Support for Azure Private DNS Zone to be present in any resource group

Author: vishu2498

api/v1beta1/azurecluster_validation.go

@@ -203,6 +203,7 @@ func validateNetworkSpec(controlPlaneEnabled bool, networkSpec NetworkSpec, old
 		lbType = networkSpec.APIServerLB.Type
 	}
 	allErrs = append(allErrs, validatePrivateDNSZoneName(networkSpec.PrivateDNSZoneName, controlPlaneEnabled, lbType, fldPath.Child("privateDNSZoneName"))...)
+	allErrs = append(allErrs, validatePrivateDNSZoneResourceGroup(networkSpec.PrivateDNSZoneName, networkSpec.PrivateDNSZoneResourceGroup, fldPath.Child("privateDNSZoneResourceGroup"))...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -556,6 +557,24 @@ func validatePrivateDNSZoneName(privateDNSZoneName string, controlPlaneEnabled b
 	return allErrs
 }
 
+// validatePrivateDNSZoneResourceGroup validates the PrivateDNSZoneResourceGroup.
+// A private DNS Zone's resource group is valid as long as privateDNSZoneName is provided with the private dns resource group name
+func validatePrivateDNSZoneResourceGroup(privateDNSZoneName string, privateDNSZoneResourceGroup string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if privateDNSZoneResourceGroup != "" {
+		if privateDNSZoneName == "" {
+			allErrs = append(allErrs, field.Invalid(fldPath, privateDNSZoneName,
+				"PrivateDNSZoneResourceGroup can only be used when PrivateDNSZoneName is provided"))
+		}
+		if err := validateResourceGroup(privateDNSZoneResourceGroup, fldPath); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
+	return allErrs
+}
+
 // validateCloudProviderConfigOverrides validates CloudProviderConfigOverrides.
 func validateCloudProviderConfigOverrides(oldConfig, newConfig *CloudProviderConfigOverrides, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList

api/v1beta1/azurecluster_validation_test.go

@@ -1371,6 +1371,81 @@ func TestPrivateDNSZoneName(t *testing.T) {
 	}
 }
 
+func TestPrivateDNSZoneResourceGroup(t *testing.T) {
+	testcases := []struct {
+		name        string
+		network     NetworkSpec
+		wantErr     bool
+		expectedErr field.Error
+	}{
+		{
+			name: "testEmptyPrivateDNSZoneNameAndResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "",
+					PrivateDNSZoneResourceGroup: "",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "testValidPrivateDNSZoneNameAndResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "good.dns.io",
+					PrivateDNSZoneResourceGroup: "test-rg",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "testInvalidPrivateDNSZoneResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "good.dns.io",
+					PrivateDNSZoneResourceGroup: "inv@lid-rg",
+				},
+			},
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "spec.networkSpec.privateDNSZoneResourceGroup",
+				BadValue: "inv@lid-rg",
+				Detail:   "resourceGroup doesn't match regex ^[-\\w\\._\\(\\)]+$",
+			},
+			wantErr: true,
+		},
+		{
+			name: "testEmptyPrivateDNSZoneNameWithValidResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "",
+					PrivateDNSZoneResourceGroup: "test-rg",
+				},
+			},
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "spec.networkSpec.privateDNSZoneResourceGroup",
+				BadValue: "",
+				Detail:   "PrivateDNSZoneResourceGroup can only be used when PrivateDNSZoneName is provided",
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			err := validatePrivateDNSZoneResourceGroup(test.network.PrivateDNSZoneName, test.network.PrivateDNSZoneResourceGroup, field.NewPath("spec", "networkSpec", "privateDNSZoneResourceGroup"))
+			if test.wantErr {
+				g.Expect(err).To(ContainElement(MatchError(test.expectedErr.Error())))
+			} else {
+				g.Expect(err).To(BeEmpty())
+			}
+		})
+	}
+}
+
 func TestValidateNodeOutboundLB(t *testing.T) {
 	testcases := []struct {
 		name        string

api/v1beta1/azurecluster_webhook.go

@@ -116,6 +116,13 @@ func (c *AzureCluster) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings
 		allErrs = append(allErrs, err)
 	}
 
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("spec", "networkSpec", "privateDNSZoneResourceGroup"),
+		old.Spec.NetworkSpec.PrivateDNSZoneResourceGroup,
+		c.Spec.NetworkSpec.PrivateDNSZoneResourceGroup); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	// Allow enabling azure bastion but avoid disabling it.
 	if old.Spec.BastionSpec.AzureBastion != nil && !reflect.DeepEqual(old.Spec.BastionSpec.AzureBastion, c.Spec.BastionSpec.AzureBastion) {
 		allErrs = append(allErrs,

api/v1beta1/azureclustertemplate_validation.go

@@ -62,6 +62,8 @@ func (c *AzureClusterTemplate) validateClusterTemplateSpec() field.ErrorList {
 
 	allErrs = append(allErrs, c.validatePrivateDNSZoneName()...)
 
+	allErrs = append(allErrs, c.validatePrivateDNSZoneResourceGroup()...)
+
 	return allErrs
 }
 
@@ -169,3 +171,18 @@ func (c *AzureClusterTemplate) validatePrivateDNSZoneName() field.ErrorList {
 
 	return allErrs
 }
+
+func (c *AzureClusterTemplate) validatePrivateDNSZoneResourceGroup() field.ErrorList {
+	var allErrs field.ErrorList
+
+	fldPath := field.NewPath("spec").Child("template").Child("spec").Child("networkSpec").Child("privateDNSZoneResourceGroup")
+	networkSpec := c.Spec.Template.Spec.NetworkSpec
+
+	allErrs = append(allErrs, validatePrivateDNSZoneResourceGroup(
+		networkSpec.PrivateDNSZoneName,
+		networkSpec.PrivateDNSZoneResourceGroup,
+		fldPath,
+	)...)
+
+	return allErrs
+}

api/v1beta1/azureclustertemplate_validation_test.go

@@ -822,6 +822,96 @@ func TestValidatePrivateDNSZoneName(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePrivateDNSZoneResourceGroup(t *testing.T) {
+	cases := []struct {
+		name            string
+		clusterTemplate *AzureClusterTemplate
+		expectValid     bool
+		expectedErr     field.Error
+	}{
+		{
+			name: "not set",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{},
+						},
+					},
+				},
+			},
+			expectValid: true,
+		},
+		{
+			name: "should be set if PrivateDNSZoneName is given",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{
+								NetworkClassSpec: NetworkClassSpec{
+									PrivateDNSZoneName:          "e.f.g",
+									PrivateDNSZoneResourceGroup: "a.b.c",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectValid: true,
+		},
+		{
+			name: "should not be set if PrivateDNSZoneName is not given",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{
+								NetworkClassSpec: NetworkClassSpec{
+									PrivateDNSZoneResourceGroup: "a.b.c",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectValid: false,
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "spec.template.spec.networkSpec.privateDNSZoneResourceGroup",
+				BadValue: "",
+				Detail:   "PrivateDNSZoneResourceGroup can only be used when PrivateDNSZoneName is provided",
+			},
+		},
+	}
+
+	for _, c := range cases {
+		tc := c
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			res := tc.clusterTemplate.validatePrivateDNSZoneResourceGroup()
+
+			if tc.expectValid {
+				g.Expect(res).To(BeNil())
+			} else {
+				g.Expect(res).NotTo(BeNil())
+				g.Expect(res).To(ContainElement(MatchError(tc.expectedErr.Error())))
+			}
+		})
+	}
+}
+
 func TestValidateNetworkSpec(t *testing.T) {
 	cases := []struct {
 		name            string

api/v1beta1/types_class.go

@@ -458,6 +458,11 @@ type NetworkClassSpec struct {
 	// PrivateDNSZoneName defines the zone name for the Azure Private DNS.
 	// +optional
 	PrivateDNSZoneName string `json:"privateDNSZoneName,omitempty"`
+
+	// PrivateDNSZoneResourceGroup defines the resource group to be used for Azure Private DNS Zone.
+	// If not specified, the resource group of the cluster will be used to create the Azure Private DNS Zone.
+	// +optional
+	PrivateDNSZoneResourceGroup string `json:"privateDNSZoneResourceGroup,omitempty"`
 }
 
 // VnetClassSpec defines the VnetSpec properties that may be shared across several Azure clusters.

azure/scope/cluster.go

@@ -558,9 +558,13 @@ func (s *ClusterScope) VNetSpec() azure.ASOResourceSpecGetter[*asonetworkv1api20
 // PrivateDNSSpec returns the private dns zone spec.
 func (s *ClusterScope) PrivateDNSSpec() (zoneSpec azure.ResourceSpecGetter, linkSpec, recordSpec []azure.ResourceSpecGetter) {
 	if s.IsAPIServerPrivate() {
+		resourceGroup := s.ResourceGroup()
+		if s.AzureCluster.Spec.NetworkSpec.PrivateDNSZoneResourceGroup != "" {
+			resourceGroup = s.AzureCluster.Spec.NetworkSpec.PrivateDNSZoneResourceGroup
+		}
 		zone := privatedns.ZoneSpec{
 			Name:           s.GetPrivateDNSZoneName(),
-			ResourceGroup:  s.ResourceGroup(),
+			ResourceGroup:  resourceGroup,
 			ClusterName:    s.ClusterName(),
 			AdditionalTags: s.AdditionalTags(),
 		}
@@ -572,7 +576,7 @@ func (s *ClusterScope) PrivateDNSSpec() (zoneSpec azure.ResourceSpecGetter, link
 			SubscriptionID:    s.SubscriptionID(),
 			VNetResourceGroup: s.Vnet().ResourceGroup,
 			VNetName:          s.Vnet().Name,
-			ResourceGroup:     s.ResourceGroup(),
+			ResourceGroup:     resourceGroup,
 			ClusterName:       s.ClusterName(),
 			AdditionalTags:    s.AdditionalTags(),
 		}
@@ -583,7 +587,7 @@ func (s *ClusterScope) PrivateDNSSpec() (zoneSpec azure.ResourceSpecGetter, link
 				SubscriptionID:    s.SubscriptionID(),
 				VNetResourceGroup: peering.ResourceGroup,
 				VNetName:          peering.RemoteVnetName,
-				ResourceGroup:     s.ResourceGroup(),
+				ResourceGroup:     resourceGroup,
 				ClusterName:       s.ClusterName(),
 				AdditionalTags:    s.AdditionalTags(),
 			}
@@ -596,7 +600,7 @@ func (s *ClusterScope) PrivateDNSSpec() (zoneSpec azure.ResourceSpecGetter, link
 				IP:       s.APIServerPrivateIP(),
 			},
 			ZoneName:      s.GetPrivateDNSZoneName(),
-			ResourceGroup: s.ResourceGroup(),
+			ResourceGroup: resourceGroup,
 		}
 
 		return zone, links, records

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml

@@ -909,6 +909,11 @@ spec:
                     description: PrivateDNSZoneName defines the zone name for the
                       Azure Private DNS.
                     type: string
+                  privateDNSZoneResourceGroup:
+                    description: |-
+                      PrivateDNSZoneResourceGroup defines the resource group to be used for Azure Private DNS Zone.
+                      If not specified, the resource group of the cluster will be used to create the Azure Private DNS Zone.
+                    type: string
                   subnets:
                     description: Subnets is the configuration for the control-plane
                       subnet and the node subnet.

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclustertemplates.yaml

@@ -576,6 +576,11 @@ spec:
                             description: PrivateDNSZoneName defines the zone name
                               for the Azure Private DNS.
                             type: string
+                          privateDNSZoneResourceGroup:
+                            description: |-
+                              PrivateDNSZoneResourceGroup defines the resource group to be used for Azure Private DNS Zone.
+                              If not specified, the resource group of the cluster will be used to create the Azure Private DNS Zone.
+                            type: string
                           subnets:
                             description: Subnets is the configuration for the control-plane
                               subnet and the node subnet.