This was required as setup-envtest@latest no longer works with Go
versions less than 1.22.
controller-tools was also updated as it panics if 0.13.0 is used with Go
1.22. 0.14.0 must be used instead.
Go version also moved to 1.21 to comply with new mod shape.
ubuntu-latest now has Kustomize v5 by default which is what we were using
before (even though we purposefully selected Kustomize v4 in our
installation scripts we weren't actually using it).
This ensures that we use the pinned version of Kustomize.
ARM apparently now can return Type either in the correct case or
lowercase. This feels like a bug but it's not something they're fixing
anytime soon, so for now we need to work around it.
* Update KeyVault SecretClient to recover soft delete
* Includes a test ensuring that this works
* Add Azure SQL Combined test to ensure create+delete+recreate works
* Update CI to not fail on stderr
* Add OperatorMode config value and use it from main
It's specified as AZURE_OPERATOR_MODE, with possible values `webhooks`, `watchers` and `watchers-and-webhooks`. Use the setting from main() to decide whether watchers and webhooks should be started.
* Move reconciler and webhook registration out of main
Move it to controllers.RegisterReconcilers and controllers.RegisterWebhooks so that it can be shared between main and the controller tests.
* Test the watchers/webhooks behaviour of different operator modes
* Include operator logging when TEST_EMIT_ASO_LOGS is set
This can be very useful when trying to understand why a test is failing, but it's far too noisy to include all the time.
* Add tests for OperatorMode
* Add make targets and pipeline jobs for webhooks + watchers modes
* Remove envtest job timeout for now
It seems like there's a problem in the job that's causing it to be killed by the timeout, but the way the job is killed prevents us from seeing the output which would let us fix the underlying problem in whichever test is failing.
* Use require rather than assert in Azure SQL
Also in the Ensure* helpers.
The assert library doesn't stop the current test if the assertion fails, which means that the test run always ends up finishing with a timeout waiting for something that can't happen because some prerequisite failed.
In general the require model is better for tests. The downside is that you might need to run the test multiple times to see all the problems, but it avoids nonsensical situations where you time out deleting a resource that you failed to create.
* Increase test FailoverGracePeriod to 60
Previous runs were failing with an error saying that 60 is the minimum. (Not sure whether this is a new constraint?)
* Rewrite Retry as a non-recursive function
It was producing very annoying stack traces if a test timed out.
* Update aad-pod-identity helm chart dependency to 4.1.1
This corresponds to aad-pod-identity version 1.8.0. It's needed
because the previous version 1.5.5 installs v1beta1
ClusterRoleBindings, which trigger deprecation warnings in k8s
1.19.11.
* Use the latest ASO helm chart from index.yaml
Since the clusters have been upgraded to 1.19.11 the cluster-release
task has started failing since helm is complaining about deprecated
v1beta1 ClusterRoleBindings in aad-pod-identity. Turn off the check so
the pipeline stops failing while we upgrade the aad-pod-identity
dependency.
* Add a target namespaces config, only watch resources therein
* Initial work on target namespace test
* Get target namespace test working in both cases
* More useful logging when creating test RG fails
* Run the no-target-namespaces test in the CI pipeline
This is handled in the same way as the secret naming version setting,
but the more settings we add (some more are on the way), the more
unwieldy it's going to be. We need to come up with a better way of
making different settings testable.
* Rework install- targets so they don't trample go.mod & .sum
Renamed them to install-tools and install-test-tools, since they're
installing binaries used in the build process rather than code
dependencies.
Run the `go get` commands in a temp directory and dummy module so that
they don't update the ASO go.mod and .sum files with dependencies that
our code doesn't actually depend on.
* Use the unfiltered API reader when looking for AAD identities
When target namespaces are set, there's no guarantee that the
operator's namespace is included. The identity finder always needs to
look in the operator namespace so pass it the API reader which
bypasses the filtered cache.
* Review tweaks, thanks @matthchr!
* Fix v1 secret naming
- Fix issue where namespace was mistakenly included in v1 secret
naming key generation. Some resources are not expected to have
namespace prefix in certain KeyVault scenarios.
* Increase build timeout a bit
* Don't create many different randoms in test
* SecretClient should not be modified
* Change region VM tests are run in
- Due to capacity constraints. We can move back later.
* Fix typo in readme
* Improve secrets documentation
* Return proper error if we cannot deserialize secret
* Add new AZURE_SECRET_NAMING_VERSION mode
The new mode allows us to fix inconsistencies in how secrets
were named without making a breaking change.
- AppInsights created secrets in the same namespace
as the resource but with name:
"appinsights-<resourceGroup>-<resourceName>"
- Storage created secrets in the same namespace
as the resource but with name:
"storage-<resourceGroup>-<resourceName>"
- AzureSQL resources created resources with
a different naming scheme as well.
- Other resources created a secret in the same
namespace with the secret name being the
resource name.
The new V2 mode ensures that all resources create secrets
in KeyVault and/or Kubernetes with a consistent naming pattern.
* Update Helm chart (but don't generate new package)
* Fix bug where SQLManagedUser Namespace could be empty
- This would prevent secrets from being created in Kubernetes
* Enable V2 secrets for EnvTest tests
* Use v1beta1 explicitly with controller-gen
* PR feedback
* PR feedback
* Better testing
* Azure SQL FailoverGroup improvements
- Fix bug preventing reconciliation of updates after a FailoverGroup
was created.
- Fix bug where status of long running operation was not properly
monitored.
* Add unit tests to CI
* Kubebuilder annotation for minlength should use = not :
* Add additional validations on MySQL users
* Add validations to more Azure SQL types
* Update some dependencies
- We're primarily interested in updating controller-runtime
as the newer version supports webhooks in envtest better.
* Don't allow DB name "master" to be used for Azure SQL users
* Fixes for CI
* Update Helm chart
- Use more best practices for Helm charts as defined here:
https://helm.sh/docs/chart_best_practices/conventions/
- Update chart to contain recently added resources.
- Update chart version to 1.0.0, so that we can begin following semver
more closely.
* Regenerated helm chart with controller-tools 0.2.5
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
* Updating chart to make aad-pod-identity installation optional.
* Adding newline to end of Chart.yaml
* Updating chart to make aad-pod-identity installation optional.
* Adding newline to end of Chart.yaml
* Reverting chart version to 0.1.0
Co-authored-by: Kyle Schouviller <kyle0654@hotmail.com>
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>