rebuild the AKS build cluster

Author: upodroid

infra/azure/terraform/k8s-infra-prow-build/aks.tf

@@ -15,21 +15,23 @@ limitations under the License.
 */
 
 module "prow_build" {
-  source                    = "Azure/aks/azurerm"
-  version                   = "9.2.0"
+  source                    = "Azure/aks/azurerm//v4"
+  version                   = "10.0.0"
   resource_group_name       = azurerm_resource_group.rg.name
   location                  = azurerm_resource_group.rg.location
   sku_tier                  = "Standard"
-  automatic_channel_upgrade = "patch"
-  kubernetes_version        = "1.32"
-  prefix                    = "k8s-infra"
+  automatic_channel_upgrade = "stable"
+  # kubernetes_version        = "1.34"
+  prefix = "k8s-infra"
 
   role_based_access_control_enabled = true
   workload_identity_enabled         = true
   oidc_issuer_enabled               = true
-  rbac_aad                          = true
-  rbac_aad_managed                  = true
-  local_account_disabled            = false
+  rbac_aad_azure_rbac_enabled       = true
+  rbac_aad_admin_group_object_ids = [
+    "2d1bde94-76f6-4538-9ac0-1b2ef459ba15" # aks-admins
+  ]
+  local_account_disabled = false
 
   identity_type = "UserAssigned"
   identity_ids  = [azurerm_user_assigned_identity.aks_identity.id]
@@ -42,10 +44,13 @@ module "prow_build" {
     user_assigned_identity_id = azurerm_user_assigned_identity.aks_kubelet_identity.id
   }
 
-  ebpf_data_plane     = "cilium"
-  network_plugin_mode = "overlay"
-  network_plugin      = "azure"
-  network_policy      = "cilium"
+  ebpf_data_plane       = "cilium"
+  network_plugin_mode   = "overlay"
+  network_plugin        = "azure"
+  network_policy        = "cilium"
+  network_ip_versions   = ["IPv4", "IPv6"]
+  network_data_plane    = "cilium"
+  net_profile_pod_cidrs = ["10.244.0.0/16", "fd12:3456:789a::/64"]
 
   enable_auto_scaling = true
   node_resource_group = "MC_${local.prefix}-prow-build-${azurerm_resource_group.rg.location}-aks-rg"
@@ -60,25 +65,47 @@ module "prow_build" {
   agents_max_pods              = 110
   agents_type                  = "VirtualMachineScaleSets"
   agents_availability_zones    = ["1", "3"]
-  os_sku                       = "AzureLinux"
+  os_sku                       = "Ubuntu"
   agents_size                  = "Standard_D4ds_v5"
   only_critical_addons_enabled = true
   temporary_name_for_rotation  = "tmpnodepool1"
   agents_tags                  = var.common_tags
-  vnet_subnet_id               = module.prow_network.subnets.prow_build_aks.resource_id
+  vnet_subnet = {
+    id = module.prow_network.subnets.prow_build_aks.resource_id
+  }
 
   storage_profile_enabled             = true
   storage_profile_blob_driver_enabled = false
   storage_profile_file_driver_enabled = false
 
   node_pools = {
-    pool1 = {
-      name                = "pool1"
-      vm_size             = "Standard_E8ds_v5"
+    pool-amd64 = {
+      name                = "amd64"
+      vm_size             = "Standard_D8ads_v6"
+      enable_auto_scaling = true
+      kubelet_disk_type   = "OS"
+      min_count           = 3
+      max_count           = 100
+      max_pods            = 110
+      os_disk_type        = "Ephemeral"
+      os_disk_size_gb     = 100
+      os_sku              = "Ubuntu"
+      vnet_subnet_id      = module.prow_network.subnets.prow_build_aks.resource_id
+
+      upgrade_settings = {
+        max_surge                     = "33%"
+        drain_timeout_in_minutes      = 90
+        node_soak_duration_in_minutes = 1
+      }
+    }
+    pool-arm64 = {
+      name                = "arm64"
+      vm_size             = "Standard_D8pds_v6"
       enable_auto_scaling = true
       kubelet_disk_type   = "OS"
       min_count           = 3
-      max_count           = 200
+      max_count           = 100
+      max_pods            = 110
       os_disk_type        = "Ephemeral"
       os_disk_size_gb     = 100
       os_sku              = "Ubuntu"

infra/azure/terraform/k8s-infra-prow-build/network.tf

@@ -15,16 +15,16 @@ limitations under the License.
 */
 
 module "prow_network" {
-  source              = "Azure/avm-res-network-virtualnetwork/azurerm"
-  version             = "0.6.0"
-  name                = "vnet-${azurerm_resource_group.rg.name}"
-  resource_group_name = azurerm_resource_group.rg.name
-  location            = azurerm_resource_group.rg.location
-  address_space       = ["10.52.0.0/16"]
+  source        = "Azure/avm-res-network-virtualnetwork/azurerm"
+  version       = "0.16.0"
+  name          = "vnet-${azurerm_resource_group.rg.name}"
+  parent_id     = azurerm_resource_group.rg.id
+  location      = azurerm_resource_group.rg.location
+  address_space = ["10.52.0.0/16", "fd00:d2cc:d945::/48"]
   subnets = {
     "prow_build_aks" = {
       name                                      = "snet-${azurerm_resource_group.rg.name}"
-      address_prefixes                          = ["10.52.1.0/24"]
+      address_prefixes                          = ["10.52.0.0/22", "fd00:d2cc:d945:1::/64"]
       service_endpoints                         = ["Microsoft.Storage", "Microsoft.ContainerRegistry"]
       private_endpoint_network_policies_enabled = false
     }
@@ -35,13 +35,12 @@ module "prow_network" {
 }
 
 module "private_dns_zones" {
-  source                          = "Azure/avm-ptn-network-private-link-private-dns-zones/azurerm"
-  version                         = "0.4.0"
-  location                        = azurerm_resource_group.rg.location
-  resource_group_name             = azurerm_resource_group.rg.name
-  resource_group_creation_enabled = false
-  tags                            = var.common_tags
-  enable_telemetry                = false
+  source           = "Azure/avm-ptn-network-private-link-private-dns-zones/azurerm"
+  version          = "0.23.0"
+  parent_id        = azurerm_resource_group.rg.id
+  location         = azurerm_resource_group.rg.location
+  tags             = var.common_tags
+  enable_telemetry = false
   private_link_private_dns_zones = {
     azure_aks_mgmt = {
       zone_name = "privatelink.{regionName}.azmk8s.io"
@@ -66,9 +65,9 @@ module "private_dns_zones" {
     }
   }
 
-  virtual_network_resource_ids_to_link_to = {
+  virtual_network_link_additional_virtual_networks = {
     "vnet_prow_build_aks" = {
-      vnet_resource_id = module.prow_network.resource_id
+      virtual_network_resource_id = module.prow_network.resource_id
     }
   }
 }

infra/azure/terraform/k8s-infra-prow-build/providers.tf

@@ -15,11 +15,15 @@ limitations under the License.
 */
 
 terraform {
-  required_version = "~> 1.9.0"
+  required_version = "~> 1.11.4"
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.51, < 4.0"
+      version = ">= 4.57, < 5.0"
+    }
+    azapi = {
+      source  = "azure/azapi"
+      version = ">= 2.8, < 3"
     }
   }
 

infra/azure/terraform/k8s-infra-prow-build/rbac.tf

@@ -34,3 +34,48 @@ resource "azurerm_role_assignment" "kubelet_mi_operator" {
   scope                = azurerm_resource_group.rg.id
   principal_id         = azurerm_user_assigned_identity.aks_kubelet_identity.principal_id
 }
+
+// aks-admin managed identity
+resource "azurerm_user_assigned_identity" "aks_admin" {
+  location            = azurerm_resource_group.rg.location
+  name                = "aks-admin"
+  resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_federated_identity_credential" "aks_admin_argocd" {
+  for_each = toset([
+    "system:serviceaccount:argocd:argocd-application-controller",
+    "system:serviceaccount:argocd:argocd-server",
+  ])
+  name                = "argocd-${reverse(split(":", each.key))[0]}"
+  resource_group_name = azurerm_resource_group.rg.name
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = "https://container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/utility"
+  parent_id           = azurerm_user_assigned_identity.aks_admin.id
+  subject             = each.key
+}
+
+resource "azurerm_federated_identity_credential" "aks_admin_prow" {
+  // https://github.com/kubernetes/k8s.io/tree/main/kubernetes/gke-prow/prow
+  // all services that load kubeconfig should be listed here
+  for_each = toset([
+    "system:serviceaccount:default:deck",
+    "system:serviceaccount:default:config-bootstrapper",
+    "system:serviceaccount:default:crier",
+    "system:serviceaccount:default:sinker",
+    "system:serviceaccount:default:prow-controller-manager",
+    "system:serviceaccount:default:hook",
+  ])
+  name                = "prow-${reverse(split(":", each.key))[0]}"
+  resource_group_name = azurerm_resource_group.rg.name
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = "https://container.googleapis.com/v1/projects/k8s-infra-prow/locations/us-central1/clusters/prow"
+  parent_id           = azurerm_user_assigned_identity.aks_admin.id
+  subject             = each.key
+}
+
+resource "azurerm_role_assignment" "aks_admin" {
+  role_definition_name = "Azure Arc Kubernetes Cluster Admin"
+  scope                = azurerm_resource_group.rg.id
+  principal_id         = azurerm_user_assigned_identity.aks_kubelet_identity.principal_id
+}

infra/gcp/terraform/k8s-infra-prow-build/iam.tf

@@ -33,6 +33,7 @@ module "iam" {
       "serviceAccount:kubernetes-external-secrets@k8s-infra-prow-build.iam.gserviceaccount.com",
       "principal://iam.googleapis.com/projects/${module.project.project_number}/locations/global/workloadIdentityPools/${module.project.project_id}.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
       "principal://iam.googleapis.com/projects/180382678033/locations/global/workloadIdentityPools/k8s-infra-prow-build-trusted.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
+      "principal://iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/k8s-infra-prow.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
     ]
   }
 }
@@ -78,3 +79,29 @@ resource "google_iam_workload_identity_pool_provider" "eks_kops" {
     allowed_audiences = ["sts.googleapis.com"]
   }
 }
+
+
+resource "google_iam_workload_identity_pool" "aks_cluster" {
+  project = module.project.project_id
+
+  workload_identity_pool_id = "prow-aks"
+  display_name              = "AKS Prow Cluster"
+  description               = "Identity pool for CI on Azure using AKS clusters"
+}
+
+resource "google_iam_workload_identity_pool_provider" "aks_cluster" {
+  project = module.project.project_id
+
+  display_name                       = "AKS OIDC provider"
+  description                        = "Identity pool for CI on Azure using AKS clusters"
+  workload_identity_pool_id          = google_iam_workload_identity_pool.aks_cluster.workload_identity_pool_id
+  workload_identity_pool_provider_id = "oidc"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    # From AKS cluster created in https://github.com/kubernetes/k8s.io/tree/main/infra/azure/terraform/k8s-infra-prow-build
+    issuer_uri        = "https://eastus2.oic.prod-aks.azure.com/d1aa7522-0959-442e-80ee-8c4f7fb4c184/85d5aa19-bc3c-4cdb-bc17-0cf8703cfa3f"
+    allowed_audiences = ["sts.googleapis.com"]
+  }
+}

infra/gcp/terraform/k8s-infra-prow-build/serviceaccounts.tf

@@ -30,7 +30,8 @@ locals {
       project_roles     = ["roles/secretmanager.secretAccessor"],
       cluster_namespace = "kubernetes-external-secrets"
       additional_workload_identity_principals = [
-        "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.eks_cluster.name}/*"
+        "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.eks_cluster.name}/*",
+        "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.aks_cluster.name}/*"
       ]
     }
   }

kubernetes/README.md

@@ -0,0 +1,42 @@
+
+# Kubernetes clusters owned by SIG K8s-Infra
+
+This folder contains the declarative configuration for Kubernetes clusters managed by this repo.
+The general pattern is:
+
+- Per-cluster configuration lives in `kubernetes/<cluster-name>/...`.
+- Shared workloads are defined as Argo CD Applications/ApplicationSets in `kubernetes/apps/`.
+- Argo CD itself runs in the `gke-utility` cluster (see `kubernetes/gke-utility/argocd/`).
+
+We use ArgoCD to manage our cluster, you can access it at argo.k8s.io, to access the app, you need to:
+- be a member of the kubernetes github org
+- add your github user to the AuthorizationPolicy in this file: `kubernetes/gke-utility/argocd/extras.yaml#L62`
+
+## Clusters managed here
+
+Cluster directories under `kubernetes/` correspond to the clusters Argo CD manages:
+
+- `aks-prow-build` A Prow Build Cluster in AKS
+- `eks-prow-build` A Prow Build Cluster in EKS
+- `eks-prow-kops` A Prow Build Cluster in EKS
+- `gke-aaa` A shared GKE cluster that runs our applications
+- `gke-prow` Prow Control Plane Cluster on GKE
+- `gke-prow-build` A Prow Build Cluster in GKE
+- `gke-prow-build-trusted` A Prow Build Cluster in GKE, for trusted/sensitive jobs
+- `gke-utility` A GKE cluster running utility workloads such as ArgoCD, Atlantis, Unified Monitoring Stack, etc
+- `ibm-ppc64le` A Prow Build Cluster in IBM
+- `ibm-s390x` A Prow Build Cluster in IBM
+
+Cluster registration/labels used by ApplicationSets are defined in `kubernetes/gke-utility/argocd/clusters.yaml`.
+
+## Workloads
+
+This repo manages many workloads; common examples include:
+
+- `prow` this contains all components of prow deployed in test-pods namespace for all build clusters.
+- `datadog`, our monitoring, security tooling on all AKS/EKS/GKE clusters
+
+
+### Note
+
+- The `gke-aaa` kubernetes manifests are not being managed by ArgoCD yet, you can find them in the `apps` folder

kubernetes/aks-prow-build/datadog/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+  - name: datadog
+    repo: https://helm.datadoghq.com
+    releaseName: datadog
+    version: 3.157.0
+    kubeVersion: "1.33"
+    valuesFile: values.yaml
+
+resources:
+  - secrets.yaml

kubernetes/aks-prow-build/datadog/secrets.yaml

@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: datadog-secret
+spec:
+  dataFrom:
+    - extract:
+        key: datadog-secrets
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: k8s-infra-prow-build

kubernetes/aks-prow-build/datadog/values.yaml

@@ -0,0 +1,40 @@
+registry: datadoghq.azurecr.io
+datadog:
+  apiKeyExistingSecret: datadog-secret
+  appKeyExistingSecret: datadog-secret
+  site: us5.datadoghq.com
+  clusterName: k8s-infra-aks-prow-build
+  logs:
+    enabled: true
+    containerCollectAll: true
+  prometheusScrape:
+    enabled: true
+    serviceEndpoints: true
+  kubeStateMetricsCore:
+    enabled: true
+  networkMonitoring:
+    enabled: true
+  processAgent:
+    enabled: true
+    processCollection: true
+  sbom:
+    enabled: true
+    containerImage:
+      enabled: true
+      uncompressedLayersSupport: true
+    host:
+      enabled: true
+  apm:
+    instrumentation:
+      skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+  tokenExistingSecret: datadog-secret
+agents:
+  tolerations: # datadog supports arm64
+    - key: kubernetes.io/arch
+      operator: Equal
+      value: arm64
+      effect: NoSchedule
+providers:
+  aks:
+    enabled: true