fix Azure profile-aware AKS Flex bootstrap

[qike-ms]

Summary

• make AKS Flex config resolution honor
  
  AZURE_CONFIG_DIR when deriving the default Azure subscription ID
• make node bootstrap use the tenant from the selected Azure CLI profile instead of assuming the default profile tenant
• install Cilium in AKS BYOCNI mode using kubeconfig-derived API server settings so Flex cluster creation works with non-default Azure CLI profiles

Why

AKS Flex cluster creation and node bootstrap could silently use the wrong Azure CLI profile when users isolate multiple Azure accounts with different AZURE_CONFIG_DIR folders. That broke Flex cluster creation and external node bootstrap for clusters created from a non-default Azure profile.

Validation

• go test ./internal/config/... ./internal/aks/deploy/... in cli
• go test ./pkg/util/config/... in plugin
• end-to-end recreated a Flex cluster in a non-default Azure profile and joined external Linux nodes successfully

[Copilot]

Pull request overview

Improves AKS Flex bootstrap and related tooling to correctly respect non-default Azure CLI profiles (notably when users set AZURE_CONFIG_DIR), avoiding accidental use of the default profile during cluster creation, node bootstrap, and Cilium install.

Changes:

• Make default Azure subscription ID resolution read clouds.config from AZURE_CONFIG_DIR (with fallback to $HOME/.azure).
• Make kubeadm defaults pick the tenant ID from the Azure CLI profile under AZURE_CONFIG_DIR when creating AzureCLICredential.
• Install Cilium in AKS BYOCNI mode using kubeconfig-derived API server host/port, and update node bootstrap apt install flags.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
plugin/pkg/util/config/config.go	Honor AZURE_CONFIG_DIR when reading clouds.config for default subscription ID.
plugin/pkg/util/config/config_test.go	Adds test coverage for AZURE_CONFIG_DIR subscription resolution.
cli/internal/config/nodebootstrap/assets/script.sh.tmpl	Adjusts apt install command to allow changing held packages.
cli/internal/config/nodebootstrap/script_test.go	Updates expected rendered script line for apt install flag change.
cli/internal/config/configcmd/defaults.go	Uses Azure CLI profile tenant (from azureProfile.json) when building Azure CLI credential for kubeadm defaults.
cli/internal/config/configcmd/defaults_test.go	Adds test coverage for tenant ID resolution from AZURE_CONFIG_DIR profile.
cli/internal/aks/deploy/cilium.go	Switches to BYOCNI-oriented Cilium install flow and derives API server host/port from kubeconfig.
cli/internal/aks/deploy/cilium_test.go	Adds test coverage for kubeconfig API server parsing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[bcho]

@copilot

[bcho]

this is actually easier to just extract the tenant id via getting the command output of az account show --query 'tenantId' -o tsv. This can avoid adding hard dependency on az cli's internal state.

@copilot

[bcho]

and we should move this function to pkg/util/config @copilot

[bcho]

i suppose these changes are included in 2a5060a already? Not sure why it still shows up in this pr. Maybe we should do a rebase here. @copilot

[bcho]

we can potentitally use implementations under

aks-flex/plugin/pkg/util/k8s/k8s.go

Line 48 in 2a5060a

func Kubeconfig(ctx context.Context, credentials azcore.TokenCredential, cfg *config.Config) (*api.Config, error) {

to simplify this impl, also prefer moving this function to there. @copilot

[Copilot]

@bcho I've opened a new pull request, #55, to work on those changes. Once the pull request is ready, I'll request review from you.

[bcho]

LGTM

[bcho]

@copilot run go mod tidy across all sub modules

[Copilot]

@bcho I've opened a new pull request, #56, to work on those changes. Once the pull request is ready, I'll request review from you.