Support for configurable Network Interfaces

[brianlieberman]

/kind feature

What this PR does / why we need it:
This PR adds the ability to configure one or more NetworkInterfaces for AzureMachines and AzureMachinePools, as well as pre-warming multiple IPConfigs on each interface.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2327

TODOs:

• [ x] squashed commits
• [ x] includes documentation
• [ x] adds unit tests

Release note:

Adds additional fields for AzureMachine, AzureMachineTemplate, and AzureMachinePool to configure multiple NetworkInterfaces. An example configuration:

         - subnetName: node-subnet
           privateIPConfigs: 2

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: brianlieberman / name: Brian Lieberman (a9b3b46, c19ddea, 6e20ef6, 2a6e944, 9afbebe, 3e5a2f6, 7bd6b24, 9ab3955)
• ✅ login: dthorsen / name: Dane Thorsen (3800b8b, 6095d7b, 5a45826)

[k8s-ci-robot]

Hi @brianlieberman. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[CecileRobertMichon]

Haven't looked at the code yet, but thanks for opening this!

One question about the UX:

 ipConfigs:
  - {}
  - {}

If a user needs to pre-allocate say 250 IPs to work with Azure CNI in a 250 max pods per node configuration, how would this scale? It might make sense to allow the user to specify an IP count instead?

[brianlieberman]

Yeah ,as currently implemented it doesn't scale to that level well from a UX perspective, there's a tradeoff since currently you can specify a configuration for each IPConfig (publicIP, privateIP, allocatePublicIP). In the example we leave them empty to just provision a default of a dynamic privateIP, but that's the tradeoff we might make in order to make something like an int we can iterate instead. Open to implementation suggestions for improvement.

[dthorsen]

I like the idea of simply exposing a number of ipConfigs too. Definitely makes for a nicer UX. Maybe just have a couple integers? privateIPConfigs: 30 and publicIPConfigs: 1 or something like that?

[jackfrancis]

Is this new immutability requirement for SubnetName closely related to this change? Should it be a separate PR?

[brianlieberman]

The immutability isn't strictly changed with these changes, however it appeared to be an oversight I believe while looking at managing and validating the new interface level field?

[jackfrancis]

Do we have a guarantee that the first NetworkInterface in the m.AzureMachine.Spec.NetworkInterfaces slice will always be eth0?

[dthorsen]

I wondered about this as well. However, in my testing so far, I have been unable to cause the Linux interface order within the default CAPZ Ubuntu image to be anything other than matching the interface order in the Azure APIs. I have not had any luck so far on identifying the mechanism that is ensuring this though. I believe the ordering is consistent due to the behavior of the kernel module for the virtual network interface card, but I haven't specifically found the logic to say that definitively.

[jackfrancis]

Is there any other more reliable indication (e.g., n.Name == "eth0") that could be used?

[dthorsen]

Is there a feature of the kernel driver, cloud-init, or netplan that allows us to take advantage of that convention? Do you happen to have a link to some docs or code that can lend clarity there?

[dthorsen]

We do have a guarantee that the first network interface in the list from the user-specified yaml is the first interface in the Azure API. We are taking advantage of the inherent stability of Go slice element order to ensure that part doesn't get mixed up. The only part I can't say for certain is that the first interface in the slice will always be eth0 in the Linux OS. I do believe it to be the case, and it is the most reliable mechanism I have found so far. I have been unable to trigger (even after trying many times) eth0 in the Linux OS being anything other than the first NetworkInterface in the slice. I think this is likely the best way to signal to the OS the desired linux interface order, since the order in the API would then map to the ethX index in the OS 1 to 1.

[Jont828]

Yeah I would definitely prefer a more reliable indication. Maybe we could make a helper function in the scope for getting eth0? That way it's less error prone and more readable.

[dthorsen]

Can you clarify what you are proposing? Utilizing the interface index appears to be the only current reliable way of ensuring your intended interface order in the OS.

[dthorsen]

Oh re-reading your comment I think I understand. The intent is to improve the code readability. Makes sense to me to have a helper function.

[jackfrancis]

I agree that if we are able to guarantee ordinality, that the first interface reported from the linux API is going to be eth0. So a convenience func + UT that ensures that ordinality should be sufficient.

Thanks!

[brianlieberman]

Reworked the IPConfig functionality to use integer quantities and updated the example in the PR description

[Jont828]

Thanks for working on this PR, something that touches this much code definitely takes a while to put together. Here are some suggestions on some tweaks to make.

[Jont828]

Should this be an optional field? Just to clarify, if apply an existing template w/o the NetworkInterfaces field do we want it to give an error or just create an empty slice?

[Jont828]

Also we're going to want to add a header comment for this as well.

[CecileRobertMichon]

+1 to making this optional

Can you also please add a clarifying comment about what happens with Network Interfaces are not specified?

[Jont828]

Suggested change

	// The subnet to place the interface in
	// The subnet to place the interface in.

Could we end the comments with periods? Not sure if the linters will complain but it's more consistent in any case.

[Jont828]

Can we add comments for these fields as well?

[Jont828]

Suggested change

	// IP Configuration defines options to confiure a network interface.
	// AzureIPConfig defines options to configure a network interface.

[Jont828]

Suggested change

	// Network Interfaces to attach to each VM
	// AzureNetworkInterface defineds a network interface to attach to each VM.

Typically we want to start the documentation comment with the name of the type/function. I believe the linters will complain about it if it doesn't match.

[Jont828]

Ditto

[Jont828]

Suggested change

	machineryConversion "k8s.io/apimachinery/pkg/conversion"
	apiMachineryConversion "k8s.io/apimachinery/pkg/conversion"

Nit: for consistency with import name in other conversions.

[Jont828]

Suggested change

	// Network Interfaces to attach to the to a virtual machine
	// NetworkInterfaces specifies the network interfaces to attach to the to a virtual machine.

[invidian]

/ok-to-test

[CecileRobertMichon]

Let's just call this NetworkInterface. It's assumed that everything in here is in the context of Azure as this is the Azure provider and the types are used in AzureMachines and AzureClusters.

[CecileRobertMichon]

Suggested change

	// AzureNetworkInterface defineds a network interface.
	// AzureNetworkInterface defines a network interface.

[CecileRobertMichon]

same here, preferrence forIPConfig for consistency

[CecileRobertMichon]

Suggested change

	// AzureIPConfig defines options to confiure a network interface.
	// AzureIPConfig defines options to configure a network interface.

[CecileRobertMichon]

+1 to making this optional

Can you also please add a clarifying comment about what happens with Network Interfaces are not specified?

[CecileRobertMichon]

Suggested change

	// Number of private IP address to attach to the interface.
	// Number of private IP addresses to attach to the interface.

[CecileRobertMichon]

Nit: comment name should always start with field name (not sure if linter will catch this?)

[CecileRobertMichon]

same thing applies to other type comments in the file

[CecileRobertMichon]

where is this type being used? I can't find a reference to it

[CecileRobertMichon]

if len(m.AzureMachine.Spec.NetworkInterfaces) != 0, this function would cause the AzureMachine subnet name to get set, which is not a valid per webhook validation as subnet name cannot be set if network interfaces are defined. Am I missing something?

(feel free to ignore this comment if you implement my above comment about deprecating AzureMachine.Spec.SubnetName)

[CecileRobertMichon]

not sure why this is preferable, we're looping over all the subnets to find the one whose Name matches the AzureMachine SubnetName so it's equivalent but more costly than just using m.AzureMachine.Spec.SubnetName

[CecileRobertMichon]

it's unclear to me why we're using the defaults for index 0 but not for the others. What's significant about the order the network interfaces are specified in? What's different between the default spec and the fields we're setting below in the else statement?

[CecileRobertMichon]

this deviates significantly from the pattern we've established for other BYO existing resource in CAPZ. The way it works for other resources is that the reconciler will add a tag on each resource it creates to allow it to identify the resources it created vs. the ones the user pre-created. See the virtual networks as an example. There are pros and cons for both ways of doing it, however because this is creating an inconsistent user experience I would recommend putting BYO network interface as out of scope for this PR and tackling it in its own issue/PR so we can iterate on the design.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: brianlieberman / name: Brian Lieberman (a9b3b46, c19ddea, 6e20ef6, 2a6e944, 9afbebe, 3e5a2f6, 7bd6b24, 9ab3955, 3685380, 3a90933, 4ff1d2a, 77e3bfc, 6567927, 6a18007, a38a8d3, a6ba4e9, 24b09a8, 7cf1d09, ff3eae1, 2723c89, c902221, d90488f, 230d88f)
• ✅ login: dthorsen / name: Dane Thorsen (3800b8b, 6095d7b, 5a45826, be0b6cb, 05fc0d6)
• ✅ login: mytunguyen / name: Mytu (a362d56, 89f0f71)
• ✅ login: BrennenMM7 / name: Brennen Murray (4600f18)

[CecileRobertMichon]

LGTM pending few minor comments

/assign @nawazkh for another round of review

Docs are missing but will work on docs + e2e tests with @nawazkh as part of #467

@dthorsen thanks so much for doing the refactor and staying with us. Let's get this merged before January 10th so it can be included in v1.7.0. Could you please squash commits?

[dthorsen]

/retest

[nawazkh]

Jotted down my thoughts on another pass. Please take a look!

[nawazkh]

Did we miss updating the validateUpdate function for the new NetworkInterface updates?

[dthorsen]

azuremachinetemplate is immutable. And the new defaulting behavior should be permitted already through the immutability by the logic here

[nawazkh]

Thanks for pinning that logic!

[nawazkh]

Can we also add a test with AcceleratedNetworking: to.BoolPtr(true) and SubnetName is '' and NetworkInterface is not nil?

[nawazkh]

Can we instead convert IPConfig struct as below? We will have one less field to manage and a nil pointer will intrinsicly imply weather it is assigned or not?

Suggested change

	PrivateIP string
	PublicIP bool
	PublicIPAddress string
	PrivateIP *string
	PublicIPAddress *string

[CecileRobertMichon]

@nawazkh thank you for the review 🙏

@dthorsen happy new year! please let me know once all comments have been addressed and this is ready for a final pass

[dthorsen]

/retest

[CecileRobertMichon]

/lgtm

[CecileRobertMichon]

@nawazkh are all your comments resolved?

If so @dthorsen can you please squash one more time?

[dthorsen]

@nawazkh I believe I addressed all of your comments. Let me know if you have any other comments before I squash and push commits. Thanks!

[nawazkh]

Mega job @dthorsen ! Thank you for patiently working on this and addressing all the nits 🙌🏼
/lgtm

[nawazkh]

Persisting lgtm
/lgtm

[dthorsen]

/retest

[k8s-ci-robot]

@brianlieberman: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-coverage	230d88f	link	false	/test pull-cluster-api-provider-azure-coverage
pull-cluster-api-provider-azure-e2e-exp	93305ad	link	false	/test pull-cluster-api-provider-azure-e2e-exp

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[CecileRobertMichon]

both of these test failures are known flakes getting worked on independently :(

/retest
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment