Merge branch 'master' of github.com:gardener/gardener-extension-provi…

…der-azure into multi-zone-nat6

.docforge/manifest.yaml

@@ -0,0 +1,13 @@
+{{- $vers := Split .versions "," -}}
+{{ $defaultBranch := (index $vers 0) }}
+structure:
+- name: _index.md
+  source: https://github.com/gardener/gardener-extension-provider-azure/blob/{{$defaultBranch}}/README.md
+- name: docs
+  nodes:
+  - nodesSelector:
+      path: https://github.com/gardener/gardener-extension-provider-azure/tree/{{$defaultBranch}}/docs
+links:
+  downloads:
+    scope:
+      "gardener/gardener-extension-provider-azure/(blob|raw)/(.*)/docs": ~

.github/ISSUE_TEMPLATE/support.md

@@ -10,5 +10,5 @@ STOP -- PLEASE READ!
 
 GitHub is not the right place for support requests.
 
-If you're looking for help, please post your question on the [Kubernetes Slack](http://slack.k8s.io/) ([#gardener](https://kubernetes.slack.com/messages/gardener) channel) or join our [weekly meetings](https://github.com/gardener/documentation/blob/master/CONTRIBUTING.md#weekly-meeting).
+If you're looking for help, please post your question on the [Kubernetes Slack](http://slack.k8s.io/) ([#gardener](https://kubernetes.slack.com/messages/gardener) channel) or join our [bi-weekly meetings](https://gardener.cloud/docs/contribute/#bi-weekly-meetings).
 -->

.golangci.yaml

@@ -5,3 +5,15 @@ run:
 linters:
   disable:
   - unused
+  enable:
+  - revive
+
+issues:
+  exclude-use-default: false
+  exclude:
+  # revive
+  - var-naming # ((var|const|struct field|func) .* should be .*
+  - dot-imports # should not use dot imports
+  - package-comments # package comment should be of the form
+  - indent-error-flow # if block ends with a return statement, so drop this else and outdent its block
+  - "exported: (type|func) name will be used as .* by other packages, and that stutters;"

Makefile

@@ -122,19 +122,19 @@ check:
 
 .PHONY: generate
 generate:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate.sh ./charts/... ./cmd/... ./pkg/... ./test/...
+	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate.sh ./charts/... ./cmd/... ./pkg/...
 
 .PHONY: format
 format:
 	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/format.sh ./cmd ./pkg ./test
 
 .PHONY: test
 test:
-	@SKIP_FETCH_TOOLS=1 $(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test.sh ./cmd/... ./pkg/...
+	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test.sh ./cmd/... ./pkg/...
 
 .PHONY: test-cov
 test-cov:
-	@SKIP_FETCH_TOOLS=1 $(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test-cover.sh ./cmd/... ./pkg/...
+	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test-cover.sh ./cmd/... ./pkg/...
 
 .PHONY: test-clean
 test-clean:

README.md

@@ -23,7 +23,7 @@ This extension controller supports the following Kubernetes versions:
 
 | Version         | Support     | Conformance test results |
 | --------------- | ----------- | ------------------------ |
-| Kubernetes 1.22 | 1.22.0+     | N/A |
+| Kubernetes 1.22 | 1.22.0+     | [![Gardener v1.22 Conformance Tests](https://testgrid.k8s.io/q/summary/conformance-gardener/Gardener,%20v1.22%20Azure/tests_status?style=svg)](https://testgrid.k8s.io/conformance-gardener#Gardener,%20v1.22%20Azure) |
 | Kubernetes 1.21 | 1.21.0+     | [![Gardener v1.21 Conformance Tests](https://testgrid.k8s.io/q/summary/conformance-gardener/Gardener,%20v1.21%20Azure/tests_status?style=svg)](https://testgrid.k8s.io/conformance-gardener#Gardener,%20v1.21%20Azure) |
 | Kubernetes 1.20 | 1.20.0+     | [![Gardener v1.20 Conformance Tests](https://testgrid.k8s.io/q/summary/conformance-gardener/Gardener,%20v1.20%20Azure/tests_status?style=svg)](https://testgrid.k8s.io/conformance-gardener#Gardener,%20v1.20%20Azure) |
 | Kubernetes 1.19 | 1.19.0+     | [![Gardener v1.19 Conformance Tests](https://testgrid.k8s.io/q/summary/conformance-gardener/Gardener,%20v1.19%20Azure/tests_status?style=svg)](https://testgrid.k8s.io/conformance-gardener#Gardener,%20v1.19%20Azure) |

VERSION

@@ -1 +1 @@
-v1.22.0-dev
+v1.23.0-dev

charts/gardener-extension-admission-azure/charts/application/templates/validatingwebhook-validator.yaml

@@ -31,7 +31,7 @@ webhooks:
       name: {{ include "name" . }}
       path: /webhooks/validate
     {{- end }}
-    caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.global.webhookConfig.caBundle) }}
+    caBundle: {{ required ".Values.global.webhookConfig.caBundle is required" .Values.global.webhookConfig.caBundle | b64enc }}
 - name: secrets.validation.azure.provider.extensions.gardener.cloud
   rules:
   - apiGroups:
@@ -58,4 +58,4 @@ webhooks:
       name: {{ include "name" . }}
       path: /webhooks/validate/secrets
     {{- end }}
-    caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.global.webhookConfig.caBundle) }}
+    caBundle: {{ required ".Values.global.webhookConfig.caBundle is required" .Values.global.webhookConfig.caBundle | b64enc }}

charts/gardener-extension-admission-azure/charts/runtime/templates/secret-cert.yaml

@@ -11,5 +11,5 @@ metadata:
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  tls.crt: {{ required ".Values.global.webhookConfig.tls.crt is required" (b64enc .Values.global.webhookConfig.tls.crt) }}
-  tls.key: {{ required ".Values.global.webhookConfig.tls.key is required" (b64enc .Values.global.webhookConfig.tls.key) }}
+  tls.crt: {{ required ".Values.global.webhookConfig.tls.crt is required" .Values.global.webhookConfig.tls.crt | b64enc }}
+  tls.key: {{ required ".Values.global.webhookConfig.tls.key is required" .Values.global.webhookConfig.tls.key | b64enc }}

charts/gardener-extension-provider-azure/templates/configmap-logging.yaml

@@ -29,13 +29,13 @@ data:
         Reserve_Data        True
 
     [FILTER]
-        Name                rewrite_tag
+        Name                modify
         Match               kubernetes.*
-        Rule                $tag ^kubernetes\.var\.log\.containers\.(cloud-controller-manager-.+?_.+?_azure-cloud-controller-manager|csi-driver-controller-.+?_.+?_azure-csi) user-exposed.$TAG true
-        Emitter_Name        re_emitted-provider-azure
+        Condition           Key_value_matches tag ^kubernetes\.var\.log\.containers\.(cloud-controller-manager-.+?_.+?_azure-cloud-controller-manager|csi-driver-controller-.+?_.+?_azure-csi)
+        Add                 __gardener_multitenant_id__ operator;user
 
     [FILTER]
-        Name                rewrite_tag
+        Name                modify
         Match               kubernetes.*
-        Rule                $tag ^kubernetes\.var\.log\.containers\.machine-controller-manager-.+?_.+?_(machine-controller-manager-provider-azure|azure-machine-controller-manager) user-exposed.$TAG true
-        Emitter_Name        re_emitted-provider-azure-mcm
+        Condition           Key_value_matches tag ^kubernetes\.var\.log\.containers\.machine-controller-manager-.+?_.+?_(machine-controller-manager-provider-azure|azure-machine-controller-manager)
+        Add                 __gardener_multitenant_id__ operator;user

charts/gardener-extension-provider-azure/templates/secret-serviceprincipal.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.servicePrincipals }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: service-principal-{{ print .tenantID .clientID .clientSecret | sha256sum | trunc 12 }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    azure.provider.extensions.gardener.cloud/purpose: tenant-service-principal-secret
+data:
+  tenantID: {{ .tenantID }}
+  clientID: {{ .clientID }}
+  clientSecret: {{ .clientSecret }}
+type: Opaque
+{{- end }}

charts/gardener-extension-provider-azure/values.yaml

@@ -76,3 +76,11 @@ config:
 gardener:
   seed:
     provider: azure
+
+# servicePrincipals:
+# - tenantID: tenant-1
+#   clientID: spn-1
+#   clientSecret: secret-1
+# - tenantID: tenant-2
+#   clientID: spn-2
+#   clientSecret: secret-2

charts/images.yaml

@@ -2,7 +2,7 @@ images:
 - name: terraformer
   sourceRepository: github.com/gardener/terraformer
   repository: eu.gcr.io/gardener-project/gardener/terraformer-azure
-  tag: "v2.9.0"
+  tag: "v2.13.0"
 
 - name: cloud-controller-manager
   sourceRepository: github.com/kubernetes/kubernetes
@@ -26,30 +26,30 @@ images:
 - name: cloud-controller-manager
   sourceRepository: github.com/gardener/cloud-provider-azure
   repository: eu.gcr.io/gardener-project/kubernetes/cloud-provider-azure
-  tag: "v1.20.10"
+  tag: "v1.20.12"
   targetVersion: "1.20.x"
 - name: cloud-controller-manager
   sourceRepository: github.com/gardener/cloud-provider-azure
   repository: eu.gcr.io/gardener-project/kubernetes/cloud-provider-azure
-  tag: "v1.21.4"
+  tag: "v1.21.6"
   targetVersion: "1.21.x"
 - name: cloud-controller-manager
   sourceRepository: github.com/gardener/cloud-provider-azure
   repository: eu.gcr.io/gardener-project/kubernetes/cloud-provider-azure
-  tag: "v1.22.0"
+  tag: "v1.22.3"
   targetVersion: ">= 1.22"
 - name: machine-controller-manager
   sourceRepository: github.com/gardener/machine-controller-manager
   repository: eu.gcr.io/gardener-project/gardener/machine-controller-manager
-  tag: "v0.40.0"
+  tag: "v0.42.0"
 - name: machine-controller-manager-provider-azure
   sourceRepository: github.com/gardener/machine-controller-manager-provider-azure
   repository: eu.gcr.io/gardener-project/gardener/machine-controller-manager-provider-azure
   tag: "v0.5.0"
 - name: csi-driver-disk
   sourceRepository: github.com/kubernetes-sigs/azuredisk-csi-driver
   repository: mcr.microsoft.com/k8s/csi/azuredisk-csi
-  tag: "v1.2.0"
+  tag: "v1.6.0"
 - name: csi-driver-file
   sourceRepository: github.com/kubernetes-sigs/azurefile-csi-driver
   repository: mcr.microsoft.com/k8s/csi/azurefile-csi
@@ -86,4 +86,4 @@ images:
 - name: remedy-controller-azure
   sourceRepository: github.com/gardener/remedy-controller
   repository: eu.gcr.io/gardener-project/gardener/remedy-controller/remedy-controller-azure
-  tag: "v0.8.0"
+  tag: "v0.9.0"

charts/internal/seed-controlplane/charts/csi-driver-controller/templates/_deployment.tpl

@@ -44,6 +44,11 @@ spec:
         - --endpoint=$(CSI_ENDPOINT)
         {{- if eq .role "disk" }}
         - --kubeconfig=/var/lib/csi-driver-controller-disk/kubeconfig
+        {{- if hasKey .Values "vmType" }}
+        {{- if eq .Values.vmType "vmss" }}
+        - --disable-avset-nodes=false
+        {{- end }}
+        {{- end }}
         {{- end }}
         {{- if eq .role "file" }}
         - --nodeid=dummy

cmd/gardener-extension-provider-azure/app/app.go

@@ -191,7 +191,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 			reconcileOpts.Completed().Apply(&azureworker.DefaultAddOptions.IgnoreOperationAnnotation)
 			workerCtrlOpts.Completed().Apply(&azureworker.DefaultAddOptions.Controller)
 
-			if _, _, err := webhookOptions.Completed().AddToManager(mgr); err != nil {
+			if _, _, err := webhookOptions.Completed().AddToManager(ctx, mgr); err != nil {
 				controllercmd.LogErrAndExit(err, "Could not add webhooks to manager")
 			}
 

docs/tutorials/kubernetes-cluster-on-azure-with-gardener/_index.md

@@ -0,0 +1,95 @@
+---
+title: Create a Kubernetes cluster on Azure with Gardener
+level: beginner
+category: Getting Started
+scope: app-developer
+---
+
+### Overview
+
+Gardener allows you to create a Kubernetes cluster on different infrastructure providers. This tutorial will guide you through the process of creating a cluster on Azure.
+
+### Prerequisites
+
+- You have created an [Azure account](https://azure.microsoft.com/en-us/).
+- You have access to the Gardener dashboard and have permissions to create projects.
+- You have an Azure Service Principal assigned to your subscription.
+
+### Steps
+
+1. Go to the Gardener dashboard and create a *Project*.
+
+    <img src="images/new-gardener-project.png">
+
+
+1. Get the properties of your Azure AD tenant, Subscription and Service Principal.
+    ```
+    Before you can provision and access a Kubernetes cluster on Azure, you need to add the Azure service principal, AD tenant and subscription credentials in Gardener. 
+    Gardener needs the credentials to provision and operate the Azure infrastructure for your Kubernetes cluster.
+
+    **Ensure that the Azure service principal has the `Contributor` role within your Subscription assigned.**
+    ```
+
+
+    - Tenant ID
+
+        To find your TenantID, follow this [guide](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
+
+    - SubscriptionID
+
+        To find your SubscriptionID, search for and select *Subscriptions*.
+        <img src="images/azure-select-subscription.png">
+
+        After that, copy the SubscriptionID from your subscription of choice.
+        <img src="images/azure-choose-subscription.png">
+
+    - Service Principal (SPN)
+
+        A service principal consist of a `ClientID` (also called `ApplicationID`) and a Client Secret. For more information, see [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals). You need to obtain the:
+        - Client ID 
+
+            Access the [Azure Portal](https://portal.azure.com) and navigate to the `Active Directory` service.
+            Within the service navigate to `App registrations` and select your service principal. Copy the ClientID you see there.
+
+
+        - Client Secret
+
+            Secrets for the Azure Account/Service Principal can be generated/rotated via the Azure Portal.
+            After copying your ClientID, in the `Detail` view of your Service Principal navigate to `Certificates & secrets`. In the section, you can generate a new secret.
+
+1. Choose *Secrets*, then the plus icon <img src="images/plus-icon.png"> and select *Azure*.
+
+    <img src="images/create-secret-azure.png">
+
+1. Create your secret.
+
+    1. Type the name of your secret.
+    1. Copy and paste the `TenantID`, `SubscriptionID` and the Service Principal credentials (`ClientID` and `ClientSecret`).
+    3. Choose *Add secret*.
+    <img src="images/add-azure-secret.png">
+
+    >After completing these steps, you should see your newly created secret in the *Infrastructure Secrets* section.
+
+    <img src="images/secret-stored.png">
+
+1. To create a new cluster, choose *Clusters* and then the plus sign in the upper right corner.
+
+    <img src="images/new-cluster.png">
+
+1. In the *Create Cluster* section:
+    1. Select *Azure* in the *Infrastructure* tab.
+    1. Type the name of your cluster in the *Cluster Details* tab.
+    1. Choose the secret you created before in the *Infrastructure Details* tab.
+    1. Choose *Create*.
+
+    <img src="images/create-cluster.png">
+
+1. Wait for your cluster to get created.
+
+    <img src="images/processing-cluster.png">
+
+### Result
+
+After completing the steps in this tutorial, you will be able to see and download the kubeconfig of your cluster.
+
+  <img src="images/copy-kubeconfig.png">

docs/usage-as-end-user.md

@@ -11,7 +11,7 @@ Every shoot cluster references a `SecretBinding` which itself references a `Secr
 The `SecretBinding` is configurable in the [Shoot cluster](https://github.com/gardener/gardener/blob/master/example/90-shoot.yaml) with the field `secretBindingName`.
 
 Create an [Azure Application and Service Principle](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) and obtain its credentials.
-Please make sure the Azure application has the following IAM roles. 
+Please make sure the Azure application has the following IAM roles.
 - [Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)
 
 The example below demonstrates how the secret containing the client credentials of the Azure Application has to look like:
@@ -33,6 +33,19 @@ data:
 ⚠️ Depending on your API usage it can be problematic to reuse the same Service Principal for different Shoot clusters due to rate limits.
 Please consider spreading your Shoots over Service Principals from different Azure subscriptions if you are hitting those limits.
 
+### Managed Service Principals
+
+The operators of the Gardener Azure extension can provide managed service principals.
+This eliminates the need for users to provide an own service principal for a Shoot.
+
+To make use of a managed service principal, the Azure secret of a Shoot cluster must contain only a `subscriptionID` and a `tenantID` field, but no `clientID` and `clientSecret`.
+Removing those fields from the secret of an existing Shoot will also let it adopt the managed service principal.
+
+Based on the `tenantID` field, the Gardener extension will try to assign the managed service principal to the Shoot.
+If no managed service principal can be assigned then the next operation on the Shoot will fail.
+
+⚠️ The managed service principal need to be assigned to the users Azure subscription with proper permissions before using it.
+
 ## `InfrastructureConfig`
 
 The infrastructure configuration mainly describes how the network layout looks like in order to create the shoot worker nodes in a later step, thus, prepares everything relevant to create VMs, load balancers, volumes, etc.

docs/usage-as-operator.md

@@ -172,6 +172,46 @@ data:
 
 #### Permissions for Azure Blob storage
 
-Please make sure the Azure application has the following IAM roles. 
+Please make sure the Azure application has the following IAM roles.
 - [Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor)
 
+## Miscellaneous
+
+### Gardener managed Service Principals
+
+The operators of the Gardener Azure extension can provide a list of managed service principals (technical users) that can be used for Azure Shoots.
+This eliminates the need for users to provide own service principals for their clusters.
+
+The user would need to grant the managed service principal access to their subscription with proper permissions.
+
+As service principals are managed in an Azure Active Directory for each supported Active Directory, an own service principal needs to be provided.
+
+In case the user provides an own service principal in the Shoot secret, this one will be used instead of the managed one provided by the operator.
+
+Each managed service principal will be maintained in a `Secret` like that:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: service-principal-my-tenant
+  namespace: extension-provider-azure
+  labels:
+    azure.provider.extensions.gardener.cloud/purpose: tenant-service-principal-secret
+data:
+  tenantID: base64(my-tenant)
+  clientID: base64(my-service-princiapl-id)
+  clientSecret: base64(my-service-princiapl-secret)
+type: Opaque
+```
+
+The user needs to provide in its Shoot secret a `tenantID` and `subscriptionID`.
+
+The managed service principal will be assigned based on the `tenantID`.
+In case there is a managed service principal secret with a matching `tenantID`, this one will be used for the Shoot.
+If there is no matching managed service principal secret then the next Shoot operation will fail.
+
+One of the benefits of having managed service principals is that the operator controls the lifecycle of the service principal and can rotate its secrets.
+
+After the service principal secret has been rotated and the corresponding secret is updated, all Shoot clusters using it need to be reconciled or the last operation to be retried.
+