-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: document ARO-HCP Clusters creation in CS with Managed Identities #858
base: main
Are you sure you want to change the base?
Conversation
@@ -353,8 +355,44 @@ Then register it with the Maestro Server | |||
``` | |||
az network vnet subnet update -g <resource-group> -n <subnet-name> --vnet-name <vnet-name> --network-security-group <nsg-name> | |||
``` | |||
- Generate a random alphanumeric string used as a suffix for the User-Assigned Managed Identities of the operators of the cluster |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although for now we document this, I think the whole step 2, which is creation of prerequisites, could be automated or partially automated by having a script that executes the commands.
We can work on that in the near future if we want.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 that would be great.
a different managed identity, and different clusters must use different managed identities, even for the same | ||
operators. | ||
``` | ||
az identity create -n ${USER}-cp-cloud-controller-manager-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An example of a name of a managed identity is:
msoriano-cp-cloud-controller-manager-8ffe3f
operators. | ||
``` | ||
az identity create -n ${USER}-cp-cloud-controller-manager-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> | ||
az identity create -n ${USER}-cp-ingress-${OPERATORS_UAMIS_SUFFIX} -g <resource-group> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Notice how the control plane side managed identities contain a "cp" part. The same happens for the data plane ones with "dp". This is intentional and the reason is that the same operator can be installed in both the control plane and the data plane but we still need different managed identities for it so we add cp/dp to allow having different names for them
cc @bennerv , @machi1990, @geoberle as relevant people too |
I think we could already require people to do this even if not fully used by CS, to start preparing and getting them used to this. Before though we would need all the pieces in the frontend side too so the information can be passed from user -> frontend -> cs |
- Generate a random alphanumeric string used as a suffix for the User-Assigned Managed Identities of the operators of the cluster | ||
> NOTE: The random suffix used has to be different for each cluster to be created | ||
``` | ||
export OPERATORS_UAMIS_SUFFIX=$(openssl rand -hex 3) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we should use the future clusters name as the suffix instead of a random string. Easier for traceability. Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason I added randomness is because:
- Two different people could create a cluster with the same name
- The same person could create two clusters with the same name, in different RGs
- In the Azure portal UI you see the name of the managed identity
We could add the name of the cluster on top of that at some point too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on adding some element that could enable us to associate the MIs to the cluster being created.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the MIs creation to also include the desired CS Cluster name.
I am not super convinced about it because:
- Different people or even the same person can have the same cluster name for different clusters, which doesn't really help to differentiate then
- Name length limit concerns. If we do this here people will tend to try do to the same or similar when writing automated tests. In those cases reaching the length limit is quite more probable because names formed there usually concatenate several parts adding quickly. MIs have a max length of 128 characters. But right now in this name we already have: username (unbounded), operator name (unbounded), cluster name (54 characters), other extra characters like hyphens, ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you Miguel. I really expect authors of the automated tests to take name limits onto account and not copy and paste the command as it or its equivalent.
1ebd5df
to
a8a778a
Compare
a8a778a
to
c68c0c5
Compare
@geoberle I also added a cleaning up a cluster section for CS |
Hi @machi1990 , @geoberle, @JameelB, @bennerv please take a look. Also including the threads with my replies. Thanks. |
What this PR does
We document how to create the N needed Managed Identities when creating ARO-HCP Clusters directly against CS.
As an important remark, this assumes 4.17.x clusters creation. The set of required managed identities can differ between OCP versions. For now assuming 4.17.x is good enough but in the future we might want to improve on this.
As an important note, similar documentation / scripts should be created for the frontend side.
Special notes for your reviewer