{aks} Add Windows gMSAv2 support

src/aks-preview/HISTORY.md

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.5.37
++++++
+* Add Windows gMSA v2 support. Add parameters `--enable-windows-gmsa`, `--gmsa-dns-server` and `--gmsa-root-domain-name`
+
 0.5.36
 +++++
 * Update to use 2021-09-01 api-version

src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json

@@ -39,7 +39,9 @@
             "test_aks_create_and_update_with_managed_nat_gateway_outbound",
             "test_aks_create_with_http_proxy_config",
             "test_aks_nodepool_add_with_workload_runtime",
-            "test_aks_nodepool_add_with_gpu_instance_profile"
+            "test_aks_nodepool_add_with_gpu_instance_profile",
+            "test_aks_create_with_windows_gmsa",
+            "test_aks_update_with_windows_gmsa"
         ]
     }
 }

src/aks-preview/azext_aks_preview/_help.py

@@ -358,6 +358,21 @@
         - name: --gpu-instance-profile
           type: string
           short-summary: GPU instance profile to partition multi-gpu Nvidia GPUs.
+        - name: --enable-windows-gmsa
+          type: bool
+          short-summary: Enable Windows gmsa.
+        - name: --gmsa-dns-server
+          type: string
+          short-summary: Specify DNS server for Windows gmsa for this cluster.
+          long-summary: |-
+             You do not need to set this if you have set DNS server in the VNET used by the cluster.
+             You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
+        - name: --gmsa-root-domain-name
+          type: string
+          short-summary: Specify root domain name for Windows gmsa for this cluster.
+          long-summary: |-
+             You do not need to set this if you have set DNS server in the VNET used by the cluster.
+             You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -407,6 +422,10 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
         - name: Create a kubernetes cluster with a specific os-sku
           text: az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu
+        - name: Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa
+        - name: Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
 """.format(sp_cache=AKS_SERVICE_PRINCIPAL_CACHE)
 
 helps['aks scale'] = """
@@ -587,6 +606,21 @@
         - name: --disable-public-fqdn
           type: bool
           short-summary: Disable public fqdn feature for private cluster.
+        - name: --enable-windows-gmsa
+          type: bool
+          short-summary: Enable Windows gmsa on cluster.
+        - name: --gmsa-dns-server
+          type: string
+          short-summary: Specify DNS server for Windows gmsa on cluster.
+          long-summary: |-
+             You do not need to set this if you have set DNS server in the VNET used by the cluster.
+             You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
+        - name: --gmsa-root-domain-name
+          type: string
+          short-summary: Specify root domain name for Windows gmsa on cluster.
+          long-summary: |-
+             You do not need to set this if you have set DNS server in the VNET used by the cluster.
+             You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
     examples:
       - name: Enable cluster-autoscaler within node count range [1,5]
         text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
@@ -638,6 +672,10 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac
       - name: Disable Azure RBAC in a managed AAD AKS cluster
         text: az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac
+      - name: Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa
+      - name: Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
 """
 
 helps['aks kollect'] = """

src/aks-preview/azext_aks_preview/_params.py

@@ -146,6 +146,9 @@ def load_arguments(self, _):
         c.argument('assign_kubelet_identity', type=str, validator=validate_assign_kubelet_identity)
         c.argument('disable_local_accounts', action='store_true')
         c.argument('gpu_instance_profile', arg_type=get_enum_type(gpu_instance_profiles))
+        c.argument('enable_windows_gmsa', action='store_true', options_list=['--enable-windows-gmsa'])
+        c.argument('gmsa_dns_server', options_list=['--gmsa-dns-server'])
+        c.argument('gmsa_root_domain_name', options_list=['--gmsa-root-domain-name'])
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
         c.argument('workload_runtime', arg_type=get_enum_type(workload_runtimes), default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER)
 
@@ -183,6 +186,9 @@ def load_arguments(self, _):
         c.argument('windows_admin_password', options_list=['--windows-admin-password'])
         c.argument('disable_local_accounts', action='store_true')
         c.argument('enable_local_accounts', action='store_true')
+        c.argument('enable_windows_gmsa', action='store_true', options_list=['--enable-windows-gmsa'])
+        c.argument('gmsa_dns_server', options_list=['--gmsa-dns-server'])
+        c.argument('gmsa_root_domain_name', options_list=['--gmsa-root-domain-name'])
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('aks scale') as c:

src/aks-preview/azext_aks_preview/custom.py

@@ -80,7 +80,8 @@
                                                                       ManagedClusterPodIdentityProfile,
                                                                       ManagedClusterPodIdentity,
                                                                       ManagedClusterPodIdentityException,
-                                                                      UserAssignedIdentity)
+                                                                      UserAssignedIdentity,
+                                                                      WindowsGmsaProfile)
 from ._client_factory import cf_resource_groups
 from ._client_factory import get_auth_management_client
 from ._client_factory import get_graph_rbac_management_client
@@ -821,6 +822,9 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
                assign_kubelet_identity=None,
                workload_runtime=None,
                gpu_instance_profile=None,
+               enable_windows_gmsa=False,
+               gmsa_dns_server=None,
+               gmsa_root_domain_name=None,
                yes=False):
     if not no_ssh_key:
         try:
@@ -925,10 +929,30 @@ def aks_create(cmd,     # pylint: disable=too-many-locals,too-many-statements,to
             windows_license_type = 'Windows_Server'
 
         windows_profile = ManagedClusterWindowsProfile(
+            # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="no secret in next line")]
             admin_username=windows_admin_username,
             admin_password=windows_admin_password,
             license_type=windows_license_type)
 
+        if enable_windows_gmsa:
+            windows_profile.gmsa_profile = WindowsGmsaProfile(
+                enabled=True)
+            if gmsa_dns_server is not None and gmsa_root_domain_name is not None:
+                windows_profile.gmsa_profile.dns_server = gmsa_dns_server
+                windows_profile.gmsa_profile.root_domain_name = gmsa_root_domain_name
+            elif gmsa_dns_server is None and gmsa_root_domain_name is None:
+                msg = ('Please assure that you have set the DNS server in the vnet used by the cluster when not specifying --gmsa-dns-server and --gmsa-root-domain-name')
+                from knack.prompting import prompt_y_n
+                if not yes and not prompt_y_n(msg, default="n"):
+                    return None
+            else:
+                raise ArgumentUsageError(
+                    'You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time.')
+        else:
+            if gmsa_dns_server is not None or gmsa_root_domain_name is not None:
+                raise ArgumentUsageError(
+                    'You only can set --gmsa-dns-server and --gmsa-root-domain-name when setting --enable-windows-gmsa.')
+
     service_principal_profile = None
     principal_obj = None
     # If customer explicitly provides a service principal, disable managed identity.
@@ -1338,7 +1362,10 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                tags=None,
                windows_admin_password=None,
                enable_azure_rbac=False,
-               disable_azure_rbac=False):
+               disable_azure_rbac=False,
+               enable_windows_gmsa=False,
+               gmsa_dns_server=None,
+               gmsa_root_domain_name=None):
     update_autoscaler = enable_cluster_autoscaler or disable_cluster_autoscaler or update_cluster_autoscaler
     update_acr = attach_acr is not None or detach_acr is not None
     update_pod_security = enable_pod_security_policy or disable_pod_security_policy
@@ -1377,7 +1404,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
        not enable_local_accounts and \
        not disable_local_accounts and \
        not enable_public_fqdn and \
-       not disable_public_fqdn:
+       not disable_public_fqdn and \
+       not enable_windows_gmsa:
         raise CLIError('Please specify "--enable-cluster-autoscaler" or '
                        '"--disable-cluster-autoscaler" or '
                        '"--update-cluster-autoscaler" or '
@@ -1412,7 +1440,8 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                        '"--enable-local-accounts" or '
                        '"--disable-local-accounts" or '
                        '"--enable-public-fqdn" or '
-                       '"--disable-public-fqdn"')
+                       '"--disable-public-fqdn"'
+                       '"--enble-windows-gmsa"')
     instance = client.get(resource_group_name, name)
 
     if update_autoscaler and len(instance.agent_pool_profiles) > 1:
@@ -1701,6 +1730,24 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
     if windows_admin_password:
         instance.windows_profile.admin_password = windows_admin_password
 
+    if enable_windows_gmsa:
+        instance.windows_profile.gmsa_profile = WindowsGmsaProfile(enabled=True)
+        if gmsa_dns_server is not None and gmsa_root_domain_name is not None:
+            instance.windows_profile.gmsa_profile.dns_server = gmsa_dns_server
+            instance.windows_profile.gmsa_profile.root_domain_name = gmsa_root_domain_name
+        elif gmsa_dns_server is None and gmsa_root_domain_name is None:
+            msg = ('Please assure that you have set the DNS server in the vnet used by the cluster when not specifying --gmsa-dns-server and --gmsa-root-domain-name')
+            from knack.prompting import prompt_y_n
+            if not yes and not prompt_y_n(msg, default="n"):
+                return None
+        else:
+            raise ArgumentUsageError(
+                'You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time.')
+    else:
+        if gmsa_dns_server is not None or gmsa_root_domain_name is not None:
+            raise ArgumentUsageError(
+                'You only can set --gmsa-dns-server and --gmsa-root-domain-name when setting --enable-windows-gmsa.')
+
     headers = get_aks_custom_headers(aks_custom_headers)
 
     return _put_managed_cluster_ensuring_permission(cmd,