New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1776079: Azure: check existing role assignments before creating a new one #137
Bug 1776079: Azure: check existing role assignments before creating a new one #137
Conversation
@joelddiaz: This pull request references Bugzilla bug 1776079, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
390ec18
to
ec23983
Compare
/bugzilla refresh |
@joelddiaz: This pull request references Bugzilla bug 1776079, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Were you able to reproduce what the customer found?
pkg/azure/minter.go
Outdated
// check whether assignment already exists | ||
alreadyExists := false | ||
for _, r := range currentRoleAssignments { | ||
if strings.Contains(*r.Properties.Scope, scope) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a comment here clarifying why we can't do an eq and what the data strings look like? I see scope above but what does r.Properties.Scope come out looking like? The test data looks awfully similar.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the Contains() comparison is because our generated scope var string doesn't have a leading /, and the returned r.Properties.Scope does have the leading /.
i reworked the generated string a few lines above to just put the leading / in the string so we can now do a simple string comparison. putting the leading / still allows all the minting to work.
Yes. I stood up an Azure cluster and by forcing CCO to re-reconcile a CredentialsRequest, you could then see the log messages on the Azure console (that's how I got that JSON example ;) ) |
ec23983
to
de9d496
Compare
/test e2e-azure |
…new one Currently when re-reconciling an already-provisioned CredentialsRequest in Azure, the actuator will just always attempt to create a role assignment even if it already exists. There is error handling to catch the "RoleAssignmentExists" error, and it just moves along to the next task. This results in the Resource Group where the cluster is installed having periodic entries in the Activity Log recording these (non-critical) errors: ``` { "authorization": { "action": "Microsoft.Authorization/roleAssignments/write", "scope": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/jdiaz-az-gpqgx-rg/providers/Microsoft.Authorization/roleAssignments/94025186-5e7b-4e18-88de-4625cac3ed19" }, "level": "Error", "operationName": { "value": "Microsoft.Authorization/roleAssignments/write", "localizedValue": "Create role assignment" }, "resourceGroupName": "jdiaz-az-gpqgx-rg", "subStatus": { "value": "Conflict", "localizedValue": "Conflict (HTTP Status Code: 409)" }, "properties": { "statusCode": "Conflict", "serviceRequestId": "931445cc-fbc6-469a-a6f4-2f7750788255", "statusMessage": "{\"error\":{\"code\":\"RoleAssignmentExists\",\"message\":\"The role assignment already exists.\"}}" }, } ``` Change the logic to pull the current list of Role Assignments so that we can avoid making unnecessary CreateRoleAssignment calls.
de9d496
to
1544a90
Compare
/test e2e-azure |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dgoodwin, joelddiaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
6 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@joelddiaz: All pull requests linked via external trackers have merged. Bugzilla bug 1776079 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Thanks for fixing this so quickly! Out of curiosity, how do you force CCO to re-reconcile? Just delete the container and then it runs as soon as it starts? |
That will work, as will just adding a meaningless annotation to a credentials request. |
As long as you can get the code to pass through this throttling/sanity check https://github.com/openshift/cloud-credential-operator/blob/master/pkg/controller/credentialsrequest/credentialsrequest_controller.go#L433-L439 , then that will cause the code to go through a full re-reconcile. |
Currently when re-reconciling an already-provisioned CredentialsRequest in Azure, the actuator will just always attempt to create a role assignment even if it already exists. There is error handling to catch the "RoleAssignmentExists" error, and it just moves along to the next task.
This results in the Resource Group where the cluster is installed having periodic entries in the Azure console Activity Log for the Resource Group recording these (non-critical) errors:
Change the logic to pull the current list of Role Assignments so that we can avoid making unnecessary CreateRoleAssignment calls.