Support arbitrary ARM ID owners #3245
Conversation
force-pushed from ab49bd8 to 3ccb5ed
Codecov Report
@@ Coverage Diff @@
## main #3245 +/- ##
==========================================
- Coverage 54.46% 54.36% -0.10%
==========================================
Files 1446 1446
Lines 616161 616614 +453
==========================================
- Hits 335584 335227 -357
- Misses 225588 226405 +817
+ Partials 54989 54982 -7
/ok-to-test sha=3ccb5ed
I think I understand what's going on here; will come back for another read through but don't want to block.
```go
func(old runtime.Object) (admission.Warnings, error) {
	return resource.validateOwnerReference()
},
```
Does this need to be wrapped? Or could you use resource.validateOwnerReference directly?
It's wrapped to discard the old parameter because it's not needed, but I wanted to share a single impl for update/create. Since the signature matches for create it's called directly:

```go
// createValidations validates the creation of the resource
func (zone *DnsZone) createValidations() []func() (admission.Warnings, error) {
	return []func() (admission.Warnings, error){zone.validateResourceReferences, zone.validateOwnerReference}
}
```

but for update, because the signature doesn't match exactly, it's wrapped. This is the same behavior as w/ validateResourceReferences, so I think it makes sense to do the same thing here. LMK if you see a cleaner way.
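The create/update sharing pattern discussed in this thread, as an added stand-alone example written for this page (not the project's own code): the `Warnings`, `OwnerSpec` and `Resource` types are simplified stand-ins for controller-runtime's `admission.Warnings` and the generated resource types, and `validateOwnerReference` here checks that an owner is given as exactly one of a Kubernetes name or an ARM ID, which is an assumed rule for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Warnings mirrors the shape of controller-runtime's admission.Warnings
// ([]string); it is redefined here so the example builds stand-alone.
type Warnings []string

// OwnerSpec is a hypothetical, simplified owner reference: either the name of a
// Kubernetes object in the same namespace, or a raw ARM resource ID.
type OwnerSpec struct {
	Name  string
	ARMID string
}

// Resource is a hypothetical resource carrying an optional owner reference.
type Resource struct {
	Kind  string
	Owner *OwnerSpec
}

// validateOwnerReference is the single implementation shared by create and
// update: an owner must be identified by exactly one of Name or ARMID.
func (r *Resource) validateOwnerReference() (Warnings, error) {
	if r.Owner == nil {
		return nil, nil
	}
	hasName, hasARMID := r.Owner.Name != "", r.Owner.ARMID != ""
	switch {
	case hasName && hasARMID:
		return nil, errors.New("owner must set either name or armId, not both")
	case !hasName && !hasARMID:
		return nil, errors.New("owner must set one of name or armId")
	}
	return nil, nil
}

// validateResourceReferences stands in for the generated reference checks.
func (r *Resource) validateResourceReferences() (Warnings, error) {
	return nil, nil
}

// createValidations: the signatures match, so the methods are listed directly.
func (r *Resource) createValidations() []func() (Warnings, error) {
	return []func() (Warnings, error){r.validateResourceReferences, r.validateOwnerReference}
}

// updateValidations: the update signature carries the old object, so each
// shared validation is wrapped in a closure that discards it.
func (r *Resource) updateValidations() []func(old *Resource) (Warnings, error) {
	return []func(old *Resource) (Warnings, error){
		func(old *Resource) (Warnings, error) { return r.validateResourceReferences() },
		func(old *Resource) (Warnings, error) { return r.validateOwnerReference() },
	}
}

// ValidateCreate runs every create validation, collecting warnings and
// stopping at the first error.
func (r *Resource) ValidateCreate() (Warnings, error) {
	var all Warnings
	for _, v := range r.createValidations() {
		w, err := v()
		all = append(all, w...)
		if err != nil {
			return all, err
		}
	}
	return all, nil
}

// ValidateUpdate runs every update validation against the old object.
func (r *Resource) ValidateUpdate(old *Resource) (Warnings, error) {
	var all Warnings
	for _, v := range r.updateValidations() {
		w, err := v(old)
		all = append(all, w...)
		if err != nil {
			return all, err
		}
	}
	return all, nil
}

func main() {
	// Constructed input: an owner reference that sets both fields is rejected
	// on create and on update by the same shared check.
	bad := &Resource{Kind: "DnsZone", Owner: &OwnerSpec{Name: "rg1", ARMID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"}}
	_, err := bad.ValidateCreate()
	fmt.Println("create:", err)
	_, err = bad.ValidateUpdate(&Resource{Kind: "DnsZone"})
	fmt.Println("update:", err)
}
```

The closures in `updateValidations` exist only to adapt the `func(old)` signature; the validation logic lives once, so a check added for create cannot silently be missing on update.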
v2/tools/generator/internal/functions/kubernetes_admissions_validations.go (outdated; thread resolved)
v2/pkg/genruntime/core/errors.go (outdated)
```go
func (e *SubscriptionMismatch) Error() string {
	return e.cause.Error()
}
```
Does SubscriptionMismatch need a custom error message as well?
I've changed how this is implemented so that it makes more sense. The error format is now part of this error type rather than just hardcoded in the file that called NewSubscriptionMismatchError.
```go
// GetResourceTypeAndProvider returns the provider and the array of resource types which represent the resource.
// For example: Microsoft.Compute/virtualMachineScaleSets would return ("Microsoft.Compute", []string{"virtualMachineScaleSets"}, nil)
func GetResourceTypeAndProvider(res ARMMetaObject) (string, []string, error) {
```
I think we already have this code somewhere. We should either reuse the original, or change the other case to use this one. Maybe as a separate PR though.
Not sure if you saw but I just moved it from where it was elsewhere. Previously it was unexpected in resource_hierarchy.go. Unless you're saying it's already in two different places in the code? One in resource_hierarchy.go and one someplace else?
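Two threads above concern the same piece of ARM ID handling: the `SubscriptionMismatch` error type that now carries its own message format, and `GetResourceTypeAndProvider`, which splits a type string such as `Microsoft.Compute/virtualMachineScaleSets` into provider and resource types. The following is an added example written for this page, not the project's implementation: `ParseARMID`, `ParsedARMID`, `SubscriptionMismatchError` and `CheckOwnerSubscription` are hypothetical names, the ID layout assumed is the standard `/subscriptions/<sub>/resourceGroups/<rg>/providers/<provider>/<type>/<name>...` form, and this `GetResourceTypeAndProvider` takes the type string directly rather than an `ARMMetaObject`. The subscription check implements the rule from the PR description that the credential in use must match the subscription of an ARM ID owner.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParsedARMID is a hypothetical decomposition of a fully qualified ARM resource ID.
type ParsedARMID struct {
	SubscriptionID string
	ResourceGroup  string
	Provider       string
	Types          []string // nested resource types, outermost first
	Names          []string // one name per type, same order as Types
}

// ParseARMID parses IDs of the form
// /subscriptions/<sub>/resourceGroups/<rg>/providers/<provider>/<type>/<name>[/<type>/<name>...].
// Segment keywords are compared case-insensitively, as ARM itself does.
func ParseARMID(id string) (ParsedARMID, error) {
	var p ParsedARMID
	parts := strings.Split(strings.Trim(id, "/"), "/")
	if len(parts) < 6 ||
		!strings.EqualFold(parts[0], "subscriptions") ||
		!strings.EqualFold(parts[2], "resourceGroups") ||
		!strings.EqualFold(parts[4], "providers") {
		return p, fmt.Errorf("malformed ARM ID %q", id)
	}
	p.SubscriptionID, p.ResourceGroup, p.Provider = parts[1], parts[3], parts[5]
	rest := parts[6:]
	if len(rest) == 0 || len(rest)%2 != 0 {
		return p, fmt.Errorf("ARM ID %q must end with type/name pairs", id)
	}
	for i := 0; i < len(rest); i += 2 {
		p.Types = append(p.Types, rest[i])
		p.Names = append(p.Names, rest[i+1])
	}
	return p, nil
}

// GetResourceTypeAndProvider splits a resource type string into the provider and
// the array of (possibly nested) resource types, e.g.
// "Microsoft.Compute/virtualMachineScaleSets" -> ("Microsoft.Compute", ["virtualMachineScaleSets"]).
// Unlike the page's version, which takes an ARMMetaObject, this takes the type string.
func GetResourceTypeAndProvider(resourceType string) (string, []string, error) {
	parts := strings.Split(resourceType, "/")
	if len(parts) < 2 {
		return "", nil, fmt.Errorf("resource type %q has no provider", resourceType)
	}
	for _, s := range parts {
		if s == "" {
			return "", nil, fmt.Errorf("resource type %q has an empty segment", resourceType)
		}
	}
	return parts[0], parts[1:], nil
}

// SubscriptionMismatchError carries its own message format, so the caller does
// not hand-format the text; the fields stay available for errors.As callers.
type SubscriptionMismatchError struct {
	OwnerID       string
	OwnerSub      string
	CredentialSub string
}

func (e *SubscriptionMismatchError) Error() string {
	return fmt.Sprintf("owner %s is in subscription %s but the credential in use is for subscription %s",
		e.OwnerID, e.OwnerSub, e.CredentialSub)
}

// CheckOwnerSubscription enforces that the credential used for a resource
// belongs to the same subscription as the resource's ARM ID owner.
func CheckOwnerSubscription(credentialSub, ownerARMID string) error {
	parsed, err := ParseARMID(ownerARMID)
	if err != nil {
		return err
	}
	if !strings.EqualFold(parsed.SubscriptionID, credentialSub) {
		return &SubscriptionMismatchError{OwnerID: ownerARMID, OwnerSub: parsed.SubscriptionID, CredentialSub: credentialSub}
	}
	return nil
}

func main() {
	// Constructed IDs; the subscription GUIDs are placeholders.
	owner := "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1"
	err := CheckOwnerSubscription("22222222-2222-2222-2222-222222222222", owner)
	var mm *SubscriptionMismatchError
	if errors.As(err, &mm) {
		fmt.Println("rejected:", mm)
	}
	prov, types, _ := GetResourceTypeAndProvider("Microsoft.Network/virtualNetworks/subnets")
	fmt.Println(prov, types)
}
```

Keeping the message inside `Error()` means every call site reports the mismatch identically, and a caller that wants to react specifically (for example to surface a condition rather than retry) can use `errors.As` instead of matching on text.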
```go
// to have an owner (for example, ResourceGroup), returns nil.
func (r *Resolver) ResolveOwner(ctx context.Context, obj genruntime.ARMOwnedMetaObject) (genruntime.ARMMetaObject, error) {
// to have an owner (for example, ResourceGroup) or the owner points to a raw ARM ID, returns nil.
func (r *Resolver) ResolveOwner(ctx context.Context, obj genruntime.ARMOwnedMetaObject) (OwnerDetails, error) {
```
Seems odd that ResolveOwner returns nil even if it has an owner, just because it's an ARM ID. Maybe rename to ResolveClusterOwner() or ResolveKubernetesOwner()?
Ah it doesn't actually return nil anymore. I refactored the method and added the OwnerDetails return type because I also didn't like this. Now it always has a return and that return has the Result set to either:

- OwnerFoundKubernetes (if the owner was found in k8s)
- OwnerFoundARM (if the owner was found in ARM)
- OwnerNotExpected (if the owner was not found but also not expected)
- an error (if an owner was not found but was expected).
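The explicit-result design described in this reply, as an added example written for this page (not the project's `Resolver`): `OwnerRef`, `Object`, `Resolver` and `ErrOwnerNotFound` are hypothetical, the Kubernetes API is stood in for by an in-memory map, and which kinds are ownerless is assumed to be a lookup table. The point it shows is that every outcome is distinguishable by `Result`, so a caller cannot mistake an ARM ID owner for "no owner".

```go
package main

import (
	"errors"
	"fmt"
)

// OwnerResult says how (or whether) an owner was resolved, instead of
// signalling the outcome with a nil return.
type OwnerResult int

const (
	OwnerFoundKubernetes OwnerResult = iota // owner is an object in the cluster
	OwnerFoundARM                           // owner is a raw ARM ID
	OwnerNotExpected                        // this kind has no owner (e.g. ResourceGroup)
)

func (r OwnerResult) String() string {
	switch r {
	case OwnerFoundKubernetes:
		return "OwnerFoundKubernetes"
	case OwnerFoundARM:
		return "OwnerFoundARM"
	case OwnerNotExpected:
		return "OwnerNotExpected"
	}
	return fmt.Sprintf("OwnerResult(%d)", int(r))
}

// OwnerRef is a hypothetical owner reference: a cluster object name or an ARM ID.
type OwnerRef struct {
	Name  string
	ARMID string
}

// Object is a hypothetical ARM-owned object.
type Object struct {
	Kind  string
	Owner *OwnerRef
}

// OwnerDetails is the always-populated return value of ResolveOwner.
type OwnerDetails struct {
	Result OwnerResult
	Owner  *Object // set when Result == OwnerFoundKubernetes
	ARMID  string  // set when Result == OwnerFoundARM
}

// ErrOwnerNotFound is returned (wrapped) when an owner was expected but is absent.
var ErrOwnerNotFound = errors.New("owner not found")

// Resolver resolves owners against an in-memory stand-in for the Kubernetes API.
type Resolver struct {
	cluster        map[string]*Object // objects in the cluster, keyed by name
	ownerlessKinds map[string]bool    // kinds that legitimately have no owner
}

// ResolveOwner classifies the owner of obj. It never uses nil to mean
// "no owner": that case is OwnerNotExpected, and a missing-but-required
// owner is an error.
func (r *Resolver) ResolveOwner(obj *Object) (OwnerDetails, error) {
	if obj.Owner == nil {
		if r.ownerlessKinds[obj.Kind] {
			return OwnerDetails{Result: OwnerNotExpected}, nil
		}
		return OwnerDetails{}, fmt.Errorf("%s requires an owner: %w", obj.Kind, ErrOwnerNotFound)
	}
	if obj.Owner.ARMID != "" {
		// An ARM ID owner is not looked up in the cluster; the caller decides
		// whether and how to verify it against ARM.
		return OwnerDetails{Result: OwnerFoundARM, ARMID: obj.Owner.ARMID}, nil
	}
	owner, ok := r.cluster[obj.Owner.Name]
	if !ok {
		return OwnerDetails{}, fmt.Errorf("%s owner %q: %w", obj.Kind, obj.Owner.Name, ErrOwnerNotFound)
	}
	return OwnerDetails{Result: OwnerFoundKubernetes, Owner: owner}, nil
}

func main() {
	// Constructed cluster contents.
	rg := &Object{Kind: "ResourceGroup"}
	r := &Resolver{cluster: map[string]*Object{"rg1": rg}, ownerlessKinds: map[string]bool{"ResourceGroup": true}}
	for _, obj := range []*Object{
		rg,
		{Kind: "DnsZone", Owner: &OwnerRef{Name: "rg1"}},
		{Kind: "DnsZone", Owner: &OwnerRef{ARMID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg2"}},
		{Kind: "DnsZone", Owner: &OwnerRef{Name: "missing"}},
	} {
		d, err := r.ResolveOwner(obj)
		fmt.Printf("%s -> %v (err=%v)\n", obj.Kind, d.Result, err)
	}
}
```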
I've fixed this comment.
force-pushed from 3ccb5ed to 0363c94

/ok-to-test sha=0363c94
This closes Azure#2357.

Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API.

ARM ID ownership behaves the following way:

* Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes.
* The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
force-pushed from 0363c94 to 255bc20

/ok-to-test sha=255bc20
Documentation will come in a follow-up PR.