adding multi tenancy for controller using aad-pod-identity #977

Merged
merged 3 commits into from
Dec 18, 2020

Conversation

nader-ziada
Contributor

@nader-ziada nader-ziada commented Oct 5, 2020

What type of PR is this?

/kind feature

What this PR does / why we need it:

  • adding azure principal and identity provider types for multi-tenancy

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #586, #778

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

  • work in progress

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

support for controller manager multi-tenancy 

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 5, 2020
@k8s-ci-robot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Oct 5, 2020
@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 5, 2020
@nader-ziada
Contributor Author

@devigned I thought I would push this while I'm working on it still so you can take a look and let me know what you think of the direction

@nader-ziada nader-ziada changed the title adding cluster principal and credentails prvider [WIP] adding cluster principal and credentials provider Oct 6, 2020
Contributor

@devigned devigned left a comment


Per our conversation in Slack: https://kubernetes.slack.com/archives/CEX9HENG7/p1602089427042600. I believe we are able to greatly simplify the design after talking with the AAD pod identity team. This is a great start down the multi-tenancy path.

The gist of the linked conversation:

We should run aad pod identity within the capz namespace in namespace constrained mode. We should allow users to create AzureIdentities within the workload cluster namespace and have the identity owned by the AzureCluster. The capz controller would be responsible for copying the cluster namespace identity into the controller namespace and creating a AzureIdentityBinding in the controller namespace to link the label of the capz controller and the capz namespaced copy of the cluster AzureIdentity. The capz controller would then be responsible for deleting the identities within the capz namespace when they are no longer needed.

cloud/scope/clients.go Outdated Show resolved Hide resolved
api/v1alpha3/azurecluster_types.go Outdated Show resolved Hide resolved
api/v1alpha3/azureserviceprincipal_types.go Outdated Show resolved Hide resolved
cloud/scope/principal.go Outdated Show resolved Hide resolved
config/manager/manager_image_patch.yaml Outdated Show resolved Hide resolved
@devigned
Contributor

devigned commented Oct 7, 2020

Probably goes without saying, but we will also need to deploy aad pod identity components with the capz components.

@nader-ziada
Contributor Author

Probably goes without saying, but we will also need to deploy aad pod identity components with the capz components.

yes, will add the deployment for it, was still trying to get it to work

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 8, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 9, 2020
Makefile Outdated Show resolved Hide resolved
@justaugustus justaugustus removed their request for review October 10, 2020 19:03
cloud/scope/identity.go Outdated Show resolved Hide resolved
cloud/scope/identity.go Outdated Show resolved Hide resolved
@nader-ziada nader-ziada force-pushed the multitenancy branch 2 times, most recently from e92831d to d55c592 Compare October 16, 2020 15:49
Makefile Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 16, 2020
@nader-ziada nader-ziada changed the title [WIP] adding cluster principal and credentials provider [WIP] adding multi tenancy for controller using aad-pod-identity Oct 16, 2020
@nader-ziada
Contributor Author

/test pull-cluster-api-provider-azure-e2e-full
/test pull-cluster-api-provider-azure-e2e

}

// ClusterNamespaceAllowed indicates if the cluster namespace is allowed
func (c *AzureClusterIdentity) ClusterNamespaceAllowed(namespace string) bool {
Contributor


let's add a unit test for this

api/v1alpha3/azureclusteridentity_types.go Show resolved Hide resolved
cloud/scope/identity.go Outdated Show resolved Hide resolved
controllers/azureidentity_controller.go Outdated Show resolved Hide resolved
util/identity/defaults.go Outdated Show resolved Hide resolved
@@ -350,4 +351,60 @@ var _ = Describe("Workload cluster creation", func() {
})
})
})

Context("Creating a cluster using a different SP identity", func() {
BeforeEach(func() {
Contributor


Same comment I wrote in the Windows PR - we need to audit all the clusters that get created in pr e2e tests and see if any of them can be safely combined to avoid growing the cost and duration of each PR run too much

Contributor Author


I think it makes sense for this test to have its own cluster since it is using a different identity which we would want to test separately, wdyt?

type: Opaque
data:
certificate: CERTIFICATE
password: PASSWORD
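Review bot: the placeholder values sit under `data:`, which the API server decodes as base64, so a reader who pastes a raw service principal password or a PEM certificate in place of `CERTIFICATE` / `PASSWORD` gets a rejected Secret or garbage bytes; either switch the snippet to `stringData:` (plain values) or state next to it that both values must be base64-encoded. The doc should also say whether `certificate` and `password` are alternatives or whether both are expected, since the reviewer's question below shows the snippet does not make that clear on its own.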
Contributor


This is unclear to me. Is it one or the other?

Contributor Author


both kinds are supported by aad-pod-identity https://github.com/Azure/aad-pod-identity/tree/master/deploy/demo

docs/book/src/topics/multitenancy.md Show resolved Hide resolved
return ctrl.Result{}, err
}

bindingsToDelete := []aadpodv1.AzureIdentityBinding{}
Contributor


where are the bindings created?

Contributor


Never mind, found it in scope. Seems a bit weird to me to not create the bindings/azureidentity in here too. Also, why are we expecting unused bindings to be left around needing cleanup? Why not delete them as part of AzureCluster deletion?

Contributor Author


The thinking behind this is that this object lives in a different namespace and is only for the purpose of the controller with the nmi pod; technically the cluster/user should not care about it. Also, the reason we needed the cleanup controller is that if the user changes the reference to a different identity, the controller will generate a new azureIdentity/Binding and the old one will be left behind.
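The flow described in devigned's design comment earlier in the thread (run aad-pod-identity namespace-constrained in the capz namespace, copy the cluster's identity into that namespace, bind it to the controller pods by label, delete copies that are no longer needed) together with the cleanup rationale in the reply just above, as an added Go example. This is not CAPZ's code and not the PR's implementation: the types are cut-down stand-ins for the CRDs, the `ClusterNamespaceAllowed` rule (own namespace always allowed, anything else must be listed), the owner label key, the `aadpodidbinding` selector value and the name format are all assumptions, and the sample identity and cluster objects are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed label key and selector value for this example; CAPZ's real labels are not reproduced here.
const (
	ownerClusterLabel  = "example.capz/owner-cluster" // "<namespace>.<name>" of the owning AzureCluster
	controllerSelector = "capz-controller-manager"    // aadpodidbinding value carried by the capz manager pods
)

// ObjectRef names an object in a namespace.
type ObjectRef struct{ Name, Namespace string }

// Minimal stand-ins for the CRD types discussed in this thread (constructed for the example).
type AzureClusterIdentity struct {
	Name, Namespace    string
	ClientID, TenantID string
	ClientSecret       ObjectRef // Secret holding the service principal password or certificate
	AllowedNamespaces  []string  // namespaces whose AzureClusters may reference this identity
}

type AzureCluster struct {
	Name, Namespace string
	IdentityRef     ObjectRef // AzureClusterIdentity this cluster wants to use
}

// AzureIdentity and AzureIdentityBinding mirror the aad-pod-identity objects the
// controller writes into its own namespace.
type AzureIdentity struct {
	Name, Namespace      string
	ClientID, TenantID   string
	ClientPasswordSecret ObjectRef
	Labels               map[string]string
}

type AzureIdentityBinding struct {
	Name, Namespace string
	AzureIdentity   string // name of the AzureIdentity in the same namespace
	Selector        string // pods labelled aadpodidbinding=<Selector> receive the identity
	Labels          map[string]string
}

// ClusterNamespaceAllowed applies a conservative rule chosen for this example: the
// identity's own namespace is always allowed, every other namespace must be listed.
// The PR's method of the same name defines the project's actual rule; this is not it.
func (id AzureClusterIdentity) ClusterNamespaceAllowed(ns string) bool {
	if ns == id.Namespace {
		return true
	}
	for _, allowed := range id.AllowedNamespaces {
		if allowed == ns {
			return true
		}
	}
	return false
}

// IdentityName derives the name of the controller-namespace copy, taking its
// arguments in the order the PR passes them (the format itself is hypothetical).
func IdentityName(clusterName, clusterNS, identityName string) string {
	return fmt.Sprintf("%s-%s-%s", clusterNS, clusterName, identityName)
}

func ownerValue(c AzureCluster) string { return c.Namespace + "." + c.Name }

// Plan is what one reconcile of an AzureCluster's identity should apply in the controller namespace.
type Plan struct {
	Identity AzureIdentity
	Binding  AzureIdentityBinding
	Delete   []string // stale AzureIdentity/AzureIdentityBinding pairs (same name) owned by this cluster
}

// PlanIdentity computes the copy, the binding and the cleanup for one cluster.
// existing is the current set of AzureIdentityBindings in controllerNS.
func PlanIdentity(c AzureCluster, id AzureClusterIdentity, controllerNS string, existing []AzureIdentityBinding) (Plan, error) {
	if c.IdentityRef != (ObjectRef{Name: id.Name, Namespace: id.Namespace}) {
		return Plan{}, fmt.Errorf("cluster %s/%s references %s/%s, not %s/%s",
			c.Namespace, c.Name, c.IdentityRef.Namespace, c.IdentityRef.Name, id.Namespace, id.Name)
	}
	if !id.ClusterNamespaceAllowed(c.Namespace) {
		return Plan{}, fmt.Errorf("identity %s/%s does not allow clusters in namespace %q", id.Namespace, id.Name, c.Namespace)
	}
	name := IdentityName(c.Name, c.Namespace, id.Name)
	labels := map[string]string{ownerClusterLabel: ownerValue(c)}
	p := Plan{
		Identity: AzureIdentity{Name: name, Namespace: controllerNS, ClientID: id.ClientID, TenantID: id.TenantID,
			ClientPasswordSecret: id.ClientSecret, Labels: labels},
		Binding: AzureIdentityBinding{Name: name, Namespace: controllerNS, AzureIdentity: name,
			Selector: controllerSelector, Labels: labels},
	}
	// Anything this cluster owns under a different name is left over from an earlier
	// identityRef and must go, so the old credential can no longer be bound to the controller.
	for _, b := range existing {
		if b.Namespace == controllerNS && b.Labels[ownerClusterLabel] == ownerValue(c) && b.Name != name {
			p.Delete = append(p.Delete, b.Name)
		}
	}
	sort.Strings(p.Delete)
	return p, nil
}

func main() {
	// Constructed sample objects.
	id := AzureClusterIdentity{Name: "tenant-a-sp", Namespace: "tenant-a", ClientID: "00000000-0000-0000-0000-000000000001",
		TenantID: "00000000-0000-0000-0000-0000000000aa", ClientSecret: ObjectRef{Name: "tenant-a-sp-secret", Namespace: "tenant-a"}}
	c := AzureCluster{Name: "cluster-1", Namespace: "tenant-a", IdentityRef: ObjectRef{Name: "tenant-a-sp", Namespace: "tenant-a"}}
	plan, err := PlanIdentity(c, id, "capz-system", nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("create AzureIdentity %s/%s, bind to pods with aadpodidbinding=%s\n",
		plan.Identity.Namespace, plan.Identity.Name, plan.Binding.Selector)
}
```

Two points the example is built around: the copy in the controller namespace keeps pointing at the Secret in the tenant's namespace, so only the credential reference crosses the namespace boundary, not the credential itself; and the binding's selector is what limits the identity to the capz manager pods, so running aad-pod-identity in namespace-constrained mode in that namespace is what stops a tenant's workload from being bound to another tenant's service principal. Re-running the plan with the desired binding already present yields an empty delete list, which is the idempotence the cleanup controller needs.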

APIVersion: "aadpodidentity.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: identity.GetAzureIdentityName(p.AzureCluster.Name, p.AzureCluster.Namespace, p.Identity.Name),
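Review bot: GetAzureIdentityName joins three names the cluster's owner controls (cluster name, cluster namespace, identity name), and the result has to remain a valid Kubernetes object name (a DNS subdomain, at most 253 characters) or the AzureIdentity create in the controller namespace will be rejected for long inputs; the joined string should also be collision-free across distinct (namespace, cluster, identity) triples, which plain concatenation with a separator that may itself appear in the parts does not guarantee. A truncated prefix plus a short hash of the full triple would satisfy both.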
Contributor


if this has the cluster name in it, its lifecycle is owned by the life of the cluster, no? Why not create/delete it when an AzureCluster is created/deleted, similarly to how we create/delete the azure.json secret?

Contributor Author


I just added the cluster name to make it easier to find, but it wasn't there before. It's not part of the cluster lifecycle; it lives in a different namespace and is for internal use by the controller.

@nader-ziada
Contributor Author

/test pull-cluster-api-provider-azure-e2e-full


 - support SP identity only
 - add flavor + topic doc
 - add identity reconciler
add values to azurecluster instead of expecting an azureidentity
@k8s-ci-robot
Contributor

@nader-ziada: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-cluster-api-provider-azure-e2e-full 516cbd2 link /test pull-cluster-api-provider-azure-e2e-full
pull-cluster-api-provider-azure-apidiff d52af1a link /test pull-cluster-api-provider-azure-apidiff

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@CecileRobertMichon
Contributor

lgtm

Are you tracking all follow-ups (clusterctl move, pre-existing aad pod identity deploy, etc.) in issues in their respective repos?

Contributor

@devigned devigned left a comment


Solid work, @nader-ziada!
lgtm

@devigned
Contributor

🚀
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 17, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: devigned

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2020
@CecileRobertMichon
Contributor

Just remembered still waiting on the proposal to match the implementation

That's why there's a /hold

@devigned
Contributor

@CecileRobertMichon I promise, promise, promise to update the proposal by eod tomorrow.

@CecileRobertMichon
Contributor

/hold cancel

@devigned thanks, github is witness 😉

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/azure Issues or PRs related to azure provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Development

Successfully merging this pull request may close these issues.

Multi-tenancy within one manager instance
5 participants