[Sponsorships] Setup the secondary Azure subscription to consume the sponsor credits

[dduportal]

We've been given 40.000$ of Azure sponsorship credits: we should start using them as soon as possible to decrease the current Azure bill paid by the CDF for us.

This issue tracks the associated work for this.

---

Ideas on "how to consume these credits":

• Run ci.jenkins.io existing Azure ephemeral workloads:

  • ACI (Windows containers)
  • buildPlugin with Docker CE (Azure VMs)
  • ATH with Docker CE (Azure VMs) (separate from buildPlugin to ensure we can keep track of costs)
  • BOM builds (VM first, and evenyually an AKS cluster in addition to EKS)

• Run other controller ephemeral workloads: infra.ci ?

[dduportal]

Next steps:

• Setup the new subscription:

  • Add @lemeurherve @MarkEWaite @timja and @smerle33 as Contributor (at least) or co-admins of the secondary subscription
  • In the (private) repository jenkins-infra/terraform-states, setup the SP to have the same permission in the secondary subscription as in the current "Jenkins" subscription:
    • SPs of azure-net (production and staging) - https://github.com/jenkins-infra/terraform-states/commit/7946c24bd1899f35331eab44ad0edb5583f3eab4
    • SPs of azure (production and staging) - https://github.com/jenkins-infra/terraform-states/commit/05f6dc95ebc7e4e603289aa60620989b11856fbe

• Setup the ci.jenkins.io agent resources in the new subscription:

  • add jenkins-infra/azure-net resources (public vnet, agent subnet, peering with current public vnet)
    • feat: add the public vnet for the secondary (sponsored) subscription azure-net#169
    • feat(vnets) add peering and subnet to allow ci.jenkins.io to spawn VM agents in the new subscription azure-net#172
  • add jenkins-infra/azure resource (storage account, others?)

[dduportal]

Update:

• WiP on ci.jenkins.io: add jenkins-infra/azure resources (storage account, others?) in the new subscription

  • PR feat(ci.j, trusted.ci and cert.ci) migrate to separated tf modules for agents management in Azure azure#516 to split the terraform modules in order to allow multiple instanciations for the "agent" modules

• Next steps:

  • PR to create the Azure VM agent resources
  • Create (manually) the new Azure credential with ci.jenkins.io SP and subscription
  • PR to create the Azure sponsorship JCasc for ci.jenkins.io

[dduportal]

Update:

• Had to run a few terraform azure PR to create (azure-vm) agent resources for ci.jenkins.io (permissions issues, typos and unexpected behaviors)
  • Initial feature request PR: feat(ci.jenkins.io) add resources for azure-vm agents in the new sponsorship subscription azure#519
  • Fixup number one: feat(ci.jenkins.io) add a custom controller RG in the new subscription to store agent NSG azure#520
  • Fixup number two: fixup(ci.jenkins.io) ensure the RG in sponsorship subscription uses the proper provider azure#521

WiP:

• Credential to add on ci.j
• Puppet configuration update to add the new cloud - feat(ci.jenkins.io) add azurevm cloud configuration for the new subscription jenkins-infra#3189

[dduportal]

Update:

• Credentials on ci.jenkins.io:

  • Added azure-jenkins-sponsorship-credential, same as the current azure-credential except for the subscription ID of course
  • Updated definition of both credentials
  • Used the "Check Service Principal" on both credentials with success

• Deployed the new JCasc configuration adding the secondary Azure VM cloud with success:

  • feat(ci.jenkins.io) add azurevm cloud configuration for the new subscription jenkins-infra#3189
  • trusted.ci and cert.ci had no changes (expected)
  • Successfully added the new cloud on ci.jenkins.io

Wip: validation in progress on ci.jenkins.io (top level cloud is valid but network specification on each template need to be updated: incoming puppet code changes)

[dduportal]

Update (wip):

• Cloud agent on ci.jenkins.io in the new subscription:
  • Global configuration is valid (permissions and top-level cloud configuration)
  • Template configuration to be fixed by the 2 following PRs (tested manually with success before opening PRs):
    • fix(ci.jenkins.io) add missing permissions to allow controller reading the agent vnet azure#522
    • fix(jenkinscontroller) ensure agent subnet setups are properly setup for each azure-vm cloud jenkins-infra#3190
  • First tentative for spawning an agent gave a quota error: sent a support request to Microsoft to update quotas in the subscriptions with:
    • Regional vCPUs limit to 800, spot regional vCPUs to 800 (65 VM of each type max already set)

[dduportal]

Update:

• Quota increased by Microsoft for normal vCPUs, but they refused for spot vCPUs as they have too much spot requests these days
• Initial manual testing showed error around the disk encryption. We had to enable a feature at the subscription level () to avoid the following error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InvalidParameter","message":"The property 'securityProfile.encryptionAtHost' is not valid because the 'Microsoft.Compute/EncryptionAtHost' feature is not enabled for this subscription."}]}

• Manual test was successful after manually disabling the spot mode (otherwise quota blocks us).

• WiP:

  • Puppet configuration to allows disabling spot at subscription level
  • Check the initial costs (as it is my credit card in the new subscription)

• TODO:

  • Add resources for ACI agents
  • Add resources for trusted.ci azure vm agents
  • Add resources for cert.ci azure vm agents

[dduportal]

Update:

• Confirmed with @MarkEWaite that we started to consume credits in the new subscription (VM agents spined up by ci.jenkins.io), billing being automatic

  • ⚠️ the cost management section of the Azure UI does NOT work for the sponsored subscription. You have to check in https://www.microsoftazuresponsorships.com/

• WiP: ACI (ci.jenkins.io)

  • Check for (secondary) controller SP permissions or create another one
  • Add the ACI JCasc config in puppet (jenkins-infra/jenkins-infra)
  • Validate manually

• Next steps:

  • trusted.ci.jenkins.io (same as ci.jenkins.io)
    • [ ] Create network resources in jenkins-infra/azure-net (vnet, subnet, peeing with trusted)
    • [ ] Create agent-related resources in jenkins-infra/azure (ephemeral agents module, addition network rules/azure ad permirssions)
    • Add secondary controller SP as a credential in trusted.ci controller UI
    • Add JCasc agent configuration in jenkins-infra/jenkins-infra
    • Validate manually an agent

[dduportal]

Adding a figures about packer billing (which justifies the effort to move it to the sponsored subscription):

In the past 6 months, it costed us between $200 to $300 each month:

See the past few days:

Of course, the main cost center is the resource group with the production images gallery: it means we should garbage collect the old VM templates (or decrease the current garbage collector retention time) to decrease this cost.

[dduportal]

To use the new subscription for packer :

* [x]   migrate packer-builds resources groups (3 rg) [azure] [feat(packer): move packer-builds to the new provider azure sponsored azure#556](https://github.com/jenkins-infra/azure/pull/556)

* [x]  create a new azure SP credential within infra.ci for packer image job on the new subscription

* [ ]  update packer-image jenkins pipeline with the new credential

* [ ]  temporarily disable spot instance usage within packer (sources.pkr.hcl) / add quotas for packers machines within the new subscription (and try again spot instances)

* [ ]  split var.azure_subscription_id to provide the legacy subscription for the image gallery destination

* [ ]  allow infra.ci agents to reach packer VM with winRM protocol (ssh is already allowed) :
  
  * [ ]   change packer-image to use brand new private network

While @smerle33 leads the plan above, I'll lead the migration of the packer images resource groups:

• Create the new resource groups *packer-images and associated resources in the new subscription (terraform project jenkins-infra/azure)
  • Create RGs
  • Check wether shared galleries have their names spreads on all azure or per RG/subscription (and either create new ones with same name or migrate existing one)
• Add read permissions on the new production images on all controllers using Azure VMs
• Ensure there is at least one production image (either from migration or release a new one after @smerle33 work is finished)
• Migrate controllers to the new image
• Improve GC on the "current subscription" to decrease image removal
• Remove old RGs
• Migrate GC to new subscription

[dduportal]

Update: @smerle33 and I are working in parallel (and pair) on both plans.

While working on jenkins-infra/packer-images#959, he was stuck on location issues.

As such, we are moving all new resources (in the new subscription) to "US East 2" as we only use this location (see jenkins-infra/azure#560 and jenkins-infra/azure#561)

[dduportal]

Update: most of the work done by @smerle33 in jenkins-infra/packer-images#959:

• Changed instance size + disabled spot (to ensure we stay in allocated quotas)
• Switched to new credential for subscription + allow overriding subscription for gallery to allow us all cases
• Restrict to US East 2 region only
• Moved to using a private network (no public IP, finer control on machines access)

Wip:

• Switching to private network shows a timeout for reaching machines through SSH or WinRM, we have to specify custom NSG rules to cross subnets from infra.ci VM agents (VM/kube) to the packer net.

[dduportal]

Update:

• Packer builds are fully utilizing the new subscription and the release 1.43.0 has been done in the new subscription

WiP:

• Bump packer image version to 1.43.0 on all controllers (which requires switching gallery configuration to new subscription)
• Fix errors related to the new subscription

[dduportal]

Update:

• All controllers are using the new image in the new subscription
• Removed the packer resources from the former subscription

[dduportal]

Reopening: #3875 (comment)

The crawler issue is most probably caused by the trusted ephemeral agent CIDR changes

[dduportal]

Update:

• Costs check:
  • We can clearly view the resource migration. The amount of billing decrease is from 2% to 6% depending on the months

• The new (sponsored) subscription is now used (almost 1k$ consumed). Check below the top-level consumption per resource kind. Please note that we cannot use Spot instance in this for now (not enough quota when we asked last month):

[dduportal]

Closing as #3875 is NOT caused by the new networks.