feat!: Incremental changeset removal of CSI driver workflow. (#312)
digimaun authored Aug 21, 2024
1 parent 182db97 commit 6022af5
Showing 13 changed files with 267 additions and 1,715 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Expand Up @@ -331,4 +331,6 @@ coverage.json
.tox/

# test results / junit
junit/
junit/

pyrightconfiguration.json
34 changes: 0 additions & 34 deletions azext_edge/edge/_help.py
Expand Up @@ -403,40 +403,6 @@ def load_iotops_help():
Pre-creating an app registration is useful when the logged-in principal has constrained
Entra Id permissions. For example in CI/automation scenarios, or an orgs separation of user
responsibility.
examples:
- name: Minimum input for complete setup. This includes Key Vault configuration, CSI driver deployment, TLS config and deployment of IoT Operations.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id /subscriptions/2cb3a427-1abc-48d0-9d03-dd240819742a/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault
- name: Same setup as prior example, except with the usage of an existing app Id and a flag to include a simulated PLC server as part of the deployment.
Including the app Id will prevent init from creating an app registration.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --simulate-plc
- name: To skip deployment and focus only on the Key Vault CSI driver and TLS config workflows simple pass in --no-deploy.
This can be useful when desiring to deploy from a different tool such as Portal.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-deploy
- name: To only deploy IoT Operations on a cluster that has already been prepped, simply omit --kv-id and include --no-tls.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --no-tls
- name: Use --no-block to do other work while the deployment is on-going vs waiting for the deployment to finish before starting the other work.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-block
- name: This example shows providing values for --sp-app-id, --sp-object-id and --sp-secret. These values should reflect the desired service principal
that will be used for the Key Vault CSI driver secret synchronization. Please review the command summary for additional details.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d
--sp-object-id 224a7a3f-c63d-4923-8950-c4a85f0d2f29 --sp-secret $SP_SECRET
- name: To customize runtime configuration of the Key Vault CSI driver, --csi-config can be used. For example setting resource limits on the telegraf container dependency.
text: >
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d
--csi-config telegraf.resources.limits.memory=500Mi telegraf.resources.limits.cpu=100m
"""

helps[
30 changes: 5 additions & 25 deletions azext_edge/edge/commands_edge.py
Expand Up @@ -17,9 +17,7 @@
from .providers.check.common import ResourceOutputDetailLevel
from .providers.edge_api.orc import ORC_API_V1
from .providers.orchestration.common import (
DEFAULT_SERVICE_PRINCIPAL_SECRET_DAYS,
DEFAULT_X509_CA_VALID_DAYS,
KEYVAULT_ARC_EXTENSION_VERSION,
KubernetesDistroType,
MqMemoryProfile,
MqServiceType,
Expand Down Expand Up @@ -102,7 +100,6 @@ def init(
instance_name: Optional[str] = None,
instance_description: Optional[str] = None,
cluster_namespace: str = DEFAULT_NAMESPACE,
keyvault_spc_secret_name: str = DEFAULT_NAMESPACE,
custom_location_name: Optional[str] = None,
location: Optional[str] = None,
show_template: Optional[bool] = None,
Expand All @@ -125,15 +122,8 @@ def init(
mq_broker_config_file: Optional[str] = None,
mq_insecure: Optional[bool] = None,
dataflow_profile_instances: int = 1,
disable_secret_rotation: Optional[bool] = None,
rotation_poll_interval: str = "1h",
csi_driver_version: str = KEYVAULT_ARC_EXTENSION_VERSION,
csi_driver_config: Optional[List[str]] = None,
service_principal_app_id: Optional[str] = None,
service_principal_object_id: Optional[str] = None,
service_principal_secret: Optional[str] = None,
service_principal_secret_valid_days: int = DEFAULT_SERVICE_PRINCIPAL_SECRET_DAYS,
keyvault_resource_id: Optional[str] = None,
# TODO - @digimaun csi_driver_config: Optional[List[str]] = None,
keyvault_resource_id: Optional[str] = None, # TODO - @digimaun
tls_ca_path: Optional[str] = None,
tls_ca_key_path: Optional[str] = None,
tls_ca_dir: Optional[str] = None,
Expand All @@ -144,11 +134,12 @@ def init(
disable_rsync_rules: Optional[bool] = None,
context_name: Optional[str] = None,
ensure_latest: Optional[bool] = None,
**kwargs,
) -> Union[Dict[str, Any], None]:
from .common import INIT_NO_PREFLIGHT_ENV_KEY
from .providers.orchestration import deploy
from .util import (
assemble_nargs_to_dict,
# assemble_nargs_to_dict,
is_env_flag_enabled,
read_file_content,
url_safe_random_chars,
Expand Down Expand Up @@ -184,9 +175,6 @@ def init(
if not exists(tls_ca_key_path):
raise InvalidArgumentValueError("Provided CA private key file does not exist.")

if csi_driver_config:
csi_driver_config = assemble_nargs_to_dict(csi_driver_config)

# TODO - @digimaun
mq_broker_config = None
if mq_broker_config_file:
Expand Down Expand Up @@ -227,20 +215,12 @@ def init(
mq_insecure=mq_insecure,
dataflow_profile_instances=int(dataflow_profile_instances),
keyvault_resource_id=keyvault_resource_id,
keyvault_spc_secret_name=str(keyvault_spc_secret_name),
disable_secret_rotation=disable_secret_rotation,
rotation_poll_interval=str(rotation_poll_interval),
csi_driver_version=str(csi_driver_version),
csi_driver_config=csi_driver_config,
service_principal_app_id=service_principal_app_id,
service_principal_object_id=service_principal_object_id,
service_principal_secret=service_principal_secret,
service_principal_secret_valid_days=int(service_principal_secret_valid_days),
tls_ca_path=tls_ca_path,
tls_ca_key_path=tls_ca_key_path,
tls_ca_dir=tls_ca_dir,
tls_ca_valid_days=int(tls_ca_valid_days),
template_path=template_path,
**kwargs,
)


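Review bot: `keyvault_resource_id` is still accepted by `init` and forwarded to `deploy(...)` with only a bare `# TODO - @digimaun` marker on the signature line, so a reader cannot tell whether the value still drives any cluster-side setup now that the surrounding CSI driver parameters are gone; the marker should state what is pending, e.g. `keyvault_resource_id: Optional[str] = None,  # TODO - @digimaun: kept while the CSI driver workflow is removed incrementally; deploy() still receives it unchanged`. The new `**kwargs` catch-all on `init` is passed straight through as `deploy(**kwargs)`, so any stray keyword reaches deploy instead of failing at the command boundary; if it exists only to absorb the removed parameters during the transition, a short comment saying so (and when it goes away) would help, since params.py no longer registers those options and the CLI parser will reject them before `init` runs anyway. The commented-out `# assemble_nargs_to_dict,` import and the `# TODO - @digimaun csi_driver_config: ...` line are dead code; deleting them and keeping a single tracked TODO reads cleaner. The body of `init` continues outside the visible hunks.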
92 changes: 20 additions & 72 deletions azext_edge/edge/params.py
Expand Up @@ -80,7 +80,7 @@ def load_iotops_arguments(self, _):
options_list=["--tags"],
arg_type=tags_type,
help="Instance tags. Property bag in key-value pairs with the following format: a=b c=d. "
"Use --tags \"\" to remove all tags.",
'Use --tags "" to remove all tags.',
)
context.argument(
"instance_description",
Expand Down Expand Up @@ -514,81 +514,29 @@ def load_iotops_arguments(self, _):
# AKV CSI Driver
context.argument(
"keyvault_resource_id",
options_list=["--kv-id"],
options_list=[
"--kv-resource-id",
context.deprecate(
target="--kv-id",
redirect="--kv-resource-id",
hide=True,
),
],
help="Key Vault ARM resource Id. Providing this resource Id will enable the client "
"to setup all necessary resources and cluster side configuration to enable "
"the Key Vault CSI driver for IoT Operations.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"keyvault_spc_secret_name",
options_list=["--kv-spc-secret-name"],
help="The Key Vault secret **name** to use as the default SPC secret. "
"If the secret does not exist, it will be created with a cryptographically secure placeholder value.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"disable_secret_rotation",
options_list=["--disable-rotation"],
arg_type=get_three_state_flag(),
help="Flag to disable secret rotation.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"rotation_poll_interval",
options_list=["--rotation-int"],
help="Rotation poll interval.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"csi_driver_version",
options_list=["--csi-ver"],
help="CSI driver extension version.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"csi_driver_config",
options_list=["--csi-config"],
nargs="+",
action="extend",
help="CSI driver extension custom configuration. Format is space-separated key=value pairs. "
"--csi-config can be used one or more times.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"service_principal_app_id",
options_list=["--sp-app-id"],
help="Service principal app Id. If provided will be used for CSI driver setup. "
"Otherwise an app registration will be created. "
"**Required** if the logged in principal does not have permissions to query graph.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"service_principal_object_id",
options_list=["--sp-object-id"],
help="Service principal (sp) object Id. If provided will be used for CSI driver setup. "
"Otherwise the object Id will be queried from the app Id - creating the sp if one does not exist. "
"**Required** if the logged in principal does not have permissions to query graph. "
"Use `az ad sp show --id <app Id> --query id -o tsv` to produce the proper object Id. "
"Alternatively using Portal you can navigate to Enterprise Applications in your Entra Id tenant.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"service_principal_secret",
options_list=["--sp-secret"],
help="The secret corresponding to the provided service principal app Id. "
"If provided will be used for CSI driver setup. Otherwise a new secret will be created. "
"**Required** if the logged in principal does not have permissions to query graph.",
arg_group="Key Vault CSI Driver",
)
context.argument(
"service_principal_secret_valid_days",
options_list=["--sp-secret-valid-days"],
help="Option to control the duration in days of the init generated service principal secret. "
"Applicable if --sp-secret is not provided.",
arg_group="Key Vault CSI Driver",
type=int,
)
# TODO - @digimaun - still applicable
# context.argument(
# "csi_driver_config",
# options_list=["--csi-config"],
# nargs="+",
# action="extend",
# help="CSI driver extension custom configuration. Format is space-separated key=value pairs. "
# "--csi-config can be used one or more times.",
# arg_group="Key Vault CSI Driver",
# )
# TLS
context.argument(
"tls_ca_path",
Expand Down Expand Up @@ -1122,7 +1070,7 @@ def load_iotops_arguments(self, _):
options_list=["--tags"],
arg_type=tags_type,
help="Schema registry tags. Property bag in key-value pairs with the following format: a=b c=d. "
"Use --tags \"\" to remove all tags.",
'Use --tags "" to remove all tags.',
)
context.argument(
"description",
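Review bot: The help text kept for `keyvault_resource_id` still states that providing the Id "will enable the client to setup all necessary resources and cluster side configuration to enable the Key Vault CSI driver", while this commit removes that workflow and every other option in the `Key Vault CSI Driver` group, so the renamed `--kv-resource-id` option now advertises behaviour the command no longer (or not yet) performs. Trim it to what is still true, `help="Key Vault ARM resource Id.",` and put a `# TODO - @digimaun: arg_group and help pending completion of CSI driver removal` comment next to `arg_group="Key Vault CSI Driver"` so the stale wording is tracked rather than shipped. The `context.deprecate(target="--kv-id", redirect="--kv-resource-id", hide=True)` entry is the right way to keep the old spelling working and needs no change. The commented-out `csi_driver_config` argument block duplicates the TODO already left in commands_edge.py; deleting the dead code and keeping one tracked TODO is cleaner. `load_iotops_arguments` starts and ends outside the visible hunks.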