fix: Update Github Action to publish arc member agent helm charts to MCR (Azure#1162)

Author: MuhammadAliFleet

.github/workflows/build-publish-mcr.yml

@@ -8,6 +8,10 @@ on:
       releaseTag:
         description: 'Release tag to publish images, defaults to the latest one'
         type: string
+      arcExtensionVersion:
+        description: 'Release version of the Arc extension.'
+        type: string
+        required: true
 
 permissions:
   id-token: write
@@ -16,12 +20,14 @@ permissions:
 env:
   # `public` indicates images to MCR wil be publicly available, and will be removed in the final MCR images
   REGISTRY_REPO: public/aks/fleet
+  ARC_REGISTRY_REPO: public/microsoft.fleetmember
 
 jobs:
   prepare-variables:
     runs-on: ubuntu-latest
     outputs:
       release_tag: ${{ steps.vars.outputs.release_tag }}
+      fleet_networking_version: ${{ steps.vars.outputs.fleet_networking_version }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -37,6 +43,12 @@ jobs:
           fi
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
 
+          # Fetch the latest fleet-networking version
+          # NOTE: The fleet-networking image must be cut and pushed to MCR first before retrieving this version
+          FLEET_NETWORKING_VERSION="${FLEET_NETWORKING_VERSION:-$(curl "https://api.github.com/repos/Azure/fleet-networking/tags" | jq -r '.[0].name')}"
+          echo "fleet_networking_version=$FLEET_NETWORKING_VERSION" >> $GITHUB_OUTPUT
+          echo "Using Fleet Networking version: $FLEET_NETWORKING_VERSION"
+
           # NOTE: As exporting a variable from a secret is not possible, the shared variable registry obtained
           # from AZURE_REGISTRY secret is not exported from here.
 
@@ -76,3 +88,18 @@ jobs:
         env:
           CRD_INSTALLER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}
           REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO}}
+      # Build Arc Extension for member clusters
+      # Arc-connected clusters can join fleets as member clusters through an Arc Extension.
+      # An Arc Extension is a packaged Helm chart that gets deployed to Arc clusters.
+      # This step packages both the fleet member agent and networking agents into a single
+      # Helm chart for Arc deployment, since Arc Extensions require all components to be bundled together.
+      - name: Build and publish ARC member cluster agents helm chart
+        run: |
+          make helm-package-arc-member-cluster-agents
+        env:
+          ARC_MEMBER_AGENT_HELMCHART_VERSION: ${{ inputs.arcExtensionVersion }}
+          MEMBER_AGENT_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}
+          REFRESH_TOKEN_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.release_tag }}
+          MCS_CONTROLLER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.fleet_networking_version }}
+          MEMBER_NET_CONTROLLER_IMAGE_VERSION: ${{ needs.prepare-variables.outputs.fleet_networking_version }}
+          REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.ARC_REGISTRY_REPO}}

Makefile

@@ -12,6 +12,7 @@ HUB_AGENT_IMAGE_NAME ?= hub-agent
 MEMBER_AGENT_IMAGE_NAME ?= member-agent
 REFRESH_TOKEN_IMAGE_NAME ?= refresh-token
 CRD_INSTALLER_IMAGE_NAME ?= crd-installer
+ARC_MEMBER_AGENT_HELMCHART_NAME = arc-member-cluster-agents-helm-chart
 
 KUBECONFIG ?= $(HOME)/.kube/config
 HUB_SERVER_URL ?= https://172.19.0.2:6443
@@ -336,6 +337,15 @@ docker-build-crd-installer: docker-buildx-builder
 		--pull \
 		--tag $(REGISTRY)/$(CRD_INSTALLER_IMAGE_NAME):$(CRD_INSTALLER_IMAGE_VERSION) .
 
+# Fleet Agents and Networking Agents are packaged and pushed to MCR for Arc Extension.
+.PHONY: helm-package-arc-member-cluster-agents
+helm-package-arc-member-cluster-agents:
+	envsubst < charts/member-agent-arc/values.yaml > charts/member-agent-arc/values.yaml.tmp && \
+	mv charts/member-agent-arc/values.yaml.tmp charts/member-agent-arc/values.yaml && \
+	helm package charts/member-agent-arc/ --version $(ARC_MEMBER_AGENT_HELMCHART_VERSION)
+	
+	helm push $(ARC_MEMBER_AGENT_HELMCHART_NAME)-$(ARC_MEMBER_AGENT_HELMCHART_VERSION).tgz oci://$(REGISTRY)
+
 ## -----------------------------------
 ## Cleanup
 ## -----------------------------------

charts/member-agent-arc/.gitignore

@@ -0,0 +1 @@
+*.tgz

charts/member-agent-arc/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/member-agent-arc/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: arc-member-cluster-agents-helm-chart
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

charts/member-agent-arc/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fleet-member-agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fleet-member-agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fleet-member-agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "fleet-member-agent.labels" -}}
+helm.sh/chart: {{ include "fleet-member-agent.chart" . }}
+{{ include "fleet-member-agent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "fleet-member-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fleet-member-agent.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fleet-member-agent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "fleet-member-agent.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/member-agent-arc/templates/azure-proxy-secrets.yaml

@@ -0,0 +1,10 @@
+{{- if and .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.proxyCert }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azure-proxy-cert
+  namespace: fleet-system
+type: Opaque
+data:
+  proxy-cert.crt: {{ .Values.Azure.proxySettings.proxyCert | b64enc | quote }}
+{{- end }}

charts/member-agent-arc/templates/crds/appliedworks.yaml

@@ -0,0 +1,130 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.4
+  labels:
+{{- if .Values.legacyAddonDelivery }}
+    addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}
+    kubernetes.azure.com/managedby: fleet
+  name: appliedworks.placement.kubernetes-fleet.io
+spec:
+  group: placement.kubernetes-fleet.io
+  names:
+    categories:
+      - fleet
+      - fleet-placement
+    kind: AppliedWork
+    listKind: AppliedWorkList
+    plural: appliedworks
+    singular: appliedwork
+  scope: Cluster
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                workName:
+                  type: string
+                workNamespace:
+                  type: string
+              required:
+                - workName
+                - workNamespace
+              type: object
+            status:
+              properties:
+                appliedResources:
+                  items:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                      ordinal:
+                        type: integer
+                      resource:
+                        type: string
+                      uid:
+                        type: string
+                      version:
+                        type: string
+                    required:
+                      - ordinal
+                    type: object
+                  type: array
+              type: object
+          required:
+            - spec
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+    - name: v1beta1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                workName:
+                  type: string
+                workNamespace:
+                  type: string
+              required:
+                - workName
+                - workNamespace
+              type: object
+            status:
+              properties:
+                appliedResources:
+                  items:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                      ordinal:
+                        type: integer
+                      resource:
+                        type: string
+                      uid:
+                        type: string
+                      version:
+                        type: string
+                    required:
+                      - ordinal
+                    type: object
+                  type: array
+              type: object
+          required:
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}