Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Azure Sandbox #60

Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

Azure Sandbox #60

wants to merge 27 commits into from

Conversation

makirill
Copy link

TBD

@makirill makirill requested a review from fridim May 13, 2024 21:54
makirill and others added 22 commits July 24, 2024 09:20
* Implement Quota for OcpSandbox

Following the design document and proposal, this changes implements the Quota for OcpSandbox.

OcpSharedClusterConfiguration is updated with the new fields:

```go
// For any new project (openshift namespace) created by the sandbox API
// for an OcpSandbox, a default ResourceQuota will be set.
// This quota is designed to be large enough to accommodate general needs.
// Additionally, content developers can specify custom quotas in agnosticV
// based on the requirements of specific Labs/Demos.
DefaultSandboxQuota *v1.ResourceQuota `json:"default_sandbox_quota"`

// StrictDefaultSandboxQuota is a flag to determine if the default sandbox quota
// should be strictly enforced. If set to true, the default sandbox quota will be
// enforced as a hard limit. Requested quota not be allowed to exceed the default.
// If set to false, the default sandbox will be updated
// to the requested quota.
StrictDefaultSandboxQuota bool `json:"strict_default_sandbox_quota"`

// QuotaRequired is a flag to determine if a quota is required in any request
// for an OcpSandbox.
// If set to true, a quota must be provided in the request.
// If set to false, a quota will be created based on the default sandbox quota.
// By default it's false.
QuotaRequired bool `json:"quota_required"`
```

In a nutshell:
* Add and update handlers
* Update openapi spec swagger file
* New DB migration
* Add unit tests for the (tricky) function that derives the quota from the default quota
* Add functional tests for the new feature(s)
* In Release() of the OcpSandbox, remove the part that tries to delete
  the service account. That is useless and can be removed. The service
  account is automatically deleted when the namespace is deleted.

Makefile:
- move CGO_ENABLED to the top of file (DRY)
- simplify running the test by creating a new target `make tokens`

* Add bool SkipQuota to OcpSharedClusterConf

SkipQuota disables quota creation entirely. That will be useful to push the new code to production without any change to current behavior. This way we can set this value on all existing clusters to false as a first step, and enable it as we go. Later we can turn this feature on by default.

* Add test to update quota of a shared cluster
* Add condition for virt and add rolebinding for hcp

* Add test + fix "boolean" strings

---------

Co-authored-by: Guillaume Coré <[email protected]>
* OcpSandbox: Implement limit range

On 4.14 we hit this bug kubevirt/containerized-data-importer#3157
the container to copy disks, doesn't set the requests/limits
https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/

Implement Limit range in the OcpSharedClusterConfiguration.
Add a sensible default and the ability to update it.

```
[ec2-user@bastion ~]$ oc describe limitrange
Name:       sandbox-limit-range
Namespace:  sandbox-testg-16e9ff07-4e60-49f5-968b-c3df4a2292b5
Type        Resource  Min  Max  Default Request  Default Limit  Max Limit/Request Ratio
----        --------  ---  ---  ---------------  -------------  -----------------------
Container   cpu       -    -    500m             1              -
Container   memory    -    -    1Gi              2Gi            -
```

* Add the ability for the limitrange in request

* Simplify limit range
* Add secret to generate a token

* Add secret to generate a token
@makirill makirill marked this pull request as ready for review September 26, 2024 14:44
@makirill makirill changed the title WIP: Azure Sandbox Azure Sandbox Sep 26, 2024
Copy link
Contributor

@fridim fridim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a test to ensure credentials are present.

The test doesn't pass

That is the result

{
  "id": 24,
  "created_at": "2024-10-23T09:47:11.999848+02:00",
  "updated_at": "2024-10-23T09:47:38.520077+02:00",
  "service_uuid": "64005bd8-6c97-457c-be5c-e102f767007f",
  "status": "success",
  "to_cleanup": false,
  "annotations": {
    "guid": "st6zn"
  },
  "request": {
    "annotations": {
      "guid": "st6zn"
    },
    "resources": [
      {
        "annotations": {
          "cost_center": "...EDITED...",
          "domain": "...EDITED...",
          "purpose": "backend",
          "requester": "[email protected]"
        },
        "count": 1,
        "kind": "AzureSandbox",
        "quota": {}
      }
    ],
    "service_uuid": "64005bd8-6c97-457c-be5c-e102f767007f"
  }
}

credentials are missing and there is an empty quota. I don't think that is intended


const (
sandboxRoleName = "Custom-Owner (Block Billing and Subscription deletion)"
rgNamePrefix = "openenv-"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

openenv is a loaded term.
openenv usually means we charge back.
Here i think it's more generic as in "sandbox" that can either be charged back or not.
So for the prefix i would use sandbox-, wdyt?

@@ -0,0 +1,75 @@
package azure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is a typo in the filename service_principalp.go should be service_principal.go right?

jsonpath "$.Placement.service_uuid" == "{{uuid}}"
jsonpath "$.Placement.resources" count == 1
jsonpath "$.Placement.resources[0].annotations.guid" == "st6zn"
jsonpath "$.Placement.resources[0].annotations.purpose" == "backend"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need more tests like

  • get a placement, ensure the azure credentials are set

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants