ci: [Service Tags] add public ips with service tags for LBs during cluster creation #3277
Conversation
Signed-off-by: Keerthana Routhu <[email protected]>
k-routhu
changed the title
k-routhu
changed the title
hack/aks/Makefile
Outdated
| REGION ?= westus2 | ||
| VM_SIZE ?= Standard_B2s | ||
| VM_SIZE_WIN ?= Standard_B2s | ||
| IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest | ||
| IP_PREFIX ?= serviceTaggedIp | ||
| PUBLIC_IPv4 ?= $(IP_PREFIX)-$(CLUSTER)-v4 | ||
| PUBLIC_IPv6 ?= $(IP_PREFIX)-$(CLUSTER)-v6 |
There was a problem hiding this comment.
All ?= should be lined up.
hack/aks/Makefile
Outdated
| public-ipv4: rg-up | ||
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv4) \ | ||
| --resource-group $(GROUP) \ | ||
| --allocation-method Static \ | ||
| --ip-tags $(IP_TAG) \ | ||
| --location $(REGION) \ | ||
| --sku Standard \ | ||
| --tier Regional \ | ||
| --version IPv4 | ||
|
|
||
| public-ipv6: rg-up | ||
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv6) \ | ||
| --resource-group $(GROUP) \ | ||
| --allocation-method Static \ | ||
| --ip-tags $(IP_TAG) \ | ||
| --location $(REGION) \ | ||
| --sku Standard \ | ||
| --tier Regional \ | ||
| --version IPv6 |
There was a problem hiding this comment.
Duplicate rg-up calls when creating cluster. I would remove the rg-up from the make calls public-ipv4 and public-ipv6
| $(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \ | ||
| --auto-upgrade-channel $(AUTOUPGRADE) \ | ||
| --node-os-upgrade-channel $(NODEUPGRADE) \ | ||
| --kubernetes-version $(K8S_VER) \ | ||
| --node-count $(NODE_COUNT) \ | ||
| --node-vm-size $(VM_SIZE) \ | ||
| --load-balancer-sku standard \ |
There was a problem hiding this comment.
Inconsistent removal of --load-balancer-sku. Does it need to be standard or can we keep it as basic?
There was a problem hiding this comment.
can be basic, I meant to remove --load-balancer-sku standard for nodesubnet-byocni-nokubeproxy-up since I'm adding --load-balancer-outbound-ips <publicip v4>,<publicip v6>
There was a problem hiding this comment.
Does this implicitly set every cluster to standard for the load balancer sku?
| @@ -98,6 +120,7 @@ up: swift-up ## Alias to swift-up | |||
|
|
|||
|
|
|||
| nodesubnet-byocni-nokubeproxy-up: rg-up overlay-net-up ## Brings up an NodeSubnet BYO CNI cluster without kube-proxy | |||
| @$(MAKE) public-ipv4 | |||
There was a problem hiding this comment.
will this rerun the public ip creation? if so, should we have the ip creation as a global step so it provisions just once?
There was a problem hiding this comment.
yes, this reruns public ip creation, but since the Cilium pipelines do cluster creation in parallel, we need to provision different public ips
There was a problem hiding this comment.
why are you reinvoking Make for this? unless you are overriding or changing args and options versus the Make invocation you are already in, you could make the IP target a dependency here, like rg-up etc.
| @@ -98,6 +120,7 @@ up: swift-up ## Alias to swift-up | |||
|
|
|||
|
|
|||
| nodesubnet-byocni-nokubeproxy-up: rg-up overlay-net-up ## Brings up an NodeSubnet BYO CNI cluster without kube-proxy | |||
There was a problem hiding this comment.
Are these steps run in parallel or in a sequential order?
Public IPs from ST are limited so we should try to either reuse or not create too many public ips at the same time
There was a problem hiding this comment.
these steps are run in parallel, but I do believe we have the capacity to create the public ips. The majority of the clusters are created in westus and westus2, and they have 254 and 512 available vips respectively, and we create about 10-12 clusters (and public ips) in each location, and delete them all at the end
| --location $(REGION) \ | ||
| --sku Standard \ | ||
| --tier Regional \ | ||
| --version IPv6 |
There was a problem hiding this comment.
Did we request IPV6 ips for our test ST ?
There was a problem hiding this comment.
discussed offline, should be good to go on ipv6
jpayne3506
changed the title
| KUBE_PROXY_JSON_PATH ?= ./kube-proxy.json | ||
|
|
||
| # overrideable variables | ||
| SUB ?= $(AZURE_SUBSCRIPTION) | ||
| CLUSTER ?= $(USER)-$(REGION) | ||
| GROUP ?= $(CLUSTER) | ||
| VNET ?= $(CLUSTER) | ||
|
|
There was a problem hiding this comment.
nit: Lets keep this line in.
hack/aks/Makefile
Outdated
| REGION ?= westus2 | ||
| VM_SIZE ?= Standard_B2s | ||
| VM_SIZE_WIN ?= Standard_B2s | ||
| IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest | ||
| IP_PREFIX ?= serviceTaggedIp | ||
| PUBLIC_IPv4 ?= $(IP_PREFIX)-$(CLUSTER)-v4 | ||
| PUBLIC_IPv6 ?= $(IP_PREFIX)-$(CLUSTER)-v6 |
There was a problem hiding this comment.
All ?= should be lined up.
| $(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \ | ||
| --auto-upgrade-channel $(AUTOUPGRADE) \ | ||
| --node-os-upgrade-channel $(NODEUPGRADE) \ | ||
| --kubernetes-version $(K8S_VER) \ | ||
| --node-count $(NODE_COUNT) \ | ||
| --node-vm-size $(VM_SIZE) \ | ||
| --load-balancer-sku standard \ |
There was a problem hiding this comment.
Does this implicitly set every cluster to standard for the load balancer sku?
| public-ipv4: | ||
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv4) \ | ||
| --resource-group $(GROUP) \ | ||
| --allocation-method Static \ | ||
| --ip-tags $(IP_TAG) \ | ||
| --location $(REGION) \ | ||
| --sku Standard \ | ||
| --tier Regional \ | ||
| --version IPv4 | ||
|
|
||
| public-ipv6: | ||
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv6) \ | ||
| --resource-group $(GROUP) \ | ||
| --allocation-method Static \ | ||
| --ip-tags $(IP_TAG) \ | ||
| --location $(REGION) \ | ||
| --sku Standard \ | ||
| --tier Regional \ | ||
| --version IPv6 |
There was a problem hiding this comment.
are these identical except for "v4" and "v6"? consider how you could simplify and parameterize throughout, like this:
| public-ipv4: | |
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv4) \ | |
| --resource-group $(GROUP) \ | |
| --allocation-method Static \ | |
| --ip-tags $(IP_TAG) \ | |
| --location $(REGION) \ | |
| --sku Standard \ | |
| --tier Regional \ | |
| --version IPv4 | |
| public-ipv6: | |
| $(AZCLI) network public-ip create --name $(PUBLIC_IPv6) \ | |
| --resource-group $(GROUP) \ | |
| --allocation-method Static \ | |
| --ip-tags $(IP_TAG) \ | |
| --location $(REGION) \ | |
| --sku Standard \ | |
| --tier Regional \ | |
| --version IPv6 | |
| ip: | |
| $(AZCLI) network public-ip create --name $(IP_PREFIX)-$(CLUSTER)-$(IPVERSION) \ | |
| --resource-group $(GROUP) \ | |
| --allocation-method Static \ | |
| --ip-tags $(IP_TAG) \ | |
| --location $(REGION) \ | |
| --sku Standard \ | |
| --tier Regional \ | |
| --version IP$(IPVERSION) | |
| ipv4: | |
| @$(MAKE) ip IPVERSION=v4 | |
| ipv6: | |
| @$(MAKE) ip IPVERSION=v6 | |
| IP_TAG ?= FirstPartyUsage=/DelegatedNetworkControllerTest | ||
| IP_PREFIX ?= serviceTaggedIp |
There was a problem hiding this comment.
are these strings pre-determined?
| @@ -98,6 +120,7 @@ up: swift-up ## Alias to swift-up | |||
|
|
|||
|
|
|||
| nodesubnet-byocni-nokubeproxy-up: rg-up overlay-net-up ## Brings up an NodeSubnet BYO CNI cluster without kube-proxy | |||
| @$(MAKE) public-ipv4 | |||
There was a problem hiding this comment.
why are you reinvoking Make for this? unless you are overriding or changing args and options versus the Make invocation you are already in, you could make the IP target a dependency here, like rg-up etc.
|
Why are we using |
@timraymond yes and no. I originally wrote this Makefile because I needed to build infra that required certain subscription flags enabled (which ARM may be able to do, but was documented as AzCLI commands), and a certain preview CLI installed locally and/or a preview AZ AKS plugin installed locally. This made it easy for everyone to deploy infra identically without copy/pasting out of some install steps OneNote every time. I also find it nice to have a central list of capabilities. We could write Bicep for everything here, but I think I would still want the Makefile to exist as the single entrypoint to all of the |
Reason for Change:
Adding service tags to all public ips. This change adds public ips and attaches these ips as load balancer outbound ips during cluster creation. Branch
spathak/add-service-tagsis where all the changes were made and tested -- created this branch based off of that one.Testing:
spathak/add-service-tagsTested changes in a couple of Cilium pipelines:
CNI Nightly Pipeline - Task
The public ips created have service tags attached to them, and the ips fall within the allowed ranges for the locations they were created
CNI Release Test - Task
All of the public ips created have service tags attached to them, and the ips fall within the allowed ranges for the locations they were created
CNI - LSG Integration Test - Task
The clusters get created here successfully with the correct public ips. The integration tests do fail, but I checked with John Payne -- he mentioned that the integration tests fail frequently because they're heavily dependent on a partner team (Canonical). He suggested running Cilium Private Test pipelines on v1.14 and v1.16 (the next two on the list) and the remaining pipelines with the service tags. The remaining pipelines look good and create public ips as expected, so I believe we should be good to go on that front.
ACN PR Pipeline - Task
All of the public ips created have service tags attached to them, and the ips fall within the allowed ranges for the locations they were created