

Add ManagedIdentity support for Aks (#18385)
wyunchi-ms authored Jun 6, 2022
1 parent 304e15c commit e5911da
Showing 15 changed files with 5,173 additions and 22 deletions.
7 changes: 7 additions & 0 deletions src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs
Expand Up @@ -72,5 +72,12 @@ public void TestApiServiceAccess()
{
TestRunner.RunTestScript("Test-ApiServiceAccess");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestManagedIdentity()
{
TestRunner.RunTestScript("Test-ManagedIdentity");
}
}
}
41 changes: 41 additions & 0 deletions src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1
Expand Up @@ -305,4 +305,45 @@ function Test-ApiServiceAccess
{
Remove-AzResourceGroup -Name $resourceGroupName -Force
}
}



function Test-ManagedIdentity
{
# Setup
$resourceGroupName = Get-RandomResourceGroupName
$userAssignedkubeClusterName = Get-RandomClusterName
$systemAssignedkubeClusterName = Get-RandomClusterName
$setUserAssignedkubeClusterName = Get-RandomClusterName
$location = 'eastus'
$nodeVmSize = "Standard_D2_v2"

try
{
New-AzResourceGroup -Name $resourceGroupName -Location $location

$credObject = $(createTestCredential "a6148f60-19b8-49b8-a5a5-54945aec926e" "xde7Q~bVRBoBzggfXn3Zw1uCqzRuLduEFPJXw")
New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
$cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName
Assert-NotNull $cluster.identity
Assert-AreEqual 'UserAssigned' $cluster.identity.Type

New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject
$cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
Assert-Null $cluster.identity
Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
$cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
Assert-NotNull $cluster.identity
Assert-AreEqual 'UserAssigned' $cluster.identity.Type

New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity
$cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName
Assert-NotNull $cluster.identity
Assert-AreEqual 'SystemAssigned' $cluster.identity.Type
}
finally
{
Remove-AzResourceGroup -Name $resourceGroupName -Force
}
}
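Review bot: The `createTestCredential` call in Test-ManagedIdentity embeds an application ID together with what appears to be a service-principal client secret as a source literal; even if it is a recorded-test placeholder, a literal in that form should be treated as a committed secret (revoked if it was ever live) and will be flagged by secret scanners on every clone of the repository. The same pair can be supplied from the environment instead, e.g. `$credObject = $(createTestCredential $env:AKS_TEST_SP_APPID $env:AKS_TEST_SP_SECRET)` (variable names illustrative), with the recorded session keeping the test replayable. The two `-AssignIdentity` values also point at a fixed subscription and a personal resource group, so nobody else can re-record this test; creating the user-assigned identity inside `$resourceGroupName` during setup (New-AzUserAssignedIdentity) and cleaning it up with the group in the `finally` block would make the scenario self-contained.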

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions src/Aks/Aks/ChangeLog.md
Expand Up @@ -18,6 +18,7 @@
- Additional information about change #1
-->
## Upcoming Release
* Added ManagedIdentity support for Aks[#15656].
* Added property `PowerState` for the output of `Get-AzAksCluster`[#18271]
* Updated the logic of `Set-AzAksCluster` for parameter `NodeImageOnly`.
* Added parameter `NodeImageOnly` for `Update-AzAksNodePool`.
47 changes: 47 additions & 0 deletions src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs
Expand Up @@ -40,6 +40,7 @@
using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications;
using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;

namespace Microsoft.Azure.Commands.Aks
{
Expand Down Expand Up @@ -158,6 +159,12 @@ public abstract class CreateOrUpdateKubeBase : KubeCmdletBase
[Parameter(Mandatory = false, HelpMessage = "The FQDN subdomain of the private cluster with custom private dns zone.")]
public string FqdnSubdomain { get; set; }

[Parameter(Mandatory = false, HelpMessage = "Using a managed identity to manage cluster resource group.")]
public SwitchParameter EnableManagedIdentity { get; set; }

[Parameter(Mandatory = false, HelpMessage = "ResourceId of user assign managed identity for cluster.")]
public string AssignIdentity { get; set; }

protected void BeforeBuildNewCluster()
{
if (!string.IsNullOrEmpty(ResourceGroupName) && string.IsNullOrEmpty(Location))
Expand Down Expand Up @@ -566,5 +573,45 @@ protected ManagedClusterAPIServerAccessProfile CreateOrUpdateApiServerAccessProf

return apiServerAccessProfile;
}

protected ManagedCluster SetIdentity(ManagedCluster cluster)
{
if (this.IsParameterBound(c => c.EnableManagedIdentity))
{
if (!EnableManagedIdentity)
{
cluster.Identity = null;
}
else
{
if (cluster.Identity == null)
{
cluster.Identity = new ManagedClusterIdentity();
}
}
}
if (this.IsParameterBound(c => c.AssignIdentity))
{
if (cluster.Identity == null)
{
throw new AzPSArgumentException(Resources.NeedEnableManagedIdentity, nameof(AssignIdentity));
}
cluster.Identity.Type = ResourceIdentityType.UserAssigned;
cluster.Identity.UserAssignedIdentities = new Dictionary<string, ManagedClusterIdentityUserAssignedIdentitiesValue>
{
{ AssignIdentity, new ManagedClusterIdentityUserAssignedIdentitiesValue() }
};

}
else
{
if (cluster.Identity != null && cluster.Identity.Type == null)
{
cluster.Identity.Type = ResourceIdentityType.SystemAssigned;
}
}

return cluster;
}
}
}
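Review bot: SetIdentity uses the AssignIdentity string verbatim as the UserAssignedIdentities key without checking that it is a non-empty value, so `-AssignIdentity ''` or whitespace passes the IsParameterBound check and produces a request the service rejects with an opaque error; a guard before the dictionary is built, `if (string.IsNullOrWhiteSpace(AssignIdentity)) throw new AzPSArgumentException(Resources.<INVALID_ASSIGN_IDENTITY_RESOURCE_PLACEHOLDER>, nameof(AssignIdentity));`, keeps the failure local and actionable. On the disable path the method sets `cluster.Identity = null`, whereas the model documentation changed in this same commit (PSManagedClusterIdentity.cs) describes opting out of MSI via identity type 'None'; whether a null identity on an update is treated by the service as "remove" or "leave unchanged" is not visible here and should be confirmed, otherwise `-EnableManagedIdentity:$false` on Set-AzAksCluster may be a silent no-op. Assigning a fresh dictionary also discards any user-assigned identities already present on a cluster fetched for update, which is presumably intended for a single-identity parameter but deserves a sentence in the HelpMessage. The method has no XML doc comment; a `<summary>` stating that it applies EnableManagedIdentity/AssignIdentity to the given cluster in place and returns the same instance would help, since both callers ignore the return value.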
2 changes: 2 additions & 0 deletions src/Aks/Aks/Commands/NewAzureRmAks.cs
Expand Up @@ -355,6 +355,8 @@ private ManagedCluster BuildNewCluster()
networkProfile: networkProfile,
apiServerAccessProfile: apiServerAccessProfile);

SetIdentity(managedCluster);

if (EnableRbac.IsPresent)
{
managedCluster.EnableRBAC = EnableRbac;
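Review bot: The return value of `SetIdentity(managedCluster);` is discarded here and in the matching call in SetAzureRmAks.cs, so the method's `ManagedCluster` return type suggests a new object while it actually mutates its argument in place; either make SetIdentity `void` or use the result, `managedCluster = SetIdentity(managedCluster);`, so the contract is the same at both call sites. BuildNewCluster starts and ends outside this hunk.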
4 changes: 4 additions & 0 deletions src/Aks/Aks/Commands/SetAzureRmAks.cs
Expand Up @@ -34,6 +34,8 @@
using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
using Microsoft.WindowsAzure.Commands.Utilities.Common;

using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;

namespace Microsoft.Azure.Commands.Aks
{
[Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AksCluster", DefaultParameterSetName = DefaultParamSet, SupportsShouldProcess = true)]
Expand Down Expand Up @@ -378,13 +380,15 @@ public override void ExecuteCmdlet()
{
cluster.FqdnSubdomain = FqdnSubdomain;
}
SetIdentity(cluster);

var kubeCluster = Client.ManagedClusters.CreateOrUpdate(ResourceGroupName, Name, cluster);

WriteObject(PSMapper.Instance.Map<PSKubernetesCluster>(kubeCluster));
});
}
}

private void RemoveAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
{
string acrResourceId = null;
2 changes: 1 addition & 1 deletion src/Aks/Aks/Models/PSManagedClusterIdentity.cs
Expand Up @@ -53,7 +53,7 @@ public IDictionary<string, PSManagedClusterIdentityUserAssignedIdentitiesValue>
/// master components and an auto-created user assigned identity in MC_
/// resource group in agent nodes. Type 'None' will not use MSI for the
/// managed cluster, service principal will be used instead. Possible
/// values include: 'SystemAssigned', 'None'
/// values include: 'SystemAssigned', 'None', 'UserAssigned'
/// </summary>
public PSResourceIdentityType? Type { get; set; }
}
3 changes: 3 additions & 0 deletions src/Aks/Aks/Models/PSResourceIdentityType.cs
Expand Up @@ -21,6 +21,9 @@ public enum PSResourceIdentityType
[EnumMember(Value = "SystemAssigned")]
SystemAssigned,

[EnumMember(Value = "UserAssigned")]
UserAssigned,

[EnumMember(Value = "None")]
None
}
11 changes: 10 additions & 1 deletion src/Aks/Aks/Properties/Resources.Designer.cs


3 changes: 3 additions & 0 deletions src/Aks/Aks/Properties/Resources.resx
Expand Up @@ -453,4 +453,7 @@
<data name="ExecutingCommandOnCluster" xml:space="preserve">
<value>Executing command on cluster {0}.</value>
</data>
<data name="NeedEnableManagedIdentity" xml:space="preserve">
<value>Please set '-EnableManagedIdentity' first if you want to set 'AssignIdentity'.</value>
</data>
</root>
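Review bot: The new NeedEnableManagedIdentity message names one parameter with its leading dash and the other without, which reads as if 'AssignIdentity' were a property rather than the `-AssignIdentity` switch the user actually typed; `<value>Please specify '-EnableManagedIdentity' when using '-AssignIdentity'.</value>` is consistent with how the cmdlet's other messages name parameters and with the exception's parameter name.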
101 changes: 97 additions & 4 deletions src/Aks/Aks/help/Get-AzAksUpgradeProfile.md
@@ -1,5 +1,5 @@
---
external help file:
external help file: Az.Aks-help.xml
Module Name: Az.Aks
online version: https://docs.microsoft.com/powershell/module/az.aks/get-azaksupgradeprofile
schema: 2.0.0
Expand All @@ -15,12 +15,16 @@ Gets the details of the upgrade profile for a managed cluster with a specified r
### Get (Default)
```
Get-AzAksUpgradeProfile -ClusterName <String> -ResourceGroupName <String> [-SubscriptionId <String[]>]
[-DefaultProfile <PSObject>] [<CommonParameters>]
[-DefaultProfile <PSObject>] [-Break] [-HttpPipelineAppend <SendAsyncStep[]>]
[-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>] [-ProxyCredential <PSCredential>]
[-ProxyUseDefaultCredentials] [<CommonParameters>]
```

### GetViaIdentity
```
Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [<CommonParameters>]
Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [-Break]
[-HttpPipelineAppend <SendAsyncStep[]>] [-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>]
[-ProxyCredential <PSCredential>] [-ProxyUseDefaultCredentials] [<CommonParameters>]
```

## DESCRIPTION
Expand All @@ -43,6 +47,21 @@ Get Aks upgrade profile with resource group name and cluster name.

## PARAMETERS

### -Break
Wait for .NET debugger to attach

```yaml
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ClusterName
The name of the managed cluster resource.
Expand Down Expand Up @@ -73,6 +92,36 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -HttpPipelineAppend
SendAsync Pipeline Steps to be appended to the front of the pipeline
```yaml
Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -HttpPipelinePrepend
SendAsync Pipeline Steps to be prepended to the front of the pipeline
```yaml
Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -InputObject
Identity Parameter
To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Expand All @@ -89,6 +138,51 @@ Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```
### -Proxy
The URI for the proxy server to use
```yaml
Type: System.Uri
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProxyCredential
Credentials for a proxy server to use for the remote call
```yaml
Type: System.Management.Automation.PSCredential
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProxyUseDefaultCredentials
Use the default credentials for the proxy
```yaml
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ResourceGroupName
The name of the resource group.
Expand Down Expand Up @@ -153,4 +247,3 @@ INPUTOBJECT <IAksIdentity>: Identity Parameter
- `[SubscriptionId <String>]`: Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

## RELATED LINKS

