Merge pull request #3057 from willie-yao/bastion-sku

Add support for bastion tiers

Author: k8s-ci-robot

api/v1alpha4/azurecluster_conversion.go

@@ -81,7 +81,7 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error {
 		}
 	}
 
-	// Restore Azure Bastion IP tags, ServiceEndpoints and PrivateEndpoints.
+	// Restore Azure Bastion IP tags, ServiceEndpoints, PrivateEndpoints, SKU, and EnableTunneling.
 	if restored.Spec.BastionSpec.AzureBastion != nil && dst.Spec.BastionSpec.AzureBastion != nil {
 		if restored.Spec.BastionSpec.AzureBastion.PublicIP.Name == dst.Spec.BastionSpec.AzureBastion.PublicIP.Name {
 			dst.Spec.BastionSpec.AzureBastion.PublicIP.IPTags = restored.Spec.BastionSpec.AzureBastion.PublicIP.IPTags
@@ -91,6 +91,8 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error {
 		}
 		dst.Spec.BastionSpec.AzureBastion.Subnet.ServiceEndpoints = restored.Spec.BastionSpec.AzureBastion.Subnet.ServiceEndpoints
 		dst.Spec.BastionSpec.AzureBastion.Subnet.PrivateEndpoints = restored.Spec.BastionSpec.AzureBastion.Subnet.PrivateEndpoints
+		dst.Spec.BastionSpec.AzureBastion.Sku = restored.Spec.BastionSpec.AzureBastion.Sku
+		dst.Spec.BastionSpec.AzureBastion.EnableTunneling = restored.Spec.BastionSpec.AzureBastion.EnableTunneling
 	}
 
 	// Restore load balancers' backend pool name
@@ -372,3 +374,8 @@ func Convert_v1beta1_NatGateway_To_v1alpha4_NatGateway(in *infrav1.NatGateway, o
 func Convert_v1beta1_PublicIPSpec_To_v1alpha4_PublicIPSpec(in *infrav1.PublicIPSpec, out *PublicIPSpec, s apiconversion.Scope) error {
 	return autoConvert_v1beta1_PublicIPSpec_To_v1alpha4_PublicIPSpec(in, out, s)
 }
+
+// Convert_v1beta1_AzureBastion_To_v1alpha4_AzureBastion is an autogenerated conversion function.
+func Convert_v1beta1_AzureBastion_To_v1alpha4_AzureBastion(in *infrav1.AzureBastion, out *AzureBastion, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_AzureBastion_To_v1alpha4_AzureBastion(in, out, s)
+}

api/v1alpha4/zz_generated.conversion.go

@@ -96,6 +96,10 @@ func (c *AzureCluster) validateClusterSpec(old *AzureCluster) field.ErrorList {
 	allErrs = append(allErrs, validateCloudProviderConfigOverrides(c.Spec.CloudProviderConfigOverrides, oldCloudProviderConfigOverrides,
 		field.NewPath("spec").Child("cloudProviderConfigOverrides"))...)
 
+	if err := validateBastionSpec(c.Spec.BastionSpec, field.NewPath("spec").Child("azureBastion").Child("bastionSpec")); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	return allErrs
 }
 
@@ -117,6 +121,15 @@ func (c *AzureCluster) validateClusterName() field.ErrorList {
 	return allErrs
 }
 
+// validateBastionSpec validates a BastionSpec.
+func validateBastionSpec(bastionSpec BastionSpec, fldPath *field.Path) *field.Error {
+	if bastionSpec.AzureBastion != nil && bastionSpec.AzureBastion.Sku != StandardBastionHostSku && bastionSpec.AzureBastion.EnableTunneling {
+		return field.Invalid(fldPath.Child("sku"), bastionSpec.AzureBastion.Sku,
+			"sku must be Standard if tunneling is enabled")
+	}
+	return nil
+}
+
 // validateNetworkSpec validates a NetworkSpec.
 func validateNetworkSpec(networkSpec NetworkSpec, old NetworkSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList

api/v1beta1/azurecluster_validation.go

@@ -832,6 +832,16 @@ const (
 	AvailabilitySetRateLimit = "availabilitySetRateLimit"
 )
 
+// BastionHostSkuName is the name of the SKU used to specify the tier of Azure Bastion Host.
+type BastionHostSkuName string
+
+const (
+	// BasicBastionHostSku SKU for the Azure Bastion Host.
+	BasicBastionHostSku BastionHostSkuName = "Basic"
+	// StandardBastionHostSku SKU for the Azure Bastion Host.
+	StandardBastionHostSku BastionHostSkuName = "Standard"
+)
+
 // BastionSpec specifies how the Bastion feature should be set up for the cluster.
 type BastionSpec struct {
 	// +optional
@@ -846,6 +856,15 @@ type AzureBastion struct {
 	Subnet SubnetSpec `json:"subnet,omitempty"`
 	// +optional
 	PublicIP PublicIPSpec `json:"publicIP,omitempty"`
+	// BastionHostSkuName configures the tier of the Azure Bastion Host. Can be either Basic or Standard. Defaults to Basic.
+	// +kubebuilder:default=Basic
+	// +kubebuilder:validation:Enum=Basic;Standard
+	// +optional
+	Sku BastionHostSkuName `json:"sku,omitempty"`
+	// EnableTunneling enables the native client support feature for the Azure Bastion Host. Defaults to false.
+	// +kubebuilder:default=false
+	// +optional
+	EnableTunneling bool `json:"enableTunneling,omitempty"`
 }
 
 // BackendPool describes the backend pool of the load balancer.

api/v1beta1/types.go

@@ -520,12 +520,14 @@ func (s *ClusterScope) AzureBastionSpec() azure.ResourceSpecGetter {
 		publicIPID := azure.PublicIPID(s.SubscriptionID(), s.ResourceGroup(), s.AzureBastion().PublicIP.Name)
 
 		return &bastionhosts.AzureBastionSpec{
-			Name:          s.AzureBastion().Name,
-			ResourceGroup: s.ResourceGroup(),
-			Location:      s.Location(),
-			ClusterName:   s.ClusterName(),
-			SubnetID:      subnetID,
-			PublicIPID:    publicIPID,
+			Name:            s.AzureBastion().Name,
+			ResourceGroup:   s.ResourceGroup(),
+			Location:        s.Location(),
+			ClusterName:     s.ClusterName(),
+			SubnetID:        subnetID,
+			PublicIPID:      publicIPID,
+			Sku:             s.AzureBastion().Sku,
+			EnableTunneling: s.AzureBastion().EnableTunneling,
 		}
 	}
 

azure/scope/cluster.go

@@ -30,12 +30,14 @@ import (
 
 // AzureBastionSpec defines the specification for azure bastion feature.
 type AzureBastionSpec struct {
-	Name          string
-	ResourceGroup string
-	Location      string
-	ClusterName   string
-	SubnetID      string
-	PublicIPID    string
+	Name            string
+	ResourceGroup   string
+	Location        string
+	ClusterName     string
+	SubnetID        string
+	PublicIPID      string
+	Sku             infrav1.BastionHostSkuName
+	EnableTunneling bool
 }
 
 // AzureBastionSpecInput defines the required inputs to construct an azure bastion spec.
@@ -81,8 +83,12 @@ func (s *AzureBastionSpec) Parameters(ctx context.Context, existing interface{})
 			Name:        pointer.String(s.Name),
 			Role:        pointer.String("Bastion"),
 		})),
+		Sku: &network.Sku{
+			Name: network.BastionHostSkuName(s.Sku),
+		},
 		BastionHostPropertiesFormat: &network.BastionHostPropertiesFormat{
-			DNSName: pointer.String(fmt.Sprintf("%s-bastion", strings.ToLower(s.Name))),
+			EnableTunneling: pointer.Bool(s.EnableTunneling),
+			DNSName:         pointer.String(fmt.Sprintf("%s-bastion", strings.ToLower(s.Name))),
 			IPConfigurations: &[]network.BastionHostIPConfiguration{
 				{
 					Name: pointer.String(bastionHostIPConfigName),

azure/services/bastionhosts/spec.go

@@ -1318,6 +1318,11 @@ spec:
                     description: AzureBastion specifies how the Azure Bastion cloud
                       component should be configured.
                     properties:
+                      enableTunneling:
+                        default: false
+                        description: EnableTunneling enables the native client support
+                          feature for the Azure Bastion Host. Defaults to false.
+                        type: boolean
                       name:
                         type: string
                       publicIP:
@@ -1349,6 +1354,15 @@ spec:
                         required:
                         - name
                         type: object
+                      sku:
+                        default: Basic
+                        description: BastionHostSkuName configures the tier of the
+                          Azure Bastion Host. Can be either Basic or Standard. Defaults
+                          to Basic.
+                        enum:
+                        - Basic
+                        - Standard
+                        type: string
                       subnet:
                         description: SubnetSpec configures an Azure subnet.
                         properties:

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml

@@ -107,6 +107,8 @@ spec:
         securityGroup: {} // No security group is assigned by default. You can choose to have one created and assigned by defining it. 
       publicIP:
         "name": "..." // The name of the Public IP, defaults to '<cluster name>-azure-bastion-pip'.
+      sku: "..." // The SKU/tier of the Azure Bastion resource. The options are `Standard` and `Basic`. The default value is `Basic`.
+      enableTunneling: "..." // Whether or not to enable tunneling/native client support. The default value is `false`.
 ```
 
 If you specify a security group to be associated with the Azure Bastion subnet, it needs to have some networking rules defined or

docs/book/src/topics/ssh-access.md

@@ -13,3 +13,5 @@ spec:
         - ${AZURE_BASTION_SUBNET_CIDR}
         name: AzureBastionSubnet
         role: bastion
+      sku: Standard
+      enableTunneling: true