diff --git a/api/v1beta1/azuremanagedcontrolplane_types.go b/api/v1beta1/azuremanagedcontrolplane_types.go index 9fc61c7d9bb..82e159040b3 100644 --- a/api/v1beta1/azuremanagedcontrolplane_types.go +++ b/api/v1beta1/azuremanagedcontrolplane_types.go @@ -138,6 +138,14 @@ type AzureManagedControlPlaneSpec struct { // AutoscalerProfile is the parameters to be applied to the cluster-autoscaler when enabled // +optional AutoScalerProfile *AutoScalerProfile `json:"autoscalerProfile,omitempty"` + + // AzureEnvironment is the name of the AzureCloud to be used. + // The default value that would be used by most users is "AzurePublicCloud", other values are: + // - ChinaCloud: "AzureChinaCloud" + // - PublicCloud: "AzurePublicCloud" + // - USGovernmentCloud: "AzureUSGovernmentCloud" + // +optional + AzureEnvironment string `json:"azureEnvironment,omitempty"` } // AADProfile - AAD integration managed by AKS. diff --git a/api/v1beta1/azuremanagedcontrolplane_webhook.go b/api/v1beta1/azuremanagedcontrolplane_webhook.go index 8853d97ee5c..710b332e668 100644 --- a/api/v1beta1/azuremanagedcontrolplane_webhook.go +++ b/api/v1beta1/azuremanagedcontrolplane_webhook.go @@ -193,6 +193,13 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o allErrs = append(allErrs, err) } + if err := webhookutils.ValidateImmutable( + field.NewPath("Spec", "AzureEnvironment"), + old.Spec.AzureEnvironment, + m.Spec.AzureEnvironment); err != nil { + allErrs = append(allErrs, err) + } + if old.Spec.AADProfile != nil { if m.Spec.AADProfile == nil { allErrs = append(allErrs, diff --git a/api/v1beta1/types_class.go b/api/v1beta1/types_class.go index 04f33564d26..ede4187d734 100644 --- a/api/v1beta1/types_class.go +++ b/api/v1beta1/types_class.go @@ -16,7 +16,9 @@ limitations under the License. package v1beta1 -import corev1 "k8s.io/api/core/v1" +import ( + corev1 "k8s.io/api/core/v1" +) // AzureClusterClassSpec defines the AzureCluster properties that may be shared across several Azure clusters. type AzureClusterClassSpec struct { diff --git a/azure/scope/managedcontrolplane.go b/azure/scope/managedcontrolplane.go index a48baa86636..517855c3a69 100644 --- a/azure/scope/managedcontrolplane.go +++ b/azure/scope/managedcontrolplane.go @@ -73,7 +73,7 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane } if params.ControlPlane.Spec.IdentityRef == nil { - if err := params.AzureClients.setCredentials(params.ControlPlane.Spec.SubscriptionID, ""); err != nil { + if err := params.AzureClients.setCredentials(params.ControlPlane.Spec.SubscriptionID, params.ControlPlane.Spec.AzureEnvironment); err != nil { return nil, errors.Wrap(err, "failed to create Azure session") } } else { @@ -82,7 +82,7 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane return nil, errors.Wrap(err, "failed to init credentials provider") } - if err := params.AzureClients.setCredentialsWithProvider(ctx, params.ControlPlane.Spec.SubscriptionID, "", credentialsProvider); err != nil { + if err := params.AzureClients.setCredentialsWithProvider(ctx, params.ControlPlane.Spec.SubscriptionID, params.ControlPlane.Spec.AzureEnvironment, credentialsProvider); err != nil { return nil, errors.Wrap(err, "failed to configure azure settings and credentials for Identity") } } diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml index adaf16d646b..551dd56471e 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml @@ -217,6 +217,12 @@ spec: - "false" type: string type: object + azureEnvironment: + description: 'AzureEnvironment is the name of the AzureCloud to be + used. The default value that would be used by most users is "AzurePublicCloud", + other values are: - ChinaCloud: "AzureChinaCloud" - PublicCloud: + "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"' + type: string controlPlaneEndpoint: description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. diff --git a/controllers/azuremanagedmachinepool_reconciler.go b/controllers/azuremanagedmachinepool_reconciler.go index 0558c332f92..3b670fd43b5 100644 --- a/controllers/azuremanagedmachinepool_reconciler.go +++ b/controllers/azuremanagedmachinepool_reconciler.go @@ -74,22 +74,28 @@ func (a *AgentPoolVMSSNotFoundError) Is(target error) bool { // newAzureManagedMachinePoolService populates all the services based on input scope. func newAzureManagedMachinePoolService(scope *scope.ManagedMachinePoolScope) (*azureManagedMachinePoolService, error) { - var authorizer azure.Authorizer = scope - if scope.Location() != "" { - regionalAuthorizer, err := azure.WithRegionalBaseURI(scope, scope.Location()) - if err != nil { - return nil, errors.Wrap(err, "failed to create a regional authorizer") - } - authorizer = regionalAuthorizer + scaleSetAuthorizer, err := scaleSetAuthorizer(scope) + if err != nil { + return nil, err } return &azureManagedMachinePoolService{ scope: scope, agentPoolsSvc: agentpools.New(scope), - scaleSetsSvc: scalesets.NewClient(authorizer), + scaleSetsSvc: scalesets.NewClient(scaleSetAuthorizer), }, nil } +// scaleSetAuthorizer takes a scope and determines if a regional authorizer is needed for scale sets +// see https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/1850 for context on region based authorizer. +func scaleSetAuthorizer(scope *scope.ManagedMachinePoolScope) (azure.Authorizer, error) { + if scope.ControlPlane.Spec.AzureEnvironment == azure.PublicCloudName { + return azure.WithRegionalBaseURI(scope, scope.Location()) // public cloud supports regional end points + } + + return scope, nil +} + // Reconcile reconciles all the services in a predetermined order. func (s *azureManagedMachinePoolService) Reconcile(ctx context.Context) error { ctx, log, done := tele.StartSpanWithLogger(ctx, "controllers.azureManagedMachinePoolService.Reconcile")