[AKS] Implement --enable-oidc-issuer (#4280)

* feat: define new argument * feat: construct oidc issuer profile from user input * feat: bump version * test: add unit tests * test: add live tests * fix: remove issuerUrl check * test: add recordings * doc: update history.md * chore: exclude tests
Azure · Jan 4, 2022 · c721194 · c721194
1 parent 3bcc340
commit c721194
Show file tree

Hide file tree

Showing 11 changed files with 1,801 additions and 5 deletions.
diff --git a/src/aks-preview/HISTORY.md b/src/aks-preview/HISTORY.md
@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.5.50
+++++++
+* Add support for enabling OIDC issuer with `--enable-oidc-issuer` flag.
+
 0.5.49
 ++++++
 * Add support for Alias Minor Version.

diff --git a/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json b/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json
@@ -24,7 +24,9 @@
             "test_aks_create_with_http_proxy_config",
             "test_aks_nodepool_add_with_workload_runtime",
             "test_aks_nodepool_add_with_gpu_instance_profile",
-            "test_aks_snapshot"
+            "test_aks_snapshot",
+            "test_aks_create_with_oidc_issuer_enabled",
+            "test_aks_update_with_oidc_issuer_enabled"
         ]
     }
-}
+}
diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py
@@ -395,6 +395,9 @@
         - name: --snapshot-id
           type: string
           short-summary: The source snapshot id used to create this cluster.
+        - name: --enable-oidc-issuer
+          type: bool
+          short-summary: (PREVIEW) Enable OIDC issuer.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -652,6 +655,9 @@
           long-summary: |-
              You do not need to set this if you have set DNS server in the VNET used by the cluster.
              You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
+        - name: --enable-oidc-issuer
+          type: bool
+          short-summary: (PREVIEW) Enable OIDC issuer.
     examples:
       - name: Enable cluster-autoscaler within node count range [1,5]
         text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster

diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py
@@ -159,6 +159,7 @@ def load_arguments(self, _):
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
         c.argument('workload_runtime', arg_type=get_enum_type(workload_runtimes), default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER)
         c.argument('snapshot_id', type=str, validator=validate_snapshot_id, is_preview=True)
+        c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
 
     with self.argument_context('aks update') as c:
         c.argument('enable_cluster_autoscaler', options_list=["--enable-cluster-autoscaler", "-e"], action='store_true')
@@ -202,6 +203,7 @@ def load_arguments(self, _):
         c.argument('gmsa_root_domain_name', options_list=['--gmsa-root-domain-name'])
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
         c.argument('nodepool_labels', nargs='*', validator=validate_nodepool_labels, help='space-separated labels: key[=value] [key[=value] ...]. See https://aka.ms/node-labels for syntax of labels.')
+        c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
 
     with self.argument_context('aks scale') as c:
         c.argument('nodepool_name', type=str,

diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
@@ -757,6 +757,7 @@ def aks_create(cmd,
                gmsa_dns_server=None,
                gmsa_root_domain_name=None,
                snapshot_id=None,
+               enable_oidc_issuer=False,
                yes=False):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
@@ -833,7 +834,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                disable_azure_rbac=False,
                enable_windows_gmsa=False,
                gmsa_dns_server=None,
-               gmsa_root_domain_name=None):
+               gmsa_root_domain_name=None,
+               enable_oidc_issuer=False):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
 

diff --git a/src/aks-preview/azext_aks_preview/decorator.py b/src/aks-preview/azext_aks_preview/decorator.py
@@ -77,6 +77,7 @@
 ManagedClusterHTTPProxyConfig = TypeVar("ManagedClusterHTTPProxyConfig")
 ContainerServiceNetworkProfile = TypeVar("ContainerServiceNetworkProfile")
 ManagedClusterAddonProfile = TypeVar("ManagedClusterAddonProfile")
+ManagedClusterOIDCIssuerProfile = TypeVar('ManagedClusterOIDCIssuerProfile')
 Snapshot = TypeVar("Snapshot")
 
 
@@ -114,6 +115,11 @@ def __init__(self, cmd: AzCommandsLoader, resource_type: ResourceType):
         self.init_nat_gateway_models()
         # holder for pod identity related models
         self.__pod_identity_models = None
+        self.ManagedClusterOIDCIssuerProfile = self.__cmd.get_models(
+            "ManagedClusterOIDCIssuerProfile",
+            resource_type=self.resource_type,
+            operation_group="managed_clusters",
+        )
 
     # TODO: convert this to @property
     def init_nat_gateway_models(self) -> None:
@@ -1492,6 +1498,24 @@ def get_node_vm_size(self) -> str:
         """
         return self._get_node_vm_size()
 
+    def get_oidc_issuer_profile(self) -> ManagedClusterOIDCIssuerProfile:
+        """Obtain the value of oidc_issuer_profile based on the user input.
+
+        :return: ManagedClusterOIDCIssuerProfile
+        """
+        enable_flag_value = bool(self.raw_param.get("enable_oidc_issuer"))
+        if not enable_flag_value:
+            # enable flag not set, return a None profile, server side will backfill the default/existing value
+            return None
+
+        profile = self.models.ManagedClusterOIDCIssuerProfile()
+        if self.decorator_mode == DecoratorMode.UPDATE:
+            if self.mc.oidc_issuer_profile is not None:
+                profile = self.mc.oidc_issuer_profile
+        profile.enabled = True
+
+        return profile
+
 
 class AKSPreviewCreateDecorator(AKSCreateDecorator):
     # pylint: disable=super-init-not-called
@@ -1799,6 +1823,15 @@ def set_up_windows_profile(self, mc: ManagedCluster) -> ManagedCluster:
         mc.windows_profile = windows_profile
         return mc
 
+    def set_up_oidc_issuer_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Set up OIDC issuer profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        mc.oidc_issuer_profile = self.context.get_oidc_issuer_profile()
+
+        return mc
+
     def construct_mc_preview_profile(self) -> ManagedCluster:
         """The overall controller used to construct the preview ManagedCluster profile.
 
@@ -1817,6 +1850,7 @@ def construct_mc_preview_profile(self) -> ManagedCluster:
         mc = self.set_up_pod_security_policy(mc)
         # set up pod identity profile
         mc = self.set_up_pod_identity_profile(mc)
+        mc = self.set_up_oidc_issuer_profile(mc)
         return mc
 
     def create_mc_preview(self, mc: ManagedCluster) -> ManagedCluster:
@@ -1963,7 +1997,8 @@ def check_raw_parameters(self):
                 '"--enable-public-fqdn" or '
                 '"--disable-public-fqdn"'
                 '"--enble-windows-gmsa" or '
-                '"--nodepool-labels".'
+                '"--nodepool-labels" or '
+                '"--enable-oidc-issuer".'
             )
 
     def update_load_balancer_profile(self, mc: ManagedCluster) -> ManagedCluster:
@@ -2078,6 +2113,17 @@ def update_pod_identity_profile(self, mc: ManagedCluster) -> ManagedCluster:
             _update_addon_pod_identity(mc, enable=False, models=self.models.pod_identity_models)
         return mc
 
+    def update_oidc_issuer_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update OIDC issuer profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        mc.oidc_issuer_profile = self.context.get_oidc_issuer_profile()
+
+        return mc
+
     def patch_mc(self, mc: ManagedCluster) -> ManagedCluster:
         """Helper function to patch the ManagedCluster object.
 
@@ -2109,6 +2155,7 @@ def update_mc_preview_profile(self) -> ManagedCluster:
         mc = self.update_nat_gateway_profile(mc)
         # update pod identity profile
         mc = self.update_pod_identity_profile(mc)
+        mc = self.update_oidc_issuer_profile(mc)
         return mc
 
     def update_mc_preview(self, mc: ManagedCluster) -> ManagedCluster: