Skip to content

OCPBUGS-4549: azure: fix MS Graph calls on Gov cloud #6844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 2 commits into from
Feb 11, 2023
Merged

OCPBUGS-4549: azure: fix MS Graph calls on Gov cloud #6844

openshift-merge-robot merged 2 commits into from
Feb 11, 2023

Conversation

@r4f4
Copy link
Contributor

@r4f4 r4f4 commented Feb 9, 2023 

When doing API calls to the new MSGraph API, we need to override the URL used to connect to Microsoft Graph national cloud deployments.

This fixes the following error when trying to destroy a Gov cloud cluster:
```
02-07 14:39:50.162  level=debug msg=deleting application registrations
02-07 14:40:36.775  level=debug msg=failed to gather list of Service Principals by tag: Get "https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith%28displayName%2C%20%27$INFRA_ID%27%29%20and%20tags%2Fany%28s%3As%20eq%20%27kubernetes.io_cluster.$INFRA_ID%3Downed%27%29": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```

Notice the usage of `https://graph.microsoft.com/` (global service) instead of `https://graph.microsoft.us/` (US Gov cloud).

https://learn.microsoft.com/en-us/graph/sdks/national-clouds?tabs=go

r4f4 added 2 commits February 9, 2023 17:17
@r4f4
azure: session: dedup authentication code
1004051 
Getting a token credential differs from credentials vs certificates, but
once with have an azcore.TokenCredential object, acquiring authorizers
and creating a new Session object is exactly the same for both methods.

This will be helpful when properly setting up USGov authorization scopes
for both auth methods without duplicating code.
@r4f4
OCPBUGS-4549: azure: fix MS Graph calls on Gov cloud
fea1d3a 
When doing API calls to the new MSGraph API, we need to override the URL
used to connect to Microsoft Graph national cloud deployments.

This fixes the following error when trying to destroy a Gov cloud
cluster:
```
02-07 14:39:50.162  level=debug msg=deleting application registrations
02-07 14:40:36.775  level=debug msg=failed to gather list of Service Principals by tag: Get "https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith%28displayName%2C%20%27$INFRA_ID%27%29%20and%20tags%2Fany%28s%3As%20eq%20%27kubernetes.io_cluster.$INFRA_ID%3Downed%27%29": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```

Notice the usage of `https://graph.microsoft.com/` (global service) instead of
`https://graph.microsoft.us/` (US Gov cloud).

https://learn.microsoft.com/en-us/graph/sdks/national-clouds?tabs=go
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Feb 9, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 9, 2023

@r4f4: This pull request references Jira Issue OCPBUGS-4549, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.0) matches configured target version for branch (4.13.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jinyunma

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

When doing API calls to the new MSGraph API, we need to override the URL used to connect to Microsoft Graph national cloud deployments.

This fixes the following error when trying to destroy a Gov cloud cluster:

02-07 14:39:50.162  level=debug msg=deleting application registrations
02-07 14:40:36.775  level=debug msg=failed to gather list of Service Principals by tag: Get "https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith%28displayName%2C%20%27$INFRA_ID%27%29%20and%20tags%2Fany%28s%3As%20eq%20%27kubernetes.io_cluster.$INFRA_ID%3Downed%27%29": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Notice the usage of https://graph.microsoft.com/ (global service) instead of https://graph.microsoft.us/ (US Gov cloud).

https://learn.microsoft.com/en-us/graph/sdks/national-clouds?tabs=go

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@patrickdillon
Copy link
Contributor

patrickdillon commented Feb 10, 2023

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 10, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 10, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 10, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 10, 2023

/retest-required

Remaining retests: 0 against base HEAD e28b058 and 2 for PR HEAD fea1d3a in total

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 10, 2023

@r4f4: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure-ovn-resourcegroup fea1d3a link false /test e2e-azure-ovn-resourcegroup
ci/prow/e2e-aws-ovn-workers-rhel8 fea1d3a link false /test e2e-aws-ovn-workers-rhel8
ci/prow/e2e-azurestack fea1d3a link false /test e2e-azurestack
ci/prow/e2e-aws-ovn-upgrade fea1d3a link false /test e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 546c3a6 into openshift:master Feb 11, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 11, 2023

@r4f4: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-4549 has been moved to the MODIFIED state.

Details

In response to this:

When doing API calls to the new MSGraph API, we need to override the URL used to connect to Microsoft Graph national cloud deployments.

This fixes the following error when trying to destroy a Gov cloud cluster:

02-07 14:39:50.162  level=debug msg=deleting application registrations
02-07 14:40:36.775  level=debug msg=failed to gather list of Service Principals by tag: Get "https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith%28displayName%2C%20%27$INFRA_ID%27%29%20and%20tags%2Fany%28s%3As%20eq%20%27kubernetes.io_cluster.$INFRA_ID%3Downed%27%29": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Notice the usage of https://graph.microsoft.com/ (global service) instead of https://graph.microsoft.us/ (US Gov cloud).

https://learn.microsoft.com/en-us/graph/sdks/national-clouds?tabs=go

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jinyunma jinyunma Awaiting requested review from jinyunma

@jhixson74 jhixson74 Awaiting requested review from jhixson74

@mtulio mtulio Awaiting requested review from mtulio

Assignees

@patrickdillon patrickdillon

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@r4f4 @openshift-ci-robot @patrickdillon @openshift-merge-robot