06 PM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-02-2021 04:52 PM
- Liked Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error for gwootton. 11-02-2021 04:51 PM
- Got a Like for Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error. 11-02-2021 04:48 PM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-02-2021 04:39 PM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-02-2021 02:42 PM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-02-2021 03:34 AM
- Posted Re: VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 11-02-2021 03:31 AM
- Got a Like for VIYA4 SingleMachineDeployment Script | sas-consul-client secret error. 10-31-2021 09:58 PM
- Posted VIYA4 SingleMachineDeployment Script | sas-consul-client secret error on Administration and Deployment. 10-31-2021 06:20 PM
-
Posts I Liked
Subject Likes Author Latest Post 1 -
My Liked Posts
Subject Likes Posted 3 11-07-2021 06:32 PM 2 11-02-2021 04:39 PM 1 10-31-2021 06:20 PM 1 02-23-2020 06:03 AM
11-11-2021
03:33 AM
Hey @gwootton , I've reviewed configuration and :
1. Line with kubectl apply -f CAAtuhority.yaml could be disabled in order to prevent creating sandbox namespace with custom CA and sas-viya-issuer
2. I haven't found any official clues about kustomize version, where did you find that ? I looked through 2021.1.6 deployment guide and found none.
In some days I will open project on gitlab with scripts 🙂
... View more
11-08-2021
09:58 AM
I will look into documentation and verify scripts, if some steps should be changed - I'll update it 😉
... View more
11-07-2021
06:34 PM
[VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script,... - SAS Support Communities
here comes full script
... View more
11-07-2021
06:33 PM
[VIYA4] Deploy Viya 4 Anywhere - Tutorial, Script,... - SAS Support Communities
I posted it 🙂 check this out
... View more
11-07-2021
06:32 PM
3 Likes
This article is designed to share an idea of testing/working with Viya4 on custom made environments, locally, in cloud, or wherever.
First of all prepare 4 VMs, 12 vCPU, 24 GB RAM each. Ubuntu 20.04 LTS. Here's my example:
# 1. VMKUB01 Master node : Ubuntu 20.04 LTS, 500 GB Storage Space, 24 GB RAM, 12 vCPU
# 2. VMKUB02 Worker node 1 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 3. VMKUB03 Worker node 2 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 4. VMKUB03 Worker node 3 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
You cannot deploy Viya4 on single machine, kubernetes doesn't allow to run 110+ pods on one node :). You could use whole script or do this step by step to better understand what's going on.
Remember that 80% is preparing cluster.. 20% is Viya files configuration and deployment.
Scripts and whole idea are designed in some steps:
Prepare VMs.
Prepare files from portal.
1st Script on master node:
# Step 1 , preinstall
# Step 2 , Kubernets install
# Step 3, turn off swap
# Step 4, OS Tuning
# Step 5, Installing more packets
# Step 6, Docker install
# Step 7, create kubernetes cluster
# Step 8, Install kubernetes networking - calico and metallb
# Step 9, Install helm
# Step 10, Install ingress
# Step 11, Install and configure NFS Server
# Step 12, Install NFS Subdir External Provisoiner
# Step 13, Creating pod security policies
# Step 14, check if NFS works
# Step 15, SCP files to workers
Script on each worker node:
# Step 1 , preinstall
# Step 2 , Kubernets install
# Step 3, turn off swap
# Step 4, OS Tuning
# Step 5, Installing more packets
# Step 6, Docker install
# Step 7, Joining kubernetes cluster
Now you should be able to list working nodes
sudo su -l root
root@vmkub01:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
vmkub01 Ready control-plane,master 2d15h v1.21.5
vmkub02 Ready <none> 2d15h v1.21.5
vmkub03 Ready <none> 2d15h v1.21.5
vmkub04 Ready <none> 2d15h v1.21.5
Install portainer (it's quite helpful)
root@vmkub01:~# kubectl get all -n portainer
NAME READY STATUS RESTARTS AGE
pod/portainer-5d6dbf85dd-2mdtl 1/1 Running 1 2d15h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/portainer LoadBalancer 10.111.183.207 10.0.110.101 9000:31659/TCP,9443:31248/TCP,8000:30691/TCP 2d15h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/portainer 1/1 1 1 2d15h
NAME DESIRED CURRENT READY AGE
replicaset.apps/portainer-5d6dbf85dd 1 1 1 2d15h
2nd Script on Master node:
# Step 1, Install Kustomize
# Step 2, Install CertManager
# Step 3, Create CA and Issuer with CertManager for full-TLS deployment
# Step 4, deploying operator
# Step 5, building directory structure
# Step 6, Installation
# Namespace
# Ingress
# TLS
# StorageClass
# License
# SAS Orchestration
# Install
After some time check status of sasoperator with
kubectl -n sasoperator get sasdeployment
root@vmkub01:~# kubectl -n sasoperator get sasdeployment
NAME STATE CADENCENAME CADENCEVERSION CADENCERELEASE AGE
sas-viya SUCCEEDED stable 2021.1.6 20211104.1636065570555 2d11h
I really enjoyed watching progress with portainer 🙂
Prepare deployment files from portal (mine are):
License file : SASViyaV4_9XXXXX_0_stable_2021.1.6_license_2021-10-21T071701.jwt
Certs file : SASViyaV4_9XXXXX_certs.zip
TGZ file : SASViyaV4_9XXXXX_0_stable_2021.1.6_20211020.1634741786565_deploymentAssets_2021-10-21T071710.tgz
At the installation time use same account (it helps a lot) with same pw at each machine. My account is called gabos
After successful OS installation log in via ssh by your account on Master node.
Copy via scp or any other manager your deployment files to /home/gabos/ (your account ofc)
Edit new file (vi script.sh), paste whole script below and edit it with your needs (variables), make it executable (chmod +x script.sh), and run.
1st Script on master node :
#!/bin/bash
# This script is designed and released by Gabos Software, feel free to use it and make it better
## Configuration section, it has important variables in order to prepare whole environment.
# It's hardcoded for environemnt like :
# 1. VMKUB01 Master node : Ubuntu 20.04 LTS, 500 GB Storage Space, 24 GB RAM, 12 vCPU
# 2. VMKUB02 Worker node 1 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 3. VMKUB03 Worker node 2 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 4. VMKUB03 Worker node 3 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# I prepared all OSes with user account called "gabos"
# HOST
export NAZWADNS="vmkub01.local" # This is the dns name by that you want to connect to your website , you will access SAS Viya only by this name like https://vmkub01.local , remember that this name should resolv loadbalancer IP address at the host station connection to Viya
export KUBEJOIN="/home/gabos/KUBEJOIN.log" # This is path used where would be located file with kubernetes access token
# NFS :
export STORAGEFOLDER="/home/saspodstorage" # This folder would be created in order to store presistents volumes for NFS server
export NFSRULES="*(rw,sync,no_subtree_check,crossmnt,fsid=0)" # you shouldn't touch this
export NFSNETWORK="10.0.110.0/24" # it's no longer used, NFS would be accessbile "world"-style
export NFSSERVER="10.0.110.95" # This is yout VMKUB01 - master node, nfs server IP
# NODES :
export WORKER1="10.0.110.96" # first worker node
export WORKER1DNS="vmkub02.local" # it wouldn't be used but in any case - fill this
export WORKER2="10.0.110.97" # second worker node
export WORKER2DNS="vmkub03.local" # it wouldn't be used but in any case - fill this
export WORKER3="10.0.110.98" # third worker node
export WORKER3DNS="vmkub04.local" # it wouldn't be used but in any case - fill this
export KUBEJOINREMOTE1="gabos@$WORKER1:/home/gabos/KUBEJOIN.log" # here is path for kubejoin.log file in worker1, te file will be send via scp from master to worker
export KUBEJOINREMOTE2="gabos@$WORKER2:/home/gabos/KUBEJOIN.log" # here is path for kubejoin.log file in worker2, te file will be send via scp from master to worker
export KUBEJOINREMOTE3="gabos@$WORKER3:/home/gabos/KUBEJOIN.log" # here is path for kubejoin.log file in worker3, te file will be send via scp from master to worker
# KUBERNETES :
export NETWORKCIDR="192.168.0.0/16" # this is inner kubernetes network, used when kubeadm create command goes in
export NETWORKADDR="10.0.110.95" # should me the same as NFSSERVER , it's master node IP Address
export METALLBADDR="10.0.110.100-10.0.110.120" # you should provide some addresses for load balancers, this ip will be used for ingress nginx to route your traffic.
export SASNAMESPACE="sasoperator" # this is namespace for sasoperator and sas deployment, you shouldn't change it
# -------------------------------------------------------------------------------------------------------------------------------------
# !!!!!!!!!!! DO NOT TOUCH THE VARIABLES BELOW !!!!!!!!!!!!
export PREINST1="vim git curl wget pip apt-transport-https nfs-common"
export PREINST2="gnupg2 software-properties-common ca-certificates"
export DOCKERINST="containerd.io docker-ce docker-ce-cli"
export KUBEVERSION="1.21.5-00"
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Step 1 , preinstall
echo -e "Preinstalling \v packets\v"
sudo apt update
sudo apt -y install $PREINST1
clear
# --------------------------------------------------------
# Step 2 , Kubernets install
echo -e "Installing kubernetes\v"
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt-get install -y kubelet=$KUBEVERSION kubectl=$KUBEVERSION kubeadm=$KUBEVERSION
sudo apt-mark hold kubelet kubeadm kubectl
clear
# --------------------------------------------------------
# Step 3, turn off swap
echo -e "Turning\v off\v SWAPu\v"
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
sudo swapoff -a
clear
# --------------------------------------------------------
# Step 4, OS Tuning
echo -e "Tuning\v OS\v"
sudo modprobe overlay
sudo modprobe br_netfilter
sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system
clear
# --------------------------------------------------------
# Step, 5 Installing more packets
echo -e "Installing \v packets 2 \v"
sudo apt install -y $PREINST2
clear
# --------------------------------------------------------
# Step 6, Docker install
echo -e "Installing \v Docker\v"
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y $DOCKERINST
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl enable docker
clear
# --------------------------------------------------------
# Step 7, create kubernetes cluster
echo -e "Rozpoczynam\v konfigurajce\v Kubernetes\v"
sudo systemctl enable kubelet
sudo kubeadm config images pull
sudo kubeadm init --pod-network-cidr=$NETWORKCIDR --apiserver-advertise-address=$NETWORKADDR >> $KUBEJOIN
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
echo "export KUBECONFIG=$HOME/.kube/config" | tee -a ~/.bashrc
clear
# --------------------------------------------------------
# Step 8, Install kubernetes networking - calico and metallb
echo -e "Kubernets \v configuration\v"
wget https://docs.projectcalico.org/manifests/calico.yaml
kubectl apply -f calico.yaml
kubectl taint nodes --all node-role.kubernetes.io/master-
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.3/manifests/namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.3/manifests/metallb.yaml
sudo tee metallbcm.yml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
namespace: metallb-system
name: config
data:
config: |
address-pools:
- name: default
protocol: layer2
addresses:
- $METALLBADDR
EOF
kubectl create -f metallbcm.yml
clear
# --------------------------------------------------------
# Step 9, Install helm
echo -e "Installing\v HELM\v"
curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
clear
# --------------------------------------------------------
# Step 10, Install ingress
echo -e "Ingress\v Nginx 0.43 \v"
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.43.0/deploy/static/provider/baremetal/deploy.yaml
sed -i 's/NodePort/LoadBalancer/g' deploy.yaml
kubectl create ns ingress-nginx
kubectl apply -f deploy.yaml
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=180s
clear
# --------------------------------------------------------
# Step 11, Install and configure NFS Server
echo -e "NFS \v"
sudo apt -y install nfs-kernel-server
sudo cat /proc/fs/nfsd/versions
sudo mkdir -p /srv/nfs4/nfs-share
sudo mkdir -p $STORAGEFOLDER
sudo mount --bind $STORAGEFOLDER /srv/nfs4/nfs-share
sudo echo "$STORAGEFOLDER /srv/nfs4/nfs-share none bind 0 0" >> /etc/fstab
sudo mount -a
sudo ufw allow from $NFSNETWORK to any port nfs
sudo echo "/srv/nfs4/nfs-share $NFSRULES" >> /etc/exports
sudo chmod 777 -R $STORAGEFOLDER
sudo exportfs -ar
sudo exportfs -v
sudo systemctl restart nfs-server
sleep 1m
clear
# --------------------------------------------------------
# Step 12, Install NFS Subdir External Provisoiner
kubectl create ns $SASNAMESPACE
echo -e "NFS \v Subdir \v Subdir \v External \v Provisioner"
helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
helm repo update
helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
--set nfs.server=$NFSSERVER \
--set nfs.path=/srv/nfs4/nfs-share \
--set storageClass.defaultClass=true \
--set storageClass.accessModes=ReadWriteMany \
--namespace $SASNAMESPACE
# --------------------------------------------------------
# Step 13, Creating pod security policies
echo -e "PSP\v"
tee psp-privileged.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
EOF
tee psp-baseline.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: baseline
annotations:
# Optional: Allow the default AppArmor profile, requires setting the default.
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
# The moby default capability set, minus NET_RAW
allowedCapabilities:
- 'CHOWN'
- 'DAC_OVERRIDE'
- 'FSETID'
- 'FOWNER'
- 'MKNOD'
- 'SETGID'
- 'SETUID'
- 'SETFCAP'
- 'SETPCAP'
- 'NET_BIND_SERVICE'
- 'SYS_CHROOT'
- 'KILL'
- 'AUDIT_WRITE'
# Allow all volume types except hostpath
volumes:
# 'core' volume types
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'csi'
- 'persistentVolumeClaim'
- 'ephemeral'
# Allow all other non-hostpath volume types.
- 'awsElasticBlockStore'
- 'azureDisk'
- 'azureFile'
- 'cephFS'
- 'cinder'
- 'fc'
- 'flexVolume'
- 'flocker'
- 'gcePersistentDisk'
- 'gitRepo'
- 'glusterfs'
- 'iscsi'
- 'nfs'
- 'photonPersistentDisk'
- 'portworxVolume'
- 'quobyte'
- 'rbd'
- 'scaleIO'
- 'storageos'
- 'vsphereVolume'
hostNetwork: false
hostIPC: false
hostPID: false
readOnlyRootFilesystem: false
runAsUser:
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
# The PSP SELinux API cannot express the SELinux Pod Security Standards,
# so if using SELinux, you must choose a more restrictive default.
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
EOF
tee psp-restricted.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'csi'
- 'persistentVolumeClaim'
- 'ephemeral'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
EOF
kubectl apply -f psp-restricted.yaml
kubectl apply -f psp-baseline.yaml
kubectl apply -f psp-privileged.yaml
kubectl get psp restricted -o custom-columns=NAME:.metadata.name,"SECCOMP":".metadata.annotations.seccomp\.security\.alpha\.kubernetes\.io/allowedProfileNames"
clear
# --------------------------------------------------------
# Step 14, check if NFS works
sudo tee test-pod.yaml << EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: test-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-client
resources:
requests:
storage: 1Mi
---
kind: Pod
apiVersion: v1
metadata:
name: test-pod
spec:
containers:
- name: test-pod
image: gcr.io/google_containers/busybox:1.24
command:
- "/bin/sh"
args:
- "-c"
- "touch /mnt/SUCCESS && exit 0 || exit 1"
volumeMounts:
- name: nfs-pvc
mountPath: "/mnt"
restartPolicy: "Never"
volumes:
- name: nfs-pvc
persistentVolumeClaim:
claimName: test-claim
EOF
kubectl apply -f test-pod.yaml -n sasoperator
sleep 1m
kubectl describe pod test-pod -n sasoperator
clear
# --------------------------------------------------------
# Step 15, SCP files to workers
scp $KUBEJOIN $KUBEJOINREMOTE1
scp $KUBEJOIN $KUBEJOINREMOTE2
scp $KUBEJOIN $KUBEJOINREMOTE3
# --------------------------------------------------------
1st Script on each worker :
#!/bin/bash
# This script is designed and released by Gabos Software, feel free to use it and make it better
## Configuration section, it has important variables in order to prepare whole environment.
# It's hardcoded for environemnt like :
# 1. VMKUB01 Master node : Ubuntu 20.04 LTS, 500 GB Storage Space, 24 GB RAM, 12 vCPU
# 2. VMKUB02 Worker node 1 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 3. VMKUB03 Worker node 2 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 4. VMKUB03 Worker node 3 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# I prepared all OSes with user account called "gabos"
# HOST
export KUBEJOIN="/home/gabos/KUBEJOIN.log" # local path to kubejoin file (scped before)
# !!!!!!!!!!! DO NOT TOUCH THE VARIABLES BELOW !!!!!!!!!!!!
export PREINST1="vim git curl wget pip apt-transport-https nfs-common"
export PREINST2="gnupg2 software-properties-common ca-certificates"
export DOCKERINST="containerd.io docker-ce docker-ce-cli"
export KUBEVERSION="1.21.5-00"
# -----------------------------------------------------------------
# Step 1 , preinstall
echo -e "Preinstall\v 1\v"
sudo apt update
sudo apt -y install $PREINST1
clear
# Step 2 , Kubernets install
echo -e "Installing kubernetes\v"
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt-get install -y kubelet=$KUBEVERSION kubectl=$KUBEVERSION kubeadm=$KUBEVERSION
sudo apt-mark hold kubelet kubeadm kubectl
clear
# --------------------------------------------------------
# Step 3, turn off swap
echo -e "Turning\v off\v SWAPu\v"
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
sudo swapoff -a
clear
# --------------------------------------------------------
# Step 4, OS Tuning
echo -e "Tuning\v OS\v"
sudo modprobe overlay
sudo modprobe br_netfilter
sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system
clear
# --------------------------------------------------------
# Step, 5 Installing more packets
echo -e "Installing \v packets 2 \v"
sudo apt install -y $PREINST2
clear
# --------------------------------------------------------
# Step 6, Docker install
echo -e "Installing \v Docker\v"
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y $DOCKERINST
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl enable docker
clear
# --------------------------------------------------------
# Step 7, joining kubernetes cluster
echo -e "Joining \v kuberenets cluster\v"
sudo systemctl enable kubelet
cat $KUBEJOIN | grep 'kubeadm join' -A 1$
export JOINCMD=$(cat $KUBEJOIN | grep 'kubeadm join' -A 1)
export JOINCMD=$(echo $JOINCMD | sed 's/\\//g')
sudo $JOINCMD
# --------------------------------------------------------
2nd Script on master node :
#!/bin/bash
# This script is designed and released by Gabos Software, feel free to use it and make it better
## Configuration section, it has important variables in order to prepare whole environment.
# It's hardcoded for environemnt like :
# 1. VMKUB01 Master node : Ubuntu 20.04 LTS, 500 GB Storage Space, 24 GB RAM, 12 vCPU
# 2. VMKUB02 Worker node 1 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 3. VMKUB03 Worker node 2 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# 4. VMKUB03 Worker node 3 : Ubuntu 20.04 LTS, 200 GB Storage Space, 24 GB RAM, 12 vCPU
# I prepared all OSes with user account called "gabos"
export NAZWADNS="vmkub01.local" # This is the dns name by that you want to connect to your website , you will access SAS Viya only by this name like https://vmkub01.local , remember that this name should resolv loadbalancer IP address at the host station connection to Viya
# Config
export SCIEZKA="/home/gabos" # work folder where are all the files
export PLIKDEPLOY="SASViyaV4_9XXXX_0_stable_2021.1.6_20211020.1634741786565_deploymentAssets_2021-10-21T071710.tgz" # tgz deploy file
export PLIKLICENCJA="SASViyaV4_9XXXX_0_stable_2021.1.6_license_2021-10-21T071701.jwt" # license file
export PLIKCERTS="SASViyaV4_9XXXX_certs.zip" # certs file
export SASNAMESPACE="sasoperator" # this is namespace for sasoperator and sas deployment, you shouldn't change it
export CADENCE="stable" # installation type, it could be lts or stable, read about it in documentation or just copy from deploy file name
export CADENCEVERSION="2021.1.6" # full version description, read about it in documentation or just copy from deploy file name
# all of the files should be in path called "SCIEZKA"
# Step 1, Install Kustomize
snap install kustomize
# Step 2, Install CertManager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.5.4 \
--set installCRDs=true
# Step 3, Create CA and Issuer with CertManager for full-TLS deployment
cd $SCIEZKA
kubectl create namespace sandbox
tee CAAuthority.yaml << EOF
apiVersion: v1
kind: Namespace
metadata:
name: sandbox
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: sandbox
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: sas-viya-issuer
namespace: sandbox
spec:
ca:
secretName: root-secret
EOF
kubectl apply -f CAAuthority.yaml -n sandbox
# Step 4, deploying operator
cd $SCIEZKA
mkdir operator-deploy
cp $PLIKDEPLOY operator-deploy
cd operator-deploy
tar xvfz $PLIKDEPLOY
cp -r sas-bases/examples/deployment-operator/deploy/* .
chmod +w site-config/transformer.yaml
# Zmiana wartosci dla namespace i clusterbinding
sed -i 's/{{ NAME-OF-CLUSTERROLEBINDING }}/sasoperator/g' site-config/transformer.yaml
sed -i 's/{{ NAME-OF-NAMESPACE }}/sasoperator/g' site-config/transformer.yaml
kustomize build . | kubectl -n sasoperator apply -f -
kubectl get all -n sasoperator
# ------------------
# Step 5, building directory structure
cd $SCIEZKA
mkdir deploy
cp $PLIKDEPLOY deploy
cd deploy
tar xvfz $PLIKDEPLOY
rm -rf $PLIKDEPLOY
mkdir site-config
# -------------------------
# Step 6, Installation
cd $SCIEZKA
cd deploy
tee kustomization.yaml << EOF
namespace: {{ NAME-OF-NAMESPACE }}
resources:
- sas-bases/base
- sas-bases/overlays/cert-manager-issuer
- sas-bases/overlays/network/networking.k8s.io
- sas-bases/overlays/cas-server
- sas-bases/overlays/internal-postgres
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch
- sas-bases/overlays/update-checker
- sas-bases/overlays/cas-server/auto-resources
configurations:
- sas-bases/overlays/required/kustomizeconfig.yaml
transformers:
# If your deployment does not support privileged containers or if your deployment
# contains programming-only offerings, comment out the next line
- sas-bases/overlays/internal-elasticsearch/sysctl-transformer.yaml
- sas-bases/overlays/required/transformers.yaml
- site-config/security/cert-manager-provided-ingress-certificate.yaml
- sas-bases/overlays/cas-server/auto-resources/remove-resources.yaml
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch/internal-elasticsearch-transformer.yaml
# Mount information
# - site-config/{{ DIRECTORY-PATH }}/cas-add-host-mount.yaml
components:
- sas-bases/components/security/core/base/full-stack-tls
- sas-bases/components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls
patches:
- path: site-config/storageclass.yaml
target:
kind: PersistentVolumeClaim
annotationSelector: sas.com/component-name in (sas-backup-job,sas-data-quality-services,sas-commonfiles,sas-cas-operator,sas-pyconfig)
# License information
# secretGenerator:
# - name: sas-license
# type: sas.com/license
# behavior: merge
# files:
# - SAS_LICENSE=license.jwt
configMapGenerator:
- name: ingress-input
behavior: merge
literals:
- INGRESS_HOST={{ NAME-OF-INGRESS-HOST }}
- name: sas-shared-config
behavior: merge
literals:
- SAS_SERVICES_URL=https://{{ NAME-OF-INGRESS-HOST }}:{{ PORT }}
# - SAS_URL_EXTERNAL_VIYA={{ EXTERNAL-PROXY-URL }}
EOF
# Change {{ NAME-OF-NAMESPACE }}
sed -i 's/{{ NAME-OF-NAMESPACE }}/sasoperator/g' kustomization.yaml
# Del auto-resources
sed -i '/auto-resources/d' kustomization.yaml
# Ingress
export INGRESS_HOST=$(kubectl -n ingress-nginx get service ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[*].ip}')
sed -i "s/{{ NAME-OF-INGRESS-HOST }}/$NAZWADNS/g" kustomization.yaml
export INGRESS_HTTPS_PORT=$(kubectl -n ingress-nginx get service ingress-nginx-controller -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
sed -i "s/{{ PORT }}/$INGRESS_HTTPS_PORT/g" kustomization.yaml
# TLS
cd $SCIEZKA
cd deploy
mkdir site-config/security
cp sas-bases/examples/security/cert-manager-provided-ingress-certificate.yaml site-config/security/cert-manager-provided-ingress-certificate.yaml
sed -i "s/{{ CERT-MANAGER-ISSUER-NAME }}/sas-viya-issuer/g" site-config/security/cert-manager-provided-ingress-certificate.yaml
sed -i "s/{{ CERT-MANAGER_ISSUER_NAME }}/sas-viya-issuer/g" site-config/security/cert-manager-provided-ingress-certificate.yaml
# StorageClass
cd $SCIEZKA
cd deploy
export STORAGECLASS=$(kubectl get storageclass -o jsonpath='{.items[*].metadata.name}')
tee site-config/storageclass.yaml << EOF
kind: RWXStorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
name: wildcard
spec:
storageClassName: $STORAGECLASS
EOF
# License
cd $SCIEZKA
mkdir license
cp $PLIKLICENCJA license
# SAS Orchestration
docker pull cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-orchestration:1.64.0-20211012.1634057996496
docker tag cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-orchestration:1.64.0-20211012.1634057996496 sas-orchestration
mkdir /home/user
mkdir /home/user/kubernetes
cp $HOME/.kube/config /home/user/kubernetes/config
chmod 777 /home/user/kubernetes/config
kubectl get psp restricted -o custom-columns=NAME:.metadata.name,"SECCOMP":".metadata.annotations.seccomp\.security\.alpha\.kubernetes\.io/allowedProfileNames"
cd $SCIEZKA
# Install
docker run --rm \
-v $(pwd):/tmp/files \
sas-orchestration \
create sas-deployment-cr \
--deployment-data /tmp/files/$PLIKCERTS \
--license /tmp/files/$PLIKLICENCJA \
--user-content /tmp/files/deploy \
--cadence-name $CADENCE \
--cadence-version $CADENCEVERSION \
> viya4-sasdeployment.yaml
kubectl apply -f viya4-sasdeployment.yaml -n sasoperator
kubectl -n sasoperator get sasdeployment
... View more
11-07-2021
03:09 PM
Mate, in about 3-4 days I'm going to publish script / turorial for deployment on any enviroment (cloud or not) , from begining (vm creation) to end (sucessful sasboot login 🙂 ), give me some time.
... View more
11-04-2021
03:40 AM
Finally to get rid of this specific problem : Creation of standalone NFS server should look like : # NFS :
export STORAGEFOLDER="/home/saspodstorage"
export NFSRULES="*(rw,sync,no_subtree_check,crossmnt,fsid=0)" # This is most important - world access to share
export NFSNETWORK="10.0.110.0/24" # It firewall network subnet for other hosts
export NFSSERVER="10.0.110.99" # NFS Server IP Instalation : # ---- NFS Server --------------------
sudo apt -y install nfs-kernel-server
sudo cat /proc/fs/nfsd/versions
sudo mkdir -p /srv/nfs4/nfs-share
sudo mkdir -p $STORAGEFOLDER
sudo mount --bind $STORAGEFOLDER /srv/nfs4/nfs-share
sudo echo "$STORAGEFOLDER /srv/nfs4/nfs-share none bind 0 0" >> /etc/fstab
sudo mount -a
sudo ufw allow from $NFSNETWORK to any port nfs
sudo echo "/srv/nfs4/nfs-share $NFSRULES" >> /etc/exports
sudo chmod 777 -R $STORAGEFOLDER
sudo exportfs -ar
sudo exportfs -v
sudo systemctl restart nfs-server # It's important to restart service
sleep 1m
clear
# -------------------------------------------------------- Provisioner (default RBAC is enabled, I got it to work without security tuning just placing it in the same namespace as sasoperator) # ---- NFS Subdir Subdir External Provisioner -
kubectl create ns sasoperator
echo -e "Rozpoczynam\v instlacje\v NFS \v Subdir \v Subdir \v External \v Provisioner"
helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
helm repo update
helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
--set nfs.server=$NFSSERVER \
--set nfs.path=/srv/nfs4/nfs-share \
--set storageClass.defaultClass=true \
--set storageClass.accessModes=ReadWriteMany \
--namespace sasoperator
# -------------------------------------------------------- After giving it some time tee test-pod.yaml << EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: test-claim
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-client
resources:
requests:
storage: 1Mi
---
kind: Pod
apiVersion: v1
metadata:
name: test-pod
spec:
containers:
- name: test-pod
image: gcr.io/google_containers/busybox:1.24
command:
- "/bin/sh"
args:
- "-c"
- "touch /mnt/SUCCESS && exit 0 || exit 1"
volumeMounts:
- name: nfs-pvc
mountPath: "/mnt"
restartPolicy: "Never"
volumes:
- name: nfs-pvc
persistentVolumeClaim:
claimName: test-claim
EOF
kubectl apply -f test-pod.yaml -n sasoperator
sleep 1m
kubectl describe pod test-pod -n sasoperator And now sas-consul-client secret is out 🙂 Now I'm facing problem which theoreticly could stop whole idea of single machine deployment - limits of 110 pods per node in k8s.. 😉
... View more
11-03-2021
09:06 PM
Ok, finally I got rid of that problem, now I'm fighting with some other ones, I'm going to resolve it by myself, if not succeed .... I would appreciate communities help 😄
... View more
11-02-2021
04:52 PM
Deployin whole installation now 😄 so let's wait 🙂
... View more
11-02-2021
04:39 PM
2 Likes
Hey ! that answer was awesome, mostly "world wireatble allow". I changed allow properties and test-pod started. My whole NFS script looks like (part of whole Viya4 SMD Deployment script) : export STORAGEFOLDER="/home/saspodstorage"
export NFSRULES="0.0.0.0/0(rw,sync,no_subtree_check,crossmnt,fsid=0)"
export NFSNETWORK="10.0.110.0/24"
export NFSSERVER="10.0.110.99"
# ---- Install NFS Server --------------------
sudo apt -y install nfs-kernel-server
sudo cat /proc/fs/nfsd/versions
sudo mkdir -p /srv/nfs4/nfs-share
sudo mkdir -p $STORAGEFOLDER
sudo mount --bind $STORAGEFOLDER /srv/nfs4/nfs-share
sudo echo "$STORAGEFOLDER /srv/nfs4/nfs-share none bind 0 0" >> /etc/fstab
sudo mount -a
sudo ufw allow from $NFSNETWORK to any port nfs
sudo echo "/srv/nfs4/nfs-share $NFSRULES" >> /etc/exports
sudo exportfs -ar
sudo exportfs -v
clear
# --------------------------------------------------------
# ---- InstallNFS Subdir Subdir External Provisioner -
helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
helm repo update
helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
--set nfs.server=$NFSSERVER \
--set nfs.path=/srv/nfs4/nfs-share \
--set storageClass.defaultClass=true \
--set storageClass.accessModes=ReadWriteMany
... View more
11-02-2021
02:42 PM
Thanks mate, now I see the problem, it's with PersistentVolumeClaim, after that test it came up with : root@vmkub01:~# kubectl describe pod test-pod -n sasoperator
Name: test-pod
Namespace: sasoperator
Priority: 0
Node: <none>
Labels: <none>
Annotations: <none>
Status: Pending
IP:
IPs: <none>
Containers:
test-pod:
Image: gcr.io/google_containers/busybox:1.24
Port: <none>
Host Port: <none>
Command:
/bin/sh
Args:
-c
touch /mnt/SUCCESS && exit 0 || exit 1
Environment: <none>
Mounts:
/mnt from nfs-pvc (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-fd9g8 (ro)
Conditions:
Type Status
PodScheduled False
Volumes:
nfs-pvc:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: test-claim
ReadOnly: false
kube-api-access-fd9g8:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 39s (x2 over 40s) default-scheduler 0/1 nodes are available: 1 pod has unbound immediate PersistentVolumeClaims. It look like root@vmkub01:~# kubectl describe pod sas-consul-server-0 -n sasoperator
Name: sas-consul-server-0
Namespace: sasoperator
Priority: 0
Node: <none>
Labels: app=sas-consul-server
app.kubernetes.io/name=sas-consul-server
controller-revision-hash=sas-consul-server-599b54cc66
sas.com/deployment=sas-viya
statefulset.kubernetes.io/pod-name=sas-consul-server-0
workload.sas.com/class=stateful
Annotations: prometheus.io/scheme: https
sas.com/certificate-file-format: pem
sas.com/component-name: sas-consul-server
sas.com/component-version: 1.310006.0-20211014.1634217840806
sas.com/kustomize-base: base
sas.com/tls-enabled-ports: all
sas.com/tls-mode: full-stack
sas.com/version: 1.310006.0
seccomp.security.alpha.kubernetes.io/pod: runtime/default
sidecar.istio.io/inject: false
sidecar.istio.io/proxyCPU: 15m
sidecar.istio.io/proxyMemory: 115Mi
traffic.sidecar.istio.io/excludeInboundPorts: 8301
Status: Pending
IP:
IPs: <none>
Controlled By: StatefulSet/sas-consul-server
Init Containers:
sas-certframe:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment Variables from:
sas-certframe-config-2ch97fd95b ConfigMap Optional: false
sas-certframe-ingress-certificate-config-cmm2t44t88 ConfigMap Optional: false
sas-certframe-user-config-c4ch2c59m7 ConfigMap Optional: false
Environment:
KUBE_POD_NAME: sas-consul-server-0 (v1:metadata.name)
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
SAS_ADDITIONAL_CA_CERTIFICATES_DIR: /customer-provided-ca-certificates
Mounts:
/certframe-token from certframe-token (rw)
/customer-provided-ca-certificates from customer-provided-ca-certificates (rw)
/security from security (rw)
sas-certframe-client-token-generator:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment:
SAS_KEYS_SECRET_NAME: sas-consul-client
SAS_KEYS_KEY_NAMES: CONSUL_HTTP_TOKEN
SAS_SECURITY_ARTIFACTS_DIR: /security
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
Mounts:
/certframe-token from certframe-token (rw)
/security from security (rw)
sas-certframe-management-token-generator:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment:
SAS_KEYS_SECRET_NAME: sas-consul-management
SAS_KEYS_KEY_NAMES: CONSUL_MANAGEMENT_TOKEN CONSUL_TOKENS_ENCRYPTION
SAS_KEYS_KEY_TYPES: uuid base64
SAS_SECURITY_ARTIFACTS_DIR: /security
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
Mounts:
/certframe-token from certframe-token (rw)
/security from security (rw)
Containers:
sas-consul-server:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-consul-server:1.310006.0-20211014.1634217840806
Ports: 8300/TCP, 8301/TCP, 8301/UDP, 8500/TCP
Host Ports: 0/TCP, 0/TCP, 0/UDP, 0/TCP
Limits:
cpu: 1
memory: 1Gi
Requests:
cpu: 250m
memory: 150Mi
Liveness: exec [sh /opt/sas/viya/home/bin/consul-liveness-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Readiness: exec [sh /opt/sas/viya/home/bin/consul-readiness-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Startup: exec [sh /opt/sas/viya/home/bin/consul-startup-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Environment Variables from:
sas-tls-config-f8ccd48c6m ConfigMap Optional: false
sas-shared-config-9dh449kdkb ConfigMap Optional: false
sas-consul-client Secret Optional: false
sas-consul-management Secret Optional: false
ingress-input-mfh55658f2 ConfigMap Optional: false
Environment:
CONSUL_BOOTSTRAP_EXPECT: 3
CONSUL_CLIENT_ADDRESS: 0.0.0.0
CONSUL_DATACENTER_NAME: viya
Mounts:
/consul/data from sas-viya-consul-data-volume (rw)
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts from security (rw,path="cacerts")
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/private from security (rw,path="private")
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default from tmp-volume (rw,path="consul-tokens")
/opt/sas/viya/config/etc/consul.d from tmp-volume (rw,path="consul.d")
/opt/sas/viya/config/etc/consul.d/default from sitedefault-vol (rw)
/opt/sas/viya/config/tmp/sas-consul from tmp-volume (rw,path="sas-consul")
/security from security (rw)
/tmp from tmp-volume (rw,path="tmp")
Conditions:
Type Status
PodScheduled False
Volumes:
sas-viya-consul-data-volume:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: sas-viya-consul-data-volume-sas-consul-server-0
ReadOnly: false
sitedefault-vol:
Type: Projected (a volume that contains injected data from multiple sources)
ConfigMapName: sas-consul-config-7m8mcgtm5c
ConfigMapOptional: <nil>
SecretName: sas-consul-config-6m98g47d77
SecretOptionalName: <nil>
tmp-volume:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
certframe-token:
Type: Secret (a volume populated by a Secret)
SecretName: sas-certframe-token
Optional: false
security:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
customer-provided-ca-certificates:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: sas-customer-provided-ca-certificates-29kdmk686c
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
workload.sas.com/class=stateful:NoSchedule
workload.sas.com/class=stateless:NoSchedule
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 8s (x279 over 6h15m) default-scheduler 0/1 nodes are available: 1 pod has unbound immediate PersistentVolumeClaims.
root@vmkub01:~# kubectl describe pod sas-consul-server-0 -n sasoperator
Name: sas-consul-server-0
Namespace: sasoperator
Priority: 0
Node: <none>
Labels: app=sas-consul-server
app.kubernetes.io/name=sas-consul-server
controller-revision-hash=sas-consul-server-599b54cc66
sas.com/deployment=sas-viya
statefulset.kubernetes.io/pod-name=sas-consul-server-0
workload.sas.com/class=stateful
Annotations: prometheus.io/scheme: https
sas.com/certificate-file-format: pem
sas.com/component-name: sas-consul-server
sas.com/component-version: 1.310006.0-20211014.1634217840806
sas.com/kustomize-base: base
sas.com/tls-enabled-ports: all
sas.com/tls-mode: full-stack
sas.com/version: 1.310006.0
seccomp.security.alpha.kubernetes.io/pod: runtime/default
sidecar.istio.io/inject: false
sidecar.istio.io/proxyCPU: 15m
sidecar.istio.io/proxyMemory: 115Mi
traffic.sidecar.istio.io/excludeInboundPorts: 8301
Status: Pending
IP:
IPs: <none>
Controlled By: StatefulSet/sas-consul-server
Init Containers:
sas-certframe:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment Variables from:
sas-certframe-config-2ch97fd95b ConfigMap Optional: false
sas-certframe-ingress-certificate-config-cmm2t44t88 ConfigMap Optional: false
sas-certframe-user-config-c4ch2c59m7 ConfigMap Optional: false
Environment:
KUBE_POD_NAME: sas-consul-server-0 (v1:metadata.name)
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
SAS_ADDITIONAL_CA_CERTIFICATES_DIR: /customer-provided-ca-certificates
Mounts:
/certframe-token from certframe-token (rw)
/customer-provided-ca-certificates from customer-provided-ca-certificates (rw)
/security from security (rw)
sas-certframe-client-token-generator:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment:
SAS_KEYS_SECRET_NAME: sas-consul-client
SAS_KEYS_KEY_NAMES: CONSUL_HTTP_TOKEN
SAS_SECURITY_ARTIFACTS_DIR: /security
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
Mounts:
/certframe-token from certframe-token (rw)
/security from security (rw)
sas-certframe-management-token-generator:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435
Port: <none>
Host Port: <none>
Limits:
cpu: 500m
memory: 500Mi
Requests:
cpu: 50m
memory: 50Mi
Environment:
SAS_KEYS_SECRET_NAME: sas-consul-management
SAS_KEYS_KEY_NAMES: CONSUL_MANAGEMENT_TOKEN CONSUL_TOKENS_ENCRYPTION
SAS_KEYS_KEY_TYPES: uuid base64
SAS_SECURITY_ARTIFACTS_DIR: /security
SAS_CERTFRAME_TOKEN_DIR: /certframe-token
Mounts:
/certframe-token from certframe-token (rw)
/security from security (rw)
Containers:
sas-consul-server:
Image: cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-consul-server:1.310006.0-20211014.1634217840806
Ports: 8300/TCP, 8301/TCP, 8301/UDP, 8500/TCP
Host Ports: 0/TCP, 0/TCP, 0/UDP, 0/TCP
Limits:
cpu: 1
memory: 1Gi
Requests:
cpu: 250m
memory: 150Mi
Liveness: exec [sh /opt/sas/viya/home/bin/consul-liveness-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Readiness: exec [sh /opt/sas/viya/home/bin/consul-readiness-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Startup: exec [sh /opt/sas/viya/home/bin/consul-startup-probe.sh] delay=45s timeout=1s period=30s #success=1 #failure=3
Environment Variables from:
sas-tls-config-f8ccd48c6m ConfigMap Optional: false
sas-shared-config-9dh449kdkb ConfigMap Optional: false
sas-consul-client Secret Optional: false
sas-consul-management Secret Optional: false
ingress-input-mfh55658f2 ConfigMap Optional: false
Environment:
CONSUL_BOOTSTRAP_EXPECT: 3
CONSUL_CLIENT_ADDRESS: 0.0.0.0
CONSUL_DATACENTER_NAME: viya
Mounts:
/consul/data from sas-viya-consul-data-volume (rw)
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts from security (rw,path="cacerts")
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/private from security (rw,path="private")
/opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default from tmp-volume (rw,path="consul-tokens")
/opt/sas/viya/config/etc/consul.d from tmp-volume (rw,path="consul.d")
/opt/sas/viya/config/etc/consul.d/default from sitedefault-vol (rw)
/opt/sas/viya/config/tmp/sas-consul from tmp-volume (rw,path="sas-consul")
/security from security (rw)
/tmp from tmp-volume (rw,path="tmp")
Conditions:
Type Status
PodScheduled False
Volumes:
sas-viya-consul-data-volume:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: sas-viya-consul-data-volume-sas-consul-server-0
ReadOnly: false
sitedefault-vol:
Type: Projected (a volume that contains injected data from multiple sources)
ConfigMapName: sas-consul-config-7m8mcgtm5c
ConfigMapOptional: <nil>
SecretName: sas-consul-config-6m98g47d77
SecretOptionalName: <nil>
tmp-volume:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
certframe-token:
Type: Secret (a volume populated by a Secret)
SecretName: sas-certframe-token
Optional: false
security:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
customer-provided-ca-certificates:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: sas-customer-provided-ca-certificates-29kdmk686c
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
workload.sas.com/class=stateful:NoSchedule
workload.sas.com/class=stateless:NoSchedule
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 20s (x279 over 6h15m) default-scheduler 0/1 nodes are available: 1 pod has unbound immediate PersistentVolumeClaims. Here come's the problem, I'm going to analyze the whole way creating my nfs storage class and provisioner 1 pod has unbound immediate PersistentVolumeClaims
... View more
11-02-2021
03:34 AM
Could you pass me link? I can't find verify steps in deployment guide 😐
... View more
11-02-2021
03:31 AM
Hello there (general Kenobi:D) and the second one it looks that all of the components are pending BUT , replying to private message from sas mate I've discovered that there is somekind space issue I'm going to read about this
... View more
10-31-2021
06:20 PM
1 Like
Hello mates, I'm developing script deploying whole Kubernetes enviroment + SAS Viya4 locally on one machine. I've done lot of effort to make it work as desired. Finally script is close to be ready and of course like other my "hardcore tasks" to by shared with you. I know that there is limited support from SAS on custom made clusters so I'm asking you - fellow community for help. I know that there is limited support from SAS on custom made clusters so I'm asking you - fellow community for help. The problem I'm facing is that 99% of my pods have "sas-consul-client secret not found", and of course I researched https://support.sas.com/kb/67/349.html , created specified psps and still .. doesn't work. The biggest mystery is... that all the yamls in site-config, sas-bases, sas-orchestra which are used to deploy ... don't contain creating this secret. There are only SecRefs 😐 Ok, here's my environment: 1. Installed kubelet=$KUBEVERSION kubectl=$KUBEVERSION kubeadm=$KUBEVERSION where KUBEVERSION="1.21.5-00" 2. Turned swap off 3. Installed docker 4. Inited cluster with kubeadm init --pod-network-cidr=$NETWORKCIDR --apiserver-advertise-address=$NETWORKADDR where NETWORKCIDR="192.168.0.0/16" && NETWORKADDR="10.0.110.99" 5. Created PSPs : - psp-privileged.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
EOF
psp-baseline.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: baseline
annotations:
# Optional: Allow the default AppArmor profile, requires setting the default.
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
# The moby default capability set, minus NET_RAW
allowedCapabilities:
- 'CHOWN'
- 'DAC_OVERRIDE'
- 'FSETID'
- 'FOWNER'
- 'MKNOD'
- 'SETGID'
- 'SETUID'
- 'SETFCAP'
- 'SETPCAP'
- 'NET_BIND_SERVICE'
- 'SYS_CHROOT'
- 'KILL'
- 'AUDIT_WRITE'
# Allow all volume types except hostpath
volumes:
# 'core' volume types
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'csi'
- 'persistentVolumeClaim'
- 'ephemeral'
# Allow all other non-hostpath volume types.
- 'awsElasticBlockStore'
- 'azureDisk'
- 'azureFile'
- 'cephFS'
- 'cinder'
- 'fc'
- 'flexVolume'
- 'flocker'
- 'gcePersistentDisk'
- 'gitRepo'
- 'glusterfs'
- 'iscsi'
- 'nfs'
- 'photonPersistentDisk'
- 'portworxVolume'
- 'quobyte'
- 'rbd'
- 'scaleIO'
- 'storageos'
- 'vsphereVolume'
hostNetwork: false
hostIPC: false
hostPID: false
readOnlyRootFilesystem: false
runAsUser:
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
# The PSP SELinux API cannot express the SELinux Pod Security Standards,
# so if using SELinux, you must choose a more restrictive default.
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
EOF
psp-restricted.yaml << EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use.
- 'csi'
- 'persistentVolumeClaim'
- 'ephemeral'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
EOF 6. Installed Calico, Metallb, Ingress 7. Created NFS Server and NFS Subdir Provisioner 8. Downloaded and created ARK-Report (in attachment) 9. Installed cert-manager and custom CA autority 1. Created directory structure for sasoperator and sas deployment 2. Successfully deployed sasoperator 3. Created kustomization.yaml for site-deployment namespace: {{ NAME-OF-NAMESPACE }}
resources:
- sas-bases/base
- sas-bases/overlays/cert-manager-issuer
- sas-bases/overlays/network/networking.k8s.io
- sas-bases/overlays/cas-server
- sas-bases/overlays/internal-postgres
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch
- sas-bases/overlays/update-checker
- sas-bases/overlays/cas-server/auto-resources
configurations:
- sas-bases/overlays/required/kustomizeconfig.yaml
transformers:
# If your deployment does not support privileged containers or if your deployment
# contains programming-only offerings, comment out the next line
- sas-bases/overlays/internal-elasticsearch/sysctl-transformer.yaml
- sas-bases/overlays/required/transformers.yaml
- site-config/security/cert-manager-provided-ingress-certificate.yaml
- sas-bases/overlays/cas-server/auto-resources/remove-resources.yaml
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch/internal-elasticsearch-transformer.yaml
# Mount information
# - site-config/{{ DIRECTORY-PATH }}/cas-add-host-mount.yaml
components:
- sas-bases/components/security/core/base/full-stack-tls
- sas-bases/components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls
patches:
- path: site-config/storageclass.yaml
target:
kind: PersistentVolumeClaim
annotationSelector: sas.com/component-name in (sas-backup-job,sas-data-quality-services,sas-commonfiles,sas-cas-operator,sas-pyconfig)
# License information
# secretGenerator:
# - name: sas-license
# type: sas.com/license
# behavior: merge
# files:
# - SAS_LICENSE=license.jwt
configMapGenerator:
- name: ingress-input
behavior: merge
literals:
- INGRESS_HOST={{ NAME-OF-INGRESS-HOST }}
- name: sas-shared-config
behavior: merge
literals:
- SAS_SERVICES_URL=https://{{ NAME-OF-INGRESS-HOST }}:{{ PORT }}
# - SAS_URL_EXTERNAL_VIYA={{ EXTERNAL-PROXY-URL }}
EOF Changed values and finally kustomization.yaml looks like : namespace: sasoperator
resources:
- sas-bases/base
- sas-bases/overlays/cert-manager-issuer
- sas-bases/overlays/network/networking.k8s.io
- sas-bases/overlays/cas-server
- sas-bases/overlays/internal-postgres
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch
- sas-bases/overlays/update-checker
configurations:
- sas-bases/overlays/required/kustomizeconfig.yaml
transformers:
# If your deployment does not support privileged containers or if your deployment
# contains programming-only offerings, comment out the next line
- sas-bases/overlays/internal-elasticsearch/sysctl-transformer.yaml
- sas-bases/overlays/required/transformers.yaml
- site-config/security/cert-manager-provided-ingress-certificate.yaml
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch/internal-elasticsearch-transformer.yaml
# Mount information
# - site-config/{{ DIRECTORY-PATH }}/cas-add-host-mount.yaml
components:
- sas-bases/components/security/core/base/full-stack-tls
- sas-bases/components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls
patches:
- path: site-config/storageclass.yaml
target:
kind: PersistentVolumeClaim
annotationSelector: sas.com/component-name in (sas-backup-job,sas-data-quality-services,sas-commonfiles,sas-cas-operator,sas-pyconfig)
# License information
# secretGenerator:
# - name: sas-license
# type: sas.com/license
# behavior: merge
# files:
# - SAS_LICENSE=license.jwt
configMapGenerator:
- name: ingress-input
behavior: merge
literals:
- INGRESS_HOST=vmkub01.local
- name: sas-shared-config
behavior: merge
literals:
- SAS_SERVICES_URL=https://vmkub01.local:443
# - SAS_URL_EXTERNAL_VIYA={{ EXTERNAL-PROXY-URL }} Pulled ark docker pull cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-orchestration:1.64.0-20211012.1634057996496 docker tag cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-orchestration:1.64.0-20211012.1634057996496 sas-orchestration created .yaml deployment with ark docker run --rm \
-v $(pwd):/tmp/files \
sas-orchestration \
create sas-deployment-cr \
--deployment-data /tmp/files/$CERTS \
--license /tmp/files/$LICENCE \
--user-content /tmp/files/deploy \
--cadence-name $CADENCE \
--cadence-version $CADENCEVERSION \
> viya4-sasdeployment.yaml where export LICENCE="SASViyaV4_9xxxx_0_stable_2021.1.6_license_2021-10-21T071701.jwt"
export CERTS="SASViyaV4_9xxxx_certs.zip"
export SASNAMESPACE="sasoperator"
export CADENCE="stable"
export CADENCEVERSION="2021.1.6" and file looks like (without certs and license ofc): ---
apiVersion: v1
kind: Secret
metadata:
creationTimestamp: null
name: sas-viya
stringData:
cacert: |
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
cert: |
-----BEGIN RSA PRIVATE KEY-----
xxxx
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
license:
xxx
---
apiVersion: orchestration.sas.com/v1alpha1
kind: SASDeployment
metadata:
annotations:
operator.sas.com/checksum: ""
creationTimestamp: null
name: sas-viya
spec:
caCertificate:
secretKeyRef:
key: cacert
name: sas-viya
cadenceName: stable
cadenceVersion: 2021.1.6
clientCertificate:
secretKeyRef:
key: cert
name: sas-viya
license:
secretKeyRef:
key: license
name: sas-viya
repositoryWarehouse:
updatePolicy: Never
userContent:
files:
kustomization.yaml: |
namespace: sasoperator
resources:
- sas-bases/base
- sas-bases/overlays/cert-manager-issuer
- sas-bases/overlays/network/networking.k8s.io
- sas-bases/overlays/cas-server
- sas-bases/overlays/internal-postgres
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch
- sas-bases/overlays/update-checker
configurations:
- sas-bases/overlays/required/kustomizeconfig.yaml
transformers:
# If your deployment does not support privileged containers or if your deployment
# contains programming-only offerings, comment out the next line
- sas-bases/overlays/internal-elasticsearch/sysctl-transformer.yaml
- sas-bases/overlays/required/transformers.yaml
- site-config/security/cert-manager-provided-ingress-certificate.yaml
# If your deployment contains programming-only offerings only, comment out the next line
- sas-bases/overlays/internal-elasticsearch/internal-elasticsearch-transformer.yaml
# Mount information
# - site-config/{{ DIRECTORY-PATH }}/cas-add-host-mount.yaml
components:
- sas-bases/components/security/core/base/full-stack-tls
- sas-bases/components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls
patches:
- path: site-config/storageclass.yaml
target:
kind: PersistentVolumeClaim
annotationSelector: sas.com/component-name in (sas-backup-job,sas-data-quality-services,sas-commonfiles,sas-cas-operator,sas-pyconfig)
# License information
# secretGenerator:
# - name: sas-license
# type: sas.com/license
# behavior: merge
# files:
# - SAS_LICENSE=license.jwt
configMapGenerator:
- name: ingress-input
behavior: merge
literals:
- INGRESS_HOST=vmkub01.local
- name: sas-shared-config
behavior: merge
literals:
- SAS_SERVICES_URL=https://vmkub01.local:443
# - SAS_URL_EXTERNAL_VIYA={{ EXTERNAL-PROXY-URL }}
sas-bases: ""
site-config/security/cert-manager-provided-ingress-certificate.yaml: "## Example PatchTransformer to patch the secret used by nginx ingress objects\n##\n## In the following code, the locations that require user specified values are indicated by a capitalized and\n## hyphenated name set off by curly braces and a space at each end. You should replace this token with the \n## actual value.\n## Replace the curly braces, interior spaces, and the variable name.\n## For instance, \"sas-viya-issuer\"\n## should be replaced with the name of the cert-manager issuer that will issue certificates used to make\n## TLS connections to the SAS Viya applications, such as sas-viya-issuer.\n## If you use the suggested example, the correct, final syntax would be:\n## value: sas-viya-issuer\n##\n##\n---\napiVersion: builtin\nkind: PatchTransformer\nmetadata:\n name: sas-cert-manager-ingress-annotation-transformer\npatch: |-\n - op: add\n path: /metadata/annotations/cert-manager.io~1issuer\n value: sas-viya-issuer # name of the cert-manager issuer that will supply the Ingress cert, such as sas-viya-issuer\ntarget:\n kind: Ingress\n name: .*"
site-config/storageclass.yaml: |
kind: RWXStorageClass
metadata:
name: wildcard
spec:
storageClassName: nfs-client then : kubectl apply -f viya4-sasdeployment.yaml -n sasoperator finally got : NAME STATE CADENCENAME CADENCEVERSION CADENCERELEASE AGE
sas-viya SUCCEEDED stable 2021.1.6 20211029.1635519350329 7h8m but: sas-model-management-c894776d9-dsvww 0/1 Init:CreateContainerConfigError 0 7h53m
sas-model-manager-app-795848d4db-f9tx5 0/1 CreateContainerConfigError 0 7h53m
sas-model-publish-f4f9f5d7d-c7hrc 0/1 Init:CreateContainerConfigError 0 7h53m
sas-model-repository-86f4b6cb47-gwddw 0/1 CreateContainerConfigError 0 7h53m
sas-model-studio-app-5bd79dfdb-7kwxz 0/1 CreateContainerConfigError 0 7h53m
sas-natural-language-conversations-576674865d-wssnw 0/1 CreateContainerConfigError 0 7h53m
sas-natural-language-generation-5bc9f5b9-28cq9 0/1 CreateContainerConfigError 0 7h53m
sas-natural-language-understanding-64d776d46b-j9wkt 0/1 CreateContainerConfigError 0 7h53m
sas-notifications-554875b7d5-99446 0/1 Init:CreateContainerConfigError 0 7h53m
sas-office-addin-app-5fc7d68d96-v5rr7 0/1 CreateContainerConfigError 0 7h53m
sas-opendistro-operator-56f45fb488-lsqkw 0/1 CreateContainerConfigError 0 7h53m
sas-parse-execution-provider-54b6567f59-rrhwv 0/1 CreateContainerConfigError 0 7h53m
sas-preferences-656d9cd848-87njx 0/1 Init:CreateContainerConfigError 0 7h53m
sas-prepull-85c69b74c7-bhgsn 1/1 Running 0 7h54m
sas-projects-8955cf56f-v8tf4 0/1 CreateContainerConfigError 0 7h53m
sas-pyconfig-j2zgm 0/1 Pending 0 7h53m
sas-rabbitmq-server-0 0/1 Pending 0 7h53m
sas-rabbitmq-server-1 0/1 Pending 0 7h53m
sas-rabbitmq-server-2 0/1 Pending 0 7h53m
sas-readiness-78955dc49d-mg8fp 0/1 CreateContainerConfigError 0 7h53m
sas-report-distribution-6d6b55ddd5-67mq4 0/1 Init:CreateContainerConfigError 0 7h53m
sas-report-execution-7498cf5d86-rrlgz 0/1 CreateContainerConfigError 0 7h53m
sas-report-renderer-6fd7d8d5-fkjcd 0/1 CreateContainerConfigError 0 7h53m
sas-report-services-group-7d8564487d-txjmq 0/1 CreateContainerConfigError 0 7h53m
sas-scheduled-backup-job-27260700-fzmf9 0/2 Pending 0 5h56m
sas-scheduler-776d8686c9-v7jml 0/1 CreateContainerConfigError 0 7h53m
sas-score-definitions-6bf66dcfd-xn6gw 0/1 Init:CreateContainerConfigError 0 7h53m
sas-score-execution-8d96cf55b-twvqk 0/1 Pending 0 7h53m and all the pods with errors are like this (describe pod) : Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 35m default-scheduler Successfully assigned sasoperator/sas-conversation-designer-app-646ff4697c-k2xcf to vmkub01
Normal Pulling 35m kubelet Pulling image "cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435"
Normal Pulled 34m kubelet Successfully pulled image "cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-certframe:3.20.7-20211015.1634318362435" in 59.23941659s
Normal Created 34m kubelet Created container sas-certframe
Normal Started 34m kubelet Started container sas-certframe
Normal Pulling 34m kubelet Pulling image "cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-conversation-designer-app:2.9.1-20211013.1634156561133"
Normal Pulled 24m kubelet Successfully pulled image "cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-conversation-designer-app:2.9.1-20211013.1634156561133" in 10m17.950160092s
Warning Failed 22m (x11 over 24m) kubelet Error: secret "sas-consul-client" not found
Normal Pulled 19s (x110 over 24m) kubelet Container image "cr.sas.com/viya-4-x64_oci_linux_2-docker/sas-conversation-designer-app:2.9.1-20211013.1634156561133" already present on machine
Please help me get rid of this (error ofc :D)
... View more
02-23-2020
06:04 AM
There is no need to upload new files, i've got it to work and here's my solution : https://communities.sas.com/t5/Administration-and-Deployment/SAS-Viya-3-5-ODBC-DB2-connect-Tutorial/m-p/626709#M18268
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-22-2023
09:46 AM
|
