AKS/ACI - Add install-connector and remove-connector commands

[julienstroheker]

Add az aks install-connector and az aks remove-connector commands

$ az aks install-connector --help

Command
    az aks install-connector: Deploy the ACI-Connector to a AKS cluster.

Arguments
    --name -n           [Required]: Resource name for the managed cluster.
    --name-aks          [Required]: The name of the AKS cluster. The name is case insensitive.
    --resource-group -g [Required]: Name of resource group. You can configure the default group
                                    using `az configure --defaults group=<name>`.
    --chart-url                   : URL to the chart, Default: https://github.com/Azure/aci-
                                    connector-k8s/raw/master/charts/aci-connector.tgz.
    --client-secret               : The secret associated with the service principal. If --service-
                                    principal is specified, then secret should also be specified. If
                                    --service-principal is not specified, the secret is auto-
                                    generated for you and stored in ${HOME}/.azure/ directory.
    --location -l                 : Location. You can configure the default location using `az
                                    configure --defaults location=<location>`.
    --os-type                     : Os type target, could be Windows, Linux or Both.  Default:
                                    Linux.
    --service-principal           : The service principal used for ACI authentication to Azure APIs.
                                    If not specified, it is created for you and stored in the
                                    ${HOME}/.azure directory.

Global Arguments
    --debug                       : Increase logging verbosity to show all debug logs.
    --help -h                     : Show this help message and exit.
    --output -o                   : Output format.  Allowed values: json, jsonc, table, tsv.
                                    Default: json.
    --query                       : JMESPath query string. See http://jmespath.org/ for more
                                    information and examples.
    --verbose                     : Increase logging verbosity. Use --debug for full debug logs.

$ az aks remove-connector --help

Command
    az aks remove-connector: Undeploy the ACI-Connector from an AKS cluster.

Arguments
    --name -n           [Required]: Resource name for the managed cluster.
    --name-aks          [Required]: The name of the AKS cluster. The name is case insensitive.
    --resource-group -g [Required]: Name of resource group. You can configure the default group
                                    using `az configure --defaults group=<name>`.
    --graceful                    : Mention if you want to drain/uncordon your aci-connector to move
                                    your applications running on ACI to your others nodes. Default :
                                    False.
    --os-type                     : Os type target, could be Windows, Linux or Both.  Default:
                                    Linux.

Global Arguments
    --debug                       : Increase logging verbosity to show all debug logs.
    --help -h                     : Show this help message and exit.
    --output -o                   : Output format.  Allowed values: json, jsonc, table, tsv.
                                    Default: json.
    --query                       : JMESPath query string. See http://jmespath.org/ for more
                                    information and examples.
    --verbose                     : Increase logging verbosity. Use --debug for full debug logs.

---

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines

• The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).

Command Guidelines

• Each command and parameter has a meaningful description.
• Each new command has a test.

(see Authoring Command Modules)

[azuresdkci]

View a preview at https://prompt.ws/r/Azure/azure-cli/4996
This is an experimental preview for @microsoft.com users.
(It may take a minute or two for your instance to be ready)
Email feedback to 'azfeedback' with subject 'Prompt Feedback'.

[weinong]

I have a concern about it: _ensure_service_principal implicitly grants subscription scope contributor to the spn. I dont think you want it.
Suggest to remove below code from _ensure_service_principal all together as it's not needed:

# add role first before save it
if not _add_role_assignment('Contributor', service_principal):
     logger.warning('Could not create a service principal with the right permissions. '
                 'Are you an Owner on this project?')

[weinong]

@mboersma

[listonb]

@weinong You are asking @julienstroheker to remove code thats not even part of the commit. If theres a concern with another module/function i suggest submitting a PR or issue for that code. This is also an overall problem that should be addressed as an issue regarding the functionality of that method. Which I agree, we should not be scoping to an entire sub, but we are already doing that for acs/aks, thus this should be its own issue and un-related to thi pr.

[weinong]

@listonb np! we can fix that separately.

[itowlson]

I can't see where the command line options and docs are coming from in the Python, so I'll leave my notes here:

• I don't understand the difference between the --name and --name-aks options. Can we draw out this distinction more clearly?
• Same comment for --resource-group and --resource-group-name-aks
• In uninstall-connector, --gracefull should be --graceful (one l)
• In the --linux and --windows options, "Os" should be "OS" (capitalise acronyms)
• Why is a target OS required for the 'remove' command?
• ...that makes me think about the OS switches in general - is it valid to pass both --linux and --windows? If so, the explanation of the OS switches is confusing to me. If not, we should look at changing the design, e.g. to a single --target-os or --os-type option.
• --url-chart is documented as "The URL to the chart." Which chart?
• Subjective perhaps, but to me "URL chart" reads more like a chart of a URL or URLs. The URL to a chart would be the "chart URL". So perhaps consider changing this option to --chart-url?
• In prose, a colon is normally written without a space before it, as in "Default: foo." Is 'space before colon in default value docs' an Azure CLI convention? If not, let's remove the space.

[rbitia]

alright so --os for os types with the options windows, linux, both
then we are dropping the new rg for a connector and using the rg they created for the AKS cluster.
--url-chart is for the helm chart if they configured their own we should use --chart-url

[rbitia]

Open question about defaults - for simplicity Linux, for coolness Windows + Linux.
Open to debate though.

[julienstroheker]

@itowlson Thanks for the comments!

• --name is the name of the connector and --name-aks is the name of the cluster where we want to deploy
• I will automatically deploy the connector to the same RG where the AKS cluster is deployed, so I will remove the --resource-group-name-aks param.
• the graceful typo should be fixed in the last commit
• We need to specify the OS type for the remove command for the graceful command, since the we want to drain the nodes and the connector will have a different name depends if you are using windows or/and linux
• I will change for ria --os windows --os linux and --os both
• I will document the chart_url and applied your comments for the variable naming

[itowlson]

@julienstroheker Thanks for the clarifications and for your thoughtful responses. A couple of picky nits around the name and OS stuff, possibly due to my lack of understanding:

• At the moment, the --name text says "Resource name for the managed cluster." Will this change to say something like "Resource name for the ACI Connector instance." (or similar)?

• I see what you're saying about the OS type in remove, but still don't have the mental model quite straight. Are we saying the the name option is kind of a 'base name' that gets decorated with the OS name to make an actual name? So if I pass --os both then I get two ACI Connectors, and I can remove them separately (e.g. can pass --os linux on remove to drain only the Linux connector)? Pardon me if I'm being slow!

[julienstroheker]

@itowlson

• I am not sure to understand the question, are you talking about the description in the --help command ? if it the case, right now we have : The name for the ACI Connector but I can change it.
• The way that it is coded right now in the connector, if you need windows (--os-type=Windows or --os-type=Both) you have no choice to use the docker image with the tag canary. That image will deploy 1 pod and 2 nodes. Those nodes will have the name aci-connector-0 and aci-connector-1. Since we cannot cleary identify which one is the windows one or the linux one we have no choice to delete both of them. This should be fixed soon, when we will have a better convention name we can apply your scenario.

Make senses ?

[robbiezhang]

should use the "name" parameter instead of aci-connector-x

[robbiezhang]

same here. show we use {name}-win, {name}-linux as the node name?

[julienstroheker]

This is not supported in the current connector codebase, we cannot specify a custom node name

[julienstroheker]

see @itowlson last comment

[itowlson]

@julienstroheker That's cool, I didn't realise the --name text had been updated from the text posted at the top of the PR. Your new text is fine.

Regarding why we need the OS type on remove, thanks for the offline conversation - I'll document it here so others have the information too. The issue, as I understand it, is:

• Deployment of the ACI Connector is controlled by a Helm chart. az aks doesn't have low-level control over the nodes that get created.
• Depending on whether the OSes include Windows, the Helm chart creates a single aci-connector node (Linux only) or two aci-connector-0/-1 nodes (Linux and Windows). If Helm creates two nodes, it doesn't tell us which is which.
• During removal, we could issue drain commands for all these nodes (aci-connector, aci-connector-0 and aci-connector-1) and handle "that node doesn't exist" errors. But relying on node names feels brittle.
• Therefore, we prefer the user to tell us what OSes they expect to be removing, and to infer from that what nodes to drain.
• In future, it would be nice if the Helm chart labelled the nodes with their OS, or otherwise labelled or annotated them so we could locate them automatically. Then we may be able to remove this requirement.

Let me know any errors or important omissions and I'll edit this comment so it can act as a reference.

[rbitia]

@troydai not sure who I need from the CLI team to get this merged

[listonb]

@devigned @JasonRShaver Can we get a review of this? thx!!

[mboersma]

Is it possible to have --name be the name of the AKS managed cluster and --connector-name be the ACI connector's name instead? Then we use --name consistently across all the az aks commands, which would be less surprising to users.

[derekbekoe]

All help should be defined in params.py and _help.py not in the docstring of the commands.

--os-type: In params.py, define a choice_list of this param with possible values of ['Windows', 'Linux', 'Both']
--chart-url: In params.py, you can specify the default value as a string default='...'

[derekbekoe]

If you define chart_url in params.py with a default, this is not needed.

[derekbekoe]

No need for the 'Error: ' prefix.
CLIErrors are already handled by the CLI appropriately (red if color available or with the ERROR: prefix that the logger provides).

[derekbekoe]

Define 'Windows', 'Both', 'Linux' as constants and this should be a case-insensitive comparison.

[derekbekoe]

Once you move the param descriptions to params.py, you can define the default there.
Consider making --graceful a flag so if --graceful it set, your graceful variable will be set to true, if not, it will be set to false. This can be done through params.py.

[derekbekoe]

No need to prefix with Error :

[derekbekoe]

As before, should be a case-insensitive comparison.

[julienstroheker]

@derekbekoe Thanks for the review ! I am on it !

[julienstroheker]

@derekbekoe feel free to look at the new commits. Thanks

[derekbekoe]

Few more comments.

[derekbekoe]

The argument name should be --connector-name not ``--connector_name`.
Same elsewhere in this help file.

[derekbekoe]

There would be a space after --client-secret I believe.

[derekbekoe]

For this to actually be a flag, use action='store_true' then remove the default.
Right now, you'd have to specify --graceful True which isn't what is wanted.

[derekbekoe]

You can delete this whole docstring.

[derekbekoe]

Can remove this whole docstring.

[derekbekoe]

nit: typo connector

[julienstroheker]

@derekbekoe Thanks again ! I applied your comments.

[mboersma]

This all looks good to me, my comments are optional. I haven't been able to test it interactively though.

[mboersma]

(Optional) you could simplify this a bit:

if os_type in ['windows', 'both']:

[julienstroheker]

I'll do the change, thanks

[mboersma]

I think we're supposed to leave this alone and let the maintainers increment it--at least I had a previous PR where that was the case.

[julienstroheker]

Oh ok, I did it because it failed the CI. Do you want me to put it back version .20?

[yugangw-msft]

There is a process change recently that if yours is the first one since the latest release, you should bump up the version here and in the HISTORY.RST; otherwise CI will fail

[mboersma]

Same comment as above--could use in here.

[julienstroheker]

I'll do the change too.

[yugangw-msft]

these 2 comments are invalid

[yugangw-msft]

Please cross check whether you need to use case-insensitive comparison, considering you have defined the enum list with the first character in capital aci_connector_os_type = ['Windows', 'Linux', 'Both']

[yugangw-msft]

suggest use a loop to avoid code dupes, something like

 nodes = ['-0', '-1'] if os_type.lower() in ['windows', 'both'] else ['']
 for n in nodes:
    drain_node = subprocess.check_output(["kubectl", "drain", "aci-connector{}".format(n), "--force"],  universal_newlines=True)

[yugangw-msft]

this comment might be wrong

[derekbekoe]

LGTM.
Same 2 comments as before. Up to you if you want to address.

[derekbekoe]

You can still just remove this block of comments.
Everything should be defined in params.py already.

[julienstroheker]

Got it, let me move all of it in the params.py file to make it cleaner.

[derekbekoe]

You can still just remove this block of comments.
Everything should be defined in params.py already.

[julienstroheker]

Got it, let me move all of it in the params.py file to make it cleaner.

[yugangw-msft]

One more comment. Please do enough manual testing, particularly for both windows and linux, and let me know when it is ready to merge.

[yugangw-msft]

drain_node is not used any more in this method, so why not simplify like

     if not drain_node:
            raise CLIError("Couldn't find the node.")