Comments (12)
CecileRobertMichon
commented on June 30, 2024
1
/reopen
@lzhecheng #4169 added OOT credential provider to all the k8s CI artifacts templates, however we need a more user friendly way to install it (e.g. Helm chart) before we can add it to all templates.
from cluster-api-provider-azure.
lzhecheng
commented on June 30, 2024
@CecileRobertMichon I never update templates in capz repo. Can you show how/example for me or you can help take this issue? I have included all necessary changes in issue description. Thank you.
from cluster-api-provider-azure.
jackfrancis
commented on June 30, 2024
Should the credential provider yaml be downloaded at runtime? Or can we put it into the reference OS image?
from cluster-api-provider-azure.
lzhecheng
commented on June 30, 2024
Should the credential provider yaml be downloaded at runtime? Or can we put it into the reference OS image?
Yes I think it can be put into the image.
from cluster-api-provider-azure.
jackfrancis
commented on June 30, 2024
cc @mboersma
@lzhecheng Thanks! Does OOT credital provider work with versions of k8s < 1.29? If so can we backport these files into each cloud-provider-azure release branch:
As far as I know CAPZ builds OS images for each release, so we'd want to update those CI to pull the release-appropriate yaml file to put into /var/lib/kubelet.
from cluster-api-provider-azure.
lzhecheng
commented on June 30, 2024
@jackfrancis yes, I can do it. Notice, windows config file is different from linux one so its config file is called credential-provider-config-win.yaml and should be renamed when put into /var/lib/kubelet.
from cluster-api-provider-azure.
CecileRobertMichon
commented on June 30, 2024
Another option: we could generate the file in our existing azurejson controller and then add it to the VM in the template the same way we add azure.json
Pros:
- it's more consistent with how we do out of tree cloud provider
- changing the config doesn't require building a new image
- we can still test in tree creds provider if needed
Cons:
- it requires every template to have the file added under KubeadmConfig "files" (but looks like we have to do that for kubeletExtraArgs in any case)
from cluster-api-provider-azure.
CecileRobertMichon
commented on June 30, 2024
curl --retry 10 --retry-delay 5 -Lo /var/lib/kubelet/credential-provider/acr-credential-provider "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${JOB_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider"
Looks like the template above is building the OOT credential provider binary for the purpose of testing it, how does it work when we don't want to build it ourselves but just use a release? Is that where it would need to be put on the VM OS image? or is there a helm chart for it to install it on k8s clusters? @lzhecheng
from cluster-api-provider-azure.
lzhecheng
commented on June 30, 2024
curl --retry 10 --retry-delay 5 -Lo /var/lib/kubelet/credential-provider/acr-credential-provider "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${JOB_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider"
Looks like the template above is building the OOT credential provider binary for the purpose of testing it, how does it work when we don't want to build it ourselves but just use a release? Is that where it would need to be put on the VM OS image? or is there a helm chart for it to install it on k8s clusters? @lzhecheng
My recent change to ci-entrypoint.sh doesn't support it. I think it should be done the same way as CCM.
So far no helm chart.
from cluster-api-provider-azure.
CecileRobertMichon
commented on June 30, 2024
/assign
/milestone v1.12
from cluster-api-provider-azure.
k8s-ci-robot
commented on June 30, 2024
@CecileRobertMichon: Reopened this issue.
In response to this:
/reopen
@lzhecheng #4169 added OOT credential provider to all the k8s CI artifacts templates, however we need a more user friendly way to install it (e.g. Helm chart) before we can add it to all templates.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from cluster-api-provider-azure.
CecileRobertMichon
commented on June 30, 2024
@lzhecheng it seems that the credential provider doesn't work with kubelet 1.25? The tests are failing for k8s 1.25 since this merged, kubelet is crashing with
Nov 04 20:58:31.931758 capz-conf-wmjvfg-control-plane-s64vm kubelet[2684]: E1104 20:58:31.931732 2684 kuberuntime_manager.go:261] "Failed to register CRI auth plugins" err="error decoding config /var/lib/kubelet/credential-provider-config.yaml: no kind \"CredentialProviderConfig\" is registered for version \"kubelet.config.k8s.io/v1\" in scheme \"pkg/credentialprovider/plugin/plugin.go:56\""
https://storage.googleapis.com/kubernetes-jenkins/logs/capz-conformance-dual-stack-1-25/1720896299273818112/artifacts/clusters/capz-conf-wmjvfg/machines/capz-conf-wmjvfg-control-plane-b8zps/kubelet.log
https://testgrid.k8s.io/provider-azure-1.25-signal#capz-conformance-dual-stack
from cluster-api-provider-azure.
Related Issues (20)
- Add artifact streaming support for managed AKS HOT 2
- API version upgrade test failing with 'Provided Kubernetes version v1.22.9 does not have a corresponding VM image in the "capi offer"' HOT 10
- Spot machine deployments fail in regions without zones due to availability sets
- Zone redundant MachinePool cannot be created HOT 1
- e2e tests should exercise `spotVMOptions` HOT 1
- Enable workload identity on workload clusters
- Clusters w/ Windows node pool not working with SMB drivers HOT 1
- Releasing docs need some updates HOT 7
- Upgrade to 1.13 failing with ClientAssertionCredential errors HOT 2
- CAPZ v1.13.0 fails to reconcile tags when Azure Policies are used to alter them HOT 4
- Consolidate duplicate webhook logic for managed cluster types HOT 1
- Don't reset cluster and collect capz controller log if cluster creation timeout HOT 1
- [Feature request] Introduce support for capacity reservation in AzureMachineSpec HOT 1
- Docker-in-Docker failing in prow jobs HOT 3
- Deploying more than topology based on the default AKS ClusterClass only results in one successfully deployed cluster HOT 2
- Not possible to migrate existing AzureCluster with empty subscriptionID to CAPZ v1.11 or newer, which removes the fallback credential
- Add support to configure AKS clusters with a pre-existing privateDNSZone HOT 1
- Add FAQ to AKS doc
- CAPZ stays stuck in deleting mode when resources are all actually gone HOT 10
- Add option to enable monitoring on cluster HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cluster-api-provider-azure.