Allow configuring ASO for non-public cloud at install

Author: nojnhuh

api/v1beta1/azuremanagedcontrolplane_types.go

@@ -192,6 +192,18 @@ type AzureManagedControlPlaneSpec struct {
 	// - ChinaCloud: "AzureChinaCloud"
 	// - PublicCloud: "AzurePublicCloud"
 	// - USGovernmentCloud: "AzureUSGovernmentCloud"
+	//
+	// Note that values other than the default must also be accompanied by corresponding changes to the
+	// aso-controller-settings Secret to configure ASO to refer to the non-Public cloud. ASO currently does
+	// not support referring to multiple different clouds in a single installation. The following fields must
+	// be defined in the Secret:
+	// - AZURE_AUTHORITY_HOST
+	// - AZURE_RESOURCE_MANAGER_ENDPOINT
+	// - AZURE_RESOURCE_MANAGER_AUDIENCE
+	//
+	// See the [ASO docs] for more details.
+	//
+	// [ASO docs]: https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/
 	// +optional
 	AzureEnvironment string `json:"azureEnvironment,omitempty"`
 

api/v1beta1/types_class.go

@@ -46,6 +46,18 @@ type AzureClusterClassSpec struct {
 	// - GermanCloud: "AzureGermanCloud"
 	// - PublicCloud: "AzurePublicCloud"
 	// - USGovernmentCloud: "AzureUSGovernmentCloud"
+	//
+	// Note that values other than the default must also be accompanied by corresponding changes to the
+	// aso-controller-settings Secret to configure ASO to refer to the non-Public cloud. ASO currently does
+	// not support referring to multiple different clouds in a single installation. The following fields must
+	// be defined in the Secret:
+	// - AZURE_AUTHORITY_HOST
+	// - AZURE_RESOURCE_MANAGER_ENDPOINT
+	// - AZURE_RESOURCE_MANAGER_AUDIENCE
+	//
+	// See the [ASO docs] for more details.
+	//
+	// [ASO docs]: https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/
 	// +optional
 	AzureEnvironment string `json:"azureEnvironment,omitempty"`
 

config/aso/credentials.yaml

@@ -4,7 +4,7 @@ namespace: capz-system
 resources:
 - https://github.com/Azure/azure-service-operator/releases/download/v2.3.0/azureserviceoperator_v2.3.0.yaml
 - crds.yaml
-- credentials.yaml
+- settings.yaml
 
 patches:
   - patch: |- # default kustomization includes a namespace already

config/aso/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aso-controller-settings
+type: Opaque
+stringData:
+  AZURE_AUTHORITY_HOST: ${AZURE_AUTHORITY_HOST:=""}
+  AZURE_RESOURCE_MANAGER_ENDPOINT: ${AZURE_RESOURCE_MANAGER_ENDPOINT:=""}
+  AZURE_RESOURCE_MANAGER_AUDIENCE: ${AZURE_RESOURCE_MANAGER_AUDIENCE:=""}
+  AZURE_SYNC_PERIOD: ${AZURE_SYNC_PERIOD:=""}
+  # Per-resource Secrets will be created based on a Cluster's AzureClusterIdentity.
+  AZURE_SUBSCRIPTION_ID: ""
+  AZURE_TENANT_ID: ""
+  AZURE_CLIENT_ID: ""

config/aso/settings.yaml

@@ -81,11 +81,17 @@ spec:
                   added by default.
                 type: object
               azureEnvironment:
-                description: 'AzureEnvironment is the name of the AzureCloud to be
-                  used. The default value that would be used by most users is "AzurePublicCloud",
-                  other values are: - ChinaCloud: "AzureChinaCloud" - GermanCloud:
-                  "AzureGermanCloud" - PublicCloud: "AzurePublicCloud" - USGovernmentCloud:
-                  "AzureUSGovernmentCloud"'
+                description: "AzureEnvironment is the name of the AzureCloud to be
+                  used. The default value that would be used by most users is \"AzurePublicCloud\",
+                  other values are: - ChinaCloud: \"AzureChinaCloud\" - GermanCloud:
+                  \"AzureGermanCloud\" - PublicCloud: \"AzurePublicCloud\" - USGovernmentCloud:
+                  \"AzureUSGovernmentCloud\" \n Note that values other than the default
+                  must also be accompanied by corresponding changes to the aso-controller-settings
+                  Secret to configure ASO to refer to the non-Public cloud. ASO currently
+                  does not support referring to multiple different clouds in a single
+                  installation. The following fields must be defined in the Secret:
+                  - AZURE_AUTHORITY_HOST - AZURE_RESOURCE_MANAGER_ENDPOINT - AZURE_RESOURCE_MANAGER_AUDIENCE
+                  \n See the [ASO docs] for more details. \n [ASO docs]: https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/"
                 type: string
               bastionSpec:
                 description: BastionSpec encapsulates all things related to the Bastions

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml

@@ -54,11 +54,19 @@ spec:
                           addition to the ones added by default.
                         type: object
                       azureEnvironment:
-                        description: 'AzureEnvironment is the name of the AzureCloud
+                        description: "AzureEnvironment is the name of the AzureCloud
                           to be used. The default value that would be used by most
-                          users is "AzurePublicCloud", other values are: - ChinaCloud:
-                          "AzureChinaCloud" - GermanCloud: "AzureGermanCloud" - PublicCloud:
-                          "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"'
+                          users is \"AzurePublicCloud\", other values are: - ChinaCloud:
+                          \"AzureChinaCloud\" - GermanCloud: \"AzureGermanCloud\"
+                          - PublicCloud: \"AzurePublicCloud\" - USGovernmentCloud:
+                          \"AzureUSGovernmentCloud\" \n Note that values other than
+                          the default must also be accompanied by corresponding changes
+                          to the aso-controller-settings Secret to configure ASO to
+                          refer to the non-Public cloud. ASO currently does not support
+                          referring to multiple different clouds in a single installation.
+                          The following fields must be defined in the Secret: - AZURE_AUTHORITY_HOST
+                          - AZURE_RESOURCE_MANAGER_ENDPOINT - AZURE_RESOURCE_MANAGER_AUDIENCE
+                          \n See the [ASO docs] for more details. \n [ASO docs]: https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/"
                         type: string
                       bastionSpec:
                         description: BastionSpec encapsulates all things related to

config/crd/bases/infrastructure.cluster.x-k8s.io_azureclustertemplates.yaml

@@ -218,10 +218,17 @@ spec:
                     type: string
                 type: object
               azureEnvironment:
-                description: 'AzureEnvironment is the name of the AzureCloud to be
-                  used. The default value that would be used by most users is "AzurePublicCloud",
-                  other values are: - ChinaCloud: "AzureChinaCloud" - PublicCloud:
-                  "AzurePublicCloud" - USGovernmentCloud: "AzureUSGovernmentCloud"'
+                description: "AzureEnvironment is the name of the AzureCloud to be
+                  used. The default value that would be used by most users is \"AzurePublicCloud\",
+                  other values are: - ChinaCloud: \"AzureChinaCloud\" - PublicCloud:
+                  \"AzurePublicCloud\" - USGovernmentCloud: \"AzureUSGovernmentCloud\"
+                  \n Note that values other than the default must also be accompanied
+                  by corresponding changes to the aso-controller-settings Secret to
+                  configure ASO to refer to the non-Public cloud. ASO currently does
+                  not support referring to multiple different clouds in a single installation.
+                  The following fields must be defined in the Secret: - AZURE_AUTHORITY_HOST
+                  - AZURE_RESOURCE_MANAGER_ENDPOINT - AZURE_RESOURCE_MANAGER_AUDIENCE
+                  \n See the [ASO docs] for more details. \n [ASO docs]: https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/"
                 type: string
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to

config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml

@@ -36,6 +36,19 @@ the resource will not be deleted in Azure.
 Additionally, BYO resources may include ASO resources managed by the user. CAPZ will not modify or delete such
 resources. Note that `clusterctl move` will not move user-managed ASO resources.
 
+## Configuration with Environment Variables
+
+These environment variables are passed through to the `aso-controller-settings` Secret to configure ASO when
+CAPZ is installed and are consumed by `clusterctl init`. They may also be modified directly in the Secret
+after installing ASO with CAPZ:
+
+- `AZURE_AUTHORITY_HOST`
+- `AZURE_RESOURCE_MANAGER_AUDIENCE`
+- `AZURE_RESOURCE_MANAGER_ENDPOINT`
+- `AZURE_SYNC_PERIOD`
+
+More details on each can be found in [ASO's documentation](https://azure.github.io/azure-service-operator/guide/aso-controller-settings-options/).
+
 ## Using ASO for non-CAPZ resources
 
 CAPZ's installation of ASO can be used directly to manage Azure resources outside the domain of