Storing the user assigned managed identity in the scaleset table #255
self.save() | ||
|
||
def set_identity(self, vmss: Any) -> None: |
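Review bot: `set_identity(self, vmss: Any) -> None` types its argument as `Any` and returns nothing, so the signature does not show what the method reads from the scale set object or whether an identity was actually recorded. Consider annotating `vmss` with the concrete scale set type and adding a docstring that states what is stored and how a missing identity is reported to the caller.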
How does this handle pre-existing scalesets during the upgrade case?
Existing scalesets are handled in the is_authorized function in agent_authorization.py.
- If the scaleset had a system assigned managed identity, it would have been assigned to client_object_id.
- If the scaleset used a user assigned managed identity before this change, we fall back to the existing behavior of querying Azure.
Unfortunately, we cannot update the object id of the scaleset because the token does not contain the scaleset id.
If a user starts the creation of a scaleset and another user starts an upgrade shortly afterwards, this could leave that newly created scaleset in a bad place such that it does not have the client_object_id.
I updated the logic to make sure we only set the node to running if we are able to set the object_client_id. Your scenario will result in a failed node creation.
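The two behaviours discussed in this thread (stored-identity lookup with a fallback for pre-existing scalesets, and refusing to reach the running state without a recorded identity) can be sketched as follows. This is an added example, not code from the pull request or the project: `ScalesetRow`, `finish_creation`, the `creation_failed` state and the `azure_knows_identity` callback are hypothetical names, and the Azure query is assumed to answer only whether an object id is a known managed identity.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from uuid import UUID


@dataclass
class ScalesetRow:
    """Hypothetical stand-in for one row of the scaleset table."""
    scaleset_id: UUID
    state: str = "init"
    client_object_id: Optional[UUID] = None  # identity recorded at creation


def finish_creation(row: ScalesetRow, identity_oid: Optional[UUID]) -> None:
    """Reach 'running' only when the identity could be recorded."""
    if identity_oid is None:
        # Fail closed: a running row without an identity could never be
        # matched by the table lookup in is_authorized().
        row.state = "creation_failed"
        return
    row.client_object_id = identity_oid
    row.state = "running"


def is_authorized(
    token_oid: UUID,
    table: Dict[UUID, ScalesetRow],
    azure_knows_identity: Callable[[UUID], bool],
) -> bool:
    """Decide whether the object id from a token belongs to a scaleset."""
    # Fast path: the object id was stored when the scaleset was created.
    if any(row.client_object_id == token_oid for row in table.values()):
        return True
    # Legacy path for scalesets created before the identity was stored.
    # The token carries no scaleset id, so a positive answer cannot be
    # attributed to a row and nothing is written back to the table.
    return azure_knows_identity(token_oid)
```

The fallback costs one external query per request from a legacy scaleset, so the stored-identity path is the one new scalesets should always hit.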
Summary of the Pull Request
Closes #249
PR Checklist
Info on Pull Request
What does this include?
Validation Steps Performed
How does someone test & validate?