kubernetes-sigs / windows-testing

Containers, scripts and documentation for running Kubernetes tests with Windows nodes
Apache License 2.0
40 stars 55 forks

Use managed identity for the clusters and remove az capi #430

Closed jsturtevant closed 5 months ago

jsturtevant commented 5 months ago

This removes the need for Service Principals in the cluster creation process. It uses managed identities on the management cluster and workload clusters instead.

When running locally you can log into the Azure CLI via interactive prompt, which means there are no Service Principals needed to run the e2e tests. A service principal is still used for the Azure CLI in CI since this script runs in the PROW instance and doesn't have access to the Azure Managed Identity infrastructure.

This removes the dependency on the az capi extension due to https://github.com/Azure/azure-capi-cli-extension/issues/263. This brought the required steps into the scripts here, which will make it easier to maintain and debug.

It does assume a cloud-provider-identity pre-created with:

```
az identity create -n "cloud-provider-user-identity" -g "capz-ci" -l westus2
az role assignment create --assignee-object-id "<objectid>" --role "Contributor" --scope "/subscriptions/<subid>" --assignee-principal-type ServicePrincipal --output none --only-show-errors
```

/cc @marosset
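
A preflight check for the prerequisite described in the comment above, as an added example that is not part of the PR or the repository's scripts: it resolves the identity's principal ID (the `<objectid>` placeholder) and confirms the Contributor assignment exists at subscription scope before cluster creation is attempted. The function names are hypothetical; the identity name, resource group, role and scope form come from the comment, and a logged-in Azure CLI is assumed.

```shell
# Added example, not from the PR. Function names are hypothetical.
# Usage: source this file after `az login`, then run:
#   check_prereq "<subscription-id>"

IDENTITY_NAME="cloud-provider-user-identity"   # from the PR description
RESOURCE_GROUP="capz-ci"                       # from the PR description
ROLE="Contributor"                             # from the PR description

# Print the principal (object) ID of the pre-created managed identity.
# This is the value the PR description leaves as "<objectid>".
identity_principal_id() {
  az identity show -n "$IDENTITY_NAME" -g "$RESOURCE_GROUP" \
    --query principalId -o tsv
}

# has_role <principal-id> <scope>
# Succeeds when at least one assignment of $ROLE exists for the principal
# at exactly the given scope.
has_role() {
  local count
  count=$(az role assignment list --assignee "$1" --role "$ROLE" \
    --scope "$2" --query "length(@)" -o tsv) || return 1
  [ "${count:-0}" -gt 0 ]
}

# check_prereq <subscription-id>
# Returns 0 when the identity and its role assignment are in place,
# 2 when the identity cannot be resolved, 1 when the role is missing.
check_prereq() {
  local sub="$1" pid
  pid=$(identity_principal_id) || {
    echo "identity $IDENTITY_NAME not found in $RESOURCE_GROUP"; return 2; }
  [ -n "$pid" ] || { echo "identity has no principalId"; return 2; }

  if has_role "$pid" "/subscriptions/$sub"; then
    echo "ok: $ROLE assigned to $pid on /subscriptions/$sub"
  else
    echo "missing: $ROLE for $pid on /subscriptions/$sub"
    return 1
  fi
}
```
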

jackfrancis commented 5 months ago

cc @mboersma @dtzar

jsturtevant commented 5 months ago

fyi @ritikaguptams

jsturtevant commented 5 months ago

/assign @marosset

marosset commented 5 months ago

Going to try this out now!

marosset commented 5 months ago

@jsturtevant - can you add the info about having the MI pre-created to https://github.com/kubernetes-sigs/windows-testing/blob/master/capz/readme.md?

linux-foundation-easycla[bot] commented 5 months ago

CLA Signed

The committers listed above are authorized under a signed CLA.

marosset commented 5 months ago

I got a cluster set up using these updates!

Let's just update the README then this lgtm!

jsturtevant commented 5 months ago

/test pull-e2e-capz-windows-2022-extension

jsturtevant commented 5 months ago

/cc @bingbing8

k8s-ci-robot commented 5 months ago

@jsturtevant: GitHub didn't allow me to request PR reviews from the following users: bingbing8.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to [this](https://github.com/kubernetes-sigs/windows-testing/pull/430#issuecomment-2130420290):

>/cc @bingbing8

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

k8s-ci-robot commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsturtevant, marosset

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/windows-testing/blob/master/OWNERS)~~ [jsturtevant,marosset]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment