pkg/storage/azure: support private endpoint creation with custom network resource group

when users bring their our network, they will commonly have a dedicated
resource group where the network resources are. vnet and subnet ids
contain the resource group of where these resources exist in, so the
operator needs to distinguish between the cluster resource group, and
the user provided network resource group.

this commit adds support for such use-case.
note that it's importante that the private endpoint is created within
the cluster resource group, which is managed by the installer. this is
so that the private endpoint is guaranteed to be destroyed when the
cluster itself is destroyed.

Author: flavianmissi

pkg/storage/azure/azure.go

@@ -562,7 +562,6 @@ func (d *driver) assurePrivateAccount(cfg *Azure, infra *configv1.Infrastructure
 		ClientSecret:       cfg.ClientSecret,
 		FederatedTokenFile: cfg.FederatedTokenFile,
 		SubscriptionID:     cfg.SubscriptionID,
-		ResourceGroupName:  cfg.ResourceGroup,
 		TagSet:             tagset,
 	})
 	if err != nil {
@@ -581,24 +580,29 @@ func (d *driver) assurePrivateAccount(cfg *Azure, infra *configv1.Infrastructure
 		privateEndpointName = generateAccountName(infra.Status.InfrastructureName)
 	}
 
+	networkResourceGroup := cfg.ResourceGroup
+	if internalConfig.NetworkResourceGroupName != "" {
+		networkResourceGroup = internalConfig.NetworkResourceGroupName
+	}
+
 	// the last step in this function is to disable public network for the
 	// storage account - if we already did that, then none of the steps
 	// below need to be executed.
-	if azclient.IsStorageAccountPrivate(d.Context, accountName) {
+	if azclient.IsStorageAccountPrivate(d.Context, cfg.ResourceGroup, accountName) {
 		return privateEndpointName, nil
 	}
 
 	if internalConfig.VNetName == "" {
 		tagKey := fmt.Sprintf("kubernetes.io_cluster.%s", infra.Status.InfrastructureName)
-		vnet, err := azclient.GetVNetByTag(d.Context, tagKey, "owned", "shared")
+		vnet, err := azclient.GetVNetByTag(d.Context, networkResourceGroup, tagKey, "owned", "shared")
 		if err != nil {
 			return "", fmt.Errorf("failed to discover vnet name, please provide network details manually: %q", err)
 		}
 		internalConfig.VNetName = *vnet.Name
 	}
 
 	if internalConfig.SubnetName == "" {
-		subnet, err := azclient.GetSubnetsByVNet(d.Context, internalConfig.VNetName)
+		subnet, err := azclient.GetSubnetsByVNet(d.Context, networkResourceGroup, internalConfig.VNetName)
 		if err != nil {
 			return "", fmt.Errorf("failed to discover subnet name, please provide network details manually: %q", err)
 		}
@@ -609,11 +613,13 @@ func (d *driver) assurePrivateAccount(cfg *Azure, infra *configv1.Infrastructure
 	pe, err := azclient.CreatePrivateEndpoint(
 		d.Context,
 		&azureclient.PrivateEndpointCreateOptions{
-			Location:            cfg.Region,
-			VNetName:            internalConfig.VNetName,
-			SubnetName:          internalConfig.SubnetName,
-			PrivateEndpointName: privateEndpointName,
-			StorageAccountName:  accountName,
+			Location:                 cfg.Region,
+			ClusterResourceGroupName: cfg.ResourceGroup,
+			NetworkResourceGroupName: networkResourceGroup,
+			VNetName:                 internalConfig.VNetName,
+			SubnetName:               internalConfig.SubnetName,
+			PrivateEndpointName:      privateEndpointName,
+			StorageAccountName:       accountName,
 		},
 	)
 	if err != nil {
@@ -623,14 +629,14 @@ func (d *driver) assurePrivateAccount(cfg *Azure, infra *configv1.Infrastructure
 
 	klog.V(3).Info("configuring private DNS...")
 	if err := azclient.ConfigurePrivateDNS(
-		d.Context, pe, internalConfig.VNetName, accountName,
+		d.Context, pe, cfg.ResourceGroup, networkResourceGroup, internalConfig.VNetName, accountName,
 	); err != nil {
 		return privateEndpointName, err
 	}
 	klog.V(3).Info("private DNS configured")
 
 	klog.V(3).Infof("disabling public network access for storage account %q...", accountName)
-	if err := azclient.UpdateStorageAccountNetworkAccess(d.Context, accountName, false); err != nil {
+	if err := azclient.UpdateStorageAccountNetworkAccess(d.Context, cfg.ResourceGroup, accountName, false); err != nil {
 		return privateEndpointName, err
 	}
 
@@ -952,7 +958,6 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 			ClientSecret:       cfg.ClientSecret,
 			FederatedTokenFile: cfg.FederatedTokenFile,
 			SubscriptionID:     cfg.SubscriptionID,
-			ResourceGroupName:  cfg.ResourceGroup,
 		})
 		if err != nil {
 			util.UpdateCondition(
@@ -966,6 +971,7 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 		}
 		if err := azclient.DestroyPrivateDNS(
 			d.Context,
+			cfg.ResourceGroup,
 			d.Config.NetworkAccess.Internal.PrivateEndpointName,
 			d.Config.NetworkAccess.Internal.VNetName,
 			d.Config.AccountName,
@@ -980,7 +986,7 @@ func (d *driver) RemoveStorage(cr *imageregistryv1.Config) (retry bool, err erro
 			return false, err
 		}
 		if err := azclient.DeletePrivateEndpoint(
-			d.Context, d.Config.NetworkAccess.Internal.PrivateEndpointName,
+			d.Context, cfg.ResourceGroup, d.Config.NetworkAccess.Internal.PrivateEndpointName,
 		); err != nil {
 			util.UpdateCondition(
 				cr,