AKS: support private cluster public fqdn feature with new api 2021-05-01 (Azure#3465)

* update sdk with latest swagger model

* support public fqdn feature for private cluster

* fix typo

* fix comments

* fix format

* fix release history

Co-authored-by: Li Ma <lima2@microsoft.com>

Author: levimm

src/aks-preview/HISTORY.md

@@ -3,6 +3,11 @@
 Release History
 ===============
 
+0.5.16
++++++
+* Vendor SDK using latest swagger with optional query parameter added
+* Support private cluster public fqdn feature
+
 0.5.15
 +++++
 * Update to use 2021-05-01 api-version

src/aks-preview/azext_aks_preview/_help.py

@@ -261,6 +261,9 @@
         - name: --fqdn-subdomain
           type: string
           short-summary: Prefix for FQDN that is created for private cluster with custom private dns zone scenario.
+        - name: --enable-public-fqdn
+          type: bool
+          short-summary: (Preview) Enable public fqdn feature for private cluster.
         - name: --enable-node-public-ip
           type: bool
           short-summary: Enable VMSS node public IP.
@@ -545,6 +548,12 @@
         - name: --enable-local-accounts
           type: bool
           short-summary: (Preview) If set to true, will enable getting static credential for this cluster.
+        - name: --enable-public-fqdn
+          type: bool
+          short-summary: (Preview) Enable public fqdn feature for private cluster.
+        - name: --disable-public-fqdn
+          type: bool
+          short-summary: (Preview) Disable public fqdn feature for private cluster.
     examples:
       - name: Enable cluster-autoscaler within node count range [1,5]
         text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
@@ -1108,6 +1117,9 @@
   - name: --output -o
     type: string
     long-summary: Credentials are always in YAML format, so this argument is effectively ignored.
+  - name: --public-fqdn
+    type: bool
+    short-summary: (Preview) Get private cluster credential with server address to be public fqdn.
 examples:
   - name: Get access credentials for a managed Kubernetes cluster. (autogenerated)
     text: az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

src/aks-preview/azext_aks_preview/_params.py

@@ -113,6 +113,7 @@ def load_arguments(self, _):
         c.argument('enable_private_cluster', action='store_true')
         c.argument('private_dns_zone')
         c.argument('fqdn_subdomain')
+        c.argument('enable_public_fqdn', action='store_true', is_preview=True)
         c.argument('enable_managed_identity', action='store_true')
         c.argument('assign_identity', type=str, validator=validate_assign_identity)
         c.argument('enable_sgxquotehelper', action='store_true')
@@ -150,6 +151,8 @@ def load_arguments(self, _):
         c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
         c.argument('enable_pod_security_policy', action='store_true')
         c.argument('disable_pod_security_policy', action='store_true')
+        c.argument('enable_public_fqdn', action='store_true', is_preview=True)
+        c.argument('disable_public_fqdn', action='store_true', is_preview=True)
         c.argument('attach_acr', acr_arg_type, validator=validate_acr)
         c.argument('detach_acr', acr_arg_type, validator=validate_acr)
         c.argument('aks_custom_headers')
@@ -264,6 +267,7 @@ def load_arguments(self, _):
         c.argument('user', options_list=['--user', '-u'], default='clusterUser', validator=validate_user)
         c.argument('path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
                    default=os.path.join(os.path.expanduser('~'), '.kube', 'config'))
+        c.argument('public_fqdn', default=False, action='store_true', is_preview=True)
 
     with self.argument_context('aks pod-identity') as c:
         c.argument('cluster_name', type=str, help='The cluster name.')

src/aks-preview/azext_aks_preview/custom.py

@@ -43,6 +43,7 @@
 import colorama  # pylint: disable=import-error
 from tabulate import tabulate  # pylint: disable=import-error
 from azure.cli.core.api import get_config_dir
+from azure.cli.core.azclierror import ManualInterrupt, InvalidArgumentValueError, UnclassifiedUserFault, CLIInternalError, FileOperationError, ClientRequestError, DeploymentError, ValidationError, ArgumentUsageError, MutuallyExclusiveArgumentError, RequiredArgumentMissingError, ResourceNotFoundError
 from azure.cli.core.commands.client_factory import get_mgmt_service_client, get_subscription_id
 from azure.cli.core.keys import is_valid_ssh_rsa_public_key
 from azure.cli.core.util import get_file_json, in_cloud_console, shell_safe_json_parse, truncate_text, sdk_no_wait
@@ -1010,6 +1011,7 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
                private_dns_zone=None,
                enable_managed_identity=True,
                fqdn_subdomain=None,
+               enable_public_fqdn=False,
                api_server_authorized_ip_ranges=None,
                aks_custom_headers=None,
                appgw_name=None,
@@ -1398,30 +1400,33 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
         mc.node_resource_group = node_resource_group
 
     use_custom_private_dns_zone = False
+    if not enable_private_cluster and enable_public_fqdn:
+        raise ArgumentUsageError("--enable-public-fqdn should only be used with --enable-private-cluster")
     if enable_private_cluster:
         if load_balancer_sku.lower() != "standard":
-            raise CLIError(
+            raise ArgumentUsageError(
                 "Please use standard load balancer for private cluster")
         mc.api_server_access_profile = ManagedClusterAPIServerAccessProfile(
             enable_private_cluster=True
         )
+        if enable_public_fqdn:
+            mc.api_server_access_profile.enable_private_cluster_public_fqdn = True
 
     if private_dns_zone:
         if not enable_private_cluster:
-            raise CLIError(
+            raise ArgumentUsageError(
                 "Invalid private dns zone for public cluster. It should always be empty for public cluster")
         mc.api_server_access_profile.private_dns_zone = private_dns_zone
         from msrestazure.tools import is_valid_resource_id
         if private_dns_zone.lower() != CONST_PRIVATE_DNS_ZONE_SYSTEM and private_dns_zone.lower() != CONST_PRIVATE_DNS_ZONE_NONE:
             if is_valid_resource_id(private_dns_zone):
                 use_custom_private_dns_zone = True
             else:
-                raise CLIError(private_dns_zone +
-                               " is not a valid Azure resource ID.")
+                raise ResourceNotFoundError(private_dns_zone + " is not a valid Azure resource ID.")
 
     if fqdn_subdomain:
         if not use_custom_private_dns_zone:
-            raise CLIError(
+            raise ArgumentUsageError(
                 "--fqdn-subdomain should only be used for private cluster with custom private dns zone")
         mc.fqdn_subdomain = fqdn_subdomain
 
@@ -1501,6 +1506,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                disable_secret_rotation=False,
                disable_local_accounts=False,
                enable_local_accounts=False,
+               enable_public_fqdn=False,
+               disable_public_fqdn=False,
                yes=False,
                tags=None,
                windows_admin_password=None,
@@ -1540,7 +1547,9 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
        not tags and \
        not windows_admin_password and \
        not enable_local_accounts and \
-       not disable_local_accounts:
+       not disable_local_accounts and \
+       not enable_public_fqdn and \
+       not disable_public_fqdn:
         raise CLIError('Please specify "--enable-cluster-autoscaler" or '
                        '"--disable-cluster-autoscaler" or '
                        '"--update-cluster-autoscaler" or '
@@ -1571,7 +1580,9 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                        '"--enable-azure-rbac" or '
                        '"--disable-azure-rbac" or '
                        '"--enable-local-accounts" or '
-                       '"--disable-local-accounts"')
+                       '"--disable-local-accounts" or '
+                       '"--enable-public-fqdn" or '
+                       '"--disable-public-fqdn"')
     instance = client.get(resource_group_name, name)
 
     if update_autoscaler and len(instance.agent_pool_profiles) > 1:
@@ -1740,6 +1751,21 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
     if disable_ahub:
         instance.windows_profile.license_type = 'None'
 
+    if enable_public_fqdn and disable_public_fqdn:
+        raise MutuallyExclusiveArgumentError(
+            'Cannot specify "--enable-public-fqdn" and "--disable-public-fqdn" at the same time')
+    is_private_cluster = instance.api_server_access_profile is not None and instance.api_server_access_profile.enable_private_cluster
+    if enable_public_fqdn:
+        if not is_private_cluster:
+            raise ArgumentUsageError('--enable-public-fqdn can only be used for private cluster')
+        instance.api_server_access_profile.enable_private_cluster_public_fqdn = True
+    if disable_public_fqdn:
+        if not is_private_cluster:
+            raise ArgumentUsageError('--disable-public-fqdn can only be used for private cluster')
+        if instance.api_server_access_profile.private_dns_zone.lower() == CONST_PRIVATE_DNS_ZONE_NONE:
+            raise ArgumentUsageError('--disable-public-fqdn cannot be applied for none mode private dns zone cluster')
+        instance.api_server_access_profile.enable_private_cluster_public_fqdn = False
+
     if instance.auto_upgrade_profile is None:
         instance.auto_upgrade_profile = ManagedClusterAutoUpgradeProfile()
 
@@ -1891,18 +1917,22 @@ def aks_get_credentials(cmd,    # pylint: disable=unused-argument
                         path=os.path.join(os.path.expanduser(
                             '~'), '.kube', 'config'),
                         overwrite_existing=False,
-                        context_name=None):
+                        context_name=None,
+                        public_fqdn=False):
     credentialResults = None
+    serverType = None
+    if public_fqdn:
+        serverType = 'public'
     if admin:
         credentialResults = client.list_cluster_admin_credentials(
-            resource_group_name, name)
+            resource_group_name, name, serverType)
     else:
         if user.lower() == 'clusteruser':
             credentialResults = client.list_cluster_user_credentials(
-                resource_group_name, name)
+                resource_group_name, name, serverType)
         elif user.lower() == 'clustermonitoringuser':
             credentialResults = client.list_cluster_monitoring_user_credentials(
-                resource_group_name, name)
+                resource_group_name, name, serverType)
         else:
             raise CLIError("The user is invalid.")
     if not credentialResults: