David/aks monitoring aad auth (Azure#3500)

daweim0 · zhoxing-ms · web-flow · commit cea0bd0b307b · 2021-07-01T10:08:03.000+08:00
* about to add check for if DCR is available in regions

* tested

* forgot to remove an exception

* fixed linter problems

* fixed some linter errors

* fixing linter errors

* fixing some feedback, more to come

* fixed all feedback and a bug

* cleanup

* addressed comments and static analyzer errors

* Update src/aks-preview/azext_aks_preview/_help.py

Co-authored-by: Xing Zhou &lt;Zhou.Xing@microsoft.com&gt;

* Update src/aks-preview/azext_aks_preview/_help.py

Co-authored-by: Xing Zhou &lt;Zhou.Xing@microsoft.com&gt;

* fix linter error

* fixed small errors

* added unit tests, cleaned up the msi/sp auth check

* adding unit tests

* commenting out tests which require a subscription-level feature flag

* uncommented tests, put them in a list to not run

Co-authored-by: Xing Zhou &lt;Zhou.Xing@microsoft.com&gt;
diff --git a/linter_exclusions.yml b/linter_exclusions.yml
@@ -76,6 +76,9 @@ aks create:
     workspace_resource_id:
       rule_exclusions:
       - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
     enable_encryption_at_host:
       rule_exclusions:
       - option_length_too_long
@@ -93,6 +96,9 @@ aks enable-addons:
     workspace_resource_id:
       rule_exclusions:
       - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
 aks nodepool add:
   parameters:
     enable_node_public_ip:
diff --git a/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json b/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json
@@ -26,7 +26,11 @@
             "test_aks_create_with_pod_identity_enabled",
             "test_aks_create_using_azurecni_with_pod_identity_enabled",
             "test_aks_pod_identity_usage",
-            "test_aks_create_with_fips"
+            "test_aks_create_with_fips",
+            "test_aks_create_with_monitoring_aad_auth_msi",
+            "test_aks_create_with_monitoring_aad_auth_uai",
+            "test_aks_enable_monitoring_with_aad_auth_msi",
+            "test_aks_enable_monitoring_with_aad_auth_uai"
         ],
         "unknown": [
             "test_aks_create_and_update_with_managed_aad_enable_azure_rbac",
diff --git a/src/aks-preview/azext_aks_preview/_consts.py b/src/aks-preview/azext_aks_preview/_consts.py
@@ -23,6 +23,7 @@
 
 CONST_MONITORING_ADDON_NAME = "omsagent"
 CONST_MONITORING_LOG_ANALYTICS_WORKSPACE_RESOURCE_ID = "logAnalyticsWorkspaceResourceID"
+CONST_MONITORING_USING_AAD_MSI_AUTH = "useAADAuth"
 
 CONST_VIRTUAL_NODE_ADDON_NAME = "aciConnector"
 CONST_VIRTUAL_NODE_SUBNET_NAME = "SubnetName"
diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py
@@ -222,6 +222,9 @@
         - name: --workspace-resource-id
           type: string
           short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.
+        - name: --enable-msi-auth-for-monitoring
+          type: bool
+          short-summary: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
         - name: --enable-cluster-autoscaler
           type: bool
           short-summary: Enable cluster autoscaler, default value is false.
@@ -1042,6 +1045,9 @@
   - name: --workspace-resource-id
     type: string
     short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
+  - name: --enable-msi-auth-for-monitoring
+    type: bool
+    short-summary: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
   - name: --subnet-name -s
     type: string
     short-summary: The subnet name for the virtual node to use.
diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py
@@ -91,6 +91,7 @@ def load_arguments(self, _):
         c.argument('pod_subnet_id', type=str, validator=validate_pod_subnet_id)
         c.argument('ppg')
         c.argument('workspace_resource_id')
+        c.argument('enable_msi_auth_for_monitoring', arg_type=get_three_state_flag(), is_preview=True)
         c.argument('skip_subnet_role_assignment', action='store_true')
         c.argument('enable_fips_image', action='store_true', is_preview=True)
         c.argument('enable_cluster_autoscaler', action='store_true')
@@ -261,6 +262,8 @@ def load_arguments(self, _):
         c.argument('appgw_subnet_id', options_list=['--appgw-subnet-id'], arg_group='Application Gateway')
         c.argument('appgw_watch_namespace', options_list=['--appgw-watch-namespace'], arg_group='Application Gateway')
         c.argument('enable_secret_rotation', action='store_true')
+        c.argument('workspace_resource_id')
+        c.argument('enable_msi_auth_for_monitoring', arg_type=get_three_state_flag(), is_preview=True)
 
     with self.argument_context('aks get-credentials') as c:
         c.argument('admin', options_list=['--admin', '-a'], default=False)
diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py
