Description
A Kubernetes community meeting about the Azure provider for Cluster API. Cluster API brings familiar, declarative APIs to Kubernetes cluster creation, configuration, and management.
We would love for you to join us! Follow along and set discussion topics at:
http://bit.ly/k8s-capz-agenda
A
Okay, now we are, I'm just talking. All right, we're ready to go. Cool. Welcome everybody, thanks for coming. It's March 4th! This is the Cluster API Azure provider meeting. We are a project under SIG Lifecycle and Cluster API. Cluster API is the main project and we're here to talk about the Azure support for Cluster API. As we're a Kubernetes meeting, please follow the standard guidelines, which basically boil down to: be nice to everyone.
A
A
Is there anybody new or wants to introduce themselves or tell a joke or do something random? This is a good time for.
A
B
B
A
Sometimes I have to click this little button that says, what is it in English, "optimize for video clip", and I bet this will fix it. Oh my, but now I have to install some driver.
A
C
Yeah, so all the new types are merged in, and if you have an existing PR you'd have to rebase. And if you're making any changes in the api folder or changing types, please just make sure they're in the v1alpha4 folder, and so move them from where you are. When you rebase it might already happen, but make sure they're in the v1alpha4 types, and if you need help with something, please reach out, if something is like broken or whatever.
C
And that's, like, we haven't yet done the actual changes to v1alpha4, to change them to, like, the new breaking changes that we're expecting to do, and removing all the deprecated stuff. There are issues for these things, but we haven't done them yet. This was just pretty much moving things as is.
C
We just, no. This is just moving the types as they were in v1alpha3. So we had like a list of new things that we wanted to do that will be breaking, that we're waiting to be on alpha 4 for. These ones haven't happened yet. There are like different issues for each one of them, or a bunch of issues, and there's a list of deprecated stuff that had the deprecated tag that we said we would remove when we have v1alpha4, which also hasn't been removed yet.
A
D
Yeah, so we have been plagued lately with some VMSS test failures, most often cropping up in Windows, but oddly these were actually not related to Windows. It was actually just an artifact caused by the amount of time that it took a Windows node to come up, which is slightly longer than it takes a Linux VMSS to come up.
D
So what we found was happening is that the change made to make VMSS asynchronous, meaning that it starts a create or a patch, eventually reconciling several times, possibly, and then eventually seeing that the create or the patch had succeeded or failed. Perhaps this asynchronous behavior enabled the controller to start patching, and then it would come back and it would see that, say, the bootstrap secret had changed or, in the Windows case, the admin password had mutated.
D
D
The operation never actually terminated, because each time, eventually, we would end up running into another change to the bootstrap secret or to the admin password, causing it to re-patch again, causing this to never get into a settled state, never get into succeeded. Now, occasionally it did, and so occasionally we would see this pass.
D
This non-deterministic behavior ended up being caused by this timing issue and by the mutation of the actual model. So in 1197, what we did is we changed the way that we calculate the hash for the model, and that hash for the model is now calculated sans the admin password and the custom data blob, which is the string, the bootstrap data secret. So that's what's there.
D
Hopefully this eliminates those issues, and we will probably be eliminating the hash as well, to do just an actual comparison of the models in upcoming VMSS work. So anybody have any questions about this?
E
D
So the password is only needed on the first, on the create of Windows VMSS.
F
Yeah, and so just so, cloudbase, so we're using cloudbase-init on the Windows side, which is kind of a cross-platform version of cloud-init, and we've configured cloudbase-init to generate a password on first boot, a completely random password. So that initial password that we give Windows is just to satisfy Azure's requirements, and then the password is completely random on the Windows side. It's a 120 character random string and the way.
D
Yeah, we really wanted to, you know, try to be as sure as possible. These kind of issues are pernicious. You know, they're just slight odd little timing issues, but they crop up and they're just evil. So if anybody does see something like this occurring, please alert me or anybody else and open an issue and we'll get some eyes on it.
A
Well, thanks for taking notes, Cecile. I probably could have done both, but I was lazy. Any questions about this PR and the VMSS test failures that we're hopefully clear of now?
B
Yeah, it's actually like not the same VMSS, or at least it's not about VMSS, but some of you might have run into this error before when you try to provision a, or you're exposing a service on your Kubernetes cluster, and you wait for cloud provider to add the LB rules and all of that and reconcile the load balancer and then expose a public IP for your service, or an internal service.
B
Same thing, you get this like "not a vmss" error in the cloud provider logs, so controller manager logs. So I have been digging into this a little bit more this week, and so I just wanted to give some updates. So, first of all, this error, it doesn't always mean the same thing. When it happens, you can see that error, and then it eventually succeeds. That's something that you know.
B
If you see that error in the logs, it probably means that it hasn't found the VMs yet because the cache hasn't refreshed. So that's one thing. The second thing is, there is this error which we've identified, and James did a really good job at narrowing it down, and what he wrote in this issue helped me a ton. But it's basically, if you have, and we've seen this happen mostly when you have one control plane.
B
B
Yet it will not know about the new VMs that join for the new nodes, and there is this logic in there that, for a new node, checks when it wants to add it to the load balancer, like, is it a VM or is it a VMSS? And what it does is, if it doesn't find it in the VM cache, it assumes it's a VMSS, and the issue with that is the VM
B
cache might not always be up to date. And this happens for CAPZ because we're using, sorry, I'm getting a bit into the weeds, but I'm happy to go over some of the details again if I'm being very confusing. But in CAPZ, what we're doing is we're kind of cheating in cloud provider and we're using the vmss VM type for all clusters. We're setting that by default in the Azure cloud provider config on the user's behalf, and the reason we're doing
B
that is because we were advised by the cloud provider maintainers that that's the way to allow clusters to have both virtual machines and scale sets in the same cluster, like mixed nodes clusters, essentially. And so that's what we're doing, and so that's why there's that logic that checks if it's a VM or if it's a VMSS. But it's a little hacky, because it's kind of like assuming it's a VMSS unless it's not, and so I have a few attempts to fix it in that issue.
B
It's not very pretty because, essentially, we don't want to refresh the cache every time, because otherwise that means people who are actually just using VMSS are going to get cache misses every single time when we try to find the VM, and it's going to refresh the cache every single time.
B
So the second attempt I have is just to try to only refresh the cache if the node that we're looking for was not there last time we got the cache. Oh, David's gonna expose me, or Matt is gonna expose me and show my code in front of everyone. But it's not tested yet, but yeah, essentially, I'm like keeping the nodes cache and, like, node names, and then trying to see if something got added since last time. Anyways.
B
So I will try to, yeah, follow up with that, and so that's one thing. And if you're running into that error, but it seems different, as in it's not eventually succeeding after 15 minutes, then that's probably a different issue, and we need to look into that. I think Nader mentioned in Slack that there was one time where he was running into that and it turned out to be there was a public IP quota issue, so it was never successful. But that's probably bad errors in the cloud provider.
B
So we need to make that better, so yeah.
B
Sorry that was, what, does anyone have any questions? Any comments on your own experience? All right.
B
B
So that's kind of what I was suggesting as a workaround to Sean, who's asking about this issue in Slack, was, if you know you're not going to care about VMSS and you're not going to use VMSS, then maybe for now we just unblock you by setting it to standard. What I do want to do, though, is I want to work on a proposal for cloud provider to have like a truly mixed, like hybrid mode, that doesn't care what types the VMs are. Could be VMs.
B
It could be VMSS, and then I think eventually that should be the default, because the only reason we have standard and vmss is because basic load balancers don't support both. But if you're using a standard load balancer, which, like, most folks are these days, it's kind of the new default, and CAPZ doesn't even support basic load balancers, then in that case you can use both. It doesn't matter.
B
D
So, point of clarification real quick, Cecile. Yeah, you're saying that you would remove standard or vmss and cloud provider would just work?
B
I'm saying I would only require the VM type field if you're using basic load balancers. And so, if you're using basic load balancer, you have to say standard or vmss, and you can't use mixed. It has to be one or the other. If you're using standard load balancers, then we assume you're just using both, and you can use one or the other or both, it doesn't matter.
C
The other quick question is, you said if you have like multiple control planes, that would make this less probable to happen. Is that true?
B
Yeah, the reason for that is that specific 15-minute delay because of the cache. It's because, we think, the leader election occurs if a new control plane joins, and controller manager fetches the cache again, so it has a fresher cache. And in CAPZ, or in Cluster API, you know how, if you have several control planes, the first control plane joins and then the worker nodes start joining, and so very likely your worker nodes are going to have joined the cluster before your last control plane joins the cluster.
C
A
B
A
All right, so that's the end of the agenda we've written down. Do we have any other questions or topics or randomness anybody wants to bring up? David.
C
D
So I don't think it's, I don't think this, maybe some of the stuff in there is good, but more so having the other group.
D
So we have another API group. Is that really how we want to do this? Is it annoying? Is it like going to break people in the future? Like, what do we want to do? How do we tell users?
D
B
Why would we get rid of exp, like exp, the folder? I completely agree about the API grouping. I think we should change the API group thing. I think we shouldn't have used a different API group to start with, so the sooner we rip off that band-aid, the better, and now that we have the v1alpha4 types.
B
We should do that ASAP, but I don't think we're ready to get rid of the experimental folder, right? And so I think the way you tell users is, you have a feature gate for those and they're disabled by default, and they're in the experimental folder with a readme that says this is experimental, use at your own risk, like we have.
D
I'm just thinking about when you start adding resources or something like that, and now you're in the experimental folder, has its own project. It has its own, like, the tooling doesn't work quite right. You know, like builder create api.
D
C
B
One thing I will say, kind of counter to that, is I think there is also like something good about being able to develop in a completely isolated folder and not mess with, like, other types and other controllers and like helpers and everything, and I'm seeing that especially with the example in CAPI with the operator right now.
B
D
So I think the takeaway from that is, if you are gonna generate something experimental, you can still do that. You just are going to have to move it into a different Go path, and it's going to have a different folder directory, which is totally cool. That makes a lot of sense. It's just our configs,
D
our YAMLs, we're going to have to take into account, and probably put it into the generation tasks to look into those folders and make sure it's generated with the proper API versions and groups and stuff. Excuse me.
B
No changes in CAPI, but CAPI also has an issue open that actually I'm assigned to, so I should get back to, that reminds me, to change the API group for machine pool, because machine pool also uses the different API group. But cluster resource set, which is also experimental, was added with the same API group as the other normal types.
H
B
That's the open question on the table. I think we're leaning for no, but because it's experimental and it would just add a lot of complexity to implement. Like, we could do it. You have to basically have a controller that generates the new type, like for the new resource, from the old one. But I think we haven't also.
B
What we need to do is see if there's anyone out there who comes out and says, hey, I need this, I'm using it, and I need this to keep working. But what I would personally prefer is if we were able to break it but break it once, as in we change the API group, but we also take it out of experimental. So it's like, okay, now we're duplicating the experimental type and you're gonna have to recreate a new one with the new non-experimental type.
B
But now it's not experimental anymore, so you can rely on it. The problem is we move it out of that API group into a new API group in the experimental folder, and now it's like, okay, well, you have to go through that, but it's still not guaranteed that in the future we're not going to break you again.
H
Yeah, I mean, I can give one example right now: at Giant Swarm we are using the machine pool and Azure machine pool. So I guess if there would be no support for conversion in CAPI or CAPZ, we would probably have to do it. So yeah, I know, maybe we could work together on that in that case, to have it in CAPI or CAPZ, you know, the support for converting old CRs to the new ones.
D
Issue, and let's make a plan and then open and, like, link it to the corresponding issue in CAPI. Yeah, Nicole, if you are able to comment on that issue, just, you know, express your concerns, and just "this will hurt, please help us".
A
A
Cool. Any other questions about exp and API groups?
H
Yeah, one small question. So I asked already in channel about if the capz-system namespace can be customized. Now, do you replied, so I'll open an issue, but are there some comments from other folks maybe? So in clusterctl init there is a parameter to specify target namespace, so the controllers can be deployed in any namespace you specify.
H
This is not related to experimental, just a general CAPZ question. So currently in CAPZ, I think Azure identity is using the capz-system namespace, there's a constant that uses it. So are there some concerns around making it possible to specify a different namespace and having CAPZ stuff in a different namespace?
H
I didn't try, to be honest, but one of the colleagues tested it and stuff got deployed in a customized namespace. So he managed to create a cluster, but I'm not sure which provider he used, so.
E
B
Yeah, but I think it's a gap in the identity implementation if we have a hard-coded namespace that's not configurable, and I think we had seen that in the PR, actually. It's just that at the time, I think there's like discussion around it in the PR, and we ended up not fixing that or not knowing how to fix it. But I think we should look into that again. Okay, I'll open an issue in does.
B
Yeah, or it might just be a fix in clusterctl actually too, because I assume the way it's like changing, because when you specify target namespace, how does it, like, I haven't looked at the code, but I assume it does something to change the namespace of the infrastructure provider resources, right? And so maybe it needs to do it to all the resources, like even the custom ones.
B
H
I
Hey, I thought to my, I thought clusterctl doesn't care about what's, I guess, in the input YAML. It kind of just does the substitutions, but maybe there's only a list of resources that it does support. But yeah, I would give this a try before even calling it.
C
Well, the identity one for sure will need something you need to change about it, but the other one might be fine, because.
C
B
B
C
B
H
About, what about Giant Swarm? Yeah, we are still experimenting, so we are not still running CAPZ controllers, but I believe I read somewhere that it's recommended to build our own images, so we were talking about doing that. But for now, in our tests, we are using whatever CAPZ has in the repo from Google Cloud.
B
Okay, I was just curious because, like, that's something, yeah, I'm just trying to make it easy and clear for users to build their own custom images, because I think right now it's a little bit confusing and it's also not always very obvious that you should. Like, we're trying to make the documentation say that very clearly, but I think it's easy to not read it and just use whatever is the default. So I wanted to see if anyone had experiences around that. Thanks.