e2e: use helm to install out-of-tree cloud-provider-azure

[jackfrancis]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR updates the "external" (or out-of-tree) cloud-provider-azure templates and test implementation so that we use the official helm chart (see this PR: kubernetes-sigs/cloud-provider-azure#1306).

This approach has the following advantages:

• rather than define static versions of cloud-provider-azure to install, we rely upon the helm chart to choose the right version for the version of Kubernetes running in the cluster
• no longer rely upon ClusterResourceSet CRD, which is alpha and may not be enabled on your cluster-api mgmt cluster

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

replace ClusterResourceSet with helm for external cloud-provider-azure templates

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jsturtevant]

My concern with this is we now have two ways to install cluster addons on until the new proposal lands and goes forward. This just adds some complexity from maintenace and possible confusion. We are also suggesting using helm for most out of the box clusters. Is that what we desire? I don't have any strong objections just pointing it out.

We also probably need to add docs on how to do this post cluster creation.

[jsturtevant]

cool, didn't know about this!

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jsturtevant]

This test doesn't run for windows currently, but if it did we would need to include WINDOWS_WORKER_MACHINE_COUNT here.

[jackfrancis]

Actually this brings up a good question. On this test, for example, this WorkerMachineCount value seems to apply to each node pool (not total number of expected worker nodes):

https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/v1.2.1/test/e2e/azure_test.go#L216

And indeed, this value seems to be used to populate the named env var that kustomize uses to configure a single value which by convention is shared across all MachinePools/MachineDeployments:

https://github.com/kubernetes-sigs/cluster-api/blob/v1.1.3/cmd/clusterctl/client/config.go#L436

This check is really here to know that we're ready to reliably perform a helm install against the cluster. We can simply check for 1 Running node to do that.

This will work for a Windows-enabled cluster.

Do we want to just convert the reference "external-cloud-provider" template to have a Windows MachineDeployment as well? @CecileRobertMichon for thoughts as well

[CecileRobertMichon]

IMO we should not change the existing external cloud provider template in this PR but instead change all the reference templates to use external cloud provider as we had started doing in #1889 in a follow PR. That will include various windows flavors.

[jackfrancis]

Makes sense

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jackfrancis]

@CecileRobertMichon @jsturtevant the below is a proposed solution to ensuring these changes are back-compat with upstream cloud-provider-azure test-infra jobs that rely upon capz to test out-of-tree. This is how the current tests currently work:

1. TEST_CCM=true is set when calling scripts/ci-entrypoint.sh:

• https://github.com/kubernetes/test-infra/blob/f74bc266fbbff04f30769fbfcd736634c90d3b5f/config/jobs/kubernetes-sigs/cloud-provider-azure/cloud-provider-azure-config.yaml#L185

2. capz maintains a script to set the CI-built image data here:

• cluster-api-provider-azure/scripts/ci-entrypoint.sh

  Line 91 in 1352fa2

  source "${REPO_ROOT}/scripts/ci-build-azure-ccm.sh"

• cluster-api-provider-azure/scripts/ci-build-azure-ccm.sh

  Line 43 in 1352fa2

  export IMAGE_REGISTRY=${REGISTRY}

• cluster-api-provider-azure/scripts/ci-build-azure-ccm.sh

  Lines 34 to 36 in 1352fa2

  	declare CCM_IMAGE_NAME=azure-cloud-controller-manager
  	# cloud node manager image
  	declare CNM_IMAGE_NAME=azure-cloud-node-manager

• cluster-api-provider-azure/scripts/ci-build-azure-ccm.sh

  Line 44 in 1352fa2

  pushd "${AZURE_CLOUD_PROVIDER_ROOT}" && IMAGE_TAG=$(git rev-parse --short=7 HEAD) && export IMAGE_TAG && popd

These env vars aren't as specifically named as we'd ideally want, but re-using them as-is allows us to reduce the change surface area (don't have to update capz CI scripts and/or test-infra job defs).

[CecileRobertMichon]

the out of tree cloud provider PR tests and conformance tests don't run CAPZ e2e so they won't call InstallCloudProviderAzureHelmChart as far as I know. We may need to 1) modify ci-entrypoint.sh directly to do the helm install for out of tree cases, and 2) change conformance_test.go to use this custom control plane waiter too when testing out of tree

[CecileRobertMichon]

/cc @lzhecheng

[jackfrancis]

I don't think we have to worry about the conformance stuff yet (in this PR), it seems the only template flavors that it currently uses are default and windows (not the external templates).

When we eventually get to the part of this effort where we're testing out-of-tree by default, then yeah, the conformance ControlPlaneWaiters will need to get updated as well.

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jackfrancis]

@CecileRobertMichon @lzhecheng incorporated the helm stuff into the ci-entrypoint.sh script itself. The way this will work is basically the same way I implemented this in the Tiltfile (wait for kubeconfig secret, wait for successful get nodes). Reference:

cluster-api-provider-azure/Makefile

Lines 283 to 287 in 1352fa2

	# Wait for the kubeconfig to become available.
	timeout --foreground 300 bash -c "while ! kubectl get secrets | grep $(CLUSTER_NAME)-kubeconfig; do sleep 1; done"
	# Get kubeconfig and store it locally.
	kubectl get secrets $(CLUSTER_NAME)-kubeconfig -o json | jq -r .data.value | base64 --decode > ./kubeconfig
	timeout --foreground 600 bash -c "while ! kubectl --kubeconfig=./kubeconfig get nodes | grep control-plane; do sleep 1; done"

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[CecileRobertMichon]

should this be using a config interval variable here instead of hardcoding to 20 minutes? same question for intervals below

[jackfrancis]

reusing the WaitForControlPlaneIntervals var everywhere here

arguably you can tune these down per retryable operations, but it's debatable whether or not it's worth the effort

[jackfrancis]

/retest

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[jackfrancis]

/retest

[CecileRobertMichon]

/lgtm
/assign @jsturtevant

[CecileRobertMichon]

/hold cancel

[CecileRobertMichon]

/assign @mboersma

James is OOF this week

[mboersma]

Just a few questions, but this looks good.

[mboersma]

I wanted to suggest this would be better as an f-string, but then I remembered this is Starlark.

[mboersma]

I'm also mildly opposed to this change if it adds any noticeable time to testing targets. Could we maybe have the new target install just the tools that are actually shared, or is this still a maintenance headache?

install-tools: $(ENVSUBST) $(KUSTOMIZE) $(KUBECTL)

test-e2e-run: generate-e2e-templates install-tools $(GINKGO)

[jackfrancis]

/test pull-cluster-api-provider-azure-e2e-optional

[mboersma]

/lgtm

[CecileRobertMichon]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment