Skip to content

Add Azure Linux 3 prow template for testing #5829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 18, 2025
+3,272 −3
Merged

Add Azure Linux 3 prow template for testing #5829

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
482 changes: 482 additions & 0 deletions templates/test/ci/cluster-template-prow-azl3.yaml
View file
Open in desktop

Large diffs are not rendered by default.

1,438 changes: 1,438 additions & 0 deletions templates/test/ci/cluster-template-prow-ci-version-azl3.yaml
View file
Open in desktop

Large diffs are not rendered by default.

696 changes: 696 additions & 0 deletions templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml
View file
Open in desktop

Large diffs are not rendered by default.

36 changes: 36 additions & 0 deletions templates/test/ci/prow-azl3/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ../../../flavors/default
- ../../../addons/cluster-api-helm/calico.yaml
- ../../../addons/cluster-api-helm/azuredisk-csi-driver.yaml
- ../../../addons/cluster-api-helm/cloud-provider-azure.yaml
- ../../../addons/cluster-api-helm/cloud-provider-azure-ci.yaml
patches:
- path: ../patches/tags.yaml
- path: ../patches/mhc.yaml
- path: ../patches/controller-manager.yaml
- path: ../patches/uami-md-0.yaml
- path: ../patches/uami-control-plane.yaml
- path: ../patches/cluster-label-calico.yaml
- path: ../patches/cluster-label-cloud-provider-azure.yaml
- path: patches/controller-manager.yaml
target:
group: controlplane.cluster.x-k8s.io
kind: KubeadmControlPlane
name: .*-control-plane
version: v1beta1
- path: patches/kubeadm-config-template-azl3.yaml
target:
group: bootstrap.cluster.x-k8s.io
kind: KubeadmConfigTemplate
name: .*-md-0
namespace: default
version: v1beta1
- path: patches/azuremachinetemplate-azl3-image.yaml
- path: patches/cloud-provider-azure-cacertdir.yaml
- path: patches/cloud-provider-azure-ci-cacertdir.yaml

sortOptions:
order: fifo
25 changes: 25 additions & 0 deletions templates/test/ci/prow-azl3/patches/azuremachinetemplate-azl3-image.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-control-plane
spec:
template:
spec:
image:
computeGallery:
gallery: ClusterAPI-f72ceb4f-5159-4c26-a0fe-2ea738f0d019
name: capi-azurelinux-3
version: ${AZL3_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-md-0
spec:
template:
spec:
image:
computeGallery:
gallery: ClusterAPI-f72ceb4f-5159-4c26-a0fe-2ea738f0d019
name: capi-azurelinux-3
version: ${AZL3_VERSION}
12 changes: 12 additions & 0 deletions templates/test/ci/prow-azl3/patches/cloud-provider-azure-cacertdir.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
name: cloud-provider-azure-chart
spec:
valuesTemplate: |
infra:
clusterName: {{ .Cluster.metadata.name }}
cloudControllerManager:
caCertDir: "/etc/pki/tls/certs"
clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
logVerbosity: 4
23 changes: 23 additions & 0 deletions templates/test/ci/prow-azl3/patches/cloud-provider-azure-ci-cacertdir.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
name: cloud-provider-azure-chart-ci
spec:
valuesTemplate: |
infra:
clusterName: {{ .Cluster.metadata.name }}
cloudControllerManager:
caCertDir: "/etc/pki/tls/certs"
cloudConfig: ${CLOUD_CONFIG:-"/etc/kubernetes/azure.json"}
cloudConfigSecretName: ${CONFIG_SECRET_NAME:-""}
clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
imageName: "${CCM_IMAGE_NAME:-""}"
imageRepository: "${IMAGE_REGISTRY:-""}"
imageTag: "${IMAGE_TAG_CCM:-""}"
logVerbosity: ${CCM_LOG_VERBOSITY:-4}
replicas: ${CCM_COUNT:-1}
enableDynamicReloading: ${ENABLE_DYNAMIC_RELOADING:-false}
cloudNodeManager:
imageName: "${CNM_IMAGE_NAME:-""}"
imageRepository: "${IMAGE_REGISTRY:-""}"
imageTag: "${IMAGE_TAG_CNM:-""}"
46 changes: 46 additions & 0 deletions templates/test/ci/prow-azl3/patches/controller-manager.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
- op: add
path: /spec/kubeadmConfigSpec/files/0
value:
content: |
#!/bin/bash

set -o nounset
set -o pipefail
set -o errexit

# Install ca-certificates packages for Azure Linux
tdnf install -y ca-certificates ca-certificates-legacy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This setup looks reasonable to me. We should move some of this to the image-builder ansible scripts for Azure Linux--I'll create an issue or PR once this merges.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I figured out most of these ips from trial and error. I tried using netstat but there were more ips I needed to enable from what that told me.

update-ca-trust

# Allow Azure service IP addresses (required for Azure resources)
iptables -A INPUT -s 168.63.129.16 -j ACCEPT
iptables -A OUTPUT -d 168.63.129.16 -j ACCEPT

# Kubernetes API Server (port 6443) - bound to all IPv6 interfaces, needs external access
iptables -A INPUT -p tcp --dport 6443 -j ACCEPT

# etcd server communication
iptables -A INPUT -p tcp --dport 2379 -j ACCEPT
iptables -A INPUT -p tcp --dport 2380 -j ACCEPT

# Allow traffic to Kubernetes service network (10.96.0.0/12)
iptables -A OUTPUT -d 10.96.0.0/12 -j ACCEPT
iptables -A INPUT -s 10.96.0.0/12 -j ACCEPT

# Allow traffic to/from node network (10.1.0.0/24)
iptables -A OUTPUT -d 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT

# Allow traffic to/from Calico pod network
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

# Save the rules following Azure Linux 3 approach
iptables-save > /etc/systemd/scripts/ip4save
path: /tmp/azl3-setup.sh
owner: "root:root"
permissions: "0744"
- op: add
path: /spec/kubeadmConfigSpec/preKubeadmCommands/0
value:
bash -c /tmp/azl3-setup.sh
17 changes: 17 additions & 0 deletions templates/test/ci/prow-azl3/patches/disable-vm-bootstrap-extension.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-control-plane
spec:
template:
spec:
disableVMBootstrapExtension: true
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-md-0
spec:
template:
spec:
disableVMBootstrapExtension: true
63 changes: 63 additions & 0 deletions templates/test/ci/prow-azl3/patches/kubeadm-config-template-azl3.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
- op: add
path: /spec/template/spec/files/0
value:
content: |
#!/bin/bash

set -o nounset
set -o pipefail
set -o errexit

# Allow Azure service IP addresses (required for Azure resources)
iptables -A INPUT -s 168.63.129.16 -j ACCEPT
iptables -A OUTPUT -d 168.63.129.16 -j ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH (port 22)
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Kubelet API (port 10250)
iptables -A INPUT -p tcp --dport 10250 -j ACCEPT

# Allow traffic to Kubernetes service network (10.96.0.0/12)
iptables -A OUTPUT -d 10.96.0.0/12 -j ACCEPT
iptables -A INPUT -s 10.96.0.0/12 -j ACCEPT

# Allow traffic to/from Calico pod network (192.168.0.0/16)
iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

# Allow traffic to/from node network (10.1.0.0/24)
iptables -A OUTPUT -d 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT

# Calico networking requirements
# Calico Typha (port 5473)
iptables -A INPUT -p tcp --dport 5473 -j ACCEPT

# VXLAN for overlay networking (port 4789 UDP)
iptables -A INPUT -p udp --dport 4789 -j ACCEPT

# BGP for node-to-node communication (port 179)
iptables -A INPUT -p tcp --d port 179 -j ACCEPT

# DNS (port 53)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Save the rules following Azure Linux 3 approach
iptables-save > /etc/systemd/scripts/ip4save
path: /tmp/azl3-setup.sh
owner: "root:root"
permissions: "0744"
- op: add
path: /spec/template/spec/preKubeadmCommands/0
value:
bash -c /tmp/azl3-setup.sh
19 changes: 19 additions & 0 deletions templates/test/ci/prow-azl3/patches/remove-marketplace-image.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-control-plane
spec:
template:
spec:
image:
marketplace: null
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
name: ${CLUSTER_NAME}-md-0
spec:
template:
spec:
image:
marketplace: null
26 changes: 26 additions & 0 deletions templates/test/ci/prow-ci-version-azl3/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ../prow-ci-version
patches:
- path: ../prow-azl3/patches/controller-manager.yaml
target:
group: controlplane.cluster.x-k8s.io
kind: KubeadmControlPlane
name: .*-control-plane
version: v1beta1
- path: ../prow-azl3/patches/kubeadm-config-template-azl3.yaml
target:
group: bootstrap.cluster.x-k8s.io
kind: KubeadmConfigTemplate
name: .*-md-0
namespace: default
version: v1beta1
- path: ../prow-azl3/patches/azuremachinetemplate-azl3-image.yaml
- path: ../prow-azl3/patches/remove-marketplace-image.yaml
- path: ../prow-azl3/patches/cloud-provider-azure-cacertdir.yaml
- path: ../prow-azl3/patches/cloud-provider-azure-ci-cacertdir.yaml

sortOptions:
order: fifo
31 changes: 31 additions & 0 deletions templates/test/ci/prow-dalec-custom-builds/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ../prow-apiserver-ilb-custom-images
- patches/azl3-machine-deployment.yaml
patches:
- path: patches/kubeadm-bootstrap-custom-builds.yaml
target:
group: bootstrap.cluster.x-k8s.io
kind: KubeadmConfigTemplate
name: ^[^-]*-md-0$
namespace: default
version: v1beta1
- path: patches/control-plane-custom-builds.yaml
target:
group: controlplane.cluster.x-k8s.io
kind: KubeadmControlPlane
name: .*-control-plane
version: v1beta1
- path: patches/delete-machine-health-check.yaml
target:
group: cluster.x-k8s.io
kind: MachineHealthCheck
name: .*-control-plane
namespace: default
version: v1beta1

sortOptions:
order: fifo

Loading