Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multitenancy for managed clusters #1386

Merged
merged 7 commits into from
Jun 17, 2021
Merged

Multitenancy for managed clusters #1386

merged 7 commits into from
Jun 17, 2021

Conversation

shysank
Copy link
Contributor

@shysank shysank commented May 25, 2021

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR implements multitenancy for azure managed clusters largely building upon the work done in #977

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1153

Special notes for your reviewer:
A couple of things to note:

  • NetworkInfrastructureReadyCondition not implemented. There are no conditions right now for managed clusters. So, will create a followup issue for this
  • There is a separate AzureIdentityReconciler for reconciling AzureIdentity and AzureIdentityBinding in exp/controllers. which does exactly the same thing as the one already there in controllers with one difference being it only deletes identities created by managed clusters. This should eventually merged into a single controller once managed clusters are promoted from experimental.

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Multitenancy for managed clusters.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. area/provider/azure Issues or PRs related to azure provider labels May 25, 2021
@k8s-ci-robot k8s-ci-robot added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label May 25, 2021
@shysank
Copy link
Contributor Author

shysank commented May 25, 2021

/retest

nader-ziada
nader-ziada reviewed May 25, 2021
View reviewed changes
Copy link
Contributor

@nader-ziada nader-ziada left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to have an e2e test for this?

azure/scope/identity.go Outdated Show resolved Hide resolved
azure/scope/identity.go Outdated Show resolved Hide resolved
exp/api/v1alpha4/azuremanagedcontrolplane_types.go Outdated Show resolved Hide resolved
exp/controllers/azuremangedcontrolplane_controller.go Outdated Show resolved Hide resolved
@shysank shysank force-pushed the aks_multitenancy branch 2 times, most recently from 942f00e to d79fc5d Compare May 25, 2021 22:47
@shysank
Copy link
Contributor Author

shysank commented May 26, 2021

is it possible to have an e2e test for this?

Yes, I'll work on adding it.

@nader-ziada
Copy link
Contributor

I think this is good to go
@devigned do you have any thoughts?

devigned
devigned approved these changes May 27, 2021
View reviewed changes
Copy link
Contributor

@devigned devigned left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

The issue with the repeated identity controller should either be refactored here or in #1389.

@CecileRobertMichon
Copy link
Contributor

CecileRobertMichon commented May 27, 2021
edited
Loading

The issue with the repeated identity controller should either be refactored here or in #1389

I don't intend to refactor exp/ controllers or dir structure in #1389, IMO we should tackle it here. The identity feature is not experimental so it shouldn't live in exp/.

@shysank
Copy link
Contributor Author

shysank commented May 28, 2021

The issue with the repeated identity controller should either be refactored here or in #1389

I don't intend to refactor exp/ controllers or dir structure in #1389, IMO we should tackle it here. The identity feature is not experimental so it shouldn't leave in exp/.

Two solutions I can think of:

  1. Reconcile identities created by amcp along with azure cluster. This is what Nader and I discussed; we didn't want to import exp api types inside the main controllers package.
  2. Ignore identities created by amcp, and just make sure they don't get deleted. A hacky solution until we remove it from exp, lots of dangling identities will be there. There may also be issues when we create a new amcp with the same in future.

Both of these are not ideal solutions. The main problem I see is, although the identity feature is not experimental, in this case it's tightly coupled with the exp api types which makes it difficult to move it out of exp. wdyt?

@nader-ziada
Copy link
Contributor

The issue with the repeated identity controller should either be refactored here or in #1389

I don't intend to refactor exp/ controllers or dir structure in #1389, IMO we should tackle it here. The identity feature is not experimental so it shouldn't leave in exp/.

Two solutions I can think of:

  1. Reconcile identities created by amcp along with azure cluster. This is what Nader and I discussed; we didn't want to import exp api types inside the main controllers package.
  2. Ignore identities created by amcp, and just make sure they don't get deleted. A hacky solution until we remove it from exp, lots of dangling identities will be there. There may also be issues when we create a new amcp with the same in future.

Both of these are not ideal solutions. The main problem I see is, although the identity feature is not experimental, in this case it's tightly coupled with the exp api types which makes it difficult to move it out of exp. wdyt?

The identity controller in the exp folder is just to deal with identities related to managedcontrolplane clusters, I don't understand why it is an issue to keep it there. If the issue is about duplication of code we can try to refactor some of the code in a util package and use it in both, but I still think they should be two controllers

@CecileRobertMichon
Copy link
Contributor

Reconcile identities created by amcp along with azure cluster. This is what Nader and I discussed; we didn't want to import exp api types inside the main controllers package.

Why is importing exp types in the main controller a bad thing? As long as it's all behind feature gates that should be fine and, IMO, cleaner than duplicating code that might diverge in the future. We already do this in CAPI, eg:
https://github.com/kubernetes-sigs/cluster-api/blob/master/controllers/cluster_controller.go#L365-L373

@nader-ziada
Copy link
Contributor

Reconcile identities created by amcp along with azure cluster. This is what Nader and I discussed; we didn't want to import exp api types inside the main controllers package.

Why is importing exp types in the main controller a bad thing? As long as it's all behind feature gates that should be fine and, IMO, cleaner than duplicating code that might diverge in the future. We already do this in CAPI, eg:
https://github.com/kubernetes-sigs/cluster-api/blob/master/controllers/cluster_controller.go#L365-L373

I didn't think this was allowed, in that case, my bad for asking Shyam to not do that and have a 2nd controller, we can just combine them then

@shysank
Copy link
Contributor Author

shysank commented May 28, 2021

Thanks @CecileRobertMichon and @nader-ziada for the feedback. I'll update the existing identity_controller to handle aks identities, and remove the new one.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 29, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 1, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 1, 2021
@alexeldeib
Copy link
Contributor

this looks fairly good to go? anything you're still working on?

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 16, 2021
@shysank
Copy link
Contributor Author

shysank commented Jun 16, 2021
edited
Loading

this looks fairly good to go? anything you're still working on?

Nope, I think we can this one in and create a follow up issue for more e2e scenarios.

@alexeldeib
Copy link
Contributor

/lgtm

nice work!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 16, 2021
This was referenced Jun 16, 2021
Closed
Closed
CecileRobertMichon
CecileRobertMichon reviewed Jun 16, 2021
View reviewed changes
Copy link
Contributor

@CecileRobertMichon CecileRobertMichon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/assign @nader-ziada

@nader-ziada
Copy link
Contributor

👏👏

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nader-ziada

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2021
@nader-ziada
Copy link
Contributor

@shysank you are going to have to rebase so we can get this in

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 16, 2021
@shysank
Copy link
Contributor Author

shysank commented Jun 16, 2021

/test pull-cluster-api-provider-azure-e2e

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jun 16, 2021
edited
Loading

@shysank: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-cluster-api-provider-azure-apidiff 5a6a864 link /test pull-cluster-api-provider-azure-apidiff

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@nader-ziada
Copy link
Contributor

/test pull-cluster-api-provider-azure-e2e

@nader-ziada
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 17, 2021
@k8s-ci-robot k8s-ci-robot merged commit 15bde64 into kubernetes-sigs:master Jun 17, 2021
@k8s-ci-robot k8s-ci-robot added this to the v0.5.0 milestone Jun 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CecileRobertMichon CecileRobertMichon CecileRobertMichon left review comments

@nader-ziada nader-ziada nader-ziada left review comments

@alexeldeib alexeldeib alexeldeib left review comments

@devigned devigned devigned approved these changes

@juan-lee juan-lee Awaiting requested review from juan-lee

Assignees

@alexeldeib alexeldeib

@nader-ziada nader-ziada

@CecileRobertMichon CecileRobertMichon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/azure Issues or PRs related to azure provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v0.5.0
Development

Successfully merging this pull request may close these issues.

Multi tenancy support for AKS/managed clusters
6 participants
@shysank @nader-ziada @CecileRobertMichon @k8s-ci-robot @alexeldeib @devigned