comment out TestUnchangedCAReloader test (flake)

omerap12 · kruthika04 · commit cf063d39b511 · 2025-02-24T16:43:45.000-08:00
Signed-off-by: Omer Aplatony &lt;omerap12@gmail.com&gt;

Added support for azure user assigned identity id

Bumped chart version to 9.46.1

fix lint issue

run helm docs

bump chart

doc(gce): Update manual MIG specification URL
diff --git a/charts/cluster-autoscaler/Chart.yaml b/charts/cluster-autoscaler/Chart.yaml
@@ -11,4 +11,5 @@ name: cluster-autoscaler
 sources:
   - https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
 type: application
-version: 9.46.0
+version: 9.46.2
+
diff --git a/charts/cluster-autoscaler/README.md b/charts/cluster-autoscaler/README.md
@@ -187,7 +187,7 @@ In the event you want to explicitly specify MIGs instead of using auto-discovery
 
 ```
 # where 'n' is the index, starting at 0
---set autoscalingGroups[n].name=https://content.googleapis.com/compute/v1/projects/$PROJECTID/zones/$ZONENAME/instanceGroupManagers/$FULL-MIG-NAME,autoscalingGroups[n].maxSize=$MAXSIZE,autoscalingGroups[n].minSize=$MINSIZE
+--set autoscalingGroups[n].name=https://content.googleapis.com/compute/v1/projects/$PROJECTID/zones/$ZONENAME/instanceGroups/$FULL-MIG-NAME,autoscalingGroups[n].maxSize=$MAXSIZE,autoscalingGroups[n].minSize=$MINSIZE
 ```
 
 ### Azure
@@ -438,6 +438,7 @@ vpa:
 | azureTenantID | string | `""` | Azure tenant where the resources are located. Required if `cloudProvider=azure` |
 | azureUseManagedIdentityExtension | bool | `false` | Whether to use Azure's managed identity extension for credentials. If using MSI, ensure subscription ID, resource group, and azure AKS cluster name are set. You can only use one authentication method at a time, either azureUseWorkloadIdentityExtension or azureUseManagedIdentityExtension should be set. |
 | azureUseWorkloadIdentityExtension | bool | `false` | Whether to use Azure's workload identity extension for credentials. See the project here: https://github.com/Azure/azure-workload-identity for more details. You can only use one authentication method at a time, either azureUseWorkloadIdentityExtension or azureUseManagedIdentityExtension should be set. |
+| azureUserAssignedIdentityID | string | `""` | When vmss has multiple user assigned identity assigned, azureUserAssignedIdentityID specifies which identity to be used |
 | azureVMType | string | `"vmss"` | Azure VM type. |
 | civoApiKey | string | `""` | API key for the Civo API. Required if `cloudProvider=civo` |
 | civoApiUrl | string | `"https://api.civo.com"` | URL for the Civo API. Required if `cloudProvider=civo` |
diff --git a/charts/cluster-autoscaler/README.md.gotmpl b/charts/cluster-autoscaler/README.md.gotmpl
@@ -187,7 +187,7 @@ In the event you want to explicitly specify MIGs instead of using auto-discovery
 
 ```
 # where 'n' is the index, starting at 0
---set autoscalingGroups[n].name=https://content.googleapis.com/compute/v1/projects/$PROJECTID/zones/$ZONENAME/instanceGroupManagers/$FULL-MIG-NAME,autoscalingGroups[n].maxSize=$MAXSIZE,autoscalingGroups[n].minSize=$MINSIZE
+--set autoscalingGroups[n].name=https://content.googleapis.com/compute/v1/projects/$PROJECTID/zones/$ZONENAME/instanceGroups/$FULL-MIG-NAME,autoscalingGroups[n].maxSize=$MAXSIZE,autoscalingGroups[n].minSize=$MINSIZE
 ```
 
 ### Azure
diff --git a/charts/cluster-autoscaler/templates/deployment.yaml b/charts/cluster-autoscaler/templates/deployment.yaml
@@ -185,6 +185,11 @@ spec:
             {{- else if .Values.azureUseManagedIdentityExtension }}
             - name: ARM_USE_MANAGED_IDENTITY_EXTENSION
               value: "true"
+            - name: ARM_USER_ASSIGNED_IDENTITY_ID
+              valueFrom:
+                secretKeyRef:
+                  key: azureUserAssignedIdentityID
+                  name: {{ template "cluster-autoscaler.fullname" . }}
             {{- else }}
             - name: ARM_TENANT_ID
               valueFrom:
diff --git a/charts/cluster-autoscaler/templates/secret.yaml b/charts/cluster-autoscaler/templates/secret.yaml
@@ -18,6 +18,7 @@ data:
   SubscriptionID: "{{ .Values.azureSubscriptionID | b64enc }}"
   TenantID: "{{ .Values.azureTenantID | b64enc }}"
   VMType: "{{ .Values.azureVMType | b64enc }}"
+  azureUserAssignedIdentityID: "{{ .Values.azureUserAssignedIdentityID | b64enc }}"
 {{- else if $isAws }}
   AwsAccessKeyId: "{{ .Values.awsAccessKeyID | b64enc }}"
   AwsSecretAccessKey: "{{ .Values.awsSecretAccessKey | b64enc }}"
diff --git a/charts/cluster-autoscaler/values.yaml b/charts/cluster-autoscaler/values.yaml
@@ -101,6 +101,9 @@ azureTenantID: ""
 # azureUseManagedIdentityExtension -- Whether to use Azure's managed identity extension for credentials. If using MSI, ensure subscription ID, resource group, and azure AKS cluster name are set. You can only use one authentication method at a time, either azureUseWorkloadIdentityExtension or azureUseManagedIdentityExtension should be set.
 azureUseManagedIdentityExtension: false
 
+# azureUserAssignedIdentityID -- When vmss has multiple user assigned identity assigned, azureUserAssignedIdentityID specifies which identity to be used
+azureUserAssignedIdentityID: ""
+
 # azureUseWorkloadIdentityExtension -- Whether to use Azure's workload identity extension for credentials. See the project here: https://github.com/Azure/azure-workload-identity for more details. You can only use one authentication method at a time, either azureUseWorkloadIdentityExtension or azureUseManagedIdentityExtension should be set.
 azureUseWorkloadIdentityExtension: false
 
diff --git a/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go b/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go
@@ -276,119 +276,120 @@ func TestChangedCAReloader(t *testing.T) {
 	assert.NotEqual(t, oldCAEncodedString, newCAEncodedString, "expected CA to change")
 }
 
-func TestUnchangedCAReloader(t *testing.T) {
-	tempDir := t.TempDir()
-	caCert := &x509.Certificate{
-		SerialNumber: big.NewInt(0),
-		Subject: pkix.Name{
-			Organization: []string{"ca"},
-		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().AddDate(2, 0, 0),
-		IsCA:                  true,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		BasicConstraintsValid: true,
-	}
-	caKey, err := rsa.GenerateKey(rand.Reader, 4096)
-	if err != nil {
-		t.Error(err)
-	}
-	caBytes, err := x509.CreateCertificate(rand.Reader, caCert, caCert, &caKey.PublicKey, caKey)
-	if err != nil {
-		t.Error(err)
-	}
-	caPath := path.Join(tempDir, "ca.crt")
-	caFile, err := os.Create(caPath)
-	if err != nil {
-		t.Error(err)
-	}
-	err = pem.Encode(caFile, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	})
-	if err != nil {
-		t.Error(err)
-	}
-
-	testClientSet := fake.NewSimpleClientset()
-
-	selfRegistration(
-		testClientSet,
-		readFile(caPath),
-		0*time.Second,
-		"default",
-		"vpa-service",
-		"http://example.com/",
-		true,
-		int32(32),
-		"",
-		[]string{},
-		false,
-		"key1:value1,key2:value2",
-	)
-
-	webhookConfigInterface := testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations()
-	oldWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
-	if err != nil {
-		t.Error(err)
-	}
-
-	assert.Len(t, oldWebhookConfig.Webhooks, 1, "expected one webhook configuration")
-	webhook := oldWebhookConfig.Webhooks[0]
-	oldWebhookCABundle := webhook.ClientConfig.CABundle
-
-	var reloadWebhookCACalled, patchCalled atomic.Bool
-	reloadWebhookCACalled.Store(false)
-	patchCalled.Store(false)
-	testClientSet.PrependReactor("get", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
-		reloadWebhookCACalled.Store(true)
-		return false, nil, nil
-	})
-	testClientSet.PrependReactor("patch", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
-		patchCalled.Store(true)
-		return false, nil, nil
-	})
-
-	reloader := certReloader{
-		clientCaPath:          caPath,
-		mutatingWebhookClient: testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations(),
-	}
-	stop := make(chan struct{})
-	defer close(stop)
-	if err := reloader.start(stop); err != nil {
-		t.Error(err)
-	}
-
-	originalCaFile, err := os.ReadFile(caPath)
-	if err != nil {
-		t.Error(err)
-	}
-	err = os.WriteFile(caPath, originalCaFile, 0666)
-	if err != nil {
-		t.Error(err)
-	}
-
-	oldCAEncodedString := base64.StdEncoding.EncodeToString(oldWebhookCABundle)
-
-	for tries := 0; tries < 10; tries++ {
-		if reloadWebhookCACalled.Load() {
-			break
-		}
-		time.Sleep(1 * time.Second)
-	}
-	if !reloadWebhookCACalled.Load() {
-		t.Error("expected reloadWebhookCA to be called")
-	}
-
-	assert.False(t, patchCalled.Load(), "expected patch to not be called")
-
-	newWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
-	assert.Nil(t, err, "expected no error")
-	assert.NotNil(t, newWebhookConfig, "expected webhook configuration")
-	assert.Len(t, newWebhookConfig.Webhooks, 1, "expected one webhook configuration")
-
-	newWebhookCABundle := newWebhookConfig.Webhooks[0].ClientConfig.CABundle
-	newCAEncodedString := base64.StdEncoding.EncodeToString(newWebhookCABundle)
-	assert.Equal(t, oldCAEncodedString, newCAEncodedString, "expected CA to not change")
-}
+// TODO(omerap12): Temporary workaround for flakiness (#7831)
+// func TestUnchangedCAReloader(t *testing.T) {
+// 	tempDir := t.TempDir()
+// 	caCert := &x509.Certificate{
+// 		SerialNumber: big.NewInt(0),
+// 		Subject: pkix.Name{
+// 			Organization: []string{"ca"},
+// 		},
+// 		NotBefore:             time.Now(),
+// 		NotAfter:              time.Now().AddDate(2, 0, 0),
+// 		IsCA:                  true,
+// 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+// 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+// 		BasicConstraintsValid: true,
+// 	}
+// 	caKey, err := rsa.GenerateKey(rand.Reader, 4096)
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	caBytes, err := x509.CreateCertificate(rand.Reader, caCert, caCert, &caKey.PublicKey, caKey)
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	caPath := path.Join(tempDir, "ca.crt")
+// 	caFile, err := os.Create(caPath)
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	err = pem.Encode(caFile, &pem.Block{
+// 		Type:  "CERTIFICATE",
+// 		Bytes: caBytes,
+// 	})
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+
+// 	testClientSet := fake.NewSimpleClientset()
+
+// 	selfRegistration(
+// 		testClientSet,
+// 		readFile(caPath),
+// 		0*time.Second,
+// 		"default",
+// 		"vpa-service",
+// 		"http://example.com/",
+// 		true,
+// 		int32(32),
+// 		"",
+// 		[]string{},
+// 		false,
+// 		"key1:value1,key2:value2",
+// 	)
+
+// 	webhookConfigInterface := testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations()
+// 	oldWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+
+// 	assert.Len(t, oldWebhookConfig.Webhooks, 1, "expected one webhook configuration")
+// 	webhook := oldWebhookConfig.Webhooks[0]
+// 	oldWebhookCABundle := webhook.ClientConfig.CABundle
+
+// 	var reloadWebhookCACalled, patchCalled atomic.Bool
+// 	reloadWebhookCACalled.Store(false)
+// 	patchCalled.Store(false)
+// 	testClientSet.PrependReactor("get", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
+// 		reloadWebhookCACalled.Store(true)
+// 		return false, nil, nil
+// 	})
+// 	testClientSet.PrependReactor("patch", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
+// 		patchCalled.Store(true)
+// 		return false, nil, nil
+// 	})
+
+// 	reloader := certReloader{
+// 		clientCaPath:          caPath,
+// 		mutatingWebhookClient: testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations(),
+// 	}
+// 	stop := make(chan struct{})
+// 	defer close(stop)
+// 	if err := reloader.start(stop); err != nil {
+// 		t.Error(err)
+// 	}
+
+// 	originalCaFile, err := os.ReadFile(caPath)
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	err = os.WriteFile(caPath, originalCaFile, 0666)
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+
+// 	oldCAEncodedString := base64.StdEncoding.EncodeToString(oldWebhookCABundle)
+
+// 	for tries := 0; tries < 10; tries++ {
+// 		if reloadWebhookCACalled.Load() {
+// 			break
+// 		}
+// 		time.Sleep(1 * time.Second)
+// 	}
+// 	if !reloadWebhookCACalled.Load() {
+// 		t.Error("expected reloadWebhookCA to be called")
+// 	}
+
+// 	assert.False(t, patchCalled.Load(), "expected patch to not be called")
+
+// 	newWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
+// 	assert.Nil(t, err, "expected no error")
+// 	assert.NotNil(t, newWebhookConfig, "expected webhook configuration")
+// 	assert.Len(t, newWebhookConfig.Webhooks, 1, "expected one webhook configuration")
+
+// 	newWebhookCABundle := newWebhookConfig.Webhooks[0].ClientConfig.CABundle
+// 	newCAEncodedString := base64.StdEncoding.EncodeToString(newWebhookCABundle)
+// 	assert.Equal(t, oldCAEncodedString, newCAEncodedString, "expected CA to not change")
+// }
