migrate private endpoints service to ASO

[nawazkh]

What type of PR is this?
/kind feature

What this PR does / why we need it:

• This PR migrates private endpoints service to use ASO framework.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #3530

Special notes for your reviewer:

• I tested it locally, and I was able to bring up a private-endpoint using the default template.

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

migrate Private Endpoints Service to use ASO Framework

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

Attention: 19 lines in your changes are missing coverage. Please review.

Comparison is base (50cd249) 60.45% compared to head (12a2c08) 60.89%.
Report is 8 commits behind head on main.

Files	Patch %	Lines
azure/services/privateendpoints/spec.go	81.69%	10 Missing and 3 partials ⚠️
...zure/services/privateendpoints/privateendpoints.go	0.00%	5 Missing ⚠️
azure/scope/cluster.go	96.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4108      +/-   ##
==========================================
+ Coverage   60.45%   60.89%   +0.43%     
==========================================
  Files         191      190       -1     
  Lines       19195    18983     -212     
==========================================
- Hits        11604    11559      -45     
+ Misses       6947     6787     -160     
+ Partials      644      637       -7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nawazkh]

Updating unit tests.
/hold

[nawazkh]

/unhold

[nawazkh]

/unhold

[nawazkh]

/retest

[nawazkh]

/retest

[nawazkh]

/test pull-cluster-api-provider-azure-windows-containerd-upstream-custom-builds

[k8s-ci-robot]

@nawazkh: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test pull-cluster-api-provider-azure-build
• /test pull-cluster-api-provider-azure-ci-entrypoint
• /test pull-cluster-api-provider-azure-e2e
• /test pull-cluster-api-provider-azure-e2e-aks
• /test pull-cluster-api-provider-azure-test
• /test pull-cluster-api-provider-azure-verify

The following commands are available to trigger optional jobs:

• /test pull-cluster-api-provider-azure-apidiff
• /test pull-cluster-api-provider-azure-apiversion-upgrade
• /test pull-cluster-api-provider-azure-capi-e2e
• /test pull-cluster-api-provider-azure-conformance
• /test pull-cluster-api-provider-azure-conformance-custom-builds
• /test pull-cluster-api-provider-azure-conformance-dual-stack-with-ci-artifacts
• /test pull-cluster-api-provider-azure-conformance-ipv6-with-ci-artifacts
• /test pull-cluster-api-provider-azure-conformance-with-ci-artifacts
• /test pull-cluster-api-provider-azure-e2e-optional
• /test pull-cluster-api-provider-azure-e2e-workload-upgrade
• /test pull-cluster-api-provider-azure-windows-containerd-upstream-with-ci-artifacts-serial-slow
• /test pull-cluster-api-provider-azure-windows-custom-builds
• /test pull-cluster-api-provider-azure-windows-with-ci-artifacts

Use /test all to run the following jobs that were automatically triggered:

• pull-cluster-api-provider-azure-apidiff
• pull-cluster-api-provider-azure-build
• pull-cluster-api-provider-azure-capi-e2e
• pull-cluster-api-provider-azure-ci-entrypoint
• pull-cluster-api-provider-azure-conformance
• pull-cluster-api-provider-azure-conformance-custom-builds
• pull-cluster-api-provider-azure-conformance-dual-stack-with-ci-artifacts
• pull-cluster-api-provider-azure-conformance-ipv6-with-ci-artifacts
• pull-cluster-api-provider-azure-conformance-with-ci-artifacts
• pull-cluster-api-provider-azure-e2e
• pull-cluster-api-provider-azure-e2e-aks
• pull-cluster-api-provider-azure-test
• pull-cluster-api-provider-azure-verify
• pull-cluster-api-provider-azure-windows-custom-builds
• pull-cluster-api-provider-azure-windows-with-ci-artifacts

In response to this:

/test pull-cluster-api-provider-azure-windows-containerd-upstream-custom-builds

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nojnhuh]

This length check (along with the other similar ones) could be made redundant if we initialize the slices as nil:

Suggested change

	if len(s.ApplicationSecurityGroups) > 0 {
	applicationSecurityGroups := make([]asonetworkv1.ApplicationSecurityGroupSpec_PrivateEndpoint_SubResourceEmbedded, 0, len(s.ApplicationSecurityGroups))
	var applicationSecurityGroups []asonetworkv1.ApplicationSecurityGroupSpec_PrivateEndpoint_SubResourceEmbedded

Then the linter will complain that we're not pre-allocating the slice, but I'd be +1 to ignoring that since I can't imagine that makes any difference in performance unless users are defining 1000s of these in a single resource YAML.

[nawazkh]

I agree. But if this minor over-engineering guardrails us from unforeseen scenarios and adds a bit of performance, I am happy to take it. 😃

[nojnhuh]

I don't see where ASO lets us set these fields. Is that because they don't actually have any effect? Should we be setting these on the real subnet resource?

[nawazkh]

Good question @nojnhuh , Let me put a question on the ASO channel.

My theory from probing the Azure SDK request body params (xref: https://learn.microsoft.com/en-us/rest/api/virtualnetwork/private-endpoints/create-or-update?view=rest-virtualnetwork-2023-05-01&tabs=HTTP#request-body) is that PrivateEndpointNetworkPolicy: Disabled and PrivateLinkServiceNetworkPolicy: Enabled appear to be the default values for the fields being explicitly specified.

From the examples of creating PrivateEndpoints using Azure SDK, I see that privateEndpoints request payload only requires the SubnetIDs, I am guessing ASO is also following the same

But, let me confirm.

Update: scratch the theory.

[nojnhuh]

@nawazkh If there isn't one already, could you please open an issue to track adding e2e coverage for private endpoints?

[willie-yao]

Looks good pending one minor comment!

[nawazkh]

@nawazkh If there isn't one already, could you please open an issue to track adding e2e coverage for private endpoints?

Created #4336

[k8s-ci-robot]

@nawazkh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-windows-containerd-upstream-custom-builds	7c8f0d3	link	false	/test pull-cluster-api-provider-azure-windows-containerd-upstream-custom-builds

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[nojnhuh]

/retest

[nojnhuh]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: e4ff7a484cb390fd12a7e365e1b45dcd4d63281a

[willie-yao]

/lgtm

[nojnhuh]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nojnhuh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nojnhuh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment