
cache credentials from AzureClusterIdentity #5283

Merged
merged 1 commit into from
Nov 19, 2024

Conversation

nojnhuh (Contributor) commented Nov 18, 2024

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR leverages the credential cache added in #5211 for credentials defined in AzureClusterIdentity resources. This lets CAPZ save token handles between reconciles instead of re-authenticating every reconciliation loop.

These graphs show the reconciles involving authentication requests made by CAPZ when creating two workload clusters that used the same credentials before and after implementing the cache:
(graphs: before and after)

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1077

Special notes for your reviewer:

  • cherry-pick candidate

The most interesting change here is in azure/scope/identity.go, which inserts the cache in place of the direct SDK calls. The rest of the changes plumb the cache created in main to there.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

CAPZ now caches credentials to reduce the number of authentication requests it makes to Entra
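The mechanism the description refers to (a cache that hands back the same token credential across reconciles instead of re-running the SDK credential constructor each loop) can be illustrated with a small stand-alone model. This is an added example, not code from the PR or from CAPZ: `CredentialKey`, `CredentialCache.GetOrStore`, `Authenticator` and `countingCredential` are hypothetical names, `TokenCredential` is a one-method stand-in for the Azure SDK interface, and the `GetTokenCredential` signature is simplified relative to the one shown in the review comments below. The identities and authority host are constructed sample values.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// TokenCredential is a minimal stand-in for azcore.TokenCredential
// (hypothetical; not the Azure SDK type).
type TokenCredential interface {
	GetToken(ctx context.Context) (string, error)
}

// CredentialKey identifies one logical identity. Everything that changes which
// principal is authenticated must be part of the key; otherwise two
// AzureClusterIdentity resources could silently share a credential.
type CredentialKey struct {
	IdentityType  string // constructed labels such as "ServicePrincipal"
	TenantID      string
	ClientID      string
	AuthorityHost string
}

// CredentialCache keeps one TokenCredential per CredentialKey so repeated
// reconciles reuse the handle (and the token it holds) instead of
// authenticating again on every loop.
type CredentialCache struct {
	mu    sync.Mutex
	creds map[CredentialKey]TokenCredential
}

func NewCredentialCache() *CredentialCache {
	return &CredentialCache{creds: make(map[CredentialKey]TokenCredential)}
}

// GetOrStore returns the cached credential for key or builds one with newCred,
// stores it and returns it. The lock is held across the build so two
// concurrent reconciles for the same identity cannot both authenticate.
func (c *CredentialCache) GetOrStore(key CredentialKey, newCred func() (TokenCredential, error)) (TokenCredential, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if cred, ok := c.creds[key]; ok {
		return cred, nil
	}
	cred, err := newCred()
	if err != nil {
		return nil, err // failures are not cached; the next reconcile retries
	}
	c.creds[key] = cred
	return cred, nil
}

// countingCredential is a constructed stand-in for an SDK credential object.
type countingCredential struct{ key CredentialKey }

func (cc *countingCredential) GetToken(ctx context.Context) (string, error) {
	return "token-for-" + cc.key.ClientID, nil
}

// Authenticator models the identity.go code path: each reconcile asks the
// cache for a credential rather than calling the SDK constructor directly.
type Authenticator struct {
	cache *CredentialCache
	Auths int // number of real (non-cached) authentications performed
}

func (a *Authenticator) GetTokenCredential(ctx context.Context, key CredentialKey) (TokenCredential, error) {
	return a.cache.GetOrStore(key, func() (TokenCredential, error) {
		a.Auths++ // an SDK constructor such as NewClientSecretCredential would run here
		return &countingCredential{key: key}, nil
	})
}

// Reconcile runs n reconcile loops over the given identities and reports how
// many authentications the cache let through.
func Reconcile(identities []CredentialKey, n int) (int, error) {
	a := &Authenticator{cache: NewCredentialCache()}
	for i := 0; i < n; i++ {
		for _, id := range identities {
			if _, err := a.GetTokenCredential(context.Background(), id); err != nil {
				return 0, err
			}
		}
	}
	return a.Auths, nil
}

func main() {
	// Constructed sample: two workload clusters sharing one service principal
	// plus a third cluster with a different client ID.
	shared := CredentialKey{"ServicePrincipal", "tenant-a", "client-1", "https://login.microsoftonline.com/"}
	other := CredentialKey{"ServicePrincipal", "tenant-a", "client-2", "https://login.microsoftonline.com/"}
	auths, _ := Reconcile([]CredentialKey{shared, shared, other}, 10)
	fmt.Println("authentications across 30 reconciles:", auths) // 2
}
```

Two design points carry over to any real implementation: the key must include every input that selects a principal (identity type, tenant, client, authority host), and constructor errors must not be cached, or a transient failure would pin a broken credential for the lifetime of the process.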

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 18, 2024
@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Nov 18, 2024
codecov bot commented Nov 18, 2024

Codecov Report

Attention: Patch coverage is 76.84211% with 22 lines in your changes missing coverage. Please review.

Project coverage is 53.03%. Comparing base (7e9ebb9) to head (34b748e).
Report is 12 commits behind head on main.

Files with missing lines Patch % Lines
main.go 0.00% 10 Missing ⚠️
internal/test/env/env.go 0.00% 7 Missing ⚠️
controllers/helpers.go 54.54% 5 Missing ⚠️
@@            Coverage Diff             @@
##             main    #5283      +/-   ##
==========================================
+ Coverage   53.00%   53.03%   +0.03%     
==========================================
  Files         272      272              
  Lines       29429    29404      -25     
==========================================
- Hits        15598    15595       -3     
+ Misses      13027    13010      -17     
+ Partials      804      799       -5     


@dtzar dtzar removed the request for review from jsturtevant November 18, 2024 18:51
@dtzar dtzar added this to the v1.18 milestone Nov 18, 2024
g.Expect(err).NotTo(HaveOccurred())
cred, err := provider.GetTokenCredential(context.Background(), "", tt.ActiveDirectoryAuthorityHost, "")
_, err = provider.GetTokenCredential(context.Background(), "", tt.ActiveDirectoryAuthorityHost, "")
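Review bot: `_, err = provider.GetTokenCredential(...)` discards the credential from the second call, so this snippet never shows that a second lookup with identical arguments gets the same handle back, which is the cache-hit behaviour this PR introduces. Consider capturing it and asserting `g.Expect(cred2).To(BeIdenticalTo(cred))` after `g.Expect(cred).NotTo(BeNil())` on the first result, so the cache-hit path is checked on the returned value and not only on the arguments recorded by the cache mock.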
Contributor

why aren't we asserting the first response object?

Contributor Author

That value is returned by a mock defined by the test, so it doesn't really mean anything.

Contributor Author

The main validation of that is covered by verifying the arguments we pass to the p.cache.GetOrStore... calls in the cacheExpect of each test case.

Contributor

I see that GetTokenCredential returns non-nil every time err is nil, maybe I'm being extra-defensive and protecting against the possibility that GetTokenCredential changes and an undesirable outcome is identified only in the TokenCredential object.

Non-blocking.

jackfrancis (Contributor) left a comment

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 18, 2024
@k8s-ci-robot

LGTM label has been added.

Git tree hash: da43590508b97601bc43c1df3f70462dc8c96177

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 18, 2024
nojnhuh (Contributor Author) commented Nov 19, 2024

/retest

@k8s-ci-robot k8s-ci-robot merged commit 5b2cbce into kubernetes-sigs:main Nov 19, 2024
21 checks passed
Development

Successfully merging this pull request may close these issues.

Reduce the amount of authentication requests