-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support arbitrary ARM ID owners #3245
Conversation
ab49bd8
to
3ccb5ed
Compare
Codecov Report
@@ Coverage Diff @@
## main #3245 +/- ##
==========================================
- Coverage 54.46% 54.36% -0.10%
==========================================
Files 1446 1446
Lines 616161 616614 +453
==========================================
- Hits 335584 335227 -357
- Misses 225588 226405 +817
+ Partials 54989 54982 -7
|
/ok-to-test sha=3ccb5ed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I understand what's going on here; will come back for another read through but don't want to block.
func(old runtime.Object) (admission.Warnings, error) { | ||
return resource.validateOwnerReference() | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need to be wrapped? or, could you use resource.validateOwnerReference
directly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's wrapped to discard the old
parameter because it's not needed but I wanted to share a single impl for update/create. Since the signature matches for create it's called directly:
// createValidations validates the creation of the resource
func (zone *DnsZone) createValidations() []func() (admission.Warnings, error) {
return []func() (admission.Warnings, error){zone.validateResourceReferences, zone.validateOwnerReference}
}
but for update because the signature doesn't match exactly it's wrapped. This is the same behavior as w/ validateResourceReferences
so I think it makes sense to do the same thing here. LMK if you see a cleaner way.
v2/tools/generator/internal/functions/kubernetes_admissions_validations.go
Outdated
Show resolved
Hide resolved
v2/pkg/genruntime/core/errors.go
Outdated
func (e *SubscriptionMismatch) Error() string { | ||
return e.cause.Error() | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does SubscriptionMismatch
need a custom error message as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've changed how this is implemented so that it makes more sense. The error format is now part of this error type rather than just hardcoded in the file that called NewSubscriptionMismatchError
|
||
// GetResourceTypeAndProvider returns the provider and the array of resource types which represent the resource. | ||
// For example: Microsoft.Compute/virtualMachineScaleSets would return ("Microsoft.Compute", []string{"virtualMachineScaleSets"}, nil) | ||
func GetResourceTypeAndProvider(res ARMMetaObject) (string, []string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we already have this code somewhere. We should either reuse the original, or change the other case to use this one. Maybe as a separate PR though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if you saw but I just moved it from where it was elsewhere. Previously it was unexpected in resource_hierarchy.go
. Unless you're saying it's already in two different places in the code? One in resource_hierarchy.go
and one someplace else?
// to have an owner (for example, ResourceGroup), returns nil. | ||
func (r *Resolver) ResolveOwner(ctx context.Context, obj genruntime.ARMOwnedMetaObject) (genruntime.ARMMetaObject, error) { | ||
// to have an owner (for example, ResourceGroup) or the owner points to a raw ARM ID, returns nil. | ||
func (r *Resolver) ResolveOwner(ctx context.Context, obj genruntime.ARMOwnedMetaObject) (OwnerDetails, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems odd that ResolveOwner
returns nil even if it has an owner, just because it's an ARM ID.
Maybe rename to ResolveClusterOwner()
or ResolveKubernetesOwner()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah it doesn't actually return nil
anymore. I refactored the method and added the OwnerDetails
return type because I also didn't like this. Now it always has a return and that return has the Result
set to either:
OwnerFoundKubernetes
(if the owner was found in k8s)OwnerFoundARM
(if the owner was found in ARM)OwnerNotExpected
(if the owner was not found but also not expected)- an error (if an owner was not found but was expected).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've fixed this comment.
3ccb5ed
to
0363c94
Compare
/ok-to-test sha=0363c94 |
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
0363c94
to
255bc20
Compare
/ok-to-test sha=255bc20 |
This closes #2357.
Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API.
ARM ID ownership behaves the following way:
Documentation will come in a follow-up PR.
If applicable: