
Use managed identity for the clusters and remove az capi

Open jsturtevant opened this issue 1 year ago • 11 comments

This removes the need for Service Principals in the cluster creation process. It uses managed identities on the management cluster and workload clusters instead.

When running locally you can log into the Azure CLI via interactive prompt, which means there are no Service Principals needed to run the e2e tests. A service principal is still used for the Azure CLI in CI since this script runs in the PROW instance and doesn't have access to the Azure Managed Identity infrastructure.

This removes the dependency on az capi extension due to https://github.com/Azure/azure-capi-cli-extension/issues/263. This brought the required steps into the scripts here which will make it easier to maintain and debug.

It does assume a cloud-provider-identity pre-created with

az identity create -n "cloud-provider-user-identity" -g "capz-ci" -l westus2
az role assignment create --assignee-object-id "<objectid>" --role "Contributor" --scope "/subscriptions/<subid>" --assignee-principal-type ServicePrincipal --output none --only-show-errors

/cc @marosset

jsturtevant avatar May 16 '24 21:05 jsturtevant
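
A preflight check for the prerequisite described in the PR description above, as an added example that is not part of the PR or the repository's scripts: it confirms the identity exists and holds Contributor on the current subscription before a test run. The function names and exit codes are this example's own; the identity name and resource group defaults are the ones shown in the description.

```bash
#!/usr/bin/env bash
# Added example: verify the pre-created cloud provider identity before an e2e run.
# Defaults are the names from the PR description; override via the environment.
IDENTITY_NAME="${IDENTITY_NAME:-cloud-provider-user-identity}"
IDENTITY_RG="${IDENTITY_RG:-capz-ci}"

# Print the identity's principal (object) id; return 1 if it cannot be found.
identity_principal_id() {
  local id
  id="$(az identity show -n "$IDENTITY_NAME" -g "$IDENTITY_RG" \
        --query principalId -o tsv 2>/dev/null)" || return 1
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Return 0 if the principal has a Contributor assignment at the given scope.
has_contributor() {
  local principal="$1" scope="$2" count
  count="$(az role assignment list --assignee "$principal" --role Contributor \
           --scope "$scope" --query 'length(@)' -o tsv 2>/dev/null)" || return 1
  [ "${count:-0}" -gt 0 ]
}

# Exit codes (this example's convention):
#   0 ready, 1 not logged in, 2 identity missing, 3 role assignment missing.
preflight() {
  local sub principal
  sub="$(az account show --query id -o tsv 2>/dev/null)" || {
    echo "not logged in: run 'az login' first" >&2; return 1; }
  principal="$(identity_principal_id)" || {
    echo "identity '$IDENTITY_NAME' not found in resource group '$IDENTITY_RG'" >&2
    return 2; }
  has_contributor "$principal" "/subscriptions/$sub" || {
    echo "principal $principal lacks Contributor on /subscriptions/$sub" >&2
    return 3; }
  echo "ok: $IDENTITY_NAME ($principal) has Contributor on /subscriptions/$sub"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Run it with `--check` after `az login`; a non-zero exit tells you which of the two `az` commands from the description still needs to be run.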

cc @mboersma @dtzar

jackfrancis avatar May 16 '24 21:05 jackfrancis

fyi @ritikaguptams

jsturtevant avatar May 16 '24 22:05 jsturtevant

/assign @marosset

jsturtevant avatar May 17 '24 16:05 jsturtevant

Going to try this out now!

marosset avatar May 17 '24 17:05 marosset

@jsturtevant - can you add the info about having the MI pre-created to https://github.com/kubernetes-sigs/windows-testing/blob/master/capz/readme.md?

marosset avatar May 17 '24 17:05 marosset

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: jsturtevant / name: James Sturtevant (0e4d2b7e10f20f9493960da1b8fd20c7de92366d, 69bf055d1ab8f37628f6fd0efe9d6db15d82aa4d, 4ba26a10f9f6991deb8429a93d9005bf39e6bb1d, 2987387e852399540bbffec6a74a25b45f55af11, b6e62d3b30bcec336f654c77cbe7198dbf7829be, fd6d8ea48c10a0f5189e875cc0e51c3a19e83a1c, 7f56517a2b7f003b6693d65dee4edb0e5bb503c9)

I got a cluster set up using these updates!

Let's just update the README then this lgtm!

marosset avatar May 17 '24 22:05 marosset

/test pull-e2e-capz-windows-2022-extension

jsturtevant avatar May 23 '24 20:05 jsturtevant

/cc @bingbing8

jsturtevant avatar May 24 '24 21:05 jsturtevant

@jsturtevant: GitHub didn't allow me to request PR reviews from the following users: bingbing8.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @bingbing8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar May 24 '24 21:05 k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsturtevant, marosset

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [jsturtevant,marosset]

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

k8s-ci-robot avatar May 28 '24 20:05 k8s-ci-robot