Azure
diff --git a/‎commands.go‎
Lines changed: 102 additions & 0 deletions b/‎commands.go‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 7 additions & 3 deletions b/‎main.go‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎pkg/privatecluster/README.md‎
Lines changed: 59 additions & 0 deletions b/‎pkg/privatecluster/README.md‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎pkg/privatecluster/create_private_cluster.md‎
Lines changed: 165 additions & 0 deletions b/‎pkg/privatecluster/create_private_cluster.md‎
Lines changed: 165 additions & 0 deletions
@@ -14,6 +14,7 @@ import (
 	"go.goms.io/aks/AKSFlexNode/pkg/bootstrapper"
 	"go.goms.io/aks/AKSFlexNode/pkg/config"
 	"go.goms.io/aks/AKSFlexNode/pkg/logger"
+	"go.goms.io/aks/AKSFlexNode/pkg/privatecluster"
 	"go.goms.io/aks/AKSFlexNode/pkg/status"
 )
 
@@ -118,6 +119,107 @@ func runVersion() {
 	fmt.Printf("Build Time: %s\n", BuildTime)
 }
 
+// Private cluster command variables
+var (
+	aksResourceID   string
+	cleanupModeFlag string
+)
+
+// NewPrivateJoinCommand creates a new private-join command
+func NewPrivateJoinCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "private-join",
+		Short: "Join a Private AKS cluster (requires sudo)",
+		Long: `Join a Private AKS cluster.
+
+Prerequisites:
+  1. A Private AKS cluster must exist with AAD and Azure RBAC enabled
+     See: pkg/privatecluster/create_private_cluster.md
+
+  2. Current user must have the following roles on the cluster:
+     - Azure Kubernetes Service Cluster Admin Role
+     - Azure Kubernetes Service RBAC Cluster Admin
+
+  3. Current user must be logged in via 'sudo az login'
+
+The full resource ID of the Private AKS cluster is required as the --aks-resource-id parameter.
+This same resource ID can be used later with the private-leave command.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runPrivateJoin(cmd.Context())
+		},
+	}
+
+	cmd.Flags().StringVar(&aksResourceID, "aks-resource-id", "", "AKS cluster resource ID (required)")
+	cmd.MarkFlagRequired("aks-resource-id")
+
+	return cmd
+}
+
+// NewPrivateLeaveCommand creates a new private-leave command
+func NewPrivateLeaveCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "private-leave",
+		Short: "Leave a Private AKS cluster (--mode=local|full, requires sudo)",
+		Long: `Remove this edge node from a Private AKS cluster.
+
+Cleanup modes:
+  --local  Local cleanup only (default):
+           - Remove node from AKS cluster
+           - Run aks-flex-node unbootstrap
+           - Remove Arc Agent
+           - Stop VPN and remove client config
+           - Keep Gateway for other nodes
+
+  --full   Full cleanup (requires --aks-resource-id):
+           - All local cleanup steps
+           - Delete Gateway VM
+           - Delete Gateway subnet, NSG, Public IP
+           - Delete SSH keys
+
+This command requires the current user to be logged in via 'sudo az login'.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runPrivateLeave(cmd.Context())
+		},
+	}
+
+	cmd.Flags().StringVar(&cleanupModeFlag, "mode", "local", "Cleanup mode: 'local' (keep Gateway) or 'full' (remove all Azure resources)")
+	cmd.Flags().StringVar(&aksResourceID, "aks-resource-id", "", "AKS cluster resource ID (required for --mode=full)")
+
+	return cmd
+}
+
+// runPrivateJoin executes the private cluster join process
+func runPrivateJoin(ctx context.Context) error {
+	if os.Getuid() != 0 {
+		return fmt.Errorf("this command requires root privileges, please run with 'sudo'")
+	}
+	runner := privatecluster.NewScriptRunner("")
+	return runner.RunPrivateInstall(ctx, aksResourceID)
+}
+
+// runPrivateLeave executes the private cluster leave process
+func runPrivateLeave(ctx context.Context) error {
+	if os.Getuid() != 0 {
+		return fmt.Errorf("this command requires root privileges, please run with 'sudo'")
+	}
+	// Validate cleanup mode
+	var mode privatecluster.CleanupMode
+	switch cleanupModeFlag {
+	case "local":
+		mode = privatecluster.CleanupModeLocal
+	case "full":
+		mode = privatecluster.CleanupModeFull
+		if aksResourceID == "" {
+			return fmt.Errorf("--aks-resource-id is required for full cleanup mode")
+		}
+	default:
+		return fmt.Errorf("invalid cleanup mode: %s (use 'local' or 'full')", cleanupModeFlag)
+	}
+
+	runner := privatecluster.NewScriptRunner("")
+	return runner.RunPrivateUninstall(ctx, mode, aksResourceID)
+}
+
 // runDaemonLoop runs the periodic status collection and bootstrap monitoring daemon
 func runDaemonLoop(ctx context.Context, cfg *config.Config) error {
 	logger := logger.GetLoggerFromContext(ctx)
 
@@ -25,13 +25,16 @@ func main() {
 	}
 
 	// Add global flags for configuration
-	rootCmd.PersistentFlags().StringVar(&configPath, "config", "", "Path to configuration JSON file (required)")
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", "", "Path to configuration JSON file (required for agent/unbootstrap)")
+	rootCmd.PersistentFlags().MarkHidden("config") // Hide from global help, shown in agent/unbootstrap help
 	// Don't mark as required globally - we'll check in PersistentPreRunE for commands that need it
 
 	// Add commands
 	rootCmd.AddCommand(NewAgentCommand())
 	rootCmd.AddCommand(NewUnbootstrapCommand())
 	rootCmd.AddCommand(NewVersionCommand())
+	rootCmd.AddCommand(NewPrivateJoinCommand())
+	rootCmd.AddCommand(NewPrivateLeaveCommand())
 
 	// Set up context with signal handling
 	ctx, cancel := context.WithCancel(context.Background())
@@ -49,8 +52,9 @@ func main() {
 
 	// Set up persistent pre-run to initialize config and logger
 	rootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
-		// Skip config loading for version command
-		if cmd.Name() == "version" {
+		// Skip config loading for commands that don't need it
+		switch cmd.Name() {
+		case "version", "private-join", "private-leave":
 			return nil
 		}
 
 
@@ -0,0 +1,59 @@
+# Private AKS Cluster - Edge Node Join/Leave
+
+## Prerequisites
+
+### 1. Login to Azure CLI as root
+
+```bash
+sudo az login
+```
+
+### 2. Create a Private AKS Cluster
+
+Create a Private AKS cluster with AAD and Azure RBAC enabled, and assign the required roles to your user.
+
+See: [create_private_cluster.md](create_private_cluster.md)
+
+## Join Private AKS Cluster
+
+### 1. Build the project
+
+```bash
+go build -o aks-flex-node .
+```
+
+### 2. Join the cluster
+
+```bash
+sudo ./aks-flex-node private-join --aks-resource-id "<AKS_RESOURCE_ID>"
+```
+
+Example:
+```bash
+sudo ./aks-flex-node private-join \
+  --aks-resource-id "/subscriptions/xxx/resourcegroups/my-rg/providers/Microsoft.ContainerService/managedClusters/my-private-aks"
+```
+
+### 3. Verify
+
+```bash
+sudo kubectl get nodes
+```
+
+## Leave Private AKS Cluster
+
+```bash
+sudo ./aks-flex-node private-leave --mode=<local|full> [--aks-resource-id "<AKS_RESOURCE_ID>"]
+```
+
+### Mode Comparison
+
+| Mode | Command | Description |
+|------|---------|-------------|
+| `local` | `sudo ./aks-flex-node private-leave --mode=local` | Remove node and local components, **keep Gateway** for other nodes |
+| `full` | `sudo ./aks-flex-node private-leave --mode=full --aks-resource-id "..."` | Remove all components **including Gateway and Azure resources** |
+
+### When to use each mode
+
+- **`--mode=local`**: Other nodes are still using the Gateway, or you plan to rejoin later
+- **`--mode=full`**: Last node leaving, clean up all Azure resources (Gateway VM, subnet, NSG, public IP)
@@ -0,0 +1,165 @@
+# Create Private AKS Cluster
+
+This guide shows how to create a Private AKS Cluster with AAD and Azure RBAC enabled for edge node testing.
+
+## Prerequisites
+
+### 1. Login to Azure CLI as root
+
+```bash
+sudo az login
+```
+
+### 2. Set variables
+
+```bash
+# Required
+CLUSTER_NAME="my-private-aks"
+RESOURCE_GROUP="my-rg"
+LOCATION="eastus2"
+
+# Optional (defaults)
+VNET_NAME="${CLUSTER_NAME}-vnet"
+VNET_CIDR="10.224.0.0/12"
+SUBNET_NAME="aks-subnet"
+SUBNET_CIDR="10.224.0.0/16"
+NODE_COUNT=1
+NODE_VM_SIZE="Standard_D2s_v3"
+```
+
+## Step 1: Create Resource Group
+
+```bash
+az group create \
+  --name "$RESOURCE_GROUP" \
+  --location "$LOCATION"
+```
+
+## Step 2: Create VNet and Subnet
+
+```bash
+# Create VNet
+az network vnet create \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$VNET_NAME" \
+  --address-prefix "$VNET_CIDR"
+
+# Create Subnet
+az network vnet subnet create \
+  --resource-group "$RESOURCE_GROUP" \
+  --vnet-name "$VNET_NAME" \
+  --name "$SUBNET_NAME" \
+  --address-prefix "$SUBNET_CIDR"
+```
+
+## Step 3: Create Private AKS Cluster
+
+```bash
+# Get Subnet ID
+SUBNET_ID=$(az network vnet subnet show \
+  --resource-group "$RESOURCE_GROUP" \
+  --vnet-name "$VNET_NAME" \
+  --name "$SUBNET_NAME" \
+  --query id -o tsv)
+
+# Create Private AKS Cluster
+az aks create \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$CLUSTER_NAME" \
+  --location "$LOCATION" \
+  --node-count "$NODE_COUNT" \
+  --node-vm-size "$NODE_VM_SIZE" \
+  --network-plugin azure \
+  --vnet-subnet-id "$SUBNET_ID" \
+  --enable-private-cluster \
+  --enable-aad \
+  --enable-azure-rbac \
+  --generate-ssh-keys
+```
+
+> **Note:** This may take 5-10 minutes.
+
+## Step 4: Assign RBAC Roles to Current User
+
+The current user needs two roles to manage the cluster:
+
+| Role | Purpose |
+|------|---------|
+| Azure Kubernetes Service Cluster Admin Role | Get kubectl credentials |
+| Azure Kubernetes Service RBAC Cluster Admin | Perform cluster operations |
+
+```bash
+# Get current user's Object ID
+USER_OBJECT_ID=$(az ad signed-in-user show --query id -o tsv)
+
+# Get AKS Resource ID
+AKS_RESOURCE_ID=$(az aks show \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$CLUSTER_NAME" \
+  --query id -o tsv)
+
+# Assign Role 1: Azure Kubernetes Service Cluster Admin Role
+az role assignment create \
+  --assignee "$USER_OBJECT_ID" \
+  --role "Azure Kubernetes Service Cluster Admin Role" \
+  --scope "$AKS_RESOURCE_ID"
+
+# Assign Role 2: Azure Kubernetes Service RBAC Cluster Admin
+az role assignment create \
+  --assignee "$USER_OBJECT_ID" \
+  --role "Azure Kubernetes Service RBAC Cluster Admin" \
+  --scope "$AKS_RESOURCE_ID"
+```
+
+## Step 5: Get Kubectl Credentials
+
+```bash
+# Create kubeconfig directory
+sudo mkdir -p /root/.kube
+
+# Get credentials
+sudo az aks get-credentials \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$CLUSTER_NAME" \
+  --overwrite-existing \
+  --file /root/.kube/config
+
+# Convert kubeconfig for Azure CLI auth
+sudo kubelogin convert-kubeconfig -l azurecli --kubeconfig /root/.kube/config
+```
+
+## Step 6: Get Cluster Resource ID
+
+Save this for use with `private-join` and `private-leave` commands:
+
+```bash
+az aks show \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$CLUSTER_NAME" \
+  --query id -o tsv
+```
+
+Example output:
+```
+/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/my-rg/providers/Microsoft.ContainerService/managedClusters/my-private-aks
+```
+
+## Next Steps
+
+### Join an edge node to the private cluster
+
+```bash
+sudo ./aks-flex-node private-join \
+  --aks-resource-id "/subscriptions/.../resourcegroups/.../providers/Microsoft.ContainerService/managedClusters/my-private-aks"
+```
+
+### Leave the private cluster
+
+```bash
+# Local cleanup (keep Gateway for other nodes)
+sudo ./aks-flex-node private-leave --mode=local
+
+# Full cleanup (remove Gateway and all Azure resources)
+sudo ./aks-flex-node private-leave --mode=full \
+  --aks-resource-id "/subscriptions/.../resourcegroups/.../providers/Microsoft.ContainerService/managedClusters/my-private-aks"
+```