Add support for joining clusters to AKS Fleet

[willie-yao]

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR adds support for joining managed clusters to AKS Fleet via the field fleetManager in the AzureManagedControlPlane.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Steps to test:

1. Create a fleet manager in AKS. Microsoft docs: https://learn.microsoft.com/en-us/azure/kubernetes-fleet/quickstart-create-fleet-and-members
2. Add the following field to your AzureManagedControlPlane spec

fleetManager: 
    group: test-group
    managerName: fleet-manager-name
    managerResourceGroup: fleet-manager-rg

3. Create the managed cluster and observe it being added as a member to your fleet manager

• cherry-pick candidate

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Add support for joining clusters to AKS Fleet

[serbrech]

Why is fleetmember in the same namespace as AKS in ASO? that seems wrong? We release with a different SDK, different API version, etc...
our latest API version is 0815preview.

[willie-yao]

Hmm I'm not sure. ASO includes both under asocontainerservicev1 here: https://azure.github.io/azure-service-operator/reference/containerservice/

[serbrech]

why AzureName = ManagerName?
member.Name is the name of the member.
it shouldn't be the same as the fleet.

and same comment as further up on naming consistency. is the Azure prefix needed?

[willie-yao]

The AzureName is defined as a part of an ASO spec type, so I can't change that

[serbrech]

is s.ResourceGroup the resourceGroup of the target AKS cluster? or the resource group of the member resource?
I assume that memberSpec.ResourceGroup is the RG of the member?

[willie-yao]

It is the resource group of both the target AKS cluster and the member resource. The member resource is then attached the owning fleet manager. I may be misunderstanding how member resources work though. Are they supposed to be in a different resource group?

[serbrech]

the member resource is a child resource of the fleet manager, just like an agentpool is a child resource of an aks cluster.
the member cannot be in a different RG than the fleet manager.

the aks cluster that the member resource targets, can be anywhere.

it is the resource group of both the target AKS cluster and the member resource.

This would imply that all AKS clusters that join a fleet must be in the same resource group as the fleet manager, which means they would all have to be in the same subscription as well.

• subscription-1

  • MyFleet-RG
    • Fleet
      • Member A -> aks-a cluster (located anywhere)
      • Member B -> aks-b cluster (located anywhere)

• subscription-2

  • Cluster-A-RG
    • aks-a cluster

• subscription-3

  • Cluster-B-RG
    • aks-b cluster

[willie-yao]

the member cannot be in a different RG than the fleet manager.

Is the spec.Group field the resource group of the fleet member then? I don't see any other place where I specified the resource group for the member. If so, I can set Group to s.ManagerResourceGroup. For the ClusterResourceReference, I think the current logic makes sense as the cluster resource group is separate from the manager/member resource group.

[serbrech]

member.Group is an "UpdateGroup" that the user can provide to group members within a fleet.
"test", "staging", "prod-early", "prod" for example.
like a static annotation on the member if you will. not a resourcegroup.

[willie-yao]

Gotcha. I just re-tested and it seems like the member cluster I made is in a different resource group than the manager and it seems to be working fine?
Member cluster:

And my fleet manager is in a separate resource group fleet-test

[serbrech]

is that correct? why is the group under the fleetsManager?

[willie-yao]

This is defined in ASO's fleetsManager spec, so I'm not entirely sure: https://azure.github.io/azure-service-operator/reference/containerservice/v1api20230315preview/#containerservice.azure.com/v1api20230315preview.Fleets_Member_Spec

[codecov]

Codecov Report

Attention: 45 lines in your changes are missing coverage. Please review.

Comparison is base (2c47af5) 62.20% compared to head (ad60a09) 62.11%.
Report is 4 commits behind head on main.

Files	Patch %	Lines
azure/scope/managedcontrolplane.go	0.00%	16 Missing ⚠️
api/v1beta1/azuremanagedcontrolplane_webhook.go	36.84%	11 Missing and 1 partial ⚠️
azure/services/fleetsmembers/spec.go	60.00%	10 Missing ⚠️
azure/services/fleetsmembers/fleetsmembers.go	0.00%	5 Missing ⚠️
azure/defaults.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4316      +/-   ##
==========================================
- Coverage   62.20%   62.11%   -0.10%     
==========================================
  Files         187      189       +2     
  Lines       18568    18642      +74     
==========================================
+ Hits        11551    11580      +29     
- Misses       6381     6425      +44     
- Partials      636      637       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[willie-yao]

/retest

[willie-yao]

@serbrech I have addressed all comments and also made a few improvements to the implementation. Let me know what you think!

[willie-yao]

/retest

[serbrech]

I noticed in our fleet logs that your test was proactively trying to join the cluster as a member before it was created.
it gets repetitively 409.
Do you have a way to add a condition on your side to only join once the target cluster is created? or is it out of scope and unusual in cluster-api?

[Jont828]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 6ba3ca6e1cc7a596ccd48ae841e90d759a860158

[jackfrancis]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jackfrancis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nojnhuh]

/hold I have some comments queued up

[nojnhuh]

Do we need to do any validation for AzureManagedControlPlaneTemplate?

[willie-yao]

We don't need validation for the template since the name is the only thing we need to validate, and we don't specify the name in the template.

[nojnhuh]

Is there a link to AKS docs we could include here?

[nojnhuh]

Same here re: AKS doc link

[nojnhuh]

One way I can think of to get rid of this little dance is for AzureFleetsMemberSpec to return a slice of 0 or 1 elements instead of a possibly-nil pointer to one. Then this could just be:

Suggested change

	spec := scope.AzureFleetsMemberSpec()
	if spec != nil {
	svc.Specs = []azure.ASOResourceSpecGetter[*asocontainerservicev1.FleetsMember]{spec}
	}
	svc.Specs = scope.AzureFleetsMemberSpecs()

[nojnhuh]

Do we need this struct definition or can we refactor this like #4224?

[nojnhuh]

Not blocking this PR, but I'm still curious as to exactly what's being updated here if removing the fleets member field doesn't actually delete the ASO resource.

[willie-yao]

I think that there was an issue with the controller trying to reconcile the fleets member as we're trying to delete it, and it may have been causing some problems. I'll try testing it again without this step and maybe those problems were due to a different issue.

[willie-yao]

Found the error. It happens when I try to delete the fleets member:

this operation depends on is not in an expected state. Expected: ProvisioningState in (Succeeded, Canceled, Failed, Deleting, Upgrading). Actual: ProvisioningState is Updating. Change the resource to expected state and try again.

[nojnhuh]

This [AKS doc]: ... syntax basically only defines a variable that you need to reference for it to actually render in the generated docs:

Suggested change

	// [AKS doc]: https://learn.microsoft.com/en-us/azure/templates/microsoft.containerservice/2023-03-15-preview/fleets/members
	// See also [AKS doc].
	//
	// [AKS doc]: https://learn.microsoft.com/en-us/azure/templates/microsoft.containerservice/2023-03-15-preview/fleets/members

https://deploy-preview-4316--kubernetes-sigs-cluster-api-provider-azure.netlify.app/reference/v1beta1-api#infrastructure.cluster.x-k8s.io/v1beta1.FleetsMember

[nojnhuh]

/lgtm
/hold cancel

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 1bf6b4cf8533455daae165b411807cbe6661db79

[k8s-ci-robot]

@willie-yao: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-azure-conformance-custom-builds	434d82b	link	false	/test pull-cluster-api-provider-azure-conformance-custom-builds
pull-cluster-api-provider-azure-windows-custom-builds	ad60a09	link	false	/test pull-cluster-api-provider-azure-windows-custom-builds

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[willie-yao]

/retest

[willie-yao]

Looks like the PR merged without these tests passing... I think the custom windows one was failing but I don't think it's related to this PR