Add AppLens Client and Detector Endpoints #2243
Conversation
zacharyljones
requested review from
jewzaam,
m1kola,
bennerv,
hawkowl,
rogbas,
petrkotas,
ross-bryan and
darthhexx
as code owners
pkg/util/cluster/cluster.go
Outdated
| @@ -135,36 +135,17 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str | |||
| } | |||
|
|
|||
| c.log.Infof("creating AAD application") | |||
| // This is for our CFS scenario where we do not have permissions to allow the RP to create it's own AAD application | |||
There was a problem hiding this comment.
Changes to this file were specific to a local development scenario and were accidentally committed. All changes to this file have been reverted.
pkg/util/cluster/cluster.go
Outdated
| @@ -135,14 +135,32 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str | |||
| } | |||
|
|
|||
| c.log.Infof("creating AAD application") | |||
| appID, appSecret, err := c.createApplication(ctx, "aro-"+clusterName) | |||
There was a problem hiding this comment.
Changes to this file were specific to a local development scenario and were accidentally committed. All changes to this file have been reverted.
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
2 times, most recently
from
21a7e79
to
5807b66
Compare
|
@weinong @coreyperkins FYSA |
|
The AppLens Client was modeled after the Azure CosmosDB Client in the Azure SDK for Go. Unfortunately this new client cannot be added to the Azure SDK for Go, as the AppLens service is technically private and there is no need for end users to have access to the client. |
| @@ -79,6 +80,7 @@ type Interface interface { | |||
| Domain() string | |||
| FeatureIsSet(Feature) bool | |||
| FPAuthorizer(string, string) (refreshable.Authorizer, error) | |||
| FPNewClientCertificateCredential(string) (*azidentity.ClientCertificateCredential, error) | |||
There was a problem hiding this comment.
we should use azcore.TokenCredential interface
There was a problem hiding this comment.
I will take a look - the current FPauthorizer uses cert based authentication to AAD, so I thought that made the most sense at the time. After our conversation yesterday, it sounds like we want to use the FP certificates to create an azcore.TokenCredential and then authenticate to AppLens using that credential. Is that correct?
There was a problem hiding this comment.
correct. that being said, azidentity.ClientCertificateCredential is also azcore.TokenCredential
There was a problem hiding this comment.
I attempted to use the azcore.TokenCredential interface, but ran into an issue with code gen. The mock env file that gets generated imports github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared instead of just github.com/Azure/azure-sdk-for-go/sdk/azcore. Similarly, all references to azcore.TokenCredential are replaced with shared.TokenCredential. This causes go validation to fail, unit tests to fail, etc.
A bit of research turned up this azure-sdk-for-go issue. Apparently this is a bug/issue with how older versions of the SDK
export symbols. Some aspects of this issue have been fixed but none of those changes are available in the go 1.17 compatible version of the SDK that I am using.
Sticking with azidentity.ClientCertificateCredential for now.
| @@ -102,3 +113,20 @@ func (a *azureActions) VMResize(ctx context.Context, vmName string, size string) | |||
| vm.HardwareProfile.VMSize = mgmtcompute.VirtualMachineSizeTypes(size) | |||
| return a.virtualMachines.CreateOrUpdateAndWait(ctx, clusterRGName, vmName, vm) | |||
| } | |||
|
|
|||
| func (a *azureActions) AppLensGetDetector(ctx context.Context, detectorId string) ([]byte, error) { | |||
| resp, err := a.appLens.GetDetector(ctx, &applens.GetDetectorOptions{ResourceID: a.oc.Properties.ClusterProfile.ResourceGroupID, DetectorID: detectorId}) | |||
There was a problem hiding this comment.
Updated to use cluster resource id, and not cluster resource group resource id
| var _ AppLensClient = &appLensClient{} | ||
|
|
||
| // NewAppLensClient returns a new AppLensClient | ||
| func NewAppLensClient(env *azureclient.AROEnvironment, clientCertCred *azidentity.ClientCertificateCredential) AppLensClient { |
There was a problem hiding this comment.
let's also use azcore.TokenCredential
There was a problem hiding this comment.
Do you want this in addition to azidentity.ClientCertificateCredential, or do you want me to replace azidentity.ClientCertificateCredential with azcore.TokenCredential?
There was a problem hiding this comment.
azidentity.ClientCertificateCredential is the implementation of azcore.TokenCredential interface
There was a problem hiding this comment.
Refer to previous comment
| return nil, err | ||
| } | ||
|
|
||
| return []string{fmt.Sprintf("%s://%s/.default", u.Scheme, u.Hostname())}, nil |
There was a problem hiding this comment.
i'm pretty sure the endpoint is not the scope.
There was a problem hiding this comment.
This was copied over from the Cosmos client - I figured I would resolve any issues related to the scope during testing as I wasn't sure whether it would be needed or not. Do you think the scope should be something else, or removed altogether?
There was a problem hiding this comment.
you have to have scope to get AAD token. in ADAL, it's called ResourceID. In MSAL, it's called Scope.
https://msazure.visualstudio.com/CloudNativeCompute/_git/aks-rp?path=/resourceprovider/server/microsoft.com/containerservice/templates/implementation.go&version=GBmaster&line=676&lineEnd=677&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents
There was a problem hiding this comment.
Understood - with that information I was able to use the appropriate scopes provided by the AppLens team. The code for creating the scope from the target endpoint has been removed.
| ctx context.Context, | ||
| requestOptions appLensRequestOptions, | ||
| requestEnricher func(*policy.Request)) (*http.Response, error) { | ||
| req, err := c.createRequest(ctx, http.MethodGet, requestOptions, requestEnricher) |
There was a problem hiding this comment.
Oof - you are correct. I will swap the get method for a post and update relevant unit tests. MTF.
There was a problem hiding this comment.
Client updated to use Post. Unit tests also updated.
|
Please rebase pull request. |
|
can you also add user agent please? |
| } | ||
|
|
||
| func (a *azureActions) AppLensListDetectors(ctx context.Context) ([]byte, error) { | ||
| resp, err := a.appLens.ListDetectors(ctx, &applens.ListDetectorsOptions{ResourceID: a.oc.Properties.ClusterProfile.ResourceGroupID}) |
There was a problem hiding this comment.
same here. using resource group ID seems wrong.
There was a problem hiding this comment.
Updated to use cluster resource id, and not cluster resource group resource id
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
from
5807b66
to
3b591a4
Compare
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
from
3b591a4
to
a726c05
Compare
@weinong Can you elaborate on this? I see that it is added in AKS, but I do not see it in the AppLens example. What does the user agent afford us? |
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
4 times, most recently
from
82b2651
to
3707b8d
Compare
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
2 times, most recently
from
d0e2b40
to
1aaa832
Compare
zacharyljones
force-pushed
the
zjones/app_lens_detectors
branch
from
1aaa832
to
756a28e
Compare
|
I'm assuming AppLens relies on an Azure service of same name, correct? Have we checked if it is available in all the Azure regions we support? cc @weinong |
yes, it's available in public and fairfax |
| return nil, err | ||
| } | ||
|
|
||
| successResponse := (response.StatusCode >= 200 && response.StatusCode < 300) || response.StatusCode == 304 |
There was a problem hiding this comment.
Why are we expecting to receive a variety of response codes from applens for a successful call?
There was a problem hiding this comment.
Agreed, I think it would be better to have a list of all success responses from applens and and evaluate based on that list rather than have a huge range.
| @@ -33,6 +40,9 @@ var ( | |||
| ActualCloudName: "AzureUSGovernment", | |||
| GenevaMonitoringEndpoint: "https://gcs.monitoring.core.usgovcloudapi.net/", | |||
| AppSuffix: "aro.azure.us", | |||
| AppLensEndpoint: "https://diag-runtimehost-prod-bn1-001.azurewebsites.us/api/invoke", | |||
| AppLensScope: "https://microsoft.onmicrosoft.com/runtimehost", | |||
There was a problem hiding this comment.
Why is the scope here a URL?
|
/azp run ci |
|
Azure Pipelines successfully started running 1 pipeline(s). |
cfsmikedrum
force-pushed
the
zjones/app_lens_detectors
branch
from
fd26c8d
to
7478b1b
Compare
|
@s-amann, the rebase is complete |
* Change to using the environment AppLens tenant ID Add the tenant ID values for the clouds * Remove the blank line Co-authored-by: Nont <nthanonchai@microsoft.com>
Also remove empty line from go.mod
cfsmikedrum
force-pushed
the
zjones/app_lens_detectors
branch
from
950750e
to
2bd4c35
Compare
There was a problem hiding this comment.
Some outstanding comments here, but as discussed I'll merge this to unblock AppLens onboarding @s-amann
| return nil, err | ||
| } | ||
|
|
||
| successResponse := (response.StatusCode >= 200 && response.StatusCode < 300) || response.StatusCode == 304 |
There was a problem hiding this comment.
Agreed, I think it would be better to have a list of all success responses from applens and and evaluate based on that list rather than have a huge range.
Which issue this PR addresses:
Feature 10651414
What this PR does / why we need it:
This PR adds API endpoints that will enable AppLens Detectors in the Diagnose & Solve Problems Blade in the Azure Portal for ARO clusters.
Test plan for issue:
I have tested that I am able to hit the appropriate AppLens endpoints locally and receive a 401: Unauthorized error. There is no way for me to fully test this change in my dev environment because the "public" AppLens endpoints exist within the AME tenant and cross-tenant communication is not allowed. It may be possible to setup a dev RP in the AME tenant, but this is a conversation that I will have with Red Hat/MS offline.
Is there any documentation that needs to be updated for this PR?
No, the AppLens team has generic documentation for performing this integration with any service (necessary api endpoints, AppLens service endpoints, etc.)