Merge #148328 #153078

craig[bot] · golgeek · andyyang890 · craig[bot] · commit dbdfb73b8e02 · 2025-09-08T18:15:42.000Z
148328: roachprod: azure vm identity and role assignment r=golgeek a=golgeek Previously Azure VMs didn't have an identity attached at creation, which meant they couldn't perform actions requiring authentication via the Azure metadata server. As some roachtests require access to an Azure storage container to pull and push fixtures, a User Managed Identity will now be assigned to the VMs at creation in order to simplify the credentials management. One `rp-roachtest` UMI has been created in each subscription used to run roachtests. These UMIs have been assigned a `roachtest` role that grants blob management in Azure storage containers in the same subscription. Since VMs are only attached a single identity, this is compatible with `DefaultAzureCredential` without specifying any other credentials. The subscription scope ensures that no test-production fixtures will be created or updated during tests development (in the `Sponsorship` sub), and that the nightly tests triggered from TeamCity (in the `e2e-infra` sub) will always be isolated. This requires the creation of one storage account per subscription roachtests are triggered on, and will require the tests to implement logic to determine the storage account to use based on the current subscription ID, which can be accessed via the `AZURE_SUBSCRIPTION_ID` environment variable. Resolves #149811 Epic: none Release note: None 153078: jobfrontier: change Get to accept read-only frontier r=msbutler a=andyyang890 **span: redefine Frontier in terms of ReadOnlyFrontier** The `ReadOnlyFrontier` interface is a strict subset of `Frontier` and to reduce duplicate code, this commit redefines `Frontier` in terms of `ReadOnlyFrontier`. Release note: None --- **jobfrontier: change Get to accept read-only frontier** This patch changes `Get` to accept a read-only frontier to prevent any accidental modification of the passed-in frontier. Release note: None --- Epic: None Co-authored-by: Ludovic Leroux <ludo.leroux@cockroachlabs.com> Co-authored-by: Andy Yang <yang@cockroachlabs.com>
diff --git a/pkg/jobs/jobfrontier/frontier.go b/pkg/jobs/jobfrontier/frontier.go
@@ -82,7 +82,11 @@ func Get(
 // InfoStorage keys are prefixed with "frontier/", the passed name, and then a
 // chunk identifier.
 func Store(
-	ctx context.Context, txn isql.Txn, jobID jobspb.JobID, name string, frontier span.Frontier,
+	ctx context.Context,
+	txn isql.Txn,
+	jobID jobspb.JobID,
+	name string,
+	frontier span.ReadOnlyFrontier,
 ) error {
 	return storeChunked(ctx, txn, jobID, name, frontier, 2<<20 /* 2mb */)
 }
@@ -92,7 +96,7 @@ func storeChunked(
 	txn isql.Txn,
 	jobID jobspb.JobID,
 	name string,
-	frontier span.Frontier,
+	frontier span.ReadOnlyFrontier,
 	chunkSize int,
 ) error {
 	infoStorage := jobs.InfoStorageForJob(txn, jobID)
diff --git a/pkg/roachprod/vm/azure/azure.go b/pkg/roachprod/vm/azure/azure.go
@@ -46,6 +46,12 @@ const (
 	remoteUser   = "ubuntu"
 	tagComment   = "comment"
 	tagSubnet    = "subnetPrefix"
+
+	// UserManagedIdentity expected to exist in the subscription.
+	// This identity will be associated to the VMs and will grant permissions
+	// for roachprod testing.
+	userManagedIdentityName          = "rp-roachtest"
+	userManagedIdentityResourceGroup = "rp-roachtest"
 )
 
 // providerInstance is the instance to be registered into vm.Providers by Init.
@@ -983,6 +989,17 @@ func (p *Provider) createVM(
 		Location: group.Location,
 		Zones:    to.StringSlicePtr([]string{zone.AvailabilityZone}),
 		Tags:     tags,
+		Identity: &compute.VirtualMachineIdentity{
+			Type: compute.ResourceIdentityTypeUserAssigned,
+			UserAssignedIdentities: map[string]*compute.UserAssignedIdentitiesValue{
+				fmt.Sprintf(
+					"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s",
+					sub,
+					userManagedIdentityResourceGroup,
+					userManagedIdentityName,
+				): {},
+			},
+		},
 		VirtualMachineProperties: &compute.VirtualMachineProperties{
 			HardwareProfile: &compute.HardwareProfile{
 				VMSize: compute.VirtualMachineSizeTypes(providerOpts.MachineType),
@@ -1102,6 +1119,7 @@ func (p *Provider) createVM(
 	if err = future.WaitForCompletionRef(ctx, client.Client); err != nil {
 		return
 	}
+
 	return future.Result(client)
 }
 
diff --git a/pkg/util/span/frontier.go b/pkg/util/span/frontier.go
@@ -27,18 +27,14 @@ import (
 // Frontier is not safe for concurrent modification, but MakeConcurrentFrontier
 // can be used to make thread safe frontier.
 type Frontier interface {
+	ReadOnlyFrontier
+
 	// AddSpansAt adds the provided spans to the frontier at the provided timestamp.
 	// If the span overlaps any spans already tracked by the frontier, the tree is adjusted
 	// to hold union of the span and the overlaps, with all entries assigned startAt starting
 	// timestamp.
 	AddSpansAt(startAt hlc.Timestamp, spans ...roachpb.Span) error
 
-	// Frontier returns the minimum timestamp being tracked.
-	Frontier() hlc.Timestamp
-
-	// PeekFrontierSpan returns one of the spans at the Frontier.
-	PeekFrontierSpan() roachpb.Span
-
 	// Forward advances the timestamp for a span. Any part of the span that doesn't
 	// overlap the tracked span set will be ignored. True is returned if the
 	// frontier advanced as a result.
@@ -49,6 +45,16 @@ type Frontier interface {
 	// letting a frontier be GCed is safe in that it won't cause a memory leak,
 	// but it will prevent frontier nodes from being efficiently re-used.
 	Release()
+}
+
+// ReadOnlyFrontier is a subset of Frontier with only the methods
+// that are read-only.
+type ReadOnlyFrontier interface {
+	// Frontier returns the minimum timestamp being tracked.
+	Frontier() hlc.Timestamp
+
+	// PeekFrontierSpan returns one of the spans at the Frontier.
+	PeekFrontierSpan() roachpb.Span
 
 	// Entries returns an iterator over the entries in the frontier.
 	// Updates to the frontier are restricted until iteration is stopped.
diff --git a/pkg/util/span/multi_frontier.go b/pkg/util/span/multi_frontier.go
@@ -241,19 +241,6 @@ func (f *MultiFrontier[P]) String() string {
 	return buf.String()
 }
 
-// ReadOnlyFrontier is a subset of Frontier with only the methods
-// that are read-only.
-type ReadOnlyFrontier interface {
-	Frontier() hlc.Timestamp
-	PeekFrontierSpan() roachpb.Span
-	Entries() iter.Seq2[roachpb.Span, hlc.Timestamp]
-	SpanEntries(span roachpb.Span) iter.Seq2[roachpb.Span, hlc.Timestamp]
-	Len() int
-	String() string
-}
-
-var _ ReadOnlyFrontier = Frontier(nil)
-
 // Frontiers returns an iterator over the sub-frontiers (with read-only access).
 func (f *MultiFrontier[P]) Frontiers() iter.Seq2[P, ReadOnlyFrontier] {
 	return func(yield func(P, ReadOnlyFrontier) bool) {
