Helm feature

[sophsoph321]

This PR includes implementation for the following customizations for azure arc:

• In the yaml file, we introduced the ClusterType property in as one of the configmaps, which takes values such as ConnectedClusters, ManagedClusters, ArcAppliances etc.
• New Helm Collector class (see paragraph below)

Description of the new HelmCollector class:
This HelmCollector class is needed as one of the arc customizations for periscope because as part of the arc extensions feature, the extensions are deployed as helm packages. Therefore, for troubleshooting purposes, the HelmCollector class will be running the commands "helm list --all-namespaces" and "helm history". The command "helm list --all-namespaces" will list all of the releases across all namespaces that are deployed or failed. The command "helm history" will list the historical revisions of a release and provides information such as the following: revision numbers, date and time of the revision, its status, the name of the release chart, the version of the app, and the description.

[jonathan-innis]

Couple small things

[Tatsinnit]

💡 Thank you so much for this new PR, I have a feeling that This PR over-rides the old PR: #51 please feel free to close the Old PR.

Please let me know once this PR is ready for review? Thanks.

[sophsoph321]

@Tatsinnit so sorry for not getting back in advance! Yes, I have opened this PR so you and the periscope team can review it, it is no longer a draft. I will close PR #51 since this one has the latest changes. Thanks for your attention.

[davidkydd]

Thanks - looks good!

[davidkydd]

Thanks - looks good!

not validated integrations

[Tatsinnit]

💡 Thank you Sophie, few things as a checklist to make sure you have covered existing behaviours are:

• Make sure you locally run CI.

• Tip to locally test changes via image reside here: https://github.com/Azure/aks-periscope#programming-guide

  • Above will be a very important scenario to test, and feel free to reach out to us for anything.

• If you find any new functionality could be easily extracted to UT (unit test) then feel enabled to do so. (We could make it part of the CI as well)

• Once we have done all the above, we should have enough confidence to open PR for review.

Really appreciate it. 🙏

[Tatsinnit]

💡 🐛 I plan to add PR to your fork tonight, but see I noticed something interesting:

:= is Short variable declaration, but if you see carefully, up until line 53 you don't do anything with the output var.

I can make small updates and send small PR to your fort by tonight. Thanks.

[Tatsinnit]

🐛 More details here: #54 (comment)

[Tatsinnit]

💡 Let's just dig a little deeper for this: I think adding secrets to the list might be ok, and non-impacting, as this all runs with users permission and user in use will run it and that might enable the Arc - helm scenarios as well.

[Tatsinnit]

Lets add the secrets in resources and keep 1 yaml, I am not able to find out any issues with it, inc are we did we can always have a fallback idea anyways. Thank you. here is the small PR for it: sophsoph321#1 (Mainly to simplify all this)

[davidkydd]

This looks like a very risky set of permissions to me? This creates a ClusterRole with list permissions for secrets across all namespaces in the cluster.

What is this needed for? Is there any way we can scope the permissions down to e.g. enable secret get to just that secret which is required?

e.g. number 1 risky permission here: https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions and description of using get instead of list
https://darkbit.io/blog/the-power-of-kubernetes-rbac-list

[sophsoph321]

@davidkydd The reasoning comes from here: https://helm.sh/docs/topics/rbac/#example-grant-a-user-read-only-access-at-the-cluster-scope
If you go all the way at the bottom of that link above, it says in order to run "helm list --all-namespaces", the user needs cluster-scope read access, which requires having both view and secret-reader access. I discussed this internally with arc team, and we couldn't figure out a different way other than this to work around the issues Tats was having with running "helm list".

[davidkydd]

not due to something experienced in the past , just jumped out as a red flag. Also note that while CLI deployment of periscope will be cleaned up once complete, non-CLI driven deployments aren't cleaned up automatically, and would potentially leave this dangling clusterRole.

Assumed you would be able to at least scope the secrets you need to read down so there wouldn't be need for full "list" permission on a clusterRole, but from the link @sophsoph321 posted it doesn't look like it. If this is already at least-privilege possible for the commands the helm collector needs to run then think thats probably fine.

As we will likely encounter with the CRD permissions - it seems we are forced to either:

1. introduce additional complexity (Arc CLI has to update roleBinding after deploy), or
2. violate least privilege by giving all flavours of deployments the full super-set of required permissions (AKS deployments of periscope will end up with CRD + secrets list permissions when it makes no use of them)

Again, a problem which could be avoided by using a different config / deployment / yaml file for each integration. If we aren't prepared to do that then I suggest violating least privilege and avoiding the need for additional complexity in the CLI.

[Tatsinnit]

Yeah, initial thought process to be careful was exactly what I thought, but essentially the use case for this tool will not have any security impact to the behaviour.

User will always run this tool on their known cluster context. I would see it as Helm enablement requirement since this issue common with Helm command.

To get more idea/opinion, I reached out to @JunSun17 (Thank you for reply) - as long as we are not logging any secrets in an exported file, it should be good. I think the tool can access secrets and use it in the program to perform some logic, just make sure the secret values are not written out when exporting, or it will be exposed.

Further, @safeermohammed kindly agrees to stay involved and if there is any need be Arc will need to change/own for plan-b and we can together make move forward.

Side note: I would say, we can go ahead given we have captured all the opinion and have plan-b in case we find any concrete scenario. Also, if this at all is any security bug in Helm then it will be helm issue and in that case I would rather prefer to disable the whole helm command.

Thanks guys. 🙏

[davidkydd]

Thanks @Tatsinnit - my concern was mostly driven by my own naivety re: k8s security :)

Believe this can be resolved if nothing else from Arc side

[JunSun17]

@Tatsinnit thanks for summarizing this! I totally agree with you on the security side.

[davidkydd]

As a quick note regarding "just make sure the secret values are not written out when exporting, or it will be exposed." Secrets will be exported out, but only those corresponding to helm releases, which is by design

[arnaud-tincelin]

There are 18 commits, do we squash them in one before merging or do we rewrite a concise history?

[arnaud-tincelin]

Rather than adding some packages on the Docker image and executing command lines from our code, could we use libraries instead ?
https://github.com/helm/helm/blob/0af54d0f5c0f2a108506733b64752039ee39d165/cmd/helm/chart_list.go#L33
https://github.com/helm/helm/blob/0af54d0f5c0f2a108506733b64752039ee39d165/cmd/helm/history.go#L54

That way we can have better error handling, smaller docker image and less external dependencies, which means less error at runtime.

Last point: it is best practice to create new variables rather than doing variables reuse (output, err = )

[sophsoph321]

Thank you @arnaud-tincelin, for taking the time to review my changes, these are very good suggestions.
Also tagging relevant people: @davidkydd @safeermohammed @Tatsinnit

Regarding the suggestion about utilizing helm library, one thing to keep in mind is that we, the arc team, are trying to get an MVP out by end of May (a.k.a. next week) which will include this new helm feature for periscope. Refactoring the helm classes so that it uses library functions seems to be a big change and the changes that I have so far have already been tested extensively.

After discussing offline with the periscope team, we had a suggestion for periscope team to make the collectors use library functions even for the kubectl commands in the code. So the helm collector can be taken care of as part of this refactoring.

For now, given the short amount of time we have left until the MVP needs to be released, my thinking is to freeze the code changes for the time being. But of course, I will do my best to fix the other smaller changes such as creating the new variables and combining the lines in the Dockerfile.

Please let me know your thoughts on this.

[davidkydd]

Later refactoring to utilize helm + kubectl from libs rather than invoking executables sounds good to me

[Tatsinnit]

+1, yes we should do it as part of refactor, I will add a workitem with more details by eod.

I will test any new changes sometime Monday our time or earlier. (Will kee you guys posted)

thanks guys 🙏

[Tatsinnit]

There are 18 commits, do we squash them in one before merging or do we rewrite a concise history?

Thank you for noticing this @arnaud-tincelin , @sophsoph321 if you notice any old item in issue log, it seems you have a commit which references every old issue in this repo issue log. (Which is incorrect)

For example go to the issue log and open any old item and you will see your commit referencing that workitem. Let’s fix this.

like:

Thanks, 🙏

[sophsoph321]

There are 18 commits, do we squash them in one before merging or do we rewrite a concise history?

Thank you for noticing this @arnaud-tincelin , @sophsoph321 if you notice any old item in issue log, it seems you have a commit which references every old issue in this repo issue log. (Which is incorrect)

For example go to the issue log and open any old item and you will see your commit referencing that workitem. Let’s fix this.

Thanks, 🙏

@Tatsinnit @arnaud-tincelin. Thanks for bringing this up. I squashed a lot of my commits, so this PR should now have 2 commits instead of 18.

About that commit which references all of the old issues, it comes from a different branch in my repo, so it won't affect this PR. It might have happened when I was trying to squash some commits in a different branch, I'm relatively new to the squash functionality for git commits and at one point, the commits doubled, which was not supposed to happen. Anyways, I'm trying to change the commit message right now so that it doesn't reference every issue, but am really struggling to get my updates in. Do you have any tips on how to fix this? Thanks.

[Tatsinnit]

There are 18 commits, do we squash them in one before merging or do we rewrite a concise history?

Thank you for noticing this @arnaud-tincelin , @sophsoph321 if you notice any old item in issue log, it seems you have a commit which references every old issue in this repo issue log. (Which is incorrect)
For example go to the issue log and open any old item and you will see your commit referencing that workitem. Let’s fix this.

Thanks, 🙏

@Tatsinnit @arnaud-tincelin. Thanks for bringing this up. I squashed a lot of my commits, so this PR should now have 2 commits instead of 18.

About that commit which references all of the old issues, it comes from a different branch in my repo, so it won't affect this PR. It might have happened when I was trying to squash some commits in a different branch, I'm relatively new to the squash functionality for git commits and at one point, the commits doubled, which was not supposed to happen. Anyways, I'm trying to change the commit message right now so that it doesn't reference every issue, but am really struggling to get my updates in. Do you have any tips on how to fix this? Thanks.

Thanks @sophsoph321 , ah, I think this commit which is appearing in all the issues is from this branch: https://github.com/sophsoph321/aks-periscope/commits/helm_class

So not from your current branch, I would say if this “helm_class” is not in need you can clean or you can rebase that branch for whatever purpose it was created.

this is the specific commit in that branch:

[sophsoph321]

There are 18 commits, do we squash them in one before merging or do we rewrite a concise history?

Thank you for noticing this @arnaud-tincelin , @sophsoph321 if you notice any old item in issue log, it seems you have a commit which references every old issue in this repo issue log. (Which is incorrect)
For example go to the issue log and open any old item and you will see your commit referencing that workitem. Let’s fix this.

Thanks, 🙏

@Tatsinnit @arnaud-tincelin. Thanks for bringing this up. I squashed a lot of my commits, so this PR should now have 2 commits instead of 18.
About that commit which references all of the old issues, it comes from a different branch in my repo, so it won't affect this PR. It might have happened when I was trying to squash some commits in a different branch, I'm relatively new to the squash functionality for git commits and at one point, the commits doubled, which was not supposed to happen. Anyways, I'm trying to change the commit message right now so that it doesn't reference every issue, but am really struggling to get my updates in. Do you have any tips on how to fix this? Thanks.

Thanks @sophsoph321 , ah, I think this commit which is appearing in all the issues is from this branch: https://github.com/sophsoph321/aks-periscope/commits/helm_class

So not from your current branch, I would say if this “helm_class” is not in need you can clean or you can rebase that branch for whatever purpose it was created.

Thanks @Tatsinnit. I have removed the helm_class branch from my repo since it is not needed. Unfortunately, the commit reference is still there, with a warning message saying that "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository."

[Tatsinnit]

All good @sophsoph321 let's treat this as separate issue. I think the issue is that whatever your other branch has, it is not cleaned-up properly, hence even though that commit does't show up now, the rouge commit stays in that branch in your fork. Thanks.

[SanyaKochhar]

A request: would it be possible to use a generic name here like FEATURE_FLAGS? Specifically because in PR #48, based on feedback from @Tatsinnit, we are looking to reuse your flag for adding in 2 new collectors (SMI and OSM) that are not based on cluster type.

Ref: https://github.com/Azure/aks-periscope/pull/48/files#diff-cdb15eaf022fc76984176a66a52183b8c3cb0710176cc9349519c5d43fb1d2ffR49-R58

[Tatsinnit]

💡 Let's do this change in your PR, I think ARC folks have almost completed this, so as it looks like only thing you need is renaming this flag and we can do that as part of the OSM x SMI workitem.

cc: @safeermohammed - what do you think?

[SanyaKochhar]

Sounds good to me. We can make that change as a fast follow once this gets merged

cc: @shalier

[Tatsinnit]

Thank you @sophsoph321 , these changes looks good, I am approving it and I need to cut a release notes etc, before we formally release it.

Next step for me will be cut a release notes, plan a release. Also, we might have to add small read-me to the main doc as well, but I could do that and get your thoughts.

We need to do squash merge so I will do that tonight one @arnaud-tincelin or @JunSun17 has taken on final eyeballing for this PR.

Thanks. 🙏

[sophsoph321]

Thank you @sophsoph321 , these changes looks good, I am approving it and I need to cut a release notes etc, before we formally release it.

Next step for me will be cut a release notes, plan a release. Also, we might have to add small read-me to the main doc as well, but I could do that and get your thoughts.

We need to do squash merge so I will do that tonight one @arnaud-tincelin or @JunSun17 has taken on final eyeballing for this PR.

Thanks. 🙏

@Tatsinnit. This sounds good. About the documentation, the most compelling piece of documentation I can think of for now is updating the Appendix, so that the users know that they can customize values for the new configmap ClusterType. Would this new clusterType feature flag impact the az aks kollect cli as well? If yes, then then there should be an additional example in the User guide section of the ReadMe would also need to be updated. I will let you know if I think of other updates that need to be made for the documentation.

[Tatsinnit]

@Tatsinnit. This sounds good. About the documentation, the most compelling I can think of for now is updating the Appendix, so that the users know that they can customize values for the new configmap ClusterType. Would this new clusterType feature flag impact the az aks kollect cli? If yes, then then there should be an additional example in the User guide section of the ReadMe would also need to be updated. I will let you know if I think of other updates that need to be made for the documentation.

Thank you @sohpsoph321 , I think that sounds like good idea, a doc with the name of azure-arc.md what is enabled and what it achieves sounds like a good reading guide under the docs folder.

Your work should not effect current functionality, as long as you have tested your changes against vanilla deployment, because the new flag is only used to trigger arc mode on.

For read-me - we will add one liner as to what this new feature is.

Idealistically we can add documentation as part of the release cut we will do. Thank you 🙏