Further removed unnecessary stuff

Author: HigashikataZhangsuke

azure/scope/azure_secret_cloud.go

@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
@@ -120,10 +121,14 @@ func updateGlobalTransportLocked(certData []byte) error {
 		// No custom certificate, use system defaults
 		globalCertPool = nil
 		globalTransport = &http.Transport{
-			Proxy: http.ProxyFromEnvironment,
+			Proxy:                 http.ProxyFromEnvironment,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ResponseHeaderTimeout: 30 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
 		}
 		globalHTTPClient = &http.Client{
 			Transport: globalTransport,
+			Timeout:   60 * time.Second,
 		}
 		azurepkg.GlobalHTTPClient = globalHTTPClient
 		return nil
@@ -147,12 +152,16 @@ func updateGlobalTransportLocked(certData []byte) error {
 			RootCAs:            globalCertPool,
 			InsecureSkipVerify: false,
 		},
-		Proxy: http.ProxyFromEnvironment,
+		Proxy:                 http.ProxyFromEnvironment,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ResponseHeaderTimeout: 30 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
 	}
 
 	// Create global HTTP client
 	globalHTTPClient = &http.Client{
 		Transport: globalTransport,
+		Timeout:   60 * time.Second,
 	}
 
 	// Store in azure package globals for backward compatibility

azure/services/managedclusters/managedclusters.go

@@ -142,43 +142,54 @@ func postCreateOrUpdateResourceHook(ctx context.Context, scope ManagedClusterSco
   The user needs to ensure to provide service principal with admin AAD privileges.
 */
 func reconcileKubeconfig(ctx context.Context, scope ManagedClusterScope, namespace string) (adminKubeConfigData []byte, userKubeConfigData []byte, err error) {
+	fmt.Printf("=== DEBUG: reconcileKubeconfig() called for cluster: %s ===\n", scope.ClusterName())
+	fmt.Printf("DEBUG: Namespace: %s\n", namespace)
+	fmt.Printf("DEBUG: IsAADEnabled: %v\n", scope.IsAADEnabled())
+	fmt.Printf("DEBUG: AreLocalAccountsDisabled: %v\n", scope.AreLocalAccountsDisabled())
+
 	if scope.IsAADEnabled() {
+		fmt.Printf("DEBUG: AAD is enabled, getting user kubeconfig data\n")
 		if userKubeConfigData, err = getUserKubeconfigData(ctx, scope, namespace); err != nil {
+			fmt.Printf("DEBUG: ERROR - Failed to get user kubeconfig: %v\n", err)
 			return nil, nil, errors.Wrap(err, "error while trying to get user kubeconfig")
 		}
+		fmt.Printf("DEBUG: Got user kubeconfig data: %d bytes\n", len(userKubeConfigData))
 	}
 
 	if scope.AreLocalAccountsDisabled() {
+		fmt.Printf("DEBUG: Local accounts disabled, using user kubeconfig with token path\n")
 		userKubeconfigWithToken, err := getUserKubeConfigWithToken(ctx, userKubeConfigData, scope)
 		if err != nil {
+			fmt.Printf("DEBUG: ERROR - Failed to get user kubeconfig with token: %v\n", err)
 			return nil, nil, errors.Wrap(err, "error while trying to get user kubeconfig with token")
 		}
+		fmt.Printf("DEBUG: Successfully got user kubeconfig with token: %d bytes\n", len(userKubeconfigWithToken))
 		return userKubeconfigWithToken, userKubeConfigData, nil
 	}
 
+	fmt.Printf("DEBUG: Using admin kubeconfig path (local accounts enabled)\n")
 	asoSecret := &corev1.Secret{}
+	secretName := adminKubeconfigSecretName(scope.ClusterName())
+	fmt.Printf("DEBUG: Looking for ASO admin kubeconfig secret: %s/%s\n", namespace, secretName)
+
 	err = scope.GetClient().Get(
 		ctx,
 		client.ObjectKey{
 			Namespace: namespace,
-			Name:      adminKubeconfigSecretName(scope.ClusterName()),
+			Name:      secretName,
 		},
 		asoSecret,
 	)
 	if err != nil {
+		fmt.Printf("DEBUG: ERROR - Failed to get ASO admin kubeconfig secret: %v\n", err)
 		return nil, nil, errors.Wrap(err, "failed to get ASO admin kubeconfig secret")
 	}
-	adminKubeConfigData = asoSecret.Data[secret.KubeconfigDataName]
 
-	// PATCH POINT: Inject custom CA certificate data into admin kubeconfig
-	// This allows patching CA certificates for admin kubeconfig retrieved from ASO
-	if adminKubeConfigData != nil && len(adminKubeConfigData) > 0 {
-		if patchedAdminConfig, err := patchKubeconfigWithCustomCA(adminKubeConfigData, scope.ClusterName()); err == nil {
-			adminKubeConfigData = patchedAdminConfig
-		}
-		// Note: We could log the error but not fail the reconciliation if patching fails
-	}
+	adminKubeConfigData = asoSecret.Data[secret.KubeconfigDataName]
+	fmt.Printf("DEBUG: Retrieved admin kubeconfig from ASO secret: %d bytes\n", len(adminKubeConfigData))
 
+	fmt.Printf("DEBUG: reconcileKubeconfig() completed - admin: %d bytes, user: %d bytes\n",
+		len(adminKubeConfigData), len(userKubeConfigData))
 	return adminKubeConfigData, userKubeConfigData, nil
 }
 
@@ -215,60 +226,16 @@ func getUserKubeConfigWithToken(ctx context.Context, userKubeConfigData []byte,
 		auth.Exec = nil
 	}
 
-	// PATCH POINT: Inject custom CA certificate data here
-	// This is where you could add logic to replace the certificate-authority-data
-	// with your custom CA certificate
-	if customCACert := getCustomCACertificate(); customCACert != nil {
-		for _, cluster := range config.Clusters {
-			cluster.CertificateAuthorityData = customCACert
-		}
-	}
-
 	kubeconfig, err := clientcmd.Write(*config)
 	if err != nil {
 		return nil, errors.Wrap(err, "error while trying to marshal new user kubeconfig with token")
 	}
 	return kubeconfig, nil
 }
 
-// getCustomCACertificate returns custom CA certificate data if available
-// This function leverages the same certificate that is used for Azure authentication
-// by checking the global AzSecretCertPool that gets populated during Azure client initialization
-func getCustomCACertificate() []byte {
-	// Check if we have a certificate in the global AzSecretCertPool
-	// This is the same certificate pool used for Azure authentication
-	if azure.IsAzSecretCertConfigured() && azure.AzSecretCertPool != nil {
-		// Return the raw certificate data stored in AzSecretCertData
-		// This contains the original PEM data that was used to populate the certificate pool
-		if len(azure.AzSecretCertData) > 0 {
-			return azure.AzSecretCertData
-		}
-	}
-
-	return nil
-}
-
-// patchKubeconfigWithCustomCA patches kubeconfig data with custom CA certificate
-func patchKubeconfigWithCustomCA(kubeconfigData []byte, clusterName string) ([]byte, error) {
-	customCACert := getCustomCACertificate()
-	if customCACert == nil {
-		return kubeconfigData, nil // No custom CA, return original
-	}
-
-	config, err := clientcmd.Load(kubeconfigData)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to load kubeconfig for CA patching")
-	}
-
-	// Replace CA data in all clusters
-	for _, cluster := range config.Clusters {
-		cluster.CertificateAuthorityData = customCACert
-	}
-
-	patchedKubeconfig, err := clientcmd.Write(*config)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to write patched kubeconfig")
+func min(a, b int) int {
+	if a < b {
+		return a
 	}
-
-	return patchedKubeconfig, nil
+	return b
 }

controllers/azureasomanagedcontrolplane_controller.go

@@ -325,10 +325,41 @@ func (r *AzureASOManagedControlPlaneReconciler) reconcileKubeconfig(ctx context.
 
 		// PATCH POINT: Inject custom CA certificate data here
 		// This allows patching CA certificates for AAD-enabled clusters with local accounts disabled
+		fmt.Printf("=== DEBUG: ASO Controller CA injection for cluster: %s ===\n", cluster.Name)
 		if customCACert := getCustomCACertificateForCluster(cluster.Name); customCACert != nil {
-			for _, clusterInfo := range kubeconfig.Clusters {
-				clusterInfo.CertificateAuthorityData = customCACert
+			fmt.Printf("DEBUG: ASO - Custom CA certificate found (%d bytes), proceeding with COMBINATION\n", len(customCACert))
+			patchedCount := 0
+			for clusterName, clusterInfo := range kubeconfig.Clusters {
+				fmt.Printf("DEBUG: ASO - Processing cluster '%s'\n", clusterName)
+				fmt.Printf("DEBUG: ASO - Original CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+
+				if clusterInfo.CertificateAuthorityData != nil && len(clusterInfo.CertificateAuthorityData) > 0 {
+					fmt.Printf("DEBUG: ASO - Combining original CA with custom CA\n")
+					// Combine: original + newline + custom CA
+					combinedCA := make([]byte, 0, len(clusterInfo.CertificateAuthorityData)+1+len(customCACert))
+					combinedCA = append(combinedCA, clusterInfo.CertificateAuthorityData...)
+
+					// Add newline separator if original doesn't end with newline
+					if clusterInfo.CertificateAuthorityData[len(clusterInfo.CertificateAuthorityData)-1] != '\n' {
+						combinedCA = append(combinedCA, '\n')
+					}
+
+					combinedCA = append(combinedCA, customCACert...)
+					clusterInfo.CertificateAuthorityData = combinedCA
+
+					fmt.Printf("DEBUG: ASO - Combined CA data length: %d bytes (original: %d + custom: %d)\n",
+						len(combinedCA), len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1, len(customCACert))
+				} else {
+					fmt.Printf("DEBUG: ASO - No original CA data, using only custom CA\n")
+					// No original CA, just use custom
+					clusterInfo.CertificateAuthorityData = customCACert
+					fmt.Printf("DEBUG: ASO - Set CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+				}
+				patchedCount++
 			}
+			fmt.Printf("DEBUG: ASO - Combined CA certificates in %d clusters total\n", patchedCount)
+		} else {
+			fmt.Printf("DEBUG: ASO - No custom CA certificate found, keeping original kubeconfig\n")
 		}
 
 		kubeconfigData, err = clientcmd.Write(*kubeconfig)
@@ -366,19 +397,46 @@ func (r *AzureASOManagedControlPlaneReconciler) reconcileKubeconfig(ctx context.
 // This function leverages the same certificate that is used for Azure authentication
 // by checking the global AzSecretCertPool that gets populated during Azure client initialization
 func getCustomCACertificateForCluster(clusterName string) []byte {
+	fmt.Printf("=== DEBUG: ASO getCustomCACertificateForCluster() called for cluster: %s ===\n", clusterName)
+
+	// Debug the condition checks
+	isConfigured := azure.IsAzSecretCertConfigured()
+	poolNotNil := azure.AzSecretCertPool != nil
+	dataLength := len(azure.AzSecretCertData)
+
+	fmt.Printf("DEBUG: ASO - azure.IsAzSecretCertConfigured() = %v\n", isConfigured)
+	fmt.Printf("DEBUG: ASO - azure.AzSecretCertPool != nil = %v\n", poolNotNil)
+	fmt.Printf("DEBUG: ASO - len(azure.AzSecretCertData) = %d\n", dataLength)
+
 	// Check if we have a certificate in the global AzSecretCertPool
 	// This is the same certificate pool used for Azure authentication
 	if azure.IsAzSecretCertConfigured() && azure.AzSecretCertPool != nil {
+		fmt.Printf("DEBUG: ASO - Passed first condition check (IsConfigured && PoolNotNil)\n")
 		// Return the raw certificate data stored in AzSecretCertData
 		// This contains the original PEM data that was used to populate the certificate pool
 		if len(azure.AzSecretCertData) > 0 {
+			fmt.Printf("DEBUG: ASO - Found certificate data, returning %d bytes\n", len(azure.AzSecretCertData))
+			fmt.Printf("DEBUG: ASO - Certificate data preview (first 100 chars): %s...\n",
+				string(azure.AzSecretCertData[:min(100, len(azure.AzSecretCertData))]))
 			return azure.AzSecretCertData
+		} else {
+			fmt.Printf("DEBUG: ASO - Certificate data is empty, returning nil\n")
 		}
+	} else {
+		fmt.Printf("DEBUG: ASO - Failed condition check - IsConfigured: %v, PoolNotNil: %v\n", isConfigured, poolNotNil)
 	}
 
+	fmt.Printf("DEBUG: ASO - getCustomCACertificateForCluster() returning nil\n")
 	return nil
 }
 
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
+
 func (r *AzureASOManagedControlPlaneReconciler) reconcilePaused(ctx context.Context, asoManagedControlPlane *infrav1alpha.AzureASOManagedControlPlane) (ctrl.Result, error) {
 	ctx, log, done := tele.StartSpanWithLogger(ctx, "controllers.AzureASOManagedControlPlaneReconciler.reconcilePaused")
 	defer done()

controllers/azuremanagedcontrolplane_reconciler.go

@@ -130,6 +130,62 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 		if len(kubeConfigData) == 0 {
 			continue
 		}
+
+		// PATCH POINT: Inject custom CA certificate data into kubeconfig before storing in secret
+		fmt.Printf("=== DEBUG: AMCP reconcileKubeconfig() - Processing kubeconfig %d (admin=0, user=1) ===\n", i)
+		fmt.Printf("DEBUG: AMCP - Original kubeconfig size: %d bytes\n", len(kubeConfigData))
+
+		if customCACert := getCustomCACertificateForAMCP(r.scope.ClusterName()); customCACert != nil {
+			fmt.Printf("DEBUG: AMCP - Custom CA certificate found (%d bytes), proceeding with COMBINATION\n", len(customCACert))
+
+			// Parse kubeconfig
+			kubeconfig, err := clientcmd.Load(kubeConfigData)
+			if err != nil {
+				fmt.Printf("DEBUG: AMCP - ERROR: Failed to parse kubeconfig: %v\n", err)
+			} else {
+				patchedCount := 0
+				for clusterName, clusterInfo := range kubeconfig.Clusters {
+					fmt.Printf("DEBUG: AMCP - Processing cluster '%s'\n", clusterName)
+					fmt.Printf("DEBUG: AMCP - Original CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+
+					if clusterInfo.CertificateAuthorityData != nil && len(clusterInfo.CertificateAuthorityData) > 0 {
+						fmt.Printf("DEBUG: AMCP - Combining original CA with custom CA\n")
+						// Combine: original + newline + custom CA
+						combinedCA := make([]byte, 0, len(clusterInfo.CertificateAuthorityData)+1+len(customCACert))
+						combinedCA = append(combinedCA, clusterInfo.CertificateAuthorityData...)
+
+						// Add newline separator if original doesn't end with newline
+						if clusterInfo.CertificateAuthorityData[len(clusterInfo.CertificateAuthorityData)-1] != '\n' {
+							combinedCA = append(combinedCA, '\n')
+						}
+
+						combinedCA = append(combinedCA, customCACert...)
+						clusterInfo.CertificateAuthorityData = combinedCA
+
+						fmt.Printf("DEBUG: AMCP - Combined CA data length: %d bytes (original: %d + custom: %d)\n",
+							len(combinedCA), len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1, len(customCACert))
+					} else {
+						fmt.Printf("DEBUG: AMCP - No original CA data, using only custom CA\n")
+						// No original CA, just use custom
+						clusterInfo.CertificateAuthorityData = customCACert
+						fmt.Printf("DEBUG: AMCP - Set CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+					}
+					patchedCount++
+				}
+				fmt.Printf("DEBUG: AMCP - Combined CA certificates in %d clusters total\n", patchedCount)
+
+				// Write back the modified kubeconfig
+				if patchedKubeconfig, err := clientcmd.Write(*kubeconfig); err != nil {
+					fmt.Printf("DEBUG: AMCP - ERROR: Failed to write patched kubeconfig: %v\n", err)
+				} else {
+					kubeConfigData = patchedKubeconfig
+					fmt.Printf("DEBUG: AMCP - Successfully wrote combined kubeconfig (%d bytes)\n", len(kubeConfigData))
+				}
+			}
+		} else {
+			fmt.Printf("DEBUG: AMCP - No custom CA certificate found, keeping original kubeconfig\n")
+		}
+
 		kubeConfigSecret := r.scope.MakeEmptyKubeConfigSecret()
 		if i == 1 {
 			// 2nd kubeconfig is the user kubeconfig
@@ -152,6 +208,8 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 		}); err != nil {
 			return errors.Wrap(err, "failed to reconcile kubeconfig secret for cluster")
 		}
+
+		fmt.Printf("DEBUG: AMCP - Successfully stored kubeconfig secret '%s' with CA injection\n", kubeConfigSecret.Name)
 	}
 
 	// store cluster-info for the cluster with the admin kubeconfig.
@@ -179,3 +237,40 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 
 	return nil
 }
+
+// getCustomCACertificateForAMCP returns custom CA certificate data for Azure Managed Control Plane clusters
+// This function leverages the same certificate that is used for Azure authentication
+// by checking the global AzSecretCertPool that gets populated during Azure client initialization
+func getCustomCACertificateForAMCP(clusterName string) []byte {
+	fmt.Printf("=== DEBUG: AMCP getCustomCACertificateForAMCP() called for cluster: %s ===\n", clusterName)
+
+	// Debug the condition checks
+	isConfigured := azure.IsAzSecretCertConfigured()
+	poolNotNil := azure.AzSecretCertPool != nil
+	dataLength := len(azure.AzSecretCertData)
+
+	fmt.Printf("DEBUG: AMCP - azure.IsAzSecretCertConfigured() = %v\n", isConfigured)
+	fmt.Printf("DEBUG: AMCP - azure.AzSecretCertPool != nil = %v\n", poolNotNil)
+	fmt.Printf("DEBUG: AMCP - len(azure.AzSecretCertData) = %d\n", dataLength)
+
+	// Check if we have a certificate in the global AzSecretCertPool
+	// This is the same certificate pool used for Azure authentication
+	if azure.IsAzSecretCertConfigured() && azure.AzSecretCertPool != nil {
+		fmt.Printf("DEBUG: AMCP - Passed first condition check (IsConfigured && PoolNotNil)\n")
+		// Return the raw certificate data stored in AzSecretCertData
+		// This contains the original PEM data that was used to populate the certificate pool
+		if len(azure.AzSecretCertData) > 0 {
+			fmt.Printf("DEBUG: AMCP - Found certificate data, returning %d bytes\n", len(azure.AzSecretCertData))
+			fmt.Printf("DEBUG: AMCP - Certificate data preview (first 100 chars): %s...\n",
+				string(azure.AzSecretCertData[:min(100, len(azure.AzSecretCertData))]))
+			return azure.AzSecretCertData
+		} else {
+			fmt.Printf("DEBUG: AMCP - Certificate data is empty, returning nil\n")
+		}
+	} else {
+		fmt.Printf("DEBUG: AMCP - Failed condition check - IsConfigured: %v, PoolNotNil: %v\n", isConfigured, poolNotNil)
+	}
+
+	fmt.Printf("DEBUG: AMCP - getCustomCACertificateForAMCP() returning nil\n")
+	return nil
+}

main.go

@@ -328,6 +328,12 @@ func main() {
 
 	restConfig := ctrl.GetConfigOrDie()
 	restConfig.UserAgent = "cluster-api-provider-azure-manager"
+
+	// Configure longer timeouts for cluster connections, especially for custom Azure environments
+	restConfig.Timeout = 30 * time.Second
+	restConfig.QPS = 20
+	restConfig.Burst = 30
+
 	mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
 		Scheme:                     scheme,
 		LeaderElection:             enableLeaderElection,