Add flex node added into / remove from Private AKS cluster #55

Open. weiliu2dev wants to merge 5 commits into Azure:main from weiliu2dev:weiliu2/private-cluster-flex

@weiliu2dev (Collaborator) commented Feb 2, 2026

Summary

Add support for joining nodes to private AKS clusters (clusters with no public API endpoint) via WireGuard VPN through a Gateway VM in Azure.

  • New pkg/privatecluster/ package implementing StepExecutor (Installer) and Executor (Uninstaller) interfaces
  • Automatically provisions a Gateway VM with WireGuard, establishes VPN tunnel, and configures /etc/hosts for API server access
  • For non-private clusters, IsCompleted() returns true immediately — zero overhead, step is skipped
  • Uninstaller supports two cleanup modes: local (keep Gateway for other nodes) and full (remove all Azure resources)
  • Uses Azure Go SDK (track2) for Azure resource management (no az CLI dependency). System tools (WireGuard, SSH, kubectl) are invoked via shell commands.

Files Changed

New package pkg/privatecluster/:

  • installer.go — StepExecutor: Gateway provisioning, VPN setup, kubectl/kubelogin install
  • uninstaller.go — Executor: Node drain/delete, VPN teardown, Gateway cleanup
  • vpn.go — WireGuard key generation, config, interface management
  • azure_client.go — Azure SDK client for Gateway VM lifecycle
  • ssh.go — SSH key generation and Gateway SSH operations
  • tool_installer.go — kubectl and kubelogin binary download/install
  • types.go — Gateway config types and defaults
  • utils.go — Helper functions (hosts file, file I/O, hostname)
  • privatecluster_test.go — Unit tests
  • README.md — Usage documentation
  • create_private_cluster.md — Private cluster setup guide

Modified files:

  • pkg/bootstrapper/bootstrapper.go — Add privatecluster as first bootstrap/unbootstrap step
  • pkg/config/structs.go — Add TargetClusterConfig fields (private, gateway, cleanupMode)
  • commands.go — Add --cleanup-mode flag for unbootstrap
  • pkg/utils/utils.go — Add RunCommandWithOutputContext and RunCommandSilentContext

Test plan

  • go build ./... passes
  • go test ./... passes
  • gofmt and golangci-lint pass
  • E2E: Bootstrap node to private AKS cluster via VPN
  • E2E: Unbootstrap with --cleanup-mode=local and --cleanup-mode=full
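
The summary above says the installer configures /etc/hosts for API server access and the uninstaller reverses it. As an added example (not code from this pull request), here is one way to make that edit idempotent and resistant to line injection; the marker comment, function names and the sample IP/FQDN are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// marker tags lines owned by this tool so cleanup removes only its own entries (assumed convention).
const marker = "# managed-by: private-cluster-example"

// fqdnRe accepts DNS hostnames only: no whitespace, newline or '#' can smuggle in an extra hosts line.
var fqdnRe = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)

// stripManaged drops every marker-tagged line that maps fqdn; all other lines are kept verbatim.
func stripManaged(content, fqdn string) []string {
	var kept []string
	for _, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		if f := strings.Fields(line); strings.HasSuffix(line, marker) && len(f) >= 2 && f[1] == fqdn {
			continue
		}
		kept = append(kept, line)
	}
	return kept
}

// UpsertHostsEntry returns content with exactly one managed line for fqdn, after validating both values.
func UpsertHostsEntry(content, ip, fqdn string) (string, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return "", fmt.Errorf("invalid IP %q: %w", ip, err)
	}
	if fqdn = strings.ToLower(fqdn); len(fqdn) > 253 || !fqdnRe.MatchString(fqdn) {
		return "", fmt.Errorf("invalid FQDN %q", fqdn)
	}
	lines := append(stripManaged(content, fqdn), fmt.Sprintf("%s %s %s", addr, fqdn, marker))
	return strings.Join(lines, "\n") + "\n", nil
}

// RemoveHostsEntry undoes UpsertHostsEntry and leaves entries written by anyone else untouched.
func RemoveHostsEntry(content, fqdn string) string {
	return strings.Join(stripManaged(content, strings.ToLower(fqdn)), "\n") + "\n"
}

func main() { // constructed sample input, not a real cluster
	out, _ := UpsertHostsEntry("127.0.0.1 localhost\n", "10.0.0.4", "example.privatelink.eastus.azmk8s.io")
	fmt.Print(out)
}
```

The functions work on file content rather than the file itself, so the caller can write the result to a temporary file and rename it over /etc/hosts atomically.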

Add the foundational privatecluster package for joining nodes to
private AKS clusters via WireGuard VPN through a Gateway VM.
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from d4d925c to 69604af Compare February 2, 2026 08:44
Replace shell scripts with native Go implementation using Azure SDK:
- azure_client.go: Azure SDK client for Gateway VM lifecycle
- installer.go: StepExecutor for Gateway provisioning and VPN setup
- uninstaller.go: Executor for node cleanup and Gateway teardown
- tool_installer.go: kubectl and kubelogin binary downloads
@github-advanced-security github-advanced-security bot left a comment

gosec found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 3 times, most recently from ffdc990 to bd3daff Compare February 4, 2026 22:43
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 3 times, most recently from 81f6179 to 204ad26 Compare February 6, 2026 23:02
@weiliu2dev (Collaborator, Author)

@Neo-NZ please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement
@microsoft-github-policy-service agree company="Microsoft“

@weiliu2dev (Collaborator, Author)

@Neo-NZ please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement
@microsoft-github-policy-service agree company="Microsoft“

@microsoft-github-policy-service agree company="Microsoft"

@wenxuan0923 (Collaborator)

I suggest spending a bit more time reviewing our codebase before starting to contribute. Thanks!

@weiliu2dev (Collaborator, Author)

> I suggest spending a bit more time reviewing our codebase before starting to contribute. Thanks!

Makes sense.

weiliu2 added 2 commits February 11, 2026 19:07
- Add privatecluster as first bootstrap/unbootstrap step
- Add TargetClusterConfig fields (private, gateway, cleanupMode)
- Add --cleanup-mode flag for unbootstrap command
- Remove unused config field from BaseExecutor
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 7 times, most recently from e5d9229 to eee87ae Compare February 22, 2026 11:04
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from eee87ae to c1ab0f9 Compare February 22, 2026 11:08
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from c1ab0f9 to 9369be3 Compare February 22, 2026 11:13
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from c6afa59 to 643199c Compare February 22, 2026 12:01
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 643199c to 88f8a4c Compare February 22, 2026 21:46
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 88f8a4c to 7c1096a Compare February 22, 2026 21:55
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 7c1096a to ac63471 Compare February 22, 2026 22:52
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from ac63471 to de348c7 Compare February 23, 2026 07:44