Disable local accounts for aks aad clusters

[LochanRn]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Support to disable local accounts for aks aad clusters

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2129

Special notes for your reviewer:

As access for admin kubeconfig will be disabled, the user must ensure to add the service principle to the admin group configured for enabling AAD.

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Support disabling of local accounts for AKS clusters with Azure Active Directory enabled. Disables the back door to get admin kubeconfig for AAD based clusters. The user must ensure to add the service principle to admin groups in azure AAD for capz to be able to deploy the target cluster..

[codecov]

Codecov Report

Attention: 81 lines in your changes are missing coverage. Please review.

Comparison is base (b9430aa) 57.61% compared to head (1841617) 57.65%.
Report is 26 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4008      +/-   ##
==========================================
+ Coverage   57.61%   57.65%   +0.03%     
==========================================
  Files         188      188              
  Lines       19200    19320     +120     
==========================================
+ Hits        11062    11138      +76     
- Misses       7507     7550      +43     
- Partials      631      632       +1     

Files	Coverage Δ
api/v1beta1/azuremanagedcontrolplane_types.go	20.00% <ø> (ø)
api/v1beta1/azuremanagedcontrolplane_webhook.go	89.67% <100.00%> (+0.59%)	⬆️
azure/scope/managedcontrolplane.go	25.97% <65.21%> (+3.30%)	⬆️
azure/services/managedclusters/spec.go	52.95% <0.00%> (-0.99%)	⬇️
azure/services/managedclusters/client.go	0.00% <0.00%> (ø)
controllers/azuremanagedcontrolplane_reconciler.go	33.68% <0.00%> (-1.10%)	⬇️
azure/services/managedclusters/managedclusters.go	55.00% <28.00%> (-20.35%)	⬇️

... and 4 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Jont828]

Nice work! Just some small changes

[LochanRn]

/test pull-cluster-api-provider-azure-e2e

[LochanRn]

/test pull-cluster-api-provider-azure-e2e

[willie-yao]

PR looks good pending the unit test for ReconcileKubeconfig! Although I don't think it would be blocking the PR for merge.

/lgtm

[Jont828]

LGTM aside from pending comments and once tests pass. Great work so far!

[LochanRn]

/test pull-cluster-api-provider-azure-e2e

[CecileRobertMichon]

/lgtm
/approve

Thank you @LochanRn!

@nojnhuh FYI this PR might be disruptive for both #4052 and #4069 but it's worth merging as-is and rebasing the two big PRs on top since it's a feature that's been asked for for a while

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 519a076c6a9c1a104262a5bd495484b0403633ca

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[LochanRn]

@CecileRobertMichon PTAL i added docs !

[CecileRobertMichon]

minor nits

[CecileRobertMichon]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c66bb0f3835c52b003dd275b21c18b5be312144b

[nojnhuh]

Is this comment correct or should it be referring to the user kubeconfig instead of the admin one?

[LochanRn]

This comment is correct, if we refer to the user kubeconfig we will need kubelogin to access the cluster.