Updated as comments, will do test later

Author: HigashikataZhangsuke

azure/scope/azure_secret_cloud.go

@@ -23,9 +23,6 @@ import (
 )
 
 const (
-	// Deprecated: Use ConfigMaps instead
-	AzureEnvironentFolderEnvName = "AZURE_ENVIRONMENT_FOLDER_CAPZ"
-
 	// ConfigMap names for Azure secret cloud configuration
 	AzureEnvConfigMapName  = "azure-capz-env-config"
 	AzureCertConfigMapName = "azure-capz-cert-config"
@@ -51,12 +48,6 @@ func init() {
 	defer done()
 
 	log.Info("Azure secret cloud init completed - ConfigMap initialization will be performed during controller setup")
-
-	// Check for deprecated environment variable
-	if path := os.Getenv(AzureEnvironentFolderEnvName); path != "" {
-		log.Info("DEPRECATED: AZURE_ENVIRONMENT_FOLDER_CAPZ is deprecated, use ConfigMaps instead")
-		fmt.Printf("CAPZ: WARNING - AZURE_ENVIRONMENT_FOLDER_CAPZ is deprecated. Please use ConfigMaps instead.\n")
-	}
 }
 
 // InitializeAzureConfigForCluster initializes Azure environment and certificates from ConfigMaps

azure/scope/cluster.go

@@ -158,7 +158,7 @@ func (s *ClusterScope) PublicIPSpecs() []azure.ResourceSpecGetter {
 
 	// Public IP specs for control plane outbound lb
 	var controlPlaneOutboundIPSpecs []azure.ResourceSpecGetter
-	if s.ControlPlaneOutboundLB() != nil {
+	if s.IsAPIServerPrivate() && s.ControlPlaneOutboundLB() != nil {
 		for _, ip := range s.ControlPlaneOutboundLB().FrontendIPs {
 			publicIPSpecs = append(publicIPSpecs, &publicips.PublicIPSpec{
 				Name:             ip.PublicIP.Name,
@@ -282,10 +282,6 @@ func (s *ClusterScope) LBSpecs() []azure.ResourceSpecGetter {
 				// or if the LB is of the type internal, save the only IP allowed for the frontend LB
 				if frontendIP.PublicIP != nil || frontendLB.Type == infrav1.Internal {
 					frontendLB.FrontendIPConfigs = []infrav1.FrontendIP{frontendIP}
-					// Log the IP configuration being used
-					if frontendLB.Type == infrav1.Internal && frontendIP.PrivateIPAddress != "" {
-						fmt.Printf("[CAPZ-DEBUG] Internal LB FrontendIP config - Name: %s, PrivateIP: %s\n", frontendIP.Name, frontendIP.PrivateIPAddress)
-					}
 					break
 				}
 			}

azure/services/managedclusters/spec_test.go

@@ -376,30 +376,6 @@ func TestParameters(t *testing.T) {
 			Spec: asocontainerservicev1.ManagedCluster_Spec{
 				DnsPrefix:               ptr.To("set by the user"),
 				EnablePodSecurityPolicy: ptr.To(true), // set by the user
-
-func getSampleManagedCluster() containerservice.ManagedCluster {
-	return containerservice.ManagedCluster{
-		ManagedClusterProperties: &containerservice.ManagedClusterProperties{
-			KubernetesVersion: to.StringPtr("v1.22.0"),
-			AgentPoolProfiles: &[]containerservice.ManagedClusterAgentPoolProfile{
-				converters.AgentPoolToManagedClusterAgentPoolProfile(azure.AgentPoolSpec{
-					Name:          "test-agentpool-0",
-					Mode:          string(infrav1exp.NodePoolModeSystem),
-					ResourceGroup: "test-rg",
-					Replicas:      int32(2),
-				}),
-				converters.AgentPoolToManagedClusterAgentPoolProfile(azure.AgentPoolSpec{
-					Name:              "test-agentpool-1",
-					Mode:              string(infrav1exp.NodePoolModeUser),
-					ResourceGroup:     "test-rg",
-					Replicas:          int32(4),
-					Cluster:           "test-managedcluster",
-					SKU:               "test_SKU",
-					Version:           to.StringPtr("v1.22.0"),
-					VnetSubnetID:      "fake/subnet/id",
-					MaxPods:           to.Int32Ptr(int32(32)),
-					AvailabilityZones: []string{"1", "2"},
-				}),
 			},
 			Status: asocontainerservicev1.ManagedCluster_STATUS{
 				AgentPoolProfiles: []asocontainerservicev1.ManagedClusterAgentPoolProfile_STATUS{},
@@ -420,6 +396,35 @@ func getSampleManagedCluster() containerservice.ManagedCluster {
 	})
 }
 
+func getSampleManagedCluster() asocontainerservicev1.ManagedCluster {
+	return asocontainerservicev1.ManagedCluster{
+		Spec: asocontainerservicev1.ManagedCluster_Spec{
+			KubernetesVersion: ptr.To("v1.22.0"),
+			AgentPoolProfiles: []asocontainerservicev1.ManagedClusterAgentPoolProfile{
+				{
+					Name:              ptr.To("test-agentpool-0"),
+					Mode:              ptr.To(asocontainerservicev1.AgentPoolMode("System")),
+					Count:             ptr.To(2),
+					EnableAutoScaling: ptr.To(false),
+					Type:              ptr.To(asocontainerservicev1.AgentPoolType_VirtualMachineScaleSets),
+				},
+				{
+					Name:              ptr.To("test-agentpool-1"),
+					Mode:              ptr.To(asocontainerservicev1.AgentPoolMode("User")),
+					Count:             ptr.To(4),
+					EnableAutoScaling: ptr.To(false),
+					Type:              ptr.To(asocontainerservicev1.AgentPoolType_VirtualMachineScaleSets),
+					VnetSubnetReference: &genruntime.ResourceReference{
+						ARMID: "fake/subnet/id",
+					},
+					MaxPods:           ptr.To(32),
+					AvailabilityZones: []string{"1", "2"},
+				},
+			},
+		},
+	}
+}
+
 func TestOIDCIssuerURLConfigMap(t *testing.T) {
 	t.Run("get oidc issuer profile", func(t *testing.T) {
 		g := NewGomegaWithT(t)
@@ -429,4 +434,4 @@ func TestOIDCIssuerURLConfigMap(t *testing.T) {
 
 		g.Expect(actualOIDCIssuerConfigMapName).To(Equal("my-cluster-aso-oidc-issuer-profile"))
 	})
-}
+}

azure/services/privatedns/link_reconciler.go

@@ -61,7 +61,9 @@ func (s *Service) reconcileLinks(ctx context.Context, links []azure.ResourceSpec
 			continue
 		}
 
-		// Enhanced logic: check all zones with the same name across all resource groups
+		// Enhanced logic: check all zones with the same name across all resource groups to prevent duplicate VNet links.
+		// This prevents DNS resolution conflicts by ensuring a VNet is not linked to multiple private DNS zones
+		// with the same name, even if they exist in different resource groups.
 		zoneName := linkSpec.OwnerResourceName()
 		vnetID := azure.VNetID(linkSpec.(LinkSpec).SubscriptionID, linkSpec.(LinkSpec).VNetResourceGroup, linkSpec.(LinkSpec).VNetName)
 		zones, err := s.zonesClient.ListAllZonesByName(ctx, zoneName)

controllers/azureasomanagedcontrolplane_controller.go

@@ -46,6 +46,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	"github.com/go-logr/logr"
 	infrav1alpha "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha1"
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
 	"sigs.k8s.io/cluster-api-provider-azure/pkg/mutators"
@@ -326,16 +327,16 @@ func (r *AzureASOManagedControlPlaneReconciler) reconcileKubeconfig(ctx context.
 
 		// PATCH POINT: Inject custom CA certificate data here
 		// This allows patching CA certificates for AAD-enabled clusters with local accounts disabled
-		fmt.Printf("=== DEBUG: ASO Controller CA injection for cluster: %s ===\n", cluster.Name)
-		if customCACert := getCustomCACertificateForCluster(cluster.Name); customCACert != nil {
-			fmt.Printf("DEBUG: ASO - Custom CA certificate found (%d bytes), proceeding with COMBINATION\n", len(customCACert))
+		log.V(4).Info("ASO Controller CA injection", "cluster", cluster.Name)
+		if customCACert := getCustomCACertificateForCluster(cluster.Name, log); customCACert != nil {
+			log.V(4).Info("Custom CA certificate found", "size", len(customCACert))
 			patchedCount := 0
 			for clusterName, clusterInfo := range kubeconfig.Clusters {
-				fmt.Printf("DEBUG: ASO - Processing cluster '%s'\n", clusterName)
-				fmt.Printf("DEBUG: ASO - Original CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+				log.V(4).Info("Processing cluster", "name", clusterName)
+				log.V(4).Info("Original CA data", "size", len(clusterInfo.CertificateAuthorityData))
 
 				if clusterInfo.CertificateAuthorityData != nil && len(clusterInfo.CertificateAuthorityData) > 0 {
-					fmt.Printf("DEBUG: ASO - Combining original CA with custom CA\n")
+					log.V(4).Info("Combining original CA with custom CA")
 					// Combine: original + newline + custom CA
 					combinedCA := make([]byte, 0, len(clusterInfo.CertificateAuthorityData)+1+len(customCACert))
 					combinedCA = append(combinedCA, clusterInfo.CertificateAuthorityData...)
@@ -348,19 +349,21 @@ func (r *AzureASOManagedControlPlaneReconciler) reconcileKubeconfig(ctx context.
 					combinedCA = append(combinedCA, customCACert...)
 					clusterInfo.CertificateAuthorityData = combinedCA
 
-					fmt.Printf("DEBUG: ASO - Combined CA data length: %d bytes (original: %d + custom: %d)\n",
-						len(combinedCA), len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1, len(customCACert))
+					log.V(4).Info("Combined CA data",
+						"totalSize", len(combinedCA),
+						"originalSize", len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1,
+						"customSize", len(customCACert))
 				} else {
-					fmt.Printf("DEBUG: ASO - No original CA data, using only custom CA\n")
+					log.V(4).Info("No original CA data, using only custom CA")
 					// No original CA, just use custom
 					clusterInfo.CertificateAuthorityData = customCACert
-					fmt.Printf("DEBUG: ASO - Set CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+					log.V(4).Info("Set CA data", "size", len(clusterInfo.CertificateAuthorityData))
 				}
 				patchedCount++
 			}
-			fmt.Printf("DEBUG: ASO - Combined CA certificates in %d clusters total\n", patchedCount)
+			log.V(4).Info("CA certificates combined", "patchedClusters", patchedCount)
 		} else {
-			fmt.Printf("DEBUG: ASO - No custom CA certificate found, keeping original kubeconfig\n")
+			log.V(4).Info("No custom CA certificate found, keeping original kubeconfig")
 		}
 
 		kubeconfigData, err = clientcmd.Write(*kubeconfig)
@@ -397,37 +400,36 @@ func (r *AzureASOManagedControlPlaneReconciler) reconcileKubeconfig(ctx context.
 // getCustomCACertificateForCluster returns custom CA certificate data for a specific cluster
 // This function leverages the same certificate that is used for Azure authentication
 // by checking the global AzSecretCertPool that gets populated during Azure client initialization
-func getCustomCACertificateForCluster(clusterName string) []byte {
-	fmt.Printf("=== DEBUG: ASO getCustomCACertificateForCluster() called for cluster: %s ===\n", clusterName)
+func getCustomCACertificateForCluster(clusterName string, log logr.Logger) []byte {
+	log.V(4).Info("ASO getCustomCACertificateForCluster() called for cluster", "clusterName", clusterName)
 
 	// Debug the condition checks
 	isConfigured := azure.IsAzSecretCertConfigured()
 	poolNotNil := azure.AzSecretCertPool != nil
 	dataLength := len(azure.AzSecretCertData)
 
-	fmt.Printf("DEBUG: ASO - azure.IsAzSecretCertConfigured() = %v\n", isConfigured)
-	fmt.Printf("DEBUG: ASO - azure.AzSecretCertPool != nil = %v\n", poolNotNil)
-	fmt.Printf("DEBUG: ASO - len(azure.AzSecretCertData) = %d\n", dataLength)
+	log.V(4).Info("ASO - azure.IsAzSecretCertConfigured()", "isConfigured", isConfigured)
+	log.V(4).Info("ASO - azure.AzSecretCertPool != nil", "poolNotNil", poolNotNil)
+	log.V(4).Info("ASO - len(azure.AzSecretCertData)", "dataLength", dataLength)
 
 	// Check if we have a certificate in the global AzSecretCertPool
 	// This is the same certificate pool used for Azure authentication
 	if azure.IsAzSecretCertConfigured() && azure.AzSecretCertPool != nil {
-		fmt.Printf("DEBUG: ASO - Passed first condition check (IsConfigured && PoolNotNil)\n")
+		log.V(4).Info("Passed first condition check (IsConfigured && PoolNotNil)")
 		// Return the raw certificate data stored in AzSecretCertData
 		// This contains the original PEM data that was used to populate the certificate pool
 		if len(azure.AzSecretCertData) > 0 {
-			fmt.Printf("DEBUG: ASO - Found certificate data, returning %d bytes\n", len(azure.AzSecretCertData))
-			fmt.Printf("DEBUG: ASO - Certificate data preview (first 100 chars): %s...\n",
-				string(azure.AzSecretCertData[:int(math.Min(100, float64(len(azure.AzSecretCertData))))]))
+			log.V(4).Info("Found certificate data, returning", "size", len(azure.AzSecretCertData))
+			log.V(4).Info("Certificate data preview (first 100 chars)", "preview", string(azure.AzSecretCertData[:int(math.Min(100, float64(len(azure.AzSecretCertData))))]))
 			return azure.AzSecretCertData
 		} else {
-			fmt.Printf("DEBUG: ASO - Certificate data is empty, returning nil\n")
+			log.V(4).Info("Certificate data is empty, returning nil")
 		}
 	} else {
-		fmt.Printf("DEBUG: ASO - Failed condition check - IsConfigured: %v, PoolNotNil: %v\n", isConfigured, poolNotNil)
+		log.V(4).Info("Failed condition check - IsConfigured", "isConfigured", isConfigured, "PoolNotNil", poolNotNil)
 	}
 
-	fmt.Printf("DEBUG: ASO - getCustomCACertificateForCluster() returning nil\n")
+	log.V(4).Info("ASO - getCustomCACertificateForCluster() returning nil")
 	return nil
 }
 

controllers/azuremanagedcontrolplane_reconciler.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/cluster-api/util/secret"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
 	"sigs.k8s.io/cluster-api-provider-azure/azure/scope"
@@ -133,24 +134,25 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 		}
 
 		// PATCH POINT: Inject custom CA certificate data into kubeconfig before storing in secret
-		fmt.Printf("=== DEBUG: AMCP reconcileKubeconfig() - Processing kubeconfig %d (admin=0, user=1) ===\n", i)
-		fmt.Printf("DEBUG: AMCP - Original kubeconfig size: %d bytes\n", len(kubeConfigData))
+		logger := log.FromContext(ctx)
+		logger.V(4).Info("Processing kubeconfig", "index", i, "type", map[int]string{0: "admin", 1: "user"}[i])
+		logger.V(4).Info("Original kubeconfig size", "bytes", len(kubeConfigData))
 
 		if customCACert := getCustomCACertificateForAMCP(r.scope.ClusterName()); customCACert != nil {
-			fmt.Printf("DEBUG: AMCP - Custom CA certificate found (%d bytes), proceeding with COMBINATION\n", len(customCACert))
+			logger.V(4).Info("Custom CA certificate found", "size_bytes", len(customCACert))
 
 			// Parse kubeconfig
 			kubeconfig, err := clientcmd.Load(kubeConfigData)
 			if err != nil {
-				fmt.Printf("DEBUG: AMCP - ERROR: Failed to parse kubeconfig: %v\n", err)
+				logger.V(4).Error(err, "Failed to parse kubeconfig")
 			} else {
 				patchedCount := 0
 				for clusterName, clusterInfo := range kubeconfig.Clusters {
-					fmt.Printf("DEBUG: AMCP - Processing cluster '%s'\n", clusterName)
-					fmt.Printf("DEBUG: AMCP - Original CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+					logger.V(4).Info("Processing cluster", "name", clusterName)
+					logger.V(4).Info("Original CA data length", "bytes", len(clusterInfo.CertificateAuthorityData))
 
 					if clusterInfo.CertificateAuthorityData != nil && len(clusterInfo.CertificateAuthorityData) > 0 {
-						fmt.Printf("DEBUG: AMCP - Combining original CA with custom CA\n")
+						logger.V(4).Info("Combining original CA with custom CA")
 						// Combine: original + newline + custom CA
 						combinedCA := make([]byte, 0, len(clusterInfo.CertificateAuthorityData)+1+len(customCACert))
 						combinedCA = append(combinedCA, clusterInfo.CertificateAuthorityData...)
@@ -163,28 +165,30 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 						combinedCA = append(combinedCA, customCACert...)
 						clusterInfo.CertificateAuthorityData = combinedCA
 
-						fmt.Printf("DEBUG: AMCP - Combined CA data length: %d bytes (original: %d + custom: %d)\n",
-							len(combinedCA), len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1, len(customCACert))
+						logger.V(4).Info("Combined CA data",
+							"total_bytes", len(combinedCA),
+							"original_bytes", len(clusterInfo.CertificateAuthorityData)-len(customCACert)-1,
+							"custom_bytes", len(customCACert))
 					} else {
-						fmt.Printf("DEBUG: AMCP - No original CA data, using only custom CA\n")
+						logger.V(4).Info("No original CA data, using only custom CA")
 						// No original CA, just use custom
 						clusterInfo.CertificateAuthorityData = customCACert
-						fmt.Printf("DEBUG: AMCP - Set CA data length: %d bytes\n", len(clusterInfo.CertificateAuthorityData))
+						logger.V(4).Info("Set CA data length", "bytes", len(clusterInfo.CertificateAuthorityData))
 					}
 					patchedCount++
 				}
-				fmt.Printf("DEBUG: AMCP - Combined CA certificates in %d clusters total\n", patchedCount)
+				logger.V(4).Info("Combined CA certificates", "clusters_patched", patchedCount)
 
 				// Write back the modified kubeconfig
 				if patchedKubeconfig, err := clientcmd.Write(*kubeconfig); err != nil {
-					fmt.Printf("DEBUG: AMCP - ERROR: Failed to write patched kubeconfig: %v\n", err)
+					logger.V(4).Error(err, "Failed to write patched kubeconfig")
 				} else {
 					kubeConfigData = patchedKubeconfig
-					fmt.Printf("DEBUG: AMCP - Successfully wrote combined kubeconfig (%d bytes)\n", len(kubeConfigData))
+					logger.V(4).Info("Successfully wrote combined kubeconfig", "bytes", len(kubeConfigData))
 				}
 			}
 		} else {
-			fmt.Printf("DEBUG: AMCP - No custom CA certificate found, keeping original kubeconfig\n")
+			logger.V(4).Info("No custom CA certificate found, keeping original kubeconfig")
 		}
 
 		kubeConfigSecret := r.scope.MakeEmptyKubeConfigSecret()
@@ -210,7 +214,7 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 			return errors.Wrap(err, "failed to reconcile kubeconfig secret for cluster")
 		}
 
-		fmt.Printf("DEBUG: AMCP - Successfully stored kubeconfig secret '%s' with CA injection\n", kubeConfigSecret.Name)
+		logger.V(4).Info("Successfully stored kubeconfig secret with CA injection", "secret_name", kubeConfigSecret.Name)
 	}
 
 	// store cluster-info for the cluster with the admin kubeconfig.
@@ -243,35 +247,37 @@ func (r *azureManagedControlPlaneService) reconcileKubeconfig(ctx context.Contex
 // This function leverages the same certificate that is used for Azure authentication
 // by checking the global AzSecretCertPool that gets populated during Azure client initialization
 func getCustomCACertificateForAMCP(clusterName string) []byte {
-	fmt.Printf("=== DEBUG: AMCP getCustomCACertificateForAMCP() called for cluster: %s ===\n", clusterName)
+	logger := log.FromContext(context.Background()) // Changed to context.Background() to avoid context leak
+	logger.V(4).Info("getCustomCACertificateForAMCP called", "cluster_name", clusterName)
 
 	// Debug the condition checks
 	isConfigured := azure.IsAzSecretCertConfigured()
 	poolNotNil := azure.AzSecretCertPool != nil
 	dataLength := len(azure.AzSecretCertData)
 
-	fmt.Printf("DEBUG: AMCP - azure.IsAzSecretCertConfigured() = %v\n", isConfigured)
-	fmt.Printf("DEBUG: AMCP - azure.AzSecretCertPool != nil = %v\n", poolNotNil)
-	fmt.Printf("DEBUG: AMCP - len(azure.AzSecretCertData) = %d\n", dataLength)
+	logger.V(4).Info("Condition checks",
+		"is_configured", isConfigured,
+		"pool_not_nil", poolNotNil,
+		"data_length", dataLength)
 
 	// Check if we have a certificate in the global AzSecretCertPool
 	// This is the same certificate pool used for Azure authentication
 	if azure.IsAzSecretCertConfigured() && azure.AzSecretCertPool != nil {
-		fmt.Printf("DEBUG: AMCP - Passed first condition check (IsConfigured && PoolNotNil)\n")
+		logger.V(4).Info("Passed first condition check (IsConfigured && PoolNotNil)")
 		// Return the raw certificate data stored in AzSecretCertData
 		// This contains the original PEM data that was used to populate the certificate pool
 		if len(azure.AzSecretCertData) > 0 {
-			fmt.Printf("DEBUG: AMCP - Found certificate data, returning %d bytes\n", len(azure.AzSecretCertData))
-			fmt.Printf("DEBUG: AMCP - Certificate data preview (first 100 chars): %s...\n",
+			logger.V(4).Info("Found certificate data, returning", "bytes", len(azure.AzSecretCertData))
+			logger.V(4).Info("Certificate data preview (first 100 chars)", "preview",
 				string(azure.AzSecretCertData[:int(math.Min(100, float64(len(azure.AzSecretCertData))))]))
 			return azure.AzSecretCertData
 		} else {
-			fmt.Printf("DEBUG: AMCP - Certificate data is empty, returning nil\n")
+			logger.V(4).Info("Certificate data is empty, returning nil")
 		}
 	} else {
-		fmt.Printf("DEBUG: AMCP - Failed condition check - IsConfigured: %v, PoolNotNil: %v\n", isConfigured, poolNotNil)
+		logger.V(4).Info("Failed condition check - IsConfigured: false, PoolNotNil: false")
 	}
 
-	fmt.Printf("DEBUG: AMCP - getCustomCACertificateForAMCP() returning nil\n")
+	logger.V(4).Info("getCustomCACertificateForAMCP returning nil")
 	return nil
 }