Merge pull request #5463 from k8s-infra-cherrypick-robot/cherry-pick-5451-to-release-1.18

[release-1.18] Tiltfile aks as mgmt improvements

Author: k8s-ci-robot

Makefile

@@ -753,6 +753,7 @@ kind-create: $(KUBECTL) ## Create capz kind cluster if needed.
 .PHONY: aks-create
 aks-create: $(KUBECTL) ## Create aks cluster as mgmt cluster.
 	./scripts/aks-as-mgmt.sh
+	MANIFEST_IMG=$(CONTROLLER_IMG) MANIFEST_TAG=$(TAG) $(MAKE) set-manifest-image
 
 .PHONY: tilt-up
 tilt-up: install-tools ## Start tilt and build kind cluster if needed.

Tiltfile

@@ -156,11 +156,8 @@ development will span both CAPZ and CAPI, then follow the [CAPI and CAPZ instruc
 <aside class="note warning">
   <h2>Warning</h2>
   <p>
-    To use an internal load balancer (ILB) intra-cluster node-apiserver traffic in your workload cluster, follow the
-    instructions in the
-    <a href="#tilt-for-dev-using-internal-load-balancer-ilb-for-intra-cluster-node-apiserver-traffic">
-      Tilt for Dev: Internal LB for Cluster VNet Communication
-    </a> section.
+    To use an internal load balancer (ILB) for intra-cluster node-apiserver traffic in your workload cluster, please refer to the
+    <a href="./tilt-with-aks-as-mgmt-ilb.md">Tilt with AKS as Management Cluster</a> guide.
   </p>
 </aside>
 
@@ -262,6 +259,8 @@ make delete-workload-cluster
 
 #### Tilt for dev using internal load balancer (ILB) for intra-cluster node-apiserver traffic
 
+
+
 This flow is for developers who want to leverage the internal load balancer for intra-cluster node-apiserver traffic.
 You can achieve this by setting the `EXP_APISERVER_ILB` environment variable to `true` in your shell (run `export EXP_APISERVER_ILB=true`) and then create the CAPZ management cluster.
 

docs/book/src/developers/development.md

@@ -0,0 +1,124 @@
+# Tilt with AKS as Management Cluster with Internal Load Balancer
+
+## Introduction
+This guide is explaining how to set up and use Azure Kubernetes Service (AKS) as a management cluster for Cluster API Provider Azure (CAPZ) development using Tilt and an internal load balancer (ILB).
+
+While the default Tilt setup recommends using a KIND cluster as the management cluster for faster development and experimentation, this guide demonstrates using AKS as an alternative management cluster. We also cover additional steps for working with stricter network policies - particularly useful for organizations that need to maintain all cluster communications within their Azure Virtual Network (VNet) infrastructure with enhanced access controls.
+
+### Who is this for?
+- Developers who want to use AKS as the management cluster for CAPZ development.
+- Developers working in environments with strict network security requirements.
+- Teams that need to keep all Kubernetes API traffic within Azure VNet
+
+
+**Note:** This is not a production ready solution and should not be used in a production environment. This is only meant to be used for development/testing purposes.
+
+### Prerequisites
+- All [general CAPZ prerequisites](../getting-started.md#prerequisites) should be satisfied
+- Basic understanding of Azure networking concepts.
+- Familiarity with Cluster API and CAPZ.
+- Tilt installed on your development machine.
+- `export REGISTRY=<registry_of_your-choice>` set to the registry of your choice.
+- If `tilt-settings.yaml` file exists in the root of your repo, clear out any values in `kustomize_settings` unless you want to use them instead of the values that will be set by running `make aks-create`.
+
+## Using Tilt with AKS as the Management Cluster
+
+To use Tilt with AKS as the management cluster, you need to run the following commands:
+- `make clean`
+- `make generate`
+- `make acr-login`
+- `make aks-create`
+- `make tilt-up`
+
+Using the tilt UI, click on the flavors you want to deploy and CAPZ will deploy the workload cluster with the selected flavor.
+
+## Leveraging internal load balancer
+
+By default using Tilt with Cluster API Provider Azure (CAPZ), the management cluster is exposed via a public endpoint. This works well for many development scenarios but presents challenges in environments with strict network security requirements.
+
+
+### Challenges and Solutions
+
+1. **Management to Workload Cluster Connectivity**
+
+   **Scenario:**
+   - Management cluster cannot connect to workload cluster's API server via workload cluster's FQDN.
+
+   **Solution:**
+   - Peer management and workload cluster VNets.
+   - Set Workload cluster API server replica count to 3. (Default is 1 when using KIND as the management cluster).
+      - This is done by setting `CONTROL_PLANE_MACHINE_COUNT` to 3 in the tilt-settings.yaml file.
+      - `make aks-create` will set this value to 3 for you.
+   - Create a internal load balancer (ILB) with the workload cluster's apiserver VMs as its backend pool in the workload cluster's VNet.
+      - This is achieved by setting `EXP_INTERNAL_LB=true`. `EXP_INTERNAL_LB` is set to `true` by default when running `make tilt-up`.
+   - Create private DNS zone with workload cluster's apiserver FQDN as its record to route management cluster calls to workload cluster's API server private IP.
+      - As of current release, a private DNS zone is automatically created in the tilt workflow for `apiserver-ilb` and `windows-apiserver-ilb` flavors.
+
+2. **Workload Cluster Node Communication**
+
+   **Scenario:**
+   - Workload cluster worker nodes should not be able to communicate with their workload cluster's API server's FQDN.
+
+   **Solution:**
+   - Update `/etc/hosts` on worker nodes via preKubeadmCommands in the `KubeadmConfigTemplate` with `- echo '${AZURE_INTERNAL_LB_PRIVATE_IP}   ${CLUSTER_NAME}-${APISERVER_LB_DNS_SUFFIX}.${AZURE_LOCATION}.cloudapp.azure.com' >> /etc/hosts`
+      - This essentially creates a static route (using the ILB's private IP) to the workload cluster's API server (FQDN) in the worker nodes.
+      - Deploying `apiserver-ilb` or `windows-apiserver-ilb` flavor will deploy worker nodes of the workload cluster with the private IP of the ILB as their default route.
+
+3. **Network Security Restrictions**
+
+   **Scenario:**
+   - Critical ports needed for management cluster to communicate with workload cluster.
+   - ports:
+     - `TCP: 443, 6443`
+     - `UDP: 53`
+
+   **Solution:**
+   - Once tilt UI is up and running, click on the `allow required ports on mgmt cluster` task to allow the required ports on the management cluster's API server.
+
+4. **Load Balancer Hairpin Routing**
+
+   **Challenge:**
+   - Workload cluster's control plane fails to bootstrap due to internal LB connectivity timeouts.
+   - Single control plane node setup causes hairpin routing issues.
+
+   **Solution:**
+   - Use 3 control plane nodes in a stacked etcd setup.
+      - Using aks as management cluster sets `CONTROL_PLANE_MACHINE_COUNT` to 3 by default.
+
+### Flavors leveraging internal load balancer
+- `cluster-template-apiserver-ilb.yaml`
+- `cluster-template-windows-apiserver-ilb.yaml`
+
+#### Tilt Workflow for AKS as Management Cluster with Internal Load Balancer
+
+- In tilt-settings.yaml, set subscription_type to "corporate" and remove any other env values unless you want to override env variables created by `make aks-create`. Example:
+   ```
+   .
+   .
+   kustomize_substitutions:
+   "SUBSCRIPTION_TYPE": "corporate"
+   .
+   ```
+- `make clean`
+  - This make target does not need to be run every time. Run it to remove bin and kubeconfigs.
+- `make generate`
+  - This make target does not need to be run every time. Run it to update your go related targets, manifests, flavors, e2e-templates and addons.
+  - Run it periodically upon updating your branch or if you want to make changes in your templates.
+- `make acr-login`
+  - Run this make target if you have `REGISTRY` set to an Azure Container Registry.
+- `make aks-create`
+  - Run this target to bring up an AKS cluster.
+  - Once the AKS cluster is created, you can reuse the cluster as many times as you like. Tilt ensures that the new image gets deployed every time there are changes in the Tiltfile and/or dependent files.
+  - Running `make aks-create` cleans up any existing `aks_as_mgmt_settings`.
+- `make tilt-up`
+  - Run this target to use underlying cluster being pointed by your `KUBECONFIG`.
+
+Once the tilt UI is up and running
+- Click on the `allow required ports on mgmt cluster` task to allow the required ports on the management cluster's API server.
+   - Note: This task will wait for the NSG rules to be created and then update them to allow the required ports.
+   - This task will take a few minutes to complete.
+   - This target can run in parallel and independent of deploying any cluster flavors.
+- Click on the flavors you want to deploy and CAPZ will deploy the workload cluster with the selected flavor.
+   - Flavors that leverage internal load balancer are:
+     - `apiserver-ilb`
+     - `windows-apiserver-ilb`

docs/book/src/developers/tilt-with-aks-as-mgmt-ilb.md

@@ -20,18 +20,29 @@ set -o pipefail
 SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
 ROOT_PATH="$(cd "${SCRIPT_DIR}"/.. && pwd)"
 
-VERSION="0.29.0"
+VERSION="v8.0.3"
 
 MODE="check"
 
 if [[ "$*" == "fix" ]]; then
   MODE="fix"
 fi
 
-if [[ "${OSTYPE}" == "linux"* ]]; then
-  BINARY="buildifier"
-elif [[ "${OSTYPE}" == "darwin"* ]]; then
-  BINARY="buildifier.mac"
+OS="$(uname -s)"
+ARCH="$(uname -m)"
+
+# Determine OS-specific binary name
+if [[ "${OS}" == "Linux" ]]; then
+  BINARY="buildifier-linux"
+elif [[ "${OS}" == "Darwin" ]]; then
+  BINARY="buildifier-darwin"
+fi
+
+# Append architecture suffix for the appropriate binary
+if [[ "${ARCH}" == "x86_64" ]] || [[ "${ARCH}" == "amd64" ]]; then
+  BINARY="${BINARY}-amd64"  # No change needed, this is the default
+elif [[ "${ARCH}" == "arm64" ]] || [[ "${ARCH}" == "aarch64" ]]; then
+  BINARY="${BINARY}-arm64"
 fi
 
 # create a temporary directory
@@ -68,4 +79,4 @@ fi
 
 echo "Running buildifier..."
 cd "${ROOT_PATH}" || exit
-"${BUILDIFIER}" -mode=${MODE} Tiltfile >> "${OUT}" 2>&1
+"${BUILDIFIER}" -mode=${MODE} -v Tiltfile >> "${OUT}" 2>&1

hack/verify-starlark.sh

@@ -95,7 +95,7 @@ main() {
   fi
 
   create_aks_cluster
-  set_env_varaibles
+  set_env_variables
 }
 
 create_aks_cluster() {
@@ -197,61 +197,75 @@ create_aks_cluster() {
   ASO_CREDENTIAL_SECRET_MODE="podidentity"
 }
 
-set_env_varaibles(){
+set_env_variables(){
+  # Ensure temporary files are removed on exit.
+  trap 'rm -f tilt-settings-temp.yaml tilt-settings-new.yaml combined_contexts.yaml' EXIT
+
+  # Create a temporary settings file based on current environment values.
   cat <<EOF > tilt-settings-temp.yaml
-kustomize_substitutions:
-  AKS_RESOURCE_GROUP: "${AKS_RESOURCE_GROUP}"
-  AKS_NODE_RESOURCE_GROUP: "${AKS_NODE_RESOURCE_GROUP}"
+aks_as_mgmt_settings:
   AKS_MGMT_VNET_NAME: "${AKS_MGMT_VNET_NAME}"
-  MGMT_CLUSTER_NAME: "${MGMT_CLUSTER_NAME}"
+  AKS_NODE_RESOURCE_GROUP: "${AKS_NODE_RESOURCE_GROUP}"
+  AKS_RESOURCE_GROUP: "${AKS_RESOURCE_GROUP}"
+  APISERVER_LB_DNS_SUFFIX: "${APISERVER_LB_DNS_SUFFIX}"
+  ASO_CREDENTIAL_SECRET_MODE: "${ASO_CREDENTIAL_SECRET_MODE}"
+  AZURE_CLIENT_ID: "${AKS_MI_CLIENT_ID}"
   AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY: "${AKS_MI_CLIENT_ID}"
+  AZURE_LOCATION: "${AZURE_LOCATION}"
   CI_RG: "${MANAGED_IDENTITY_RG}"
-  USER_IDENTITY: "${MANAGED_IDENTITY_NAME}"
   CLUSTER_IDENTITY_TYPE: "UserAssignedMSI"
-  ASO_CREDENTIAL_SECRET_MODE: "${ASO_CREDENTIAL_SECRET_MODE}"
+  CONTROL_PLANE_MACHINE_COUNT: "3"
+  MGMT_CLUSTER_NAME: "${MGMT_CLUSTER_NAME}"
   REGISTRY: "${REGISTRY}"
-  APISERVER_LB_DNS_SUFFIX: "${APISERVER_LB_DNS_SUFFIX}"
+  USER_IDENTITY: "${MANAGED_IDENTITY_NAME}"
+  WORKER_MACHINE_COUNT: "1"
 allowed_contexts:
-  - "$MGMT_CLUSTER_NAME"
+  - "${MGMT_CLUSTER_NAME}"
   - "kind-capz"
-azure_location: "${AZURE_LOCATION}"
 EOF
 
-# create tilt-settings.yaml if it does not exist
-if [ -f tilt-settings.yaml ]; then
-  echo "tilt-settings.yaml exists"
-else
-  echo "tilt-settings.yaml does not exist, creating one"
-  touch tilt-settings.yaml
-fi
+  # create tilt-settings.yaml if it does not exist
+  if [ -f tilt-settings.yaml ]; then
+    echo "tilt-settings.yaml exists"
+  else
+    echo "tilt-settings.yaml does not exist, creating one"
+    touch tilt-settings.yaml
+  fi
 
-# copy over the existing allowed_contexts to tilt-settings.yaml if it does not exist
-allowed_contexts_exists=$(yq eval '.allowed_contexts' tilt-settings.yaml)
-if [ "$allowed_contexts_exists" == "null" ]; then
-  yq eval '.allowed_contexts = load("tilt-settings-temp.yaml") | .allowed_contexts' tilt-settings-temp.yaml > tilt-settings.yaml
-fi
+  # copy over the existing allowed_contexts to tilt-settings.yaml if it does not exist
+  allowed_contexts_exists=$(yq eval '.allowed_contexts' tilt-settings.yaml)
+  if [ "$allowed_contexts_exists" == "null" ]; then
+    yq eval --inplace '.allowed_contexts = load("tilt-settings-temp.yaml").allowed_contexts' tilt-settings.yaml
+  fi
+
+  # extract allowed_contexts from tilt-settings.yaml
+  current_contexts=$(yq eval '.allowed_contexts' tilt-settings.yaml | sort -u)
 
-# extract allowed_contexts from tilt-settings.yaml
-current_contexts=$(yq eval '.allowed_contexts' tilt-settings.yaml | sort -u)
+  # extract allowed_contexts from tilt-settings-new.yaml
+  new_contexts=$(yq eval '.allowed_contexts' tilt-settings-temp.yaml | sort -u)
 
-# extract allowed_contexts from tilt-settings-new.yaml
-new_contexts=$(yq eval '.allowed_contexts' tilt-settings-temp.yaml | sort -u)
+  # combine current and new contexts, keeping the union of both
+  combined_contexts=$(echo "$current_contexts"$'\n'"$new_contexts" | sort -u)
 
-# combine current and new contexts, keeping the union of both
-combined_contexts=$(echo "$current_contexts"$'\n'"$new_contexts" | sort -u)
+  # create a temporary file since env($combined_contexts) is not supported in yq
+  echo "$combined_contexts" > combined_contexts.yaml
 
-# create a temporary file since env($combined_contexts) is not supported in yq
-echo "$combined_contexts" > combined_contexts.yaml
+  # update allowed_contexts in tilt-settings.yaml with the combined contexts
+  yq eval --inplace ".allowed_contexts = load(\"combined_contexts.yaml\")" tilt-settings.yaml
+
+  # check if kustomize_substitutions exists, if not add empty one
+  kustomize_substitutions_exists=$(yq eval '.kustomize_substitutions' tilt-settings.yaml)
+  if [ "$kustomize_substitutions_exists" == "null" ]; then
+    yq eval --inplace '.kustomize_substitutions = {}' tilt-settings.yaml
+  fi
 
-# update allowed_contexts in tilt-settings.yaml with the combined contexts
-yq eval --inplace ".allowed_contexts = load(\"combined_contexts.yaml\")" tilt-settings.yaml
+  # clear out existing aks_as_mgmt_settings before merging new settings
+  yq eval --inplace 'del(.aks_as_mgmt_settings)' tilt-settings.yaml
 
-# merge the updated kustomize_substitution and azure_location with the existing one in tilt-settings.yaml
-yq eval-all 'select(fileIndex == 0) *+ {"kustomize_substitutions": select(fileIndex == 1).kustomize_substitutions, "azure_location": select(fileIndex == 1).azure_location}' tilt-settings.yaml tilt-settings-temp.yaml > tilt-settings-new.yaml
+  # merge the updated kustomize_substitution and azure_location with the existing one in tilt-settings.yaml
+  yq eval-all 'select(fileIndex == 0) *+ {"aks_as_mgmt_settings": select(fileIndex == 1).aks_as_mgmt_settings}' tilt-settings.yaml tilt-settings-temp.yaml > tilt-settings-new.yaml
 
-mv tilt-settings-new.yaml tilt-settings.yaml
-rm -r combined_contexts.yaml
-rm -f tilt-settings-temp.yaml
+  mv tilt-settings-new.yaml tilt-settings.yaml
 }
 
 main

scripts/aks-as-mgmt.sh

@@ -27,6 +27,23 @@ source "${REPO_ROOT}/hack/ensure-tags.sh"
 KUBECTL="${REPO_ROOT}/hack/tools/bin/kubectl"
 KIND="${REPO_ROOT}/hack/tools/bin/kind"
 AZWI="${REPO_ROOT}/hack/tools/bin/azwi"
+
+# Remove aks_as_mgmt_settings from tilt-settings.yaml if it exists
+TILT_SETTINGS_FILE="${REPO_ROOT}/tilt-settings.yaml"
+if [ -f "$TILT_SETTINGS_FILE" ]; then
+    # Check if yq is installed
+    if ! command -v yq &> /dev/null; then
+        echo "yq is required but not installed. Please install yq first."
+        exit 1
+    fi
+    
+    # Check if aks_as_mgmt_settings exists in the file
+    if yq e 'has("aks_as_mgmt_settings")' "$TILT_SETTINGS_FILE" | grep -q "true"; then
+        echo "Removing aks_as_mgmt_settings from tilt-settings.yaml"
+        yq e 'del(.aks_as_mgmt_settings)' -i "$TILT_SETTINGS_FILE"
+    fi
+fi
+
 AZWI_ENABLED="${AZWI_ENABLED:-true}"
 RANDOM_SUFFIX="${RANDOM_SUFFIX:-$(od -An -N4 -tu4 /dev/urandom | tr -d ' ' | head -c 8)}"
 export AZWI_STORAGE_ACCOUNT="capzcioidcissuer${RANDOM_SUFFIX}"