Update nbc contract: identityconfig, vmtype, nodepoolprofile #4208
Conversation
lilypan26
requested review from
juan-lee,
cameronmeissner,
UtheMan,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
ShiqianTao,
AbelHu,
junjiezhang1997 and
jason1028kr
as code owners
|
|
||
| // vm_size represents the size of this node pool | ||
| // Let's keep it for now but continue to review if this can be removed from contract as this can be retrieved from IMDS | ||
| string vm_size = 1; |
There was a problem hiding this comment.
Not seeing this used anywhere for populating cse_cmd, not sure why it was initially added?
There was a problem hiding this comment.
Added back as it can be used to compute many other contract variables which can then be removed.
Pull Request Test Coverage Report for Build 8483202629Details
💛 - Coveralls |
pkg/proto/nbcontract/v1/vmtype.proto
Outdated
| package nbcontract.v1; | ||
|
|
||
| enum VmType { | ||
| VM_TYPE_STANDARD = 0; |
There was a problem hiding this comment.
Not sure if defaulting to standard is the best move here, but this is what AB currently does unless vmss is explicity specified.
There was a problem hiding this comment.
Agreed. I think it should be good as long as AB is doing this too.
There was a problem hiding this comment.
BTW, protobuff official doc suggests to set the first enum=0 as unspecified to handle evolution scenario.
You may want to consider unspecified = 0, standard = 1, etc. And in our go binary parser, if it's unspecified, we will still set it to standard. Does that sound make sense to you?
https://protobuf.dev/programming-guides/dos-donts/#unspecified-enum
There was a problem hiding this comment.
Do we know where (and what for) this is used?
There was a problem hiding this comment.
the only place I found is that is it is logged into the azure json file: https://github.com/Azure/AgentBaker/blob/master/parts/linux/cloud-init/artifacts/cse_config.sh#L192C5-L192C28
i'm not sure how this file is used however
There was a problem hiding this comment.
This file is used by cloud-provder-azure clients, the structure is documented here: https://cloud-provider-azure.sigs.k8s.io/install/configs/. But:
- Cataloguing all of the uses of this on the node would be great. Currently it is likely used by kubelet (to authenticate to ACRs, via in-tree auth helpers which use cloud-provider-azure clients) and probably CSI drivers. There may be other uses I am not aware of.
- I am not sure why any of these need vmType ... (kubelet ACR auth definitely should not need it?)
- From the contract perspective, it may still be a good idea to collect everything that goes to azure.json in one place (unless we have a clear indication some settings are used elsewhere as well)
There was a problem hiding this comment.
Sure I can start noting down where azure.json is used and what variables in the contract are stored inside. Not sure how best to confirm what variables are need or not though.
| @@ -2,16 +2,8 @@ syntax = "proto3"; | |||
| package nbcontract.v1; | |||
|
|
|||
| message IdentityConfig { | |||
| IdentityType identity_type = 1; | |||
There was a problem hiding this comment.
Removing, since not seeing this used anywhere
There was a problem hiding this comment.
Makes sense to me too. If later on we have other identity type to support, we can add it back.
….com/Azure/AgentBaker into lily/update-contract-identity-config
| string service_principal_id = 1; | ||
| string service_principal_secret = 2; | ||
| string assigned_identity_id = 3; //could be user or system assigned, depending on the type | ||
| string use_managed_identity_extension = 4; |
There was a problem hiding this comment.
This should be bool, I think
There was a problem hiding this comment.
good catch, should be a bool
| string service_principal_id = 1; | ||
| string service_principal_secret = 2; | ||
| string assigned_identity_id = 3; //could be user or system assigned, depending on the type | ||
| string use_managed_identity_extension = 4; |
There was a problem hiding this comment.
Wondering if this is only used for generating azure config file? If yes - it might make sense to collect all the settings that affect it in one place ...
There was a problem hiding this comment.
Grouped all the auth config fields and cluster config fields used to generate azure config file as listed here: https://cloud-provider-azure.sigs.k8s.io/install/configs/ into AuthConfig and ClusterConfig.
|
One unit test failed. It should be because the contract is changed. In case you didn't know yet, you can run it locally for convenience with go test |
….com/Azure/AgentBaker into lily/update-contract-identity-config
| string service_principal_id = 4; // set to aadClientId | ||
| string service_principal_secret = 5; // set to aadClientSecret |
There was a problem hiding this comment.
At least these (and possibly others) can be unspecified. What pattern did we settle on for handling optional strings?
There was a problem hiding this comment.
I think we decided that unless we need to change the default value of just an empty string or need to handle the nil case specially, then there is no need to specify optional. In this case, not specifying it should have an empty string value so i excluded the optional.
….com/Azure/AgentBaker into lily/update-contract-identity-config
What type of PR is this?
What this PR does / why we need it:
Updating node bootstrap contract as needed. Updated IdentityConfig and added vmType enum. Removed nodepoolprofile config.
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: