
[Module] managedClusters - Add ingressProfile support for AKS #3185

Merged
merged 39 commits into from
Jul 21, 2023
Merged
Changes from 18 commits
39 commits
f3b40be
add enable free tier tag
samuelya Apr 20, 2023
1682ae3
Merge pull request #1 from samuelya/users/samg/enableFreeTierForCosmosDb
samuelya Apr 20, 2023
40da679
Merge branch 'Azure:main' into main
samuelya Apr 24, 2023
815cdf6
update settings
samuelya Apr 24, 2023
681ddf4
Merge remote-tracking branch 'upstream/main'
samuelya Apr 25, 2023
d72b58c
Merge branch 'Azure:main' into main
samuelya May 9, 2023
cb59598
Issue #3183 adding ingressProfile
samuelya May 9, 2023
cdcd0f3
revert readme changes
samuelya May 9, 2023
7f66b83
upodate readme
samuelya May 9, 2023
bc949de
update agentpool readme
samuelya May 9, 2023
aa79b56
fix sku name from basic to base as update by api
samuelya May 9, 2023
76cb5d0
role Assignment of DNS Zone Contributor to aks
samuelya May 10, 2023
20a1025
revert settings update done by mistake
samuelya May 10, 2023
119d9b0
revert readme of documentdb
samuelya May 11, 2023
476a284
Merge branch 'main' into users/samg/add-ingress-profile-aks
samuelya May 12, 2023
d31269e
update description of dnsZoneResourceId and readme
samuelya May 12, 2023
2a041d6
revert dnsZoneResourceId description
samuelya May 12, 2023
87e0bee
update description of dnsZoneResourceId
samuelya May 12, 2023
079fdf5
Merge branch 'main' into users/samg/add-ingress-profile-aks
samuelya May 29, 2023
0c9ec0b
added enableDnsZoneContributorRoleAssignment flag
samuelya May 31, 2023
23c0306
Update API version of managedClusters
samuelya May 31, 2023
98578f1
add unit test for webApplicationRoutingEnabled
samuelya Jul 14, 2023
3af6479
update readme and fix prefix
samuelya Jul 14, 2023
2c195f1
Merge branch 'main' into add-ingress-profile-aks
samuelya Jul 14, 2023
f12e0ef
merge
samuelya Jul 14, 2023
8996307
update
samuelya Jul 14, 2023
122f9f2
revert settings file
samuelya Jul 14, 2023
8bbf9ee
replace << and >> by $. and .$
samuelya Jul 14, 2023
06ef19a
update version managed clustr to latest
samuelya Jul 14, 2023
692adbd
add build json
samuelya Jul 14, 2023
ee6a727
update to location
samuelya Jul 14, 2023
ffbc54d
test prefix
samuelya Jul 14, 2023
c1f4023
Merge branch 'main' into users/samg/add-ingress-profile-aks
samuelya Jul 20, 2023
7eaf9a5
revert settings
samuelya Jul 20, 2023
daefa34
update API version and readme
samuelya Jul 20, 2023
ec052a2
update arm json templates
samuelya Jul 20, 2023
ece6229
update dons location to global
samuelya Jul 20, 2023
e7fa3e0
revert namePrefix unused namePrefix
samuelya Jul 21, 2023
4f556f8
add missing reference
samuelya Jul 21, 2023
Expand Up @@ -63,7 +63,7 @@ var builtInRoleNames = {
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}

resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-11-01' existing = {
resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' existing = {
name: last(split(resourceId, '/'))!
}

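Review bot: The `existing` managedCluster reference in this hunk lands on `Microsoft.ContainerService/managedClusters@2023-03-02-preview`, while the same resource type is moved to `2023-05-02-preview` in main.bicep (its `managedCluster` resource), in the agent-pool template and in the README's resource-type table elsewhere in this PR. ARM tolerates a parent and an `existing` reference on different API versions, but the README table then no longer describes what this nested template actually calls, and the preview version pinned here will age separately from the rest of the module. If the 2023-03-02-preview line is the new side of this hunk (the rendered view lost the +/- markers and may reflect only a subset of the PR's commits), consider aligning it: `resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-05-02-preview' existing = {`. The file header for this section is not shown, so I cannot tell which nested template this is.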
Expand Up @@ -16,6 +16,9 @@ param keyVaultName string
@description('Required. The name of the Proximity Placement Group to create.')
param proximityPlacementGroupName string

@description('Required. The name of the DNS Zone to create.')
param dnsZoneName string

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-09-01' = {
name: virtualNetworkName
location: location
Expand Down Expand Up @@ -118,6 +121,11 @@ output subnetResourceIds array = [
virtualNetwork.properties.subnets[2].id
]

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
name: dnsZoneName
location: 'global'
}

@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId

Expand All @@ -126,3 +134,6 @@ output diskEncryptionSetResourceId string = diskEncryptionSet.id

@description('The resource ID of the created Proximity Placement Group.')
output proximityPlacementGroupResourceId string = proximityPlacementGroup.id

@description('The resource ID of the created DNS Zone.')
output dnsZoneResourceId string = dnsZone.id
Expand Up @@ -44,6 +44,7 @@ module nestedDependencies 'dependencies.bicep' = {
proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}'
// Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com'
}
}

Expand Up @@ -4,13 +4,24 @@ param location string = resourceGroup().location
@description('Required. The name of the Managed Identity to create.')
param managedIdentityName string

@description('Required. The name of the DNS Zone to create.')
param dnsZoneName string

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: managedIdentityName
location: location
}

resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' = {
name: dnsZoneName
location: 'global'
}

@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId

@description('The resource ID of the created Managed Identity.')
output managedIdentityResourceId string = managedIdentity.id

@description('The resource ID of the created DNS Zone.')
output dnsZoneResourceId string = dnsZone.id
Expand Up @@ -36,6 +36,7 @@ module nestedDependencies 'dependencies.bicep' = {
name: '${uniqueString(deployment().name, location)}-nestedDependencies'
params: {
managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
dnsZoneName: 'dep-${namePrefix}-dns-${serviceShort}.com'
}
}

Expand Up @@ -17,9 +17,6 @@ param serviceShort string = 'csmmin'
@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
param enableDefaultTelemetry bool = true

@description('Optional. A token to inject into the name of each resource.')
param namePrefix string = '[[namePrefix]]'

// ============ //
// Dependencies //
// ============ //
5 changes: 3 additions & 2 deletions modules/container-service/managed-clusters/README.md
Expand Up @@ -16,8 +16,8 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
| :-- | :-- |
| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
| `Microsoft.ContainerService/managedClusters` | [2023-03-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-03-02-preview/managedClusters) |
| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-03-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-03-02-preview/managedClusters/agentPools) |
| `Microsoft.ContainerService/managedClusters` | [2023-05-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-05-02-preview/managedClusters) |
| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-05-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-05-02-preview/managedClusters/agentPools) |
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) |
| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) |
Expand Down Expand Up @@ -98,6 +98,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
| `dnsZoneResourceId` | string | `''` | | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. |
| `enableAzureDefender` | bool | `False` | | Whether to enable Azure Defender. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
| `enableDnsZoneContributorRoleAssignment` | bool | `True` | | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. |
| `enableKeyvaultSecretsProvider` | bool | `False` | | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
| `enableOidcIssuerProfile` | bool | `False` | | Whether the The OIDC issuer profile of the Managed Cluster is enabled. |
| `enablePodSecurityPolicy` | bool | `False` | | Whether to enable Kubernetes pod security policy. |
Expand Up @@ -13,7 +13,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool

| Resource Type | API Version |
| :-- | :-- |
| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-03-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-03-02-preview/managedClusters/agentPools) |
| `Microsoft.ContainerService/managedClusters/agentPools` | [2023-05-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-05-02-preview/managedClusters/agentPools) |

## Parameters

Expand Up @@ -166,11 +166,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
}
}

resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-11-01' existing = {
resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-05-02-preview' existing = {
name: managedClusterName
}

resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2023-03-02-preview' = {
resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2023-05-02-preview' = {
name: name
parent: managedCluster
properties: {
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.18.4.5664",
"templateHash": "13561536489894419213"
"version": "0.19.5.34762",
"templateHash": "14718876477350380320"
}
},
"parameters": {
Expand Down Expand Up @@ -329,7 +329,7 @@
},
{
"type": "Microsoft.ContainerService/managedClusters/agentPools",
"apiVersion": "2022-11-01",
"apiVersion": "2023-05-02-preview",
"name": "[format('{0}/{1}', parameters('managedClusterName'), parameters('name'))]",
"properties": {
"availabilityZones": "[parameters('availabilityZones')]",
7 changes: 5 additions & 2 deletions modules/container-service/managed-clusters/main.bicep
Expand Up @@ -138,6 +138,9 @@ param webApplicationRoutingEnabled bool = false
@description('Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.')
param dnsZoneResourceId string = ''

@description('Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided.')
param enableDnsZoneContributorRoleAssignment bool = true

@description('Optional. Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not.')
param ingressApplicationGatewayEnabled bool = false

Expand Down Expand Up @@ -406,7 +409,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (ena
}
}

resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-05-02-preview' = {
name: name
location: location
tags: tags
Expand Down Expand Up @@ -635,7 +638,7 @@ resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (dnsZoneR
name: last(split(dnsZoneResourceId, '/'))!
}

resource dnsZone_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (dnsZoneResourceId != null && webApplicationRoutingEnabled) {
resource dnsZone_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) {
name: guid(dnsZoneResourceId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314'), 'DNS Zone Contributor')
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') // 'DNS Zone Contributor'
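Review bot: The rewritten condition on `dnsZone_roleAssignment` in the third hunk still tests `dnsZoneResourceId != null`, but that parameter is a string defaulting to `''` (first hunk of this section), so the comparison is always true and the rule stated in the new parameter's description ("ignored if ... `dnsZoneResourceId` not provided") is not enforced by this condition itself; unless the `existing` dnsZone reference's own condition (cut off at the top of the hunk) happens to cover it, an empty ID would be fed into `guid()` and a role assignment attempted without a valid zone scope. `== true` on a bool parameter is also redundant. Suggest `resource dnsZone_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableDnsZoneContributorRoleAssignment && !empty(dnsZoneResourceId) && webApplicationRoutingEnabled) {`; the resource body continues past the end of the hunk. The `@description` on `enableDnsZoneContributorRoleAssignment` in the first hunk has a typo, `assing` → `assigning`, and the README parameter-table row carries the same text, presumably because it is generated from this description.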