Skip to content

Add flex node added into / remove from Private AKS cluster#55

Open
weiliu2dev wants to merge 5 commits intoAzure:mainfrom
weiliu2dev:weiliu2/private-cluster-flex
Open

Add flex node added into / remove from Private AKS cluster#55
weiliu2dev wants to merge 5 commits intoAzure:mainfrom
weiliu2dev:weiliu2/private-cluster-flex

Conversation

@weiliu2dev
Copy link
Collaborator

@weiliu2dev weiliu2dev commented Feb 2, 2026
edited
Loading

Summary

Add support for joining nodes to private AKS clusters (clusters with no public API endpoint) via WireGuard VPN through a Gateway VM in
Azure.

  • New pkg/privatecluster/ package implementing StepExecutor (Installer) and Executor (Uninstaller) interfaces
  • Automatically provisions a Gateway VM with WireGuard, establishes VPN tunnel, and configures /etc/hosts for API server access
  • For non-private clusters, IsCompleted() returns true immediately — zero overhead, step is skipped
  • Uninstaller supports two cleanup modes: local (keep Gateway for other nodes) and full (remove all Azure resources)
  • Uses Azure Go SDK (track2) for Azure resource management (no az CLI dependency). System tools (WireGuard, SSH, kubectl) are invoked via shell commands.

Files Changed

New package pkg/privatecluster/:

  • installer.go — StepExecutor: Gateway provisioning, VPN setup, kubectl/kubelogin install
  • uninstaller.go — Executor: Node drain/delete, VPN teardown, Gateway cleanup
  • vpn.go — WireGuard key generation, config, interface management
  • azure_client.go — Azure SDK client for Gateway VM lifecycle
  • ssh.go — SSH key generation and Gateway SSH operations
  • tool_installer.go — kubectl and kubelogin binary download/install
  • types.go — Gateway config types and defaults
  • utils.go — Helper functions (hosts file, file I/O, hostname)
  • privatecluster_test.go — Unit tests
  • README.md — Usage documentation
  • create_private_cluster.md — Private cluster setup guide

Modified files:

  • pkg/bootstrapper/bootstrapper.go — Add privatecluster as first bootstrap/unbootstrap step
  • pkg/config/structs.go — Add TargetClusterConfig fields (private, gateway, cleanupMode)
  • commands.go — Add --cleanup-mode flag for unbootstrap
  • pkg/utils/utils.go — Add RunCommandWithOutputContext and RunCommandSilentContext

Test plan

  • go build ./... passes
  • go test ./... passes
  • gofmt and golangci-lint pass
  • E2E: Bootstrap node to private AKS cluster via VPN
  • E2E: Unbootstrap with --cleanup-mode=local and --cleanup-mode=full

Private AKS cluster: add core types, VPN, and SSH support
e1ff0af 
Add the foundational privatecluster package for joining nodes to
private AKS clusters via WireGuard VPN through a Gateway VM.
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from d4d925c to 69604af Compare February 2, 2026 08:44
wenxuan0923
wenxuan0923 reviewed Feb 2, 2026
View reviewed changes
wenxuan0923
wenxuan0923 reviewed Feb 2, 2026
View reviewed changes
Change VPN install/uninstall from bash to Go, remove bash scripts
f583f12 
Replace shell scripts with native Go implementation using Azure SDK:
- azure_client.go: Azure SDK client for Gateway VM lifecycle
- installer.go: StepExecutor for Gateway provisioning and VPN setup
- uninstaller.go: Executor for node cleanup and Gateway teardown
- tool_installer.go: kubectl and kubelogin binary downloads
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 4, 2026
View reviewed changes
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gosec found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 3 times, most recently from ffdc990 to bd3daff Compare February 4, 2026 22:43
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 4, 2026
View reviewed changes
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 3 times, most recently from 81f6179 to 204ad26 Compare February 6, 2026 23:02
@weiliu2dev
Copy link
Collaborator Author

weiliu2dev commented Feb 6, 2026

@Neo-NZ please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement
@microsoft-github-policy-service agree company="Microsoft“

@weiliu2dev
Copy link
Collaborator Author

weiliu2dev commented Feb 6, 2026

@Neo-NZ please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement
@microsoft-github-policy-service agree company="Microsoft“

@microsoft-github-policy-service agree company="Microsoft"

@weiliu2dev weiliu2dev closed this Feb 6, 2026
@weiliu2dev weiliu2dev reopened this Feb 6, 2026
@wenxuan0923
Copy link
Collaborator

wenxuan0923 commented Feb 7, 2026

I suggest spending a bit more time reviewing our codebase before starting to contribute. Thanks!

wenxuan0923
wenxuan0923 reviewed Feb 7, 2026
View reviewed changes
wenxuan0923
wenxuan0923 reviewed Feb 7, 2026
View reviewed changes
wenxuan0923
wenxuan0923 reviewed Feb 7, 2026
View reviewed changes
@weiliu2dev
Copy link
Collaborator Author

weiliu2dev commented Feb 10, 2026

I suggest spending a bit more time reviewing our codebase before starting to contribute. Thanks!

make senses.

weiliu2 added 2 commits February 11, 2026 19:07
Integrate privatecluster with bootstrapper framework
2997606 
- Add privatecluster as first bootstrap/unbootstrap step
- Add TargetClusterConfig fields (private, gateway, cleanupMode)
- Add --cleanup-mode flag for unbootstrap command
- Remove unused config field from BaseExecutor
Add privatecluster unit tests
7b43aeb
wenxuan0923
wenxuan0923 reviewed Feb 13, 2026
View reviewed changes
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch 6 times, most recently from e5d9229 to eee87ae Compare February 22, 2026 11:04
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 22, 2026
View reviewed changes
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from eee87ae to c1ab0f9 Compare February 22, 2026 11:08
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from c1ab0f9 to 9369be3 Compare February 22, 2026 11:13
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from c6afa59 to 643199c Compare February 22, 2026 12:01
@weiliu2dev weiliu2dev mentioned this pull request Feb 22, 2026
Open
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 643199c to 88f8a4c Compare February 22, 2026 21:46
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 88f8a4c to 7c1096a Compare February 22, 2026 21:55
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 7c1096a to ac63471 Compare February 22, 2026 22:52
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from ac63471 to de348c7 Compare February 23, 2026 07:44
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 23, 2026
View reviewed changes
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from de348c7 to 70a406b Compare February 23, 2026 07:55
@weiliu2dev weiliu2dev force-pushed the weiliu2/private-cluster-flex branch from 70a406b to 66e48e0 Compare February 23, 2026 08:06
anson627
anson627 reviewed Feb 23, 2026
View reviewed changes
pkg/privatecluster/create_private_cluster.md
@@ -0,0 +1,165 @@
# Create Private AKS Cluster
Copy link
Collaborator

@anson627 anson627 Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move to docs folder?

Copy link
Collaborator Author

@weiliu2dev weiliu2dev Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, good

pkg/privatecluster/README.md
@@ -0,0 +1,99 @@
# Private AKS Cluster - Edge Node Join/Leave
Copy link
Collaborator

@anson627 anson627 Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consolidate with create_private_cluster.md into one usage doc?

Copy link
Collaborator Author

@weiliu2dev weiliu2dev Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, will do it.

.gitignore

# Config files with sensitive data (keep sample config)
config.json
Standard_D8pds_v6_sku.json
Copy link
Collaborator

@anson627 anson627 Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rm?

Copy link
Collaborator Author

@weiliu2dev weiliu2dev Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

pkg/config/structs.go
Location string `json:"location"` // Azure region of the cluster (e.g., "eastus", "westus2")
ResourceID string `json:"resourceId"` // Full resource ID of the target AKS cluster
Location string `json:"location"` // Azure region of the cluster (e.g., "eastus", "westus2")
IsPrivateCluster bool `json:"private" mapstructure:"private"` // Whether this is a private AKS cluster (requires Gateway/VPN setup)
Copy link
Collaborator

@anson627 anson627 Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reconsider the naming private cluster, since this applies to other use cases: VM/BM within VPC from 3rd party cloud, physical machine behind office firewall

Copy link
Collaborator Author

@weiliu2dev weiliu2dev Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Agreed. VPN connections are not limited to private clusters. Currently, "private: true" is used as the trigger condition; this can be changed to "gateway: true" or other conditions in the future to support more network scenarios.

Copy link
Collaborator Author

@weiliu2dev weiliu2dev Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we update it in the following PR as the current PR is already big?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anson627 anson627 anson627 left review comments

@wenxuan0923 wenxuan0923 wenxuan0923 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@weiliu2dev @wenxuan0923 @anson627