Implement ScaleSetPriority for AzureManagedMachinePool

[jackfrancis]

What type of PR is this?

/kind feature
/kind bug

What this PR does / why we need it:

This PR implements the ScaleSetPriority feature for AzureManagedMachinePool. See the official AKS documentation for Spot node pools here:

https://docs.microsoft.com/en-us/azure/aks/spot-node-pool

This PR ensures that we don't override (e.g., accidentally delete) any AKS-enforced labels that may make it to the user-configurable part of the the node pool labels configuration surface area.

Until this AKS issue is addressed, capz must have this adaptive update behavior:

• [BUG] kubernetes.azure.com/scalesetpriority:spot is user-overrideable Azure/AKS#3152

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2460

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Implement ScaleSetPriority for AzureManagedMachinePool

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jackfrancis]

I don't think it's possible to do this validation in the kubebuilder API type spec (e.g., using the Pattern= interface to define a required regular expression match) because the API type is a map[string]string.

[zmalik]

@jackfrancis if you send the Regular value. AKS isn't setting it to Regular but returns the empty.

Later any other change to nodepool will fail as Azure API returns the error that it cannot change from "" to Regular

[jackfrancis]

I wasn't able to reproduce this with labels changes to the node pool. Which node pool changes were you seeing this on when ScaleSetPriority was set to "Regular"?

[jackfrancis]

Again I did some more manual tests and this looks fine. Creating a cluster with an explicit scaleSetPriority: Regular AzureManagedMachinePool configuration does not have any apparent negative side-effects.

I think this PR is ready to gol

[zmalik]

still doesn't work for me.

steps to reproduce:

1. create an agentpool with explicit ScaleSetPriority set to Regular
2. verify in az aks nodepool show --cluster-name cluster-name -n nodepool-name that it has "scaleSetPriority": null,
3. try to change a label in agentpool and see reconcile error Message=\"Changing property 'properties.ScaleSetPriority' is not allowed.

[jackfrancis]

Are you testing using a build from this branch? In this current PR implementation, I definitely can't reproduce. I do observe what you're seeing from the AKS API:

$ az aks nodepool show --cluster-name capz-e2e-l9d26h-aks -n pool1 -g capz-e2e-l9d26h-aks | grep 'scaleSetPriority'
  "scaleSetPriority": null,

However, I'm able to continually update the node pool using capz (using node labels below as an example):

$ k get azuremanagedmachinepool/pool1 -n capz-e2e-l9d26h -o yaml | grep -A 5 '  nodeLabels'
  nodeLabels:
    foo: bar
  osDiskSizeGB: 40
  osDiskType: Ephemeral
  osType: Linux
  providerIDList:

You can see I've already applied a foo: bar node label. I'll now add a 2nd label:

$ k edit azuremanagedmachinepool/pool1 -n capz-e2e-l9d26h
azuremanagedmachinepool.infrastructure.cluster.x-k8s.io/pool1 edited
$ k get azuremanagedmachinepool/pool1 -n capz-e2e-l9d26h -o yaml | grep -A 5 '  nodeLabels'
  nodeLabels:
    foo: bar
    hello: world
  osDiskSizeGB: 40
  osDiskType: Ephemeral
  osType: Linux

Now if I get the node pool data from the AKS API I see the updated label:

$ az aks nodepool show --cluster-name capz-e2e-l9d26h-aks -n pool1 -g capz-e2e-l9d26h-aks | grep -A 5 'nodeLabels'
  "nodeLabels": {
    "foo": "bar",
    "hello": "world"
  },
  "nodePublicIpPrefixId": null,
  "nodeTaints": [

As expected, ScaleSetPriority is unchanged from either source:

$ az aks nodepool show --cluster-name capz-e2e-l9d26h-aks -n pool1 -g capz-e2e-l9d26h-aks | grep 'scaleSetPriority'
  "scaleSetPriority": null,
$ k get azuremanagedmachinepool/pool1 -n capz-e2e-l9d26h -o yaml | grep '  scaleSetPriority'
  scaleSetPriority: Regular

I think this PR has overcome this particular pathology. We should ship add'l E2E tests with this PR to prove it, but I'm confident we're good here.

[zmalik]

definitely its working now, does Azure API changed something?
in any case I agree to merge this

[jackfrancis]

@nojnhuh @CecileRobertMichon I'd like to advocate we move forward with this after further reviewing the existing code for vulnerabilities to the introduction of lots of requests (and thus API throttling). For the record, the scenario I'm concerned about it:

1. Scale out a spot pool successfully
2. Azure recalculates spot pricing and deletes the vms that underlie our cluster nodes
3. capz continually initiates a PUT against Azure APIs to restore its source of goal state truth

I think there is possibly some work to do to streamline how capz and Azure communicate in spot scenarios, but I'm not concerned about exponential request leakage to Azure.

tl;dr ready for final review

[nojnhuh]

left a couple nits, overall lgtm

[nojnhuh]

FWIW I don't think doing this is necessary here because we're never taking the address of tc in the subtest (like with &tc). Certainly doesn't hurt to keep it here though in case this test needs to do that in the future.

[jackfrancis]

Two points:

1. It's correct that we do this as a best-practice to avoid the non-deterministic UT outcomes that result from not doing this when we need to.
2. Doing it all the time as a rote practice tends to make the developer forget the exact edge case root cause that makes this pattern a necessary thing and it becomes a kind of incantation.

🤷

[jackfrancis]

/retest

[CecileRobertMichon]

does this intentionally drop any labels that are not system labels (ie. no kubernetes.azure.com prefix) but aren't part of the CAPZ spec? for example if they were added by some external process

[jackfrancis]

Yes. I think the idea here is that capz is the "exclusive" maintainer of labels, and the update interface has been defined such that every time you push a labels change you need to include the entire set of labels. Ref:

https://learn.microsoft.com/en-us/azure/aks/use-labels#updating-labels-on-existing-node-pools

The think about the kubernetes.azure.com-prefixed labels is (IMO) and AKS bug, and hopefully we can drop this foo at some point in the future.

[jackfrancis]

Azure/AKS#3152

[CecileRobertMichon]

/lgtm
/assign @nojnhuh

[k8s-ci-robot]

@CecileRobertMichon: GitHub didn't allow me to assign the following users: nojnhuh.

Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/lgtm
/assign @nojnhuh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nojnhuh]

/assign

[jackfrancis]

/retest

[nojnhuh]

LGTM

[CecileRobertMichon]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment