✨ Add support for private dns zones

[CecileRobertMichon]

What type of PR is this?
/kind feature

What this PR does / why we need it: This PR adds private dns support for private clusters. When a cluster with an internal api server LB is created, capz will create a private dns zone with it and link it to the cluster's vnet. The internal LB IP is then added to the dns zone as a record with hostname apiserver. This allows reaching the API Server from within the vnet with FQDN apiserver.$CLUSTER_NAME.capz.io. It also fixes the hairpin routing issue on all control plane VMs by adding a hosts entry so control planes resolve apiserver as localhost.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1016

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Add support for private dns zones

[devigned]

Had a couple questions. Looks great!

[nader-ziada]

all good except for one small kind of nit

[nader-ziada]

/lgtm

[voor]

Does Azure Private DNS allow setting a recursive resolver? My very limited experience with it seemed to cause DNS issues, but there's a good chance it wasn't configured properly.

[devigned]

Couple requested changes. Per the sorted imports, I'll open a PR with a linter rule to enforce.

[devigned]

@jadarsie what do you think of private DNS entries with regard to Azure Stack?

[CecileRobertMichon]

Does Azure Private DNS allow setting a recursive resolver? My very limited experience with it seemed to cause DNS issues, but there's a good chance it wasn't configured properly.

@voor it does not, but Azure VMs are already configured to have "a recursive DNS service that is provided separately as part of Azure's infrastructure" (source https://docs.microsoft.com/en-us/azure/dns/dns-domain-delegation#resolution-and-delegation). What kind of issues did you run into? I have not observed any issues while testing this so far.

[devigned]

/lgtm

[devigned]

/retest

[CecileRobertMichon]

(testing something unrelated)

/test pull-cluster-api-provider-azure-capi-e2e

[CecileRobertMichon]

/test pull-cluster-api-provider-azure-capi-e2e

[CecileRobertMichon]

/test pull-cluster-api-provider-azure-capi-e2e

fixed the cred issue in #1043

[CecileRobertMichon]

/retest

[nader-ziada]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nader-ziada

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nader-ziada]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[CecileRobertMichon]

/retest

[CecileRobertMichon]

different flake :(

/retest

[nader-ziada]

/test pull-cluster-api-provider-azure-e2e

[dlipovetsky]

It also fixes the hairpin routing issue on all control plane VMs by adding a hosts entry so control planes resolve apiserver as localhost.

For reference, the page linked in the description doesn't include the relevant issue; I think it was moved here: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-backend-traffic#cause-4-accessing-the-internal-load-balancer-frontend-from-the-participating-load-balancer-backend-pool-vm