[Sponsorships] Setup the secondary Azure subscription to consume the sponsor credits #3818
Next steps:
Update:
…r agents management in Azure (#516) This PR is a (mandatory) preparatory step for jenkins-infra/helpdesk#3818 . It splits the controller/azurevm-agents/aci-agent scopes into 3 terraform modules. The goal is to allow instantiating the (*)agents module for the new sponsorship subscription without repeating code. To avoid any breakage on the principal branch (which uses the latest reference of the `main` branch on https://github.com/jenkins-infra/shared-tools/), I've created 3 brand new modules in jenkins-infra/shared-tools@c7ec5b0 . It should make the PR here autonomous to merge (but the aforementioned commit is also to be reviewed and we can update modules).

💡 A few notes on the introduced changes:
- The ci.jenkins.io's Network Security Group rule `allow_outbound_ssh_from_ci_controller_to_s390x` is removed. It's integrated into the new controller module as one of the agent IP prefixes passed as argument.
- Same for the trusted.ci.jenkins.io's `allow_outbound_ssh_from_controller_to_permanent_agent`
- The 3 Network Security Group rules `allow_inbound_ssh_from_controller_to_ephemeral_agents` (1 for each controller) are changed from a single `source_address_prefix` to a `source_address_prefixes` collection
- For ci.jenkins.io, it also adds the Public IP of the controller VM in this collection (along with the private VM IP) to cover cases where the requests are routed through the Internet instead of the internal network peerings

---------

Signed-off-by: Damien Duportal <[email protected]>
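As an added illustration of the NSG change described in that commit (example configuration written for this page, not code from jenkins-infra/azure or jenkins-infra/shared-tools), here is an `azurerm_network_security_rule` that allows inbound SSH to an ephemeral-agents subnet only from an explicit list of controller addresses, using `source_address_prefixes` instead of a single `source_address_prefix`. All resource names, resource group names, the subnet CIDR and the two controller IPs are hypothetical placeholders.

```hcl
# Added example: restrict inbound SSH to ephemeral agents to a list of
# controller IPs (private VM IP + public IP). Names and addresses are
# constructed placeholders, not the project's real values.

variable "controller_ip_prefixes" {
  description = "Addresses allowed to open SSH to the ephemeral agents subnet: the controller's private VM IP and its public IP, so requests routed through the Internet instead of VNet peering still match."
  type        = list(string)
  # Constructed sample values (RFC 1918 private address and RFC 5737 documentation range).
  default = ["10.0.1.4/32", "203.0.113.10/32"]
}

resource "azurerm_network_security_group" "ephemeral_agents" {
  name                = "example-ephemeralagents"   # hypothetical
  location            = "eastus2"
  resource_group_name = "example-ephemeral-agents"  # hypothetical
}

resource "azurerm_network_security_rule" "allow_inbound_ssh_from_controller" {
  name                   = "allow_inbound_ssh_from_controller_to_ephemeral_agents"
  priority               = 100
  direction              = "Inbound"
  access                 = "Allow"
  protocol               = "Tcp"
  source_port_range      = "*"
  destination_port_range = "22"

  # A collection of sources: the provider rejects setting both
  # source_address_prefix and source_address_prefixes on the same rule.
  source_address_prefixes = var.controller_ip_prefixes

  # Ephemeral agents subnet (constructed CIDR).
  destination_address_prefix = "10.0.2.0/24"

  resource_group_name         = azurerm_network_security_group.ephemeral_agents.resource_group_name
  network_security_group_name = azurerm_network_security_group.ephemeral_agents.name
}
```

Keeping the allowed sources as a variable of `/32` prefixes makes each controller address an explicit, reviewable entry in the plan, and a `terraform plan` on such a change should show only the `source_address_prefix` -> `source_address_prefixes` attribute swap on the rule rather than a replacement of the rule.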
…sorship subscription (#519) Related to jenkins-infra/helpdesk#3818 This PR adds resources for ci.jenkins.io in the "sponsorship" subscription to allow spinning up azure-vm and aci agents Signed-off-by: Damien Duportal <[email protected]>
…n to store agent NSG (#520) Related to jenkins-infra/helpdesk#3818 Fixup of #519 to correct the error

```
│ Error: creating/updating Network Security Group: (Name "ci.jenkins.io-ephemeralagents" / Resource Group "ci-jenkins-io-controller"): network.SecurityGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=404 -- Original Error: Code="ResourceGroupNotFound" Message="Resource group 'ci-jenkins-io-controller' could not be found."
```

----

Note that permissions have been increased for the SP to correct the following errors seen on the main branch:

```
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<redacted>' with object id '<redacted>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<redacted>/resourceGroups/ci-jenkins-io-ephemeral-agents/providers/Microsoft.Authorization/roleAssignments/e6e75982-06dc-57fd-1743-3a2648e0546f' or the scope is invalid. If access was recently granted, please refresh your credentials."
```

Signed-off-by: Damien Duportal <[email protected]>
Update:
WiP:
Update:
WiP: validation in progress on ci.jenkins.io (the top-level cloud is valid, but the network specification on each template needs to be updated: incoming puppet code changes)
…g the agent vnet (#522) Related to jenkins-infra/helpdesk#3818 This PR adds missing permissions allowing the ci.jenkins.io's SP to read the vnet in which it will spawn the agents for the new subscription. Please note there might be improvements to be made to have this setup in the terraform module for the controller in the long term. Tested and applied locally: I'll self-merge this PR and watch the build on the main branch. Signed-off-by: Damien Duportal <[email protected]>
Update (wip):
Update:
Update:
While @smerle33 leads the plan above, I'll lead the migration of the packer images resource groups:
Ref. jenkins-infra/helpdesk#3818 (comment) This PR creates the shared gallery in the new subscription:
- 3 resource groups (dev, staging and prod) with one gallery each
- 4 images on each gallery

IMPORTANT: this PR sets the ground to move everything to US East 2 (faster packer builds, and we haven't used East US for agents for 1.5 years). It cannot do all "eastus" -> "eastus**2**" changes yet though, as changing location marks a resource group/gallery to be deleted, while we only want to create new resources (terraform forgets the old resource when only changing provider).

IMPORTANT (2): I've removed the 4 role assignments which are required for the 4 controllers (ci, trusted, cert and infra) to read the shared gallery to spin up agents. The build >= 3 for this PR should only mark 3 resources to delete (the role assignment of the packer_sp itself):

```
terraform state rm 'module.cert_ci_jenkins_io.azurerm_role_assignment.controller_read_packer_prod_images[0]'
terraform state rm 'module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_read_packer_prod_images[0]'
terraform state rm 'module.ci_jenkins_io.azurerm_role_assignment.controller_read_packer_prod_images[0]'
terraform state rm 'azurerm_role_assignment.infra_ci_jenkins_io_allow_packer'
```

Signed-off-by: Damien Duportal <[email protected]>
Update: @smerle33 and I are working in parallel (and pair) on both plans. While working on jenkins-infra/packer-images#959, he was stuck on location issues. As such, we are moving all new resources (in the new subscription) to "US East 2" as we only use this location (see jenkins-infra/azure#560 and jenkins-infra/azure#561)
Follow up of #560 Ref. jenkins-infra/helpdesk#3818 (comment) This PR ensures that all the packer resources defined in the new subscription (and only these) are migrated to US East 2 to solve errors found in jenkins-infra/packer-images#959

Expecting 23 resources to be re-created:
- 4 RGs of the 6 are in US East today
- 4 role assignments (as the 4 RGs changed)
- 3 galleries
- 12 images (4 per gallery)

Signed-off-by: Damien Duportal <[email protected]>
Update: most of the work done by @smerle33 in jenkins-infra/packer-images#959:
Wip:
#563) Ref. jenkins-infra/helpdesk#3818 (comment) This PR adds network security rules to allow packer processes running in the infra.ci *Azure VM* agents to reach packer VMs (in their own subnet) through SSH or WinRM Signed-off-by: Damien Duportal <[email protected]>
…red) subscription Ref. jenkins-infra/helpdesk#3818 Signed-off-by: Damien Duportal <[email protected]>
…red) subscription (#3230) Ref. jenkins-infra/helpdesk#3818 Signed-off-by: Damien Duportal <[email protected]>
Update:
WiP:
Update:
Reopening: #3875 (comment) The crawler issue is most probably caused by the trusted ephemeral agent CIDR changes

Closing as #3875 is NOT caused by the new networks.
We've been given $40,000 of Azure sponsorship credits: we should start using them as soon as possible to decrease the current Azure bill paid by the CDF for us.
This issue tracks the associated work for this.
Ideas on "how to consume these credits":
Run ci.jenkins.io existing Azure ephemeral workloads:
Run other controller ephemeral workloads: infra.ci ?