add ASO install

Makefile

@@ -374,8 +374,8 @@ docker-pull-prerequisites: ## Pull prerequisites for building controller-manager
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker image for controller-manager.
 	DOCKER_BUILDKIT=1 docker build --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
-	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
-	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml"
+	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/capz/manager_image_patch.yaml"
+	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/capz/manager_pull_policy.yaml"
 
 .PHONY: docker-push
 docker-push: ## Push the docker image
@@ -412,12 +412,12 @@ docker-push-manifest: ## Push the fat manifest docker image.
 .PHONY: set-manifest-image
 set-manifest-image: ## Update kustomize image patch file for default resource.
 	$(info Updating kustomize image patch file for default resource)
-	sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/default/manager_image_patch.yaml
+	sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/capz/manager_image_patch.yaml
 
 .PHONY: set-manifest-pull-policy
 set-manifest-pull-policy: ## Update kustomize pull policy file for default resource.
 	$(info Updating kustomize pull policy file for default resource)
-	sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/default/manager_pull_policy.yaml
+	sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/capz/manager_pull_policy.yaml
 
 ## --------------------------------------
 ## Generate
@@ -686,8 +686,8 @@ test-e2e-skip-push: ## Run "docker-build" rule then run e2e tests.
 
 .PHONY: test-e2e-skip-build-and-push
 test-e2e-skip-build-and-push:
-	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml"
-	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml" PULL_POLICY=IfNotPresent
+	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/capz/manager_image_patch.yaml"
+	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/capz/manager_pull_policy.yaml" PULL_POLICY=IfNotPresent
 	MANAGER_IMAGE=$(CONTROLLER_IMG)-$(ARCH):$(TAG) \
 	$(MAKE) test-e2e-run
 

config/aso/credentials.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aso-controller-settings
+type: Opaque
+data:
+  AZURE_SUBSCRIPTION_ID: ${AZURE_SUBSCRIPTION_ID_B64:=""}
+  AZURE_TENANT_ID: ${AZURE_TENANT_ID_B64:=""}
+  AZURE_CLIENT_ID: ${AZURE_CLIENT_ID_B64:=""}
+  AZURE_CLIENT_SECRET: ${AZURE_CLIENT_SECRET_B64:=""}

config/aso/kustomization.yaml

@@ -0,0 +1,65 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: capz-system
+resources:
+- https://github.com/Azure/azure-service-operator/releases/download/v2.0.0/azureserviceoperator_v2.0.0.yaml
+- https://github.com/Azure/azure-service-operator/releases/download/v2.0.0/azureserviceoperator_customresourcedefinitions_v2.0.0.yaml
+- credentials.yaml
+
+patches:
+  - patch: |- # default kustomization includes a namespace already
+      $patch: delete
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: capz-system
+  - patch: |- # CAPZ will manage ASO's CRDs
+      - op: test
+        path: /spec/template/spec/containers/0/args/4
+        value: --crd-pattern=*
+      - op: remove
+        path: /spec/template/spec/containers/0/args/4
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: azureserviceoperator-controller-manager
+  - patch: |- # remove permissions to manage CRDs
+      $patch: delete
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: azureserviceoperator-crd-manager-role
+  - patch: |-
+      $patch: delete
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: azureserviceoperator-crd-manager-rolebinding
+
+replacements:
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: azureserviceoperator-serving-cert
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          version: v1
+        fieldPaths:
+          - metadata.annotations.cert-manager\.io/inject-ca-from
+        options:
+          delimiter: /
+          index: 0
+      - select:
+          group: cert-manager.io
+          version: v1
+          kind: Certificate
+          name: azureserviceoperator-serving-cert
+        fieldPaths:
+          - spec.dnsNames.0
+          - spec.dnsNames.1
+        options:
+          delimiter: .
+          index: 1

config/capz/kustomization.yaml

@@ -0,0 +1,53 @@
+namespace: capz-system
+
+namePrefix: capz-
+
+resources:
+  - namespace.yaml
+  - credentials.yaml
+  - aad-pod-identity-deployment.yaml  
+
+bases:
+  - ../crd
+  - ../rbac
+  - ../manager
+  - ../webhook
+  - ../certmanager
+
+patchesStrategicMerge:
+  - manager_image_patch.yaml
+  - manager_pull_policy.yaml
+  - manager_credentials_patch.yaml
+  - manager_webhook_patch.yaml
+  - webhookcainjection_patch.yaml
+
+vars:
+  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: CERTIFICATE_NAME
+    objref:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # this name should match the one in certificate.yaml
+  - name: SERVICE_NAMESPACE # namespace of the service
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: SERVICE_NAME
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+
+configurations:
+  - kustomizeconfig.yaml

config/default/kustomization.yaml

@@ -1,57 +1,6 @@
-namespace: capz-system
-
-namePrefix: capz-
-
 # Labels to add to all resources and selectors.
 commonLabels:
   cluster.x-k8s.io/provider: "infrastructure-azure"
 
 resources:
-  - namespace.yaml
-  - credentials.yaml
-  - aad-pod-identity-deployment.yaml  
-
-bases:
-  - ../crd
-  - ../rbac
-  - ../manager
-  - ../webhook
-  - ../certmanager
-
-patchesStrategicMerge:
-  - manager_image_patch.yaml
-  - manager_pull_policy.yaml
-  - manager_credentials_patch.yaml
-  - manager_webhook_patch.yaml
-  - webhookcainjection_patch.yaml
-
-vars:
-  - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-    objref:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: CERTIFICATE_NAME
-    objref:
-      kind: Certificate
-      group: cert-manager.io
-      version: v1
-      name: serving-cert # this name should match the one in certificate.yaml
-  - name: SERVICE_NAMESPACE # namespace of the service
-    objref:
-      kind: Service
-      version: v1
-      name: webhook-service
-    fieldref:
-      fieldpath: metadata.namespace
-  - name: SERVICE_NAME
-    objref:
-      kind: Service
-      version: v1
-      name: webhook-service
-
-configurations:
-  - kustomizeconfig.yaml
+  - ../capz

config/webhook/service.yaml

@@ -7,3 +7,5 @@ spec:
   ports:
     - port: 443
       targetPort: webhook-server
+  selector:
+    control-plane: capz-controller-manager