Allow owners to arbitrary ARM IDs #2357
Comments
|
Is the resource you're attempting to add the |
|
Hello, yes it’s a resource supported by ASO. So I can import it. thank you |
matthchr
changed the title
|
We're still considering this but haven't decided to do it yet. |
|
We are facing the same problem, currently creating role assignments on secret level within a key vault is not possible. |
|
Any update on this, what is the plan here? This is really blocking us to adapt ASO V2 |
|
Sorry I missed this in Feb @ombre9. For future reference if we're slow responding to a question/issue you can also ping us on the k8s slack in the We've been waiting for enough customer use-cases to accumulate that it makes sense to do this. We're probably at or near that point now, which means this item needs to get a design done for it and then assuming that design is accepted we need to implement it. Given how close we are to our GA release of 2.0.0 this would likely come in 2.1.0. We don't have concrete timelines for each release, it depends on what features we triage in, but we try to do one at least every 1-2 months, which would probably put 2.1.0 somewhere around May/June 2023 timeframe. Is RoleAssignments for KeyVault secrets your primary use-case for this feature or are there others? |
|
@matthchr atm yes! |
|
+1 to this feature - assigning arbitrary ARM IDs would be ideal for the workflow I'm intending: creating a cluster outside of ASO using something like Terraform, and then creating the application-specific nodepools using ASO by referencing that ARM ID. |
|
Until we get this feature, I wanted to document the current workaround: Imagine you want to create a resource B inside of an existing resource A, such that A owns B. A concrete example of this would be creating a
If your hierarchy is longer (i.e. A -> B -> C -> D, and you just want to create D) you have to create A, B and C following step 1 above. |
|
Thanks for the workaround @matthchr ! a big upvote from me as we have several resources already in place and managed by other teams but we still like to use them with ASO managed resources without worrying about them expect pointing to them directly |
|
@matthchr thanks for documenting the workaround. Unfortunately it doesn't work for our use case. I cannot shadow a secret in a keyvault. We are really waiting for the feature, cause we want to adopt ASO v2 as soon as possible. |
|
One note (mostly to myself) about this: When implementing this we need to be a bit careful because there is some code right now that relies on being able to retrieve its owner in Kubernetes. I think that this code only exists in handcrafted resources such as mysql user. There are a couple of options for how we can handle this:
|
|
+1 to this feature |
|
@matthchr Hey, I see this feature is being pushed over and over again to a new milestone and we've been waiting for this to finally decommission ASO v1. This becomes a problem for us because of an internal compliance issue with ASO v1 (as mentioned above suggested workaround doesn't work for our use case). Can you provide an update? thanks |
matthchr
added
the
high-priority
|
Sorry @ombre9. You're totally right, this has been in the backlog for a long time and hasn't been prioritized because we've been working on other things. That's wrong though, clearly there's strong desire for this feature. I've bumped it up to high-priority and moved it into 2.3.0. There's no guarantee it makes it into 2.3.0 but we'll try our best to get it in. |
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
This closes Azure#2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
This closes #2357. Nearly all resources now support being owned by an arbitrary ARM ID. Only database user resources (MySQLUser, PostgreSQLUser) do not allow ARM ID ownership. This is because those resources must extract certain connection information from their parents and so must have access to their parents via the Kubernetes API. ARM ID ownership behaves the following way: * Resources owned by an ARM ID will continue to attempt to reconcile if that ID doesn't exist. When the owning resource cannot be found, the resource will report a Ready=false with a "Warning" and additional details. If possible, avoid deleting the owning ARM resource without also deleting the resources in Kubernetes. * The credential being used for the resource must have the same subscription ID as the owning ARM resource. This means if your global credential is for Subscription A you cannot have ARM ID owners from subscription B unless you also create a serviceoperator.azure.com/credential-from for subscription B.
github-project-automation
bot
moved this from Backlog
to Recently Completed
in Azure Service Operator Roadmap
matthchr
moved this from Recently Completed
to Ready for Release
in Azure Service Operator Roadmap
Describe the current behavior
Currently, the type of the owner field is
ArbitraryOwnerReference. It's only support another resource defined in the cluster.Describe the improvement
It would be great if I could define an
armIdto be able to add a role to an existing resource outside of the cluster.Thanks
The text was updated successfully, but these errors were encountered: