Refactor scalesets NIC config

[CecileRobertMichon]

What type of PR is this?

/kind cleanup

What this PR does / why we need it: When #2411 merged it added some duplicate/dead code in the VMSS spec for network interfaces. #3243 fixed some functional issues, this PR cleans up the code to remove dead code.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #3224

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

NONE

[mweibel]

that's much better than before, thanks. I wonder if we should add some more tests (unit tests might suffice?) to ensure we have IP Forwarding enabled and accelerated networking set to the correct value?

[mweibel]

Unless I'm mistaken: if len(vmssSpec.NetworkInterfaces) == 0 this would not add any network configuration. Wondering how to handle this best. To keep code here simple, should we maybe add networkInterfaces to the defaulter webhook if none are specified?

[CecileRobertMichon]

Correct, the defaulting in the webhook is already being done so there should never be a case where len(vmssSpec.NetworkInterfaces) == 0:

https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/exp/api/v1beta1/azuremachinepool_default.go#L136

[mweibel]

hm, true. Wonder why this didn't catch when we upgraded CAPZ.. But maybe there were other issues. Looks fine like this.

[nawazkh]

What happens when the amp.Spec.Template.SubnetName and amp.Spec.Template.AcceleratedNetworking is not defined in the spec, will we be setting empty subnetName and dereferencing an empty pointer in the defaulting webhook?

[CecileRobertMichon]

and dereferencing an empty pointer

where do you see dereferencing of a pointer in the webhook?

If accelerated networking is nil we use the value of the SKU to determine if it's supported https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/3188/files#diff-a6779b0b37d0dcdbe7dcd6f00150a22e12ac067a96269038452d27ba39349a90R603

For empty subnet name it won't be empty because it's defaulted to the Cluster subnet name if empty before it reaches this part of the code on every reconcile loop:

cluster-api-provider-azure/azure/scope/machinepool.go

Line 726 in 2d7ffd3

if m.AzureMachinePool.Spec.Template.NetworkInterfaces[0].SubnetName == "" {

[nawazkh]

and dereferencing an empty pointer

where do you see dereferencing of a pointer in the webhook?

Sorry my bad, didn't post the question right.

My other concerns are addressed too. Thanks for pinning the info!

/lgtm

[mweibel]

Suggested change

	nicConfig.Name = pointer.String(vmssSpec.Name + "-nic-" + strconv.Itoa(i))
	nicConfig.Name = pointer.String(vmssSpec.Name + "-nic-" + strconv.Itoa(i))
	nicConfig.EnableIPForwarding = pointer.Bool(true)

EnableIPForwarding is necessary for the CNI to work

[CecileRobertMichon]

Added to maintain what's there, however I'm still not convinced this should be hardcoded. For VMs it's configurable: https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/main/azure/services/networkinterfaces/spec.go#L211

Can you expand on "is necessary for the CNI to work"? Which CNI? What IP family?

[CecileRobertMichon]

From the comment here, it's only needed for Calico + Ipv6

[mweibel]

I'm not the expert in CNIs but I believe it is needed for Calico with VXLAN (which is required when you use windows nodes and Calico CNI) - also in IPv4 mode. At least not having IP Forwarding enabled was the root cause of our issues when we ugpraded CAPZ.

Adding this flag as a property on the networkInterfaces object would be nice, however if it's not enabled it might be difficult to figure out whats wrong for a user.

[mweibel]

I'm not sure about the semantics of the IPConfiguration API resource. Is it namespaced below the nic config and the name does therefore not matter or do we need to include e.g. vmssSpec.Name in the name to avoid name collisions?

Asking because previous code used the vmss name in the IP configuration too.

[CecileRobertMichon]

I had the same question and tested this, IPConfig name is scoped to the NIC so we don't need VMSS name in there to avoid collision.

I don't have to change this (it works as-is) but the current naming is a bit awkward since all the IP configs end up having the scale set name in it which is not really relevant (especially in the scenario where you have more than 1 NIC per VMSS). This is better aligned with Azure naming conventions.

Also verified this won't be a breaking change. Because we never update the network config on existing scale sets, this change will only apply to new NICs created going forward.

[CecileRobertMichon]

@mweibel thanks for the review, I removed the ipv6 change from this PR since it's not quite working yet (it's blocked on #3221), so this is ready for review now.

[nawazkh]

Started taking a look at this
/assign

[CecileRobertMichon]

/retest

[CecileRobertMichon]

/test pull-cluster-api-provider-azure-e2e

just to see if by any chance this repros #3227

[CecileRobertMichon]

just to see if by any chance this repros #3227

...and it just did

/retest

[CecileRobertMichon]

/retest

[nawazkh]

Using this PR, I was able to bring up a cluster with multiple IPConfigs and with Azure CNI. So everything looks good to me so far, just had a concern which I have mentioned above.

❯ clusterctl describe cluster azure-cni-v1-30372
No default config file available
NAME                                                                   READY  SEVERITY  REASON  SINCE  MESSAGE
Cluster/azure-cni-v1-30372                                             True                     26m
├─ClusterInfrastructure - AzureCluster/azure-cni-v1-30372              True                     29m
├─ControlPlane - KubeadmControlPlane/azure-cni-v1-30372-control-plane  True                     26m
│ └─Machine/azure-cni-v1-30372-control-plane-zpxs8                     True                     26m
└─Workers
  └─MachineDeployment/azure-cni-v1-30372-md-0                          True                     24m
    └─2 Machines...                                                    True                     24m    See azure-cni-v1-30372-md-0-7459f94f6b-7kmg8, azure-cni-v1-30372-md-0-7459f94f6b-c4rxg

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: bc990f4f7d821f4e1a44e957c12c0b4b9e5bda7f

[CecileRobertMichon]

/assign @jackfrancis @mboersma

[mweibel]

LGTM

(can't resolve the conversations since I'm not part of kubernetes-sigs)

[mboersma]

/lgtm
/approve

You had me at "removes 128 lines of code."

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nawazkh]

/lgtm