enable cilium with private acr (#1088)

To make cilium image pulling more quicker, we leverage to use private
acr feature which can cache the image at private registery.

test passed:
https://dev.azure.com/akstelescope/telescope/_build/results?buildId=57173&view=results

Author: zqingqing1

modules/terraform/azure/acr/main.tf

@@ -0,0 +1,150 @@
+locals {
+  acr_config_map            = { for i, acr in var.acr_config_list : tostring(i) => acr }
+  acr_private_dns_zone_name = length(var.acr_config_list) > 0 ? try(var.acr_config_list[0].private_endpoint.private_dns_zone_name, "privatelink.azurecr.io") : "privatelink.azurecr.io"
+  acr_private_dns_enabled   = length([for acr in var.acr_config_list : acr if try(acr.private_endpoint != null, false)]) > 0
+
+  # Plan-known switch for whether an aks-cli role needs a kubelet identity / AcrPull grants.
+  # This is intentionally computed only from input configuration (acr_config_list), not from
+  # any resource IDs, to keep downstream `count`/`for_each` stable during planning.
+  acr_pull_enabled_by_aks_cli_role = {
+    for role in var.aks_cli_roles : role => length([
+      for acr in var.acr_config_list : 1
+      if contains(
+        concat(try(acr.acrpull_aks_cli_roles, []), try(acr.contributor_aks_cli_roles, [])),
+        role
+      )
+    ]) > 0
+  }
+
+  acr_private_dns_vnet_roles = distinct([
+    for acr in var.acr_config_list : var.subnet_to_network_role[acr.private_endpoint.subnet_name]
+    if try(acr.private_endpoint != null, false)
+  ])
+
+  # Terraform doesn't have regexreplace(); replace() supports regex when pattern is wrapped in /.../
+  acr_default_name_prefix = substr(replace(lower("acr${var.scenario_name}${var.run_id}"), "/[^0-9a-z]/", ""), 0, 45)
+
+  acr_name_map = {
+    for acr_key, acr in local.acr_config_map :
+    acr_key => (acr.name != null ? acr.name : substr("${local.acr_default_name_prefix}${acr_key}", 0, 50))
+  }
+
+  acr_id_map = {
+    for acr_key, acr_name in local.acr_name_map :
+    acr_key => format(
+      "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s",
+      data.azurerm_client_config.current.subscription_id,
+      var.resource_group_name,
+      acr_name
+    )
+  }
+
+  acr_cache_rule_map = length(var.acr_config_list) > 0 ? merge([
+    for acr_key, acr in local.acr_config_map : {
+      for rule in try(acr.cache_rules, []) : "${acr_key}/${rule.name}" => {
+        acr_key                    = acr_key
+        name                       = rule.name
+        source_repository          = rule.source_repository
+        target_repository          = rule.target_repository
+        credential_set_resource_id = try(rule.credential_set_resource_id, null)
+      }
+    }
+  ]...) : {}
+
+  # Plan-stable map form of ACR pull scopes, keyed by the ACR config map key.
+  # Using stable keys avoids Terraform "Invalid for_each argument" when the list length
+  # of scopes is unknown at plan time.
+  acr_pull_scopes_map_by_aks_cli_role = {
+    for role in var.aks_cli_roles : role => {
+      for acr_key, acr in local.acr_config_map :
+      acr_key => local.acr_id_map[acr_key]
+      if contains(
+        concat(try(acr.acrpull_aks_cli_roles, []), try(acr.contributor_aks_cli_roles, [])),
+        role
+      )
+    }
+  }
+
+  bootstrap_container_registry_resource_id_by_aks_cli_role = {
+    for role, scopes_map in local.acr_pull_scopes_map_by_aks_cli_role : role => (
+      length(scopes_map) > 0 ? scopes_map[sort(keys(scopes_map))[0]] : null
+    )
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_container_registry" "acr" {
+  for_each = local.acr_config_map
+
+  name                          = local.acr_name_map[each.key]
+  resource_group_name           = var.resource_group_name
+  location                      = var.location
+  sku                           = each.value.sku
+  admin_enabled                 = each.value.admin_enabled
+  public_network_access_enabled = each.value.public_network_access_enabled
+  tags                          = var.tags
+}
+
+resource "azurerm_private_dns_zone" "acr" {
+  count = local.acr_private_dns_enabled ? 1 : 0
+
+  name                = local.acr_private_dns_zone_name
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "acr" {
+  for_each = local.acr_private_dns_enabled ? { for role in local.acr_private_dns_vnet_roles : role => role } : {}
+
+  name                  = "acr-dns-link-${each.key}"
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = azurerm_private_dns_zone.acr[0].name
+  virtual_network_id    = var.vnet_ids_by_role[each.key]
+  registration_enabled  = false
+  tags                  = var.tags
+}
+
+resource "azurerm_private_endpoint" "acr" {
+  for_each = { for k, acr in local.acr_config_map : k => acr if try(acr.private_endpoint != null, false) }
+
+  name                = "acr-pe-${each.key}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.subnet_ids_by_name[each.value.private_endpoint.subnet_name]
+  tags                = var.tags
+
+  private_service_connection {
+    name                           = "acr-psc-${each.key}"
+    private_connection_resource_id = azurerm_container_registry.acr[each.key].id
+    subresource_names              = ["registry"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    name                 = "acr-dns-${each.key}"
+    private_dns_zone_ids = [azurerm_private_dns_zone.acr[0].id]
+  }
+
+  depends_on = [azurerm_private_dns_zone_virtual_network_link.acr]
+}
+
+resource "azapi_resource" "acr_cache_rule" {
+  for_each = local.acr_cache_rule_map
+
+  type      = "Microsoft.ContainerRegistry/registries/cacheRules@2023-07-01"
+  name      = each.value.name
+  parent_id = azurerm_container_registry.acr[each.value.acr_key].id
+
+  body = {
+    properties = merge(
+      {
+        sourceRepository = each.value.source_repository
+        targetRepository = each.value.target_repository
+      },
+      each.value.credential_set_resource_id != null ? { credentialSetResourceId = each.value.credential_set_resource_id } : {}
+    )
+  }
+
+  depends_on = [azurerm_container_registry.acr]
+}

modules/terraform/azure/acr/output.tf

@@ -0,0 +1,14 @@
+output "acr_pull_enabled_by_aks_cli_role" {
+  description = "Map of aks-cli role to a plan-known boolean indicating whether to enable kubelet identity + ACR pull grants for that role."
+  value       = local.acr_pull_enabled_by_aks_cli_role
+}
+
+output "acr_pull_scopes_map_by_aks_cli_role" {
+  description = "Map of aks-cli role to map of stable keys -> ACR scope IDs to grant AcrPull on. Use this to drive plan-stable for_each downstream."
+  value       = local.acr_pull_scopes_map_by_aks_cli_role
+}
+
+output "bootstrap_container_registry_resource_id_by_aks_cli_role" {
+  description = "Map of aks-cli role to a single ACR resource ID (first pull scope) used for bootstrap_artifact_source."
+  value       = local.bootstrap_container_registry_resource_id_by_aks_cli_role
+}

modules/terraform/azure/acr/variables.tf

@@ -0,0 +1,72 @@
+variable "acr_config_list" {
+  description = "Optional list of Azure Container Registries (ACR) to create. Each entry can also enable a Private Endpoint + Private DNS integration (Private Link)."
+  type = list(object({
+    name                          = optional(string, null)
+    sku                           = optional(string, "Premium")
+    admin_enabled                 = optional(bool, false)
+    public_network_access_enabled = optional(bool, true)
+
+    private_endpoint = optional(object({
+      subnet_name           = string
+      private_dns_zone_name = optional(string, "privatelink.azurecr.io")
+    }), null)
+
+    acrpull_aks_cli_roles     = optional(list(string), [])
+    contributor_aks_cli_roles = optional(list(string), [])
+
+    cache_rules = optional(list(object({
+      name                       = string
+      source_repository          = string
+      target_repository          = string
+      credential_set_resource_id = optional(string, null)
+    })), [])
+  }))
+  default = []
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group name where ACR resources will be created."
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region for ACR resources."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to ACR resources."
+  default     = {}
+}
+
+variable "scenario_name" {
+  type        = string
+  description = "Scenario name used for default ACR name generation."
+}
+
+variable "run_id" {
+  type        = string
+  description = "Run ID used for default ACR name generation and resource group name conventions."
+}
+
+variable "subnet_ids_by_name" {
+  type        = map(string)
+  description = "Map of subnet name to subnet ID."
+}
+
+variable "vnet_ids_by_role" {
+  type        = map(string)
+  description = "Map of network role to virtual network ID."
+}
+
+variable "subnet_to_network_role" {
+  type        = map(string)
+  description = "Map of subnet name to network role (used for Private DNS VNet linking)."
+}
+
+variable "aks_cli_roles" {
+  type        = list(string)
+  description = "List of aks-cli roles to compute ACR pull scopes for."
+  default     = []
+}

modules/terraform/azure/acr/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+    }
+    azapi = {
+      source = "Azure/azapi"
+    }
+  }
+}

modules/terraform/azure/aks-cli/main.tf

@@ -4,6 +4,8 @@ locals {
     format("%s=%s", key, value)
   ]
 
+  acr_pull_scopes_for_each = (!var.aks_cli_config.dry_run && var.enable_kubelet_identity) ? var.acr_pull_scopes_map : {}
+
   extra_pool_map = {
     for pool in var.aks_cli_config.extra_node_pool :
     pool.name => pool
@@ -50,6 +52,7 @@ locals {
     null :
     try(var.subnets_map[var.aks_cli_config.subnet_name], null)
   )
+
   api_server_subnet_id = (
     var.aks_cli_config.api_server_subnet_name == null ?
     null :
@@ -114,6 +117,17 @@ locals {
     )
   )
 
+  kubelet_identity_parameter = (!var.enable_kubelet_identity || var.aks_cli_config.dry_run) ? "" : format(
+    "%s %s",
+    "--assign-kubelet-identity",
+    azurerm_user_assigned_identity.kubelet_identity[0].id,
+  )
+
+  bootstrap_parameters = join(" ", compact([
+    var.bootstrap_artifact_source != null ? format("--bootstrap-artifact-source %s", var.bootstrap_artifact_source) : null,
+    var.bootstrap_container_registry_resource_id != null ? format("--bootstrap-container-registry-resource-id %s", var.bootstrap_container_registry_resource_id) : null,
+  ]))
+
 
   api_server_vnet_integration_parameter = (var.aks_cli_config.enable_apiserver_vnet_integration && local.api_server_subnet_id != null ?
     format(
@@ -165,11 +179,13 @@ locals {
     local.custom_configurations,
     "--no-ssh-key",
     local.kubernetes_version,
+    local.bootstrap_parameters,
     local.optional_parameters,
     local.kms_parameters,
     local.disk_encryption_parameters,
     local.subnet_id_parameter,
     local.managed_identity_parameter,
+    local.kubelet_identity_parameter,
     local.api_server_vnet_integration_parameter,
     local.aad_parameter,
   ], local.default_node_pool_parameters))
@@ -202,6 +218,14 @@ resource "azurerm_user_assigned_identity" "userassignedidentity" {
   tags                = var.tags
 }
 
+resource "azurerm_user_assigned_identity" "kubelet_identity" {
+  count               = (!var.aks_cli_config.dry_run && var.enable_kubelet_identity) ? 1 : 0
+  location            = var.location
+  name                = "${var.aks_cli_config.aks_name}-kubelet-identity"
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
 resource "azurerm_role_assignment" "network_contributor" {
   count                = var.aks_cli_config.managed_identity_name != null && var.aks_cli_config.subnet_name != null ? 1 : 0
   role_definition_name = "Network Contributor"
@@ -217,6 +241,24 @@ resource "azurerm_role_assignment" "network_contributor_api_server_subnet" {
   principal_id         = azurerm_user_assigned_identity.userassignedidentity[0].principal_id
 }
 
+# Grant AcrPull access to ACR for kubelet identity (node identity) BEFORE cluster creation.
+resource "azurerm_role_assignment" "acr_pull_kubelet" {
+  for_each = local.acr_pull_scopes_for_each
+
+  scope                = each.value
+  role_definition_name = "AcrPull"
+  principal_id         = azurerm_user_assigned_identity.kubelet_identity[0].principal_id
+}
+
+# If the cluster uses a user-assigned identity, it must be able to assign/use the kubelet identity.
+resource "azurerm_role_assignment" "managed_identity_operator_kubelet" {
+  count = (!var.aks_cli_config.dry_run && var.enable_kubelet_identity && var.aks_cli_config.managed_identity_name != null) ? 1 : 0
+
+  scope                = azurerm_user_assigned_identity.kubelet_identity[0].id
+  role_definition_name = "Managed Identity Operator"
+  principal_id         = azurerm_user_assigned_identity.userassignedidentity[0].principal_id
+}
+
 resource "terraform_data" "enable_aks_cli_preview_extension" {
   count = var.aks_cli_config.use_aks_preview_cli_extension == true ? 1 : 0
 
@@ -247,7 +289,9 @@ resource "terraform_data" "aks_cli" {
     terraform_data.enable_aks_cli_preview_extension,
     azurerm_role_assignment.network_contributor,
     azurerm_role_assignment.network_contributor_api_server_subnet,
-    azurerm_role_assignment.aks_identity_kms_roles
+    azurerm_role_assignment.aks_identity_kms_roles,
+    azurerm_role_assignment.acr_pull_kubelet,
+    azurerm_role_assignment.managed_identity_operator_kubelet
   ]
 
   input = {
@@ -351,3 +395,4 @@ resource "azurerm_role_assignment" "des_reader_cluster" {
     local.aks_system_assigned_principal_id != null ? local.aks_system_assigned_principal_id : error("Unable to determine AKS system-assigned identity principalId via azapi; cannot grant DES Reader role.")
   )
 }
+

modules/terraform/azure/aks-cli/variables.tf

@@ -47,6 +47,30 @@ variable "aks_aad_enabled" {
   default     = false
 }
 
+variable "acr_pull_scopes_map" {
+  description = "Map of stable keys to Azure resource IDs (scopes) to grant the AKS kubelet identity AcrPull access to. Prefer this over acr_pull_scopes to keep for_each keys plan-stable."
+  type        = map(string)
+  default     = {}
+}
+
+variable "enable_kubelet_identity" {
+  description = "Whether to create and assign a user-assigned kubelet identity (and grant it ACR pull access when acr_pull_scopes are provided). Set false to disable kubelet identity entirely."
+  type        = bool
+  default     = false
+}
+
+variable "bootstrap_artifact_source" {
+  description = "Optional value for --bootstrap-artifact-source (for example, Cache or Direct). If null, the flag is omitted."
+  type        = string
+  default     = null
+}
+
+variable "bootstrap_container_registry_resource_id" {
+  description = "Optional ACR resource ID to pass to --bootstrap-container-registry-resource-id. If null, the flag is omitted."
+  type        = string
+  default     = null
+}
+
 variable "aks_cli_config" {
   type = object({
     role                              = string