Add ManagedIdentity support for Aks (Azure#18385)

wyunchi-ms · web-flow · commit e5911da931e5 · 2022-06-06T10:23:32.000+08:00
diff --git a/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs b/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs
@@ -72,5 +72,12 @@ public void TestApiServiceAccess()
         {
             TestRunner.RunTestScript("Test-ApiServiceAccess");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedIdentity()
+        {
+            TestRunner.RunTestScript("Test-ManagedIdentity");
+        }
     }
 }
diff --git a/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1 b/src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1
@@ -305,4 +305,45 @@ function Test-ApiServiceAccess
     {
         Remove-AzResourceGroup -Name $resourceGroupName -Force
     }
+}
+
+
+
+function Test-ManagedIdentity
+{
+    # Setup
+    $resourceGroupName = Get-RandomResourceGroupName
+    $userAssignedkubeClusterName = Get-RandomClusterName
+    $systemAssignedkubeClusterName = Get-RandomClusterName
+    $setUserAssignedkubeClusterName = Get-RandomClusterName
+    $location = 'eastus'
+    $nodeVmSize = "Standard_D2_v2"
+
+    try
+    {
+        New-AzResourceGroup -Name $resourceGroupName -Location $location
+        
+        $credObject = $(createTestCredential "a6148f60-19b8-49b8-a5a5-54945aec926e" "xde7Q~bVRBoBzggfXn3Zw1uCqzRuLduEFPJXw")
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $userAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'UserAssigned' $cluster.identity.Type
+
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject  
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
+        Assert-Null $cluster.identity
+        Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName -EnableManagedIdentity -AssignIdentity '/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/wyunchi/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity'
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $setUserAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'UserAssigned' $cluster.identity.Type
+        
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName -ServicePrincipalIdAndSecret $credObject -EnableManagedIdentity
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $systemAssignedkubeClusterName
+        Assert-NotNull $cluster.identity
+        Assert-AreEqual 'SystemAssigned' $cluster.identity.Type
+    }
+    finally
+    {
+        Remove-AzResourceGroup -Name $resourceGroupName -Force
+    }
 }
diff --git a/src/Aks/Aks.Test/SessionRecords/Commands.Aks.Test.ScenarioTests.KubernetesTests/TestManagedIdentity.json b/src/Aks/Aks.Test/SessionRecords/Commands.Aks.Test.ScenarioTests.KubernetesTests/TestManagedIdentity.json
diff --git a/src/Aks/Aks/ChangeLog.md b/src/Aks/Aks/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added ManagedIdentity support for Aks[#15656].
 * Added property `PowerState` for the output of `Get-AzAksCluster`[#18271]
 * Updated the logic of `Set-AzAksCluster` for parameter `NodeImageOnly`.
 * Added parameter `NodeImageOnly` for `Update-AzAksNodePool`.
diff --git a/src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs b/src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs
@@ -40,6 +40,7 @@
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications;
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
+using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;
 
 namespace Microsoft.Azure.Commands.Aks
 {
@@ -158,6 +159,12 @@ public abstract class CreateOrUpdateKubeBase : KubeCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "The FQDN subdomain of the private cluster with custom private dns zone.")]
         public string FqdnSubdomain { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Using a managed identity to manage cluster resource group.")]
+        public SwitchParameter EnableManagedIdentity { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "ResourceId of user assign managed identity for cluster.")]
+        public string AssignIdentity { get; set; }
+
         protected void BeforeBuildNewCluster()
         {
             if (!string.IsNullOrEmpty(ResourceGroupName) && string.IsNullOrEmpty(Location))
@@ -566,5 +573,45 @@ protected ManagedClusterAPIServerAccessProfile CreateOrUpdateApiServerAccessProf
 
             return apiServerAccessProfile;
         }
+
+        protected ManagedCluster SetIdentity(ManagedCluster cluster)
+        {
+            if (this.IsParameterBound(c => c.EnableManagedIdentity))
+            {
+                if (!EnableManagedIdentity)
+                {
+                    cluster.Identity = null;
+                }
+                else
+                {
+                    if (cluster.Identity == null)
+                    {
+                        cluster.Identity = new ManagedClusterIdentity();
+                    }
+                }
+            }
+            if (this.IsParameterBound(c => c.AssignIdentity))
+            {
+                if (cluster.Identity == null)
+                {
+                    throw new AzPSArgumentException(Resources.NeedEnableManagedIdentity, nameof(AssignIdentity));
+                }
+                cluster.Identity.Type = ResourceIdentityType.UserAssigned;
+                cluster.Identity.UserAssignedIdentities = new Dictionary<string, ManagedClusterIdentityUserAssignedIdentitiesValue>
+                {
+                    { AssignIdentity, new ManagedClusterIdentityUserAssignedIdentitiesValue() }
+                };
+
+            }
+            else
+            {
+                if (cluster.Identity != null && cluster.Identity.Type == null)
+                {
+                    cluster.Identity.Type = ResourceIdentityType.SystemAssigned;
+                }
+            }
+
+            return cluster;
+        }
     }
 }
diff --git a/src/Aks/Aks/Commands/NewAzureRmAks.cs b/src/Aks/Aks/Commands/NewAzureRmAks.cs
@@ -355,6 +355,8 @@ private ManagedCluster BuildNewCluster()
                 networkProfile: networkProfile,
                 apiServerAccessProfile: apiServerAccessProfile);
 
+            SetIdentity(managedCluster);
+
             if (EnableRbac.IsPresent)
             {
                 managedCluster.EnableRBAC = EnableRbac;
diff --git a/src/Aks/Aks/Commands/SetAzureRmAks.cs b/src/Aks/Aks/Commands/SetAzureRmAks.cs
@@ -34,6 +34,8 @@
 using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
+using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;
+
 namespace Microsoft.Azure.Commands.Aks
 {
     [Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AksCluster", DefaultParameterSetName = DefaultParamSet, SupportsShouldProcess = true)]
@@ -378,13 +380,15 @@ public override void ExecuteCmdlet()
                     {
                         cluster.FqdnSubdomain = FqdnSubdomain;
                     }
+                    SetIdentity(cluster);
 
                     var kubeCluster = Client.ManagedClusters.CreateOrUpdate(ResourceGroupName, Name, cluster);
 
                     WriteObject(PSMapper.Instance.Map<PSKubernetesCluster>(kubeCluster));
                 });
             }
         }
+
         private void RemoveAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
         {
             string acrResourceId = null;
diff --git a/src/Aks/Aks/Models/PSManagedClusterIdentity.cs b/src/Aks/Aks/Models/PSManagedClusterIdentity.cs
@@ -53,7 +53,7 @@ public IDictionary<string, PSManagedClusterIdentityUserAssignedIdentitiesValue>
         /// master components and an auto-created user assigned identity in MC_
         /// resource group in agent nodes. Type 'None' will not use MSI for the
         /// managed cluster, service principal will be used instead. Possible
-        /// values include: 'SystemAssigned', 'None'
+        /// values include: 'SystemAssigned', 'None', 'UserAssigned'
         /// </summary>
         public PSResourceIdentityType? Type { get; set; }
     }
diff --git a/src/Aks/Aks/Models/PSResourceIdentityType.cs b/src/Aks/Aks/Models/PSResourceIdentityType.cs
@@ -21,6 +21,9 @@ public enum PSResourceIdentityType
         [EnumMember(Value = "SystemAssigned")]
         SystemAssigned,
 
+        [EnumMember(Value = "UserAssigned")]
+        UserAssigned,
+
         [EnumMember(Value = "None")]
         None
     }
diff --git a/src/Aks/Aks/Properties/Resources.Designer.cs b/src/Aks/Aks/Properties/Resources.Designer.cs
diff --git a/src/Aks/Aks/Properties/Resources.resx b/src/Aks/Aks/Properties/Resources.resx
@@ -453,4 +453,7 @@
   <data name="ExecutingCommandOnCluster" xml:space="preserve">
     <value>Executing command on cluster {0}.</value>
   </data>
+  <data name="NeedEnableManagedIdentity" xml:space="preserve">
+    <value>Please set '-EnableManagedIdentity' first if you want to set 'AssignIdentity'.</value>
+  </data>
 </root>
diff --git a/src/Aks/Aks/help/Get-AzAksUpgradeProfile.md b/src/Aks/Aks/help/Get-AzAksUpgradeProfile.md
@@ -1,5 +1,5 @@
 ---
-external help file:
+external help file: Az.Aks-help.xml
 Module Name: Az.Aks
 online version: https://docs.microsoft.com/powershell/module/az.aks/get-azaksupgradeprofile
 schema: 2.0.0
@@ -15,12 +15,16 @@ Gets the details of the upgrade profile for a managed cluster with a specified r
 ### Get (Default)
 ```
 Get-AzAksUpgradeProfile -ClusterName <String> -ResourceGroupName <String> [-SubscriptionId <String[]>]
- [-DefaultProfile <PSObject>] [<CommonParameters>]
+ [-DefaultProfile <PSObject>] [-Break] [-HttpPipelineAppend <SendAsyncStep[]>]
+ [-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>] [-ProxyCredential <PSCredential>]
+ [-ProxyUseDefaultCredentials] [<CommonParameters>]
 ```
 
 ### GetViaIdentity
 ```
-Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [<CommonParameters>]
+Get-AzAksUpgradeProfile -InputObject <IAksIdentity> [-DefaultProfile <PSObject>] [-Break]
+ [-HttpPipelineAppend <SendAsyncStep[]>] [-HttpPipelinePrepend <SendAsyncStep[]>] [-Proxy <Uri>]
+ [-ProxyCredential <PSCredential>] [-ProxyUseDefaultCredentials] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -43,6 +47,21 @@ Get Aks upgrade profile with resource group name and cluster name.
 
 ## PARAMETERS
 
+### -Break
+Wait for .NET debugger to attach
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ClusterName
 The name of the managed cluster resource.
 
@@ -73,6 +92,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -HttpPipelineAppend
+SendAsync Pipeline Steps to be appended to the front of the pipeline
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -HttpPipelinePrepend
+SendAsync Pipeline Steps to be prepended to the front of the pipeline
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.SendAsyncStep[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -InputObject
 Identity Parameter
 To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
@@ -89,6 +138,51 @@ Accept pipeline input: True (ByValue)
 Accept wildcard characters: False
 ```
 
+### -Proxy
+The URI for the proxy server to use
+
+```yaml
+Type: System.Uri
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProxyCredential
+Credentials for a proxy server to use for the remote call
+
+```yaml
+Type: System.Management.Automation.PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProxyUseDefaultCredentials
+Use the default credentials for the proxy
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 The name of the resource group.
 
@@ -153,4 +247,3 @@ INPUTOBJECT <IAksIdentity>: Identity Parameter
   - `[SubscriptionId <String>]`: Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
 
 ## RELATED LINKS
-
diff --git a/src/Aks/Aks/help/Get-AzAksVersion.md b/src/Aks/Aks/help/Get-AzAksVersion.md
diff --git a/src/Aks/Aks/help/New-AzAksCluster.md b/src/Aks/Aks/help/New-AzAksCluster.md
diff --git a/src/Aks/Aks/help/Set-AzAksCluster.md b/src/Aks/Aks/help/Set-AzAksCluster.md

Original file line number	Diff line number	Diff line change
`@@ -72,5 +72,12 @@ public void TestApiServiceAccess()`
`72`	`72`	`{`
`73`	`73`	`TestRunner.RunTestScript("Test-ApiServiceAccess");`
`74`	`74`	`}`
	`75`	`+`
	`76`	`+ [Fact]`
	`77`	`+ [Trait(Category.AcceptanceType, Category.CheckIn)]`
	`78`	`+ public void TestManagedIdentity()`
	`79`	`+ {`
	`80`	`+ TestRunner.RunTestScript("Test-ManagedIdentity");`
	`81`	`+ }`
`75`	`82`	`}`
`76`	`83`	`}`
Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,8 @@ private ManagedCluster BuildNewCluster()`
`355`	`355`	`networkProfile: networkProfile,`
`356`	`356`	`apiServerAccessProfile: apiServerAccessProfile);`
`357`	`357`
	`358`	`+ SetIdentity(managedCluster);`
	`359`	`+`
`358`	`360`	`if (EnableRbac.IsPresent)`
`359`	`361`	`{`
`360`	`362`	`managedCluster.EnableRBAC = EnableRbac;`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@`
`34`	`34`	`using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;`
`35`	`35`	`using Microsoft.WindowsAzure.Commands.Utilities.Common;`
`36`	`36`
	`37`	`+using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;`
	`38`	`+`
`37`	`39`	`namespace Microsoft.Azure.Commands.Aks`
`38`	`40`	`{`
`39`	`41`	`[Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AksCluster", DefaultParameterSetName = DefaultParamSet, SupportsShouldProcess = true)]`
`@@ -378,13 +380,15 @@ public override void ExecuteCmdlet()`
`378`	`380`	`{`
`379`	`381`	`cluster.FqdnSubdomain = FqdnSubdomain;`
`380`	`382`	`}`
	`383`	`+ SetIdentity(cluster);`
`381`	`384`
`382`	`385`	`var kubeCluster = Client.ManagedClusters.CreateOrUpdate(ResourceGroupName, Name, cluster);`
`383`	`386`
`384`	`387`	`WriteObject(PSMapper.Instance.Map<PSKubernetesCluster>(kubeCluster));`
`385`	`388`	`});`
`386`	`389`	`}`
`387`	`390`	`}`
	`391`	`+`
`388`	`392`	`private void RemoveAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)`
`389`	`393`	`{`
`390`	`394`	`string acrResourceId = null;`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public IDictionary<string, PSManagedClusterIdentityUserAssignedIdentitiesValue>`
`53`	`53`	`/// master components and an auto-created user assigned identity in MC_`
`54`	`54`	`/// resource group in agent nodes. Type 'None' will not use MSI for the`
`55`	`55`	`/// managed cluster, service principal will be used instead. Possible`
`56`		`- /// values include: 'SystemAssigned', 'None'`
	`56`	`+ /// values include: 'SystemAssigned', 'None', 'UserAssigned'`
`57`	`57`	`/// </summary>`
`58`	`58`	`public PSResourceIdentityType? Type { get; set; }`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ public enum PSResourceIdentityType`
`21`	`21`	`[EnumMember(Value = "SystemAssigned")]`
`22`	`22`	`SystemAssigned,`
`23`	`23`
	`24`	`+ [EnumMember(Value = "UserAssigned")]`
	`25`	`+ UserAssigned,`
	`26`	`+`
`24`	`27`	`[EnumMember(Value = "None")]`
`25`	`28`	`None`
`26`	`29`	`}`