Add PrivateLinkService and PrivateEndpoint support #2733
Conversation
…tualNetworkLinks; Add support for DNSZoneGroup; Export PLS/Alias as a configmap
super-harsh
requested review from
davefellows,
theunrepentantgeek,
matthchr and
babbageclunk
as code owners
v2/api/network/v1alpha1api20201101storage/network_interface_types_gen_test.go
Outdated
Show resolved
Hide resolved
|
|
||
| } | ||
|
|
||
| func DNSZoneGroup_CRUD(tc *testcommon.KubePerTestContext, vnet *v1beta20201101.VirtualNetwork, endpoint *network.PrivateEndpoint, rg *resources.ResourceGroup) { |
There was a problem hiding this comment.
Ok so this test is basically testing the scenario where the user has a VNET + PrivateDNSZone already configured on that VNET, and they want the PrivateEndpoint to create an entry in that existing PrivateDNSZone?
This seems pretty OK from a user-experience for me.
What about the other scenarios? User has NO private DNS zone and just wants to associate the Private Endpoint with a VNET directly. Should we have another test for that scenario? That scenario will make use of the customDnsConfigs property of the PrivateEndpoint, right?
| "github.com/Azure/azure-service-operator/v2/internal/testcommon" | ||
| ) | ||
|
|
||
| func Test_Networking_PrivateEndpoint_CRUD(t *testing.T) { |
There was a problem hiding this comment.
Did you reference an ARM template/bicep example to produce this test? If so can you link it in a comment up here at the top?
There was a problem hiding this comment.
There is an ARM bicep example identical to this, however, they use SQLServer and we're using StorageAccount in this test. Still do we add the link?
There was a problem hiding this comment.
Yeah I think still worth adding the link. Just say you replaced SQLServer with StorageAccount
There was a problem hiding this comment.
I don't see the comment, yet.
| { | ||
| Name: to.StringPtr("testEndpoint"), | ||
| PrivateLinkServiceReference: tc.MakeReferenceFromResource(sa), | ||
| GroupIds: []string{"blob"}, // TODO: This is a bit weird that user has to figure out the group ID(s). |
There was a problem hiding this comment.
is this the same thing they need to do in an ARM template?
There was a problem hiding this comment.
If it is the same as the ARM template story, we may want to have the GroupIds configurable from config maps so that we can automate the workflow.
There was a problem hiding this comment.
the problem is, GroupIDs are not findable from a resource, it can be funky to get groupIDs for each type of resource into a configMap. For example, for Batch/BatchAccounts, it can be either batchAccount or nodeManagement(depending upon the subresource/service type), for CosmosDB/DatabaseAccounts it is Sql, for ServiceBus/namespaces it'll be namespace etc.
There was a problem hiding this comment.
I am not sure I follow the configMap angle either. I just wanted to confirm that we're at parity with ARM templates or BICEP here, which I think we are. The user needs to (somehow) know what the GroupID is for their resource. I think if that's the same experience users get in the ARM template/BICEP/Terraform world then that's OK we're at parity with how it is in the rest of Azure.
v2/internal/controllers/crd_networking_privatelinkservice_test.go
Outdated
Show resolved
Hide resolved
| ConfigMaps: &network20220701.PrivateLinkServiceOperatorConfigMaps{ | ||
| Alias: &genruntime.ConfigMapDestination{ | ||
| Name: plsConfigMap, | ||
| Key: "alias", |
There was a problem hiding this comment.
What exactly is alias and why do users want to consume it?
There was a problem hiding this comment.
Alias is a globally unique name for your service. It helps you mask the customer data for your service and at the same time creates an easy-to-share name for your service. When you create a Private Link service, Azure generates an alias for your service that you can share with your customers. Your customers can use this alias to request a connection to your service.
The alias is composed of three parts: Prefix.GUID.Suffix
Prefix is the service name. You can pick your own prefix. After "Alias" is created, you can't change it, so select your prefix appropriately.
GUID will be provided by platform. This GUID makes the name globally unique.
Suffix is appended by Azure: region.azure.privatelinkservice
Complete alias: Prefix. {GUID}.region.azure.privatelinkservice
Reference: https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#alias
There was a problem hiding this comment.
This sounds like something that should be called out in our docs. Consider adding a doc fragment to docs/v2/azure/supported-resources so that this included.
| { | ||
| Name: to.StringPtr("testEndpoint"), | ||
| PrivateLinkServiceReference: tc.MakeReferenceFromResource(sa), | ||
| GroupIds: []string{"blob"}, // TODO: This is a bit weird that user has to figure out the group ID(s). |
There was a problem hiding this comment.
If it is the same as the ARM template story, we may want to have the GroupIds configurable from config maps so that we can automate the workflow.
| ConfigMaps: &network20220701.PrivateLinkServiceOperatorConfigMaps{ | ||
| Alias: &genruntime.ConfigMapDestination{ | ||
| Name: plsConfigMap, | ||
| Key: "alias", |
There was a problem hiding this comment.
This sounds like something that should be called out in our docs. Consider adding a doc fragment to docs/v2/azure/supported-resources so that this included.
|
How is the progress on this? We need this as well |
Codecov Report
@@ Coverage Diff @@
## main #2733 +/- ##
==========================================
+ Coverage 52.45% 52.48% +0.02%
==========================================
Files 1091 1135 +44
Lines 431744 444130 +12386
==========================================
+ Hits 226488 233107 +6619
- Misses 169206 173982 +4776
- Partials 36050 37041 +991
... and 5 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
@eskaufel This will be part of the v2.0.0 release. |
There was a problem hiding this comment.
There were a bunch of user scenarios we were tracking with this work, here's my take on what we wanted and what you've got:
- Private Link Service CRUD support
- Private endpoint CRUD support
The Private Endpoint connection scenarios:
- PE connects to VNET with PrivateDNSZone: Supported via
PrivateEndpointsPrivateDnsZoneGroup. do we also need to support via raw IP (IP exported from PE, imported into ARecord, via configmap?) - PE connects to VNET using on-prem DNS. Requires DNS forwarder stuff we don't have set up here.
Is that right?
v2/samples/network/v1beta20220701/v1beta20220701_privateendpointsprivatednszonegroup.yaml
Show resolved
Hide resolved
v2/internal/controllers/crd_networking_privatelinkservice_test.go
Outdated
Show resolved
Hide resolved
| "github.com/Azure/azure-service-operator/v2/internal/testcommon" | ||
| ) | ||
|
|
||
| func Test_Networking_PrivateEndpoint_CRUD(t *testing.T) { |
There was a problem hiding this comment.
I don't see the comment, yet.
* Add PrivateLinkService and PrivateEndpoint support
Closes #1313
Special notes for your reviewer:
With the support for PrivateLinkService and PrivateEndpoint, we don't need to export any field as DNS and Ip address to reach the endpoint/service is either provided by the user,
ServiceConnection, or by thevnet.If applicable: