feat: option to set Retry-After in NMI responses (#1114)
Adds a new feature flag to enable setting the Retry-After header in the error response from NMI. The error is returned only when the identity is still being assigned by NMI or no valid AzureAssignedIdentity is found yet. This enables SDKs to retry based on the HTTP status code 503 and the Retry-After header. Note: When enabling this feature, the default retries in NMI should be explicitly disabled in order to rely on the SDK for retries: --retry-attempts-for-created=1, --retry-attempts-for-assigned=1 and --find-identity-retry-interval=1. This will force NMI to return immediately with the Retry-After header 20s. Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
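--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,94 @@
+// +build e2e
+
+package e2e
+
+import (
+aadpodv1 "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity/v1"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/azureassignedidentity"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/azureidentity"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/azureidentitybinding"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/helm"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/identityvalidator"
+"github.com/Azure/aad-pod-identity/test/e2e/framework/namespace"
+
+. "github.com/onsi/ginkgo"
+corev1 "k8s.io/api/core/v1"
+)
+
+var _ = Describe("When SetRetryAfter header is enabled", func() {
+var (
+specName = "retry-after"
+ns *corev1.Namespace
+)
+
+BeforeEach(func() {
+ns = namespace.Create(namespace.CreateInput{
+Creator: kubeClient,
+Name: specName,
+})
+// upgrade pod identity to use the feature flag set-retry-after-header and
+// disable the internal retries.
+c := *config
+c.RetryAttemptsForCreated = 1
+c.RetryAttemptsForAssigned = 1
+c.FindIdentityRetryIntervalInSeconds = 1
+c.SetRetryAfterHeader = true
+
+helm.Upgrade(helm.UpgradeInput{Config: &c})
+})
+
+AfterEach(func() {
+Cleanup(CleanupInput{
+Namespace: ns,
+Getter: kubeClient,
+Lister: kubeClient,
+Deleter: kubeClient,
+})
+// reset the feature flag
+helm.Upgrade(helm.UpgradeInput{Config: config})
+})
+
+It("should pass the identity validation with retries from SDK based on Retry-After header", func() {
+azureIdentity := azureidentity.Create(azureidentity.CreateInput{
+Creator: kubeClient,
+Config: config,
+AzureClient: azureClient,
+Name: keyvaultIdentity,
+Namespace: ns.Name,
+IdentityType: aadpodv1.UserAssignedMSI,
+IdentityName: keyvaultIdentity,
+})
+azureIdentityBinding := azureidentitybinding.Create(azureidentitybinding.CreateInput{
+Creator: kubeClient,
+Name: keyvaultIdentityBinding,
+Namespace: ns.Name,
+AzureIdentityName: azureIdentity.Name,
+Selector: keyvaultIdentitySelector,
+})
+
+identityValidator := identityvalidator.Create(identityvalidator.CreateInput{
+Creator: kubeClient,
+Config: config,
+Namespace: ns.Name,
+IdentityBinding: azureIdentityBinding.Spec.Selector,
+})
+
+azureassignedidentity.Wait(azureassignedidentity.WaitInput{
+Getter: kubeClient,
+PodName: identityValidator.Name,
+Namespace: ns.Name,
+AzureIdentityName: azureIdentity.Name,
+StateToWaitFor: aadpodv1.AssignedIDAssigned,
+})
+
+identityvalidator.Validate(identityvalidator.ValidateInput{
+Getter: kubeClient,
+Config: config,
+KubeconfigPath: kubeconfigPath,
+PodName: identityValidator.Name,
+Namespace: ns.Name,
+IdentityClientID: azureIdentity.Spec.ClientID,
+IdentityResourceID: azureIdentity.Spec.ResourceID,
+})
+})
+})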
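Review bot: The `It("should pass the identity validation with retries from SDK based on Retry-After header", ...)` spec never observes the 503 or the Retry-After header it is named for; it waits for the AzureAssignedIdentity to reach `aadpodv1.AssignedIDAssigned` and then runs the same `identityvalidator.Validate` as the other specs, so it would also pass if NMI answered successfully on the first request. None of the visible framework helpers expose the NMI response, so at minimum document the indirection with a comment above the `It`, such as `// No direct assertion on the 503/Retry-After response: per the commit description, BeforeEach sets NMI's internal retries to 1 so the first token request is expected to fail, and the spec relies on the identity validator's SDK honouring Retry-After.` `c := *config` in BeforeEach is a shallow copy, which is fine for the four scalar fields set here, but it would silently alias any reference fields or copy a mutex if the config type holds one; an explicit copy helper would make that safe. The unconditional `helm.Upgrade(helm.UpgradeInput{Config: config})` in AfterEach is the right place for the reset, since it restores the chart even when BeforeEach or the spec fails midway.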