add ASO install #3450
add ASO install #3450
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
size/M
Codecov ReportPatch coverage has no change and project coverage change:
Additional details and impacted files@@ Coverage Diff @@
## main #3450 +/- ##
==========================================
+ Coverage 52.51% 52.52% +0.01%
==========================================
Files 182 182
Lines 18175 18175
==========================================
+ Hits 9545 9547 +2
+ Misses 8090 8088 -2
Partials 540 540 see 1 file with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report in Codecov by Sentry. |
|
/retest |
| name: aso-controller-settings | ||
| type: Opaque | ||
| data: | ||
| AZURE_SUBSCRIPTION_ID: ${AZURE_SUBSCRIPTION_ID_B64:=""} |
There was a problem hiding this comment.
is this temporary until we can use workload identity?
There was a problem hiding this comment.
I was thinking auth for ASO would essentially mirror the AzureClusterIdentity for the Cluster, which could also be Service Principal. Or would it make sense to always configure ASO to use workload identity? I still don't have a clear idea of exactly how workload identity works so I couldn't quite figure out how to get that set up based on the docs: https://azure.github.io/azure-service-operator/guide/authentication/#azure-workload-identity
I was also thinking having a default set of credentials here would make it easy for users to get started using ASO directly even if CAPZ can work around relying on the credentials here.
| type: Opaque | ||
| data: | ||
| AZURE_SUBSCRIPTION_ID: ${AZURE_SUBSCRIPTION_ID_B64:=""} | ||
| AZURE_TENANT_ID: ${AZURE_TENANT_ID_B64:=""} |
There was a problem hiding this comment.
Just curious, is there a reason we want to add the :="" part to the variable references?
There was a problem hiding this comment.
I admit this was a shameless copy-paste from here and didn't really consider whether it's necessary or not:
cluster-api-provider-azure/config/default/credentials.yaml
Lines 7 to 8 in fec6314
It looks like ASO will get stuck in a crash loop either way when the vars aren't defined, but with :="" it doesn't crash until an ASO resource is created, whereas without :="" it'll crash as soon as it starts up even when no ASO resources exist.
There was a problem hiding this comment.
For the CAPZ manager credentials, the idea is that you can optionally define global credentials but it's also possible to define per Cluster credentials via AzureClusterIdentity, so we don't want the credentials to be required when installing CAPZ as they aren't actually required until you create your first cluster (without the defaulting to "", which is what :="" does, clusterctl init would fail when the environment variables are not set).
There was a problem hiding this comment.
So I think with :="" is what we want then. Eventually, a set of ASO credentials will be generated for each individual cluster from an AzureClusterIdentity if one exists, so those users can still choose not to define the global credentials and ASO will work fine with CAPZ until the user tries to create an ASO resource themselves without specifying credentials and relying on the defaults.
| - credentials.yaml | ||
|
|
||
| patches: | ||
| - patch: |- # default kustomization includes a namespace already |
There was a problem hiding this comment.
Nit: do we want a line break at the end? Not sure if it's better to use |- or | in this case.
There was a problem hiding this comment.
Looks like that doesn't affect the output at all.
|
I just noticed that CAPI Tilt assumes the root of the kustomize config is Originally I didn't integrate ASO directly with |
|
I managed to get this working from the existing Thoughts on this approach vs. renaming the current |
Have you considered making it configurable as an alternative? another idea: what if we renamed |
Kind of, didn't take the time yet to figure out exactly how that might work though.
Yeah I think this will be the easiest option. I'll update this PR next week with that change. |
k8s-ci-robot
added
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
/retest |
|
/hold I think I broke something here :/ |
k8s-ci-robot
added
the
do-not-merge/hold
/hold cancel Just pushed a fix for this. capz-webhook-service's selector was only selecting based on the |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/retest |
|
@Jont828 @CecileRobertMichon This is ready for another look whenever you have time. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 7043312555ed10d21bb4a4edf06e9cecab235dd3
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jackfrancis The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it: This PR adds the kustomize config necessary to install ASO. These changes deliberately omit integration with
tiltorclusterctl initso ASO doesn't get installed before it can be used. This other branch on my fork includes the necessary foo to wire up the install if you'd like to try it yourself: https://github.com/nojnhuh/cluster-api-provider-azure/tree/aso-wiredWhich issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #3520
Special notes for your reviewer:
TODOs:
Release note: