Add templates to test Azure Linux 3

Author: willie-yao

templates/test/ci/cluster-template-prow-azl3.yaml

@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+- ../../../flavors/default
+- ../../../addons/cluster-api-helm/calico.yaml
+- ../../../addons/cluster-api-helm/azuredisk-csi-driver.yaml
+- ../../../addons/cluster-api-helm/cloud-provider-azure.yaml
+- ../../../addons/cluster-api-helm/cloud-provider-azure-ci.yaml
+patches:
+- path: ../patches/tags.yaml
+- path: ../patches/mhc.yaml
+- path: ../patches/controller-manager.yaml
+- path: ../patches/uami-md-0.yaml
+- path: ../patches/uami-control-plane.yaml
+- path: ../patches/cluster-label-calico.yaml
+- path: ../patches/cluster-label-cloud-provider-azure.yaml
+- path: patches/controller-manager.yaml
+  target:
+    group: controlplane.cluster.x-k8s.io
+    kind: KubeadmControlPlane
+    name: .*-control-plane
+    version: v1beta1
+- path: patches/kubeadm-config-template-azl3.yaml
+  target:
+    group: bootstrap.cluster.x-k8s.io
+    kind: KubeadmConfigTemplate
+    name: .*-md-0
+    namespace: default
+    version: v1beta1
+- path: patches/azuremachinetemplate-azl3-image.yaml
+- path: patches/cloud-provider-azure-cacertdir.yaml
+- path: patches/cloud-provider-azure-ci-cacertdir.yaml
+
+sortOptions:
+  order: fifo

templates/test/ci/cluster-template-prow-ci-version-azl3.yaml

@@ -0,0 +1,25 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-control-plane
+spec:
+  template:
+    spec:
+      image:
+        computeGallery:
+          gallery: ClusterAPI-f72ceb4f-5159-4c26-a0fe-2ea738f0d019
+          name: capi-azurelinux-3
+          version: ${AZL3_VERSION}
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-md-0
+spec:
+  template:
+    spec:
+      image:
+        computeGallery:
+          gallery: ClusterAPI-f72ceb4f-5159-4c26-a0fe-2ea738f0d019
+          name: capi-azurelinux-3
+          version: ${AZL3_VERSION}

templates/test/ci/prow-azl3/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: addons.cluster.x-k8s.io/v1alpha1
+kind: HelmChartProxy
+metadata:
+  name: cloud-provider-azure-chart
+spec:
+  valuesTemplate: |
+    infra:
+      clusterName: {{ .Cluster.metadata.name }}
+    cloudControllerManager:
+      caCertDir: "/etc/pki/tls/certs"
+      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
+      logVerbosity: 4

templates/test/ci/prow-azl3/patches/azuremachinetemplate-azl3-image.yaml

@@ -0,0 +1,23 @@
+apiVersion: addons.cluster.x-k8s.io/v1alpha1
+kind: HelmChartProxy
+metadata:
+  name: cloud-provider-azure-chart-ci
+spec:
+  valuesTemplate: |
+    infra:
+      clusterName: {{ .Cluster.metadata.name }}
+    cloudControllerManager:
+      caCertDir: "/etc/pki/tls/certs"
+      cloudConfig: ${CLOUD_CONFIG:-"/etc/kubernetes/azure.json"}
+      cloudConfigSecretName: ${CONFIG_SECRET_NAME:-""}
+      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
+      imageName: "${CCM_IMAGE_NAME:-""}"
+      imageRepository: "${IMAGE_REGISTRY:-""}"
+      imageTag: "${IMAGE_TAG_CCM:-""}"
+      logVerbosity: ${CCM_LOG_VERBOSITY:-4}
+      replicas: ${CCM_COUNT:-1}
+      enableDynamicReloading: ${ENABLE_DYNAMIC_RELOADING:-false}
+    cloudNodeManager:
+      imageName: "${CNM_IMAGE_NAME:-""}"
+      imageRepository: "${IMAGE_REGISTRY:-""}"
+      imageTag: "${IMAGE_TAG_CNM:-""}"

templates/test/ci/prow-azl3/patches/cloud-provider-azure-cacertdir.yaml

@@ -0,0 +1,50 @@
+- op: add
+  path: /spec/kubeadmConfigSpec/files/0
+  value:
+    content: |
+      #!/bin/bash
+
+      set -o nounset
+      set -o pipefail
+      set -o errexit
+
+      # Install ca-certificates packages for Azure Linux
+      tdnf install -y ca-certificates ca-certificates-legacy
+      update-ca-trust
+
+      # Allow Azure service IP addresses (required for Azure resources)
+      iptables -A INPUT -s 168.63.129.16 -j ACCEPT
+      iptables -A OUTPUT -d 168.63.129.16 -j ACCEPT
+
+      # Kubernetes API Server (port 6443) - bound to all IPv6 interfaces, needs external access
+      iptables -A INPUT -p tcp --dport 6443 -j ACCEPT
+
+      # etcd server communication - external access needed for cluster communication
+      # Port 2379 is bound to node IP (10.0.0.5), needs cluster access
+      iptables -A INPUT -p tcp --dport 2379 -j ACCEPT
+      # Port 2380 is bound to node IP (10.0.0.5), needs cluster access  
+      iptables -A INPUT -p tcp --dport 2380 -j ACCEPT
+      # Port 2381 is localhost only, no external rule needed
+
+      # Allow traffic to Kubernetes service network (10.96.0.0/12) - CRITICAL: required for pod-to-service communication
+      iptables -A OUTPUT -d 10.96.0.0/12 -j ACCEPT
+      iptables -A INPUT -s 10.96.0.0/12 -j ACCEPT
+
+      # Allow traffic to/from node network (10.1.0.0/24) - required for node-to-node communication
+      iptables -A OUTPUT -d 10.1.0.0/24 -j ACCEPT
+      iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
+
+      # Allow traffic to/from Calico pod network - more restrictive than full 192.168.0.0/16
+      # Only allow the specific pod CIDR ranges that Calico actually uses
+      iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
+      iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
+
+      # Save the rules following Azure Linux 3 approach
+      iptables-save > /etc/systemd/scripts/ip4save
+    path: /tmp/azl3-setup.sh
+    owner: "root:root"
+    permissions: "0744"
+- op: add
+  path: /spec/kubeadmConfigSpec/preKubeadmCommands/0
+  value:
+    bash -c /tmp/azl3-setup.sh

templates/test/ci/prow-azl3/patches/cloud-provider-azure-ci-cacertdir.yaml

@@ -0,0 +1,17 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-control-plane
+spec:
+  template:
+    spec:
+      disableVMBootstrapExtension: true
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-md-0
+spec:
+  template:
+    spec:
+      disableVMBootstrapExtension: true

templates/test/ci/prow-azl3/patches/controller-manager.yaml

@@ -0,0 +1,104 @@
+- op: add
+  path: /spec/template/spec/files/0
+  value:
+    content: |
+      #!/bin/bash
+
+      set -o nounset
+      set -o pipefail
+      set -o errexit
+
+      # Install ca-certificates packages for Azure Linux
+      tdnf install -y ca-certificates ca-certificates-legacy
+      update-ca-trust
+
+      # Azure Linux 3 firewall configuration for worker nodes
+      # Keep the default DROP policy for security, only add specific ACCEPT rules
+
+      # Allow Azure service IP addresses (required for Azure resources)
+      iptables -A INPUT -s 168.63.129.16 -j ACCEPT
+      iptables -A OUTPUT -d 168.63.129.16 -j ACCEPT
+      ip6tables -A INPUT -s fe80::1234:5678:9abc -j ACCEPT
+      ip6tables -A OUTPUT -d fe80::1234:5678:9abc -j ACCEPT
+
+      # Allow localhost traffic (required for many localhost-bound services)
+      iptables -A INPUT -i lo -j ACCEPT
+      iptables -A OUTPUT -o lo -j ACCEPT
+      ip6tables -A INPUT -i lo -j ACCEPT
+      ip6tables -A OUTPUT -o lo -j ACCEPT
+
+      # Allow established and related connections
+      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+      iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+      ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+      ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+      # SSH (port 22) - bound to all interfaces, needs external access
+      iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
+
+      # Kubelet API (port 10250) - bound to all IPv6 interfaces, needs cluster access
+      iptables -A INPUT -p tcp --dport 10250 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 10250 -j ACCEPT
+
+      # kube-proxy (port 10256) - bound to all IPv6 interfaces, needs cluster access
+      iptables -A INPUT -p tcp --dport 10256 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 10256 -j ACCEPT
+
+      # Calico networking requirements
+      # Calico Typha (port 5473) - bound to all IPv6 interfaces, needs cluster access
+      iptables -A INPUT -p tcp --dport 5473 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 5473 -j ACCEPT
+      
+      # VXLAN for overlay networking (port 4789 UDP) - bound to all interfaces
+      iptables -A INPUT -p udp --dport 4789 -j ACCEPT
+      ip6tables -A INPUT -p udp --dport 4789 -j ACCEPT
+
+      # Calico metrics ports (29603, 29605) - bound to all IPv6 interfaces
+      iptables -A INPUT -p tcp --dport 29603 -j ACCEPT
+      iptables -A INPUT -p tcp --dport 29605 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 29603 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 29605 -j ACCEPT
+      
+      # BGP for node-to-node communication (port 179) - not in netstat but needed for Calico
+      iptables -A INPUT -p tcp --dport 179 -j ACCEPT
+      ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT
+      
+      # IP-in-IP protocol for Calico
+      iptables -A INPUT -p 4 -j ACCEPT
+      ip6tables -A INPUT -p 41 -j ACCEPT
+
+      # DHCP client (port 68 UDP) - for IP assignment
+      iptables -A INPUT -p udp --dport 68 -j ACCEPT
+      ip6tables -A INPUT -p udp --dport 68 -j ACCEPT
+
+      # NTP (port 323 UDP) - for time synchronization  
+      iptables -A INPUT -p udp --dport 323 -j ACCEPT
+      ip6tables -A INPUT -p udp --dport 323 -j ACCEPT
+
+      # Allow ICMP for connectivity checks
+      iptables -A INPUT -p icmp -j ACCEPT
+      ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
+
+      # Allow traffic to Kubernetes service network (10.96.0.0/12) - required for pod-to-service communication
+      iptables -A OUTPUT -d 10.96.0.0/12 -j ACCEPT
+      iptables -A INPUT -s 10.96.0.0/12 -j ACCEPT
+
+      # Allow traffic to/from Calico pod network (192.168.0.0/16) - required for pod-to-pod communication
+      iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
+      iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+
+      # Allow traffic to/from node network (10.1.0.0/24) - required for node-to-node communication
+      iptables -A OUTPUT -d 10.1.0.0/24 -j ACCEPT
+      iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
+
+      # Save the rules following Azure Linux 3 approach
+      iptables-save > /etc/systemd/scripts/ip4save
+      ip6tables-save > /etc/systemd/scripts/ip6save
+    path: /tmp/azl3-setup.sh
+    owner: "root:root"
+    permissions: "0744"
+- op: add
+  path: /spec/template/spec/preKubeadmCommands/0
+  value:
+    bash -c /tmp/azl3-setup.sh

templates/test/ci/prow-azl3/patches/disable-vm-bootstrap-extension.yaml

@@ -0,0 +1,19 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-control-plane
+spec:
+  template:
+    spec:
+      image:
+        marketplace: null
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: AzureMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-md-0
+spec:
+  template:
+    spec:
+      image:
+        marketplace: null