Set ARMClientOptions for Azure Stack

Sets ARM Client Options when using the Azure Stack environment. Extends
ARMClientOptions to accept an ARMEndpoint, which can be obtained from
the authorizer interface, the same source the cloud environment.

Sets the APIVersion to a hybrid cloud profile to ensure compatibility
with hybrid environments.

Author: patrickdillon

azure/defaults.go

@@ -28,6 +28,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
 	"github.com/Azure/azure-sdk-for-go/sdk/tracing/azotel"
+	"github.com/Azure/go-autorest/autorest/azure"
 
 	"sigs.k8s.io/cluster-api-provider-azure/pkg/ot"
 	"sigs.k8s.io/cluster-api-provider-azure/util/tele"
@@ -112,6 +113,12 @@ const (
 	CustomHeaderPrefix = "infrastructure.cluster.x-k8s.io/custom-header-"
 )
 
+const (
+	// StackAPIVersion is the API version profile to set for ARM clients. See:
+	// https://learn.microsoft.com/en-us/azure-stack/user/azure-stack-profiles-azure-resource-manager-versions?view=azs-2408#overview-of-the-2020-09-01-hybrid-profile
+	StackAPIVersionProfile = "2020-06-01"
+)
+
 var (
 	// LinuxBootstrapExtensionCommand is the command the VM bootstrap extension will execute to verify Linux nodes bootstrap completes successfully.
 	LinuxBootstrapExtensionCommand = fmt.Sprintf("for i in $(seq 1 %d); do test -f %s && break; if [ $i -eq %d ]; then exit 1; else sleep %d; fi; done", bootstrapExtensionRetries, bootstrapSentinelFile, bootstrapExtensionRetries, bootstrapExtensionSleep)
@@ -360,7 +367,7 @@ func UserAgent() string {
 }
 
 // ARMClientOptions returns default ARM client options for CAPZ SDK v2 requests.
-func ARMClientOptions(azureEnvironment string, extraPolicies ...policy.Policy) (*arm.ClientOptions, error) {
+func ARMClientOptions(azureEnvironment, armEndpoint string, extraPolicies ...policy.Policy) (*arm.ClientOptions, error) {
 	opts := &arm.ClientOptions{}
 
 	switch azureEnvironment {
@@ -370,6 +377,21 @@ func ARMClientOptions(azureEnvironment string, extraPolicies ...policy.Policy) (
 		opts.Cloud = cloud.AzureChina
 	case USGovernmentCloudName:
 		opts.Cloud = cloud.AzureGovernment
+	case StackCloudName:
+		cloudEnv, err := azure.EnvironmentFromURL(armEndpoint)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get Azure Stack cloud environment: %w", err)
+		}
+		opts.APIVersion = StackAPIVersionProfile
+		opts.Cloud = cloud.Configuration{
+			ActiveDirectoryAuthorityHost: cloudEnv.ActiveDirectoryEndpoint,
+			Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
+				cloud.ResourceManager: {
+					Audience: cloudEnv.TokenAudience,
+					Endpoint: cloudEnv.ResourceManagerEndpoint,
+				},
+			},
+		}
 	case "":
 		// No cloud name provided, so leave at defaults.
 	default:

azure/defaults_test.go

@@ -38,6 +38,7 @@ func TestARMClientOptions(t *testing.T) {
 	tests := []struct {
 		name          string
 		cloudName     string
+		armEndpoint   string
 		expectedCloud cloud.Configuration
 		expectError   bool
 	}{
@@ -72,7 +73,7 @@ func TestARMClientOptions(t *testing.T) {
 			t.Parallel()
 			g := NewWithT(t)
 
-			opts, err := ARMClientOptions(tc.cloudName)
+			opts, err := ARMClientOptions(tc.cloudName, tc.armEndpoint)
 			if tc.expectError {
 				g.Expect(err).To(HaveOccurred())
 				return
@@ -99,7 +100,7 @@ func TestPerCallPolicies(t *testing.T) {
 	defer server.Close()
 
 	// Call the factory function and ensure it has both PerCallPolicies.
-	opts, err := ARMClientOptions("")
+	opts, err := ARMClientOptions("", "")
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(opts.PerCallPolicies).To(HaveLen(2))
 	g.Expect(opts.PerCallPolicies).To(ContainElement(BeAssignableToTypeOf(correlationIDPolicy{})))
@@ -184,7 +185,7 @@ func TestCustomPutPatchHeaderPolicy(t *testing.T) {
 			// Create options with a custom PUT/PATCH header per-call policy
 			getterMock := mock_azure.NewMockResourceSpecGetterWithHeaders(mockCtrl)
 			getterMock.EXPECT().CustomHeaders().Return(tc.headers).AnyTimes()
-			opts, err := ARMClientOptions("", CustomPutPatchHeaderPolicy{Headers: tc.headers})
+			opts, err := ARMClientOptions("", "", CustomPutPatchHeaderPolicy{Headers: tc.headers})
 			g.Expect(err).NotTo(HaveOccurred())
 
 			// Create a request

azure/services/availabilitysets/client.go

@@ -34,7 +34,7 @@ type AzureClient struct {
 
 // NewClient creates a new availability sets client from an authorizer.
 func NewClient(auth azure.Authorizer) (*AzureClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create availabilitysets client options")
 	}

azure/services/disks/client.go

@@ -37,7 +37,7 @@ type azureClient struct {
 
 // newClient creates a new disks client from an authorizer.
 func newClient(auth azure.Authorizer, apiCallTimeout time.Duration) (*azureClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create disks client options")
 	}

azure/services/identities/client.go

@@ -41,7 +41,7 @@ type AzureClient struct {
 
 // NewClient creates a new MSI client from an authorizer.
 func NewClient(auth azure.Authorizer) (Client, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create identities client options")
 	}
@@ -54,7 +54,7 @@ func NewClient(auth azure.Authorizer) (Client, error) {
 
 // NewClientBySub creates a new MSI client with a given subscriptionID.
 func NewClientBySub(auth azure.Authorizer, subscriptionID string) (Client, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create identities client options")
 	}

azure/services/inboundnatrules/client.go

@@ -44,7 +44,7 @@ var _ client = (*azureClient)(nil)
 
 // newClient creates a new inbound NAT rules client from an authorizer.
 func newClient(auth azure.Authorizer, apiCallTimeout time.Duration) (*azureClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create inboundnatrules client options")
 	}

azure/services/loadbalancers/client.go

@@ -39,7 +39,7 @@ type azureClient struct {
 
 // newClient creates a new load balancer client from an authorizer.
 func newClient(auth azure.Authorizer, apiCallTimeout time.Duration) (*azureClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get load balancer client options")
 	}
@@ -86,7 +86,7 @@ func (ac *azureClient) CreateOrUpdateAsync(ctx context.Context, spec azure.Resou
 	}
 
 	// Create a new client that knows how to add etag headers to the request.
-	clientOpts, err := azure.ARMClientOptions(ac.auth.CloudEnvironment(), extraPolicies...)
+	clientOpts, err := azure.ARMClientOptions(ac.auth.CloudEnvironment(), ac.auth.BaseURI(), extraPolicies...)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "failed to create loadbalancer client options")
 	}

azure/services/networkinterfaces/client.go

@@ -37,7 +37,7 @@ type azureClient struct {
 
 // NewClient creates a new network interfaces client from an authorizer.
 func NewClient(auth azure.Authorizer, apiCallTimeout time.Duration) (*azureClient, error) { //nolint:revive // leave it as is
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create networkinterfaces client options")
 	}

azure/services/privatedns/link_client.go

@@ -37,7 +37,7 @@ type azureVirtualNetworkLinksClient struct {
 
 // newVirtualNetworkLinksClient creates a virtual network links client from an authorizer.
 func newVirtualNetworkLinksClient(auth azure.Authorizer, apiCallTimeout time.Duration) (*azureVirtualNetworkLinksClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create virtualnetworkslink client options")
 	}

azure/services/privatedns/record_client.go

@@ -34,7 +34,7 @@ type azureRecordsClient struct {
 
 // newRecordSetsClient creates a record sets client from an authorizer.
 func newRecordSetsClient(auth azure.Authorizer) (*azureRecordsClient, error) {
-	opts, err := azure.ARMClientOptions(auth.CloudEnvironment())
+	opts, err := azure.ARMClientOptions(auth.CloudEnvironment(), auth.BaseURI())
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create recordsets client options")
 	}