

Connectedk8s - RBAC: Add "arc "mode in Guard for using OBO service an…
…d deprecate --app-id & --app-secret params (Azure#6675)
vineeth-thumma authored Nov 30, 2023
1 parent 0185c63 commit a3c96db
Showing 7 changed files with 23 additions and 22 deletions.
8 changes: 7 additions & 1 deletion src/connectedk8s/HISTORY.rst
Expand Up @@ -3,6 +3,12 @@
Release History
===============

1.5.5
++++++
* Deprecate '--app-id' and '--app-secret' RBAC params.
* Use 1P apps for authN/authZ when RBAC is enabled.
* Add warning to use kubelogin version v0.0.32 or higher which has support for generating PoP token.

1.5.4
++++++
* Log debug if 'arcConfigEndpoint' doesn't exist in 'dataplaneEndpoints' ARM metadata.
Expand Down Expand Up @@ -86,7 +92,7 @@ Release History
1.3.10
++++++
* Added CLI heuristics change
* Added AKS IOT infra support
* Added AKS IOT infra support
* Bug Fix in precheckutils

1.3.9
1 change: 0 additions & 1 deletion src/connectedk8s/azext_connectedk8s/_constants.py
Expand Up @@ -118,7 +118,6 @@
Operate_RG_Cluster_Name_Conflict = 'The provided cluster name and rg correspond to different cluster being operated on'
Custom_Locations_Registration_Check_Fault_Type = "Error while checking resource provider registration of custom locations."
Custom_Locations_OID_Fetch_Fault_Type = "Error while fetching oid for custom locations."
Application_Details_Not_Provided_For_Azure_RBAC_Fault = 'Application ID or secret not provided for Azure RBAC'
Successfully_Enabled_Features = 'Successsfully enabled features: {} for the Connected Cluster {}'
Successfully_Disabled_Features = 'Successsfully disabled features: {} for the Connected Cluster {}'
Error_enabling_Features = 'Error while updating agents for enabling features. Please run \"kubectl get pods -n azure-arc\" to check the pods in case of timeout error. Error: {}'
2 changes: 1 addition & 1 deletion src/connectedk8s/azext_connectedk8s/_help.py
Expand Up @@ -109,7 +109,7 @@
- name: Enables the Cluster-Connect feature.
text: az connectedk8s enable-features -n clusterName -g resourceGroupName --features cluster-connect
- name: Enable Azure RBAC feature.
text: az connectedk8s enable-features -n clusterName -g resourceGroupName --features azure-rbac --app-id appID --app-secret="appSecret" --skip-azure-rbac-list "user1@domain.com,spn_oid"
text: az connectedk8s enable-features -n clusterName -g resourceGroupName --features azure-rbac --skip-azure-rbac-list "user1@domain.com,spn_oid"
- name: Enable multiple features.
text: az connectedk8s enable-features -n clusterName -g resourceGroupName --features cluster-connect custom-locations
"""
4 changes: 2 additions & 2 deletions src/connectedk8s/azext_connectedk8s/_params.py
Expand Up @@ -80,8 +80,8 @@ def load_arguments(self, _):
c.argument('kube_config', options_list=['--kube-config'], help='Path to the kube config file.')
c.argument('kube_context', options_list=['--kube-context'], help='Kubconfig context from current machine.')
c.argument('features', features_types, options_list=['--features'], help='Space-separated list of features you want to enable.')
c.argument('azrbac_client_id', options_list=['--app-id'], arg_group='Azure RBAC', help='Application ID for enabling Azure RBAC. Specify when enabling azure-rbac.')
c.argument('azrbac_client_secret', options_list=['--app-secret'], arg_group='Azure RBAC', help='Application secret for enabling Azure RBAC. Specify when enabling azure-rbac.')
c.argument('azrbac_client_id', options_list=['--app-id'], arg_group='Azure RBAC', help='Application ID for enabling Azure RBAC.', deprecate_info=c.deprecate(hide=True))
c.argument('azrbac_client_secret', options_list=['--app-secret'], arg_group='Azure RBAC', help='Application secret for enabling Azure RBAC.', deprecate_info=c.deprecate(hide=True))
c.argument('azrbac_skip_authz_check', options_list=['--skip-azure-rbac-list'], arg_group='Azure RBAC', help='Comma separated list of names of usernames/email/oid. Azure RBAC will be skipped for these users. Specify when enabling azure-rbac.')
c.argument('cl_oid', options_list=['--custom-locations-oid'], help="OID of 'custom-locations' app")
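Review bot: The deprecated `--app-id` and `--app-secret` arguments on the two new `c.argument` lines keep help text that still reads as an instruction to supply them ("Application ID for enabling Azure RBAC."), while the rest of this commit stops forwarding those values to guard, so a caller who follows the help puts a client secret on the command line for no effect. Consider stating that in the help, e.g. `help='Application ID for enabling Azure RBAC. Deprecated and ignored; Azure RBAC now uses the Arc first-party apps.'` and the same wording for the secret, so the deprecation is visible even with `hide=True`. Whether `c.deprecate` in this CLI version also takes an explicit redirect or message I cannot confirm from this page. load_arguments continues outside the hunk.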

9 changes: 3 additions & 6 deletions src/connectedk8s/azext_connectedk8s/custom.py
Expand Up @@ -1396,10 +1396,6 @@ def enable_features(cmd, client, resource_group_name, cluster_name, features, ku
raise InvalidArgumentValueError("The features 'cluster-connect' and 'custom-locations' cannot be enabled for a private link enabled connected cluster.")

if enable_azure_rbac:
if (azrbac_client_id is None) or (azrbac_client_secret is None):
telemetry.set_exception(exception='Application ID or secret is not provided for Azure RBAC', fault_type=consts.Application_Details_Not_Provided_For_Azure_RBAC_Fault,
summary='Application id, application secret is required to enable/update Azure RBAC feature')
raise RequiredArgumentMissingError("Please provide Application id, application secret to enable/update Azure RBAC feature")
if azrbac_skip_authz_check is None:
azrbac_skip_authz_check = ""
azrbac_skip_authz_check = escape_proxy_settings(azrbac_skip_authz_check)
Expand Down Expand Up @@ -1487,8 +1483,9 @@ def enable_features(cmd, client, resource_group_name, cluster_name, features, ku
cmd_helm_upgrade.extend(["--kube-context", kube_context])
if enable_azure_rbac:
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.enabled=true"])
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.clientId={}".format(azrbac_client_id)])
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.clientSecret={}".format(azrbac_client_secret)])
# Setting the default authnMode mode as "arc" for guard. This mode uses PoP token based auth. and Arc RBAC 1P apps for authN/authZ.
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.authnMode=arc"])
logger.warning("Please use the kubelogin version v0.0.32 or higher which has support for generating PoP token(s). This is needed by guard running in 'arc' authN mode.")
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.skipAuthzCheck={}".format(azrbac_skip_authz_check)])
if enable_cluster_connect:
cmd_helm_upgrade.extend(["--set", "systemDefaultValues.clusterconnect-agent.enabled=true"])
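Review bot: With the `azrbac_client_id`/`azrbac_client_secret` check removed in the first hunk, enable_features still accepts both parameters but, as far as the two visible hunks show, never reads them any more, so a deprecated `--app-secret` value is accepted silently and the caller gets no signal that the secret was not used. A one-line notice at the top of the `if enable_azure_rbac:` block would make the migration explicit: `if azrbac_client_id is not None or azrbac_client_secret is not None: logger.warning("'--app-id' and '--app-secret' are deprecated and ignored; guard now runs in 'arc' authN mode.")`. The new comment in the second hunk could also record why the mode is forced rather than exposed as an option, since a reader will otherwise look for a parameter that sets it. enable_features starts and ends outside both hunks.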
Expand Up @@ -150,9 +150,8 @@ class Connectedk8sScenarioTest(LiveScenarioTest):
@live_only()
@ResourceGroupPreparer(name_prefix='conk8stest', location=CONFIG['location'], random_name_length=16)
def test_connect(self,resource_group):

managed_cluster_name = self.create_random_name(prefix='test-connect', length=24)
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
self.kwargs.update({
'rg': resource_group,
'name': self.create_random_name(prefix='cc-', length=12),
Expand Down Expand Up @@ -181,7 +180,7 @@ def test_connect(self,resource_group):
def test_forcedelete(self,resource_group):

managed_cluster_name = self.create_random_name(prefix='test-force-delete', length=24)
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
self.kwargs.update({
'rg': resource_group,
'name': self.create_random_name(prefix='cc-', length=12),
Expand Down Expand Up @@ -240,7 +239,7 @@ def test_enable_disable_features(self,resource_group):
'rbac_app_secret': CONFIG['rbacAppSecret'],
'location': CONFIG['location']
})

self.cmd('aks create -g {rg} -n {managed_cluster_name} --generate-ssh-keys')
self.cmd('aks get-credentials -g {rg} -n {managed_cluster_name} -f {kubeconfig} --admin')
self.cmd('connectedk8s connect -g {rg} -n {name} -l {location} --tags foo=doo --kube-config {kubeconfig} --kube-context {managed_cluster_name}-admin', checks=[
Expand Down Expand Up @@ -299,15 +298,15 @@ def test_enable_disable_features(self,resource_group):
assert(enabled_cmd1["systemDefaultValues"]['customLocations']['enabled'] == bool(1))
assert(enabled_cmd1["systemDefaultValues"]['clusterconnect-agent']['enabled'] == bool(1))

# scenario-4: azure rbac turned off and turning azure rbac on again using app id and app secret
# scenario-4: azure rbac turned off and turning azure rbac on again using 1P
self.cmd('connectedk8s disable-features -n {name} -g {rg} --features azure-rbac --kube-config {kubeconfig} --kube-context {managed_cluster_name}-admin -y')
cmd_output1 = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE)
_, error_helm_delete = cmd_output1.communicate()
assert(cmd_output1.returncode == 0)
disabled_cmd1 = json.loads(cmd_output1.communicate()[0].strip())
assert(disabled_cmd1["systemDefaultValues"]['guard']['enabled'] == bool(0))

self.cmd('az connectedk8s enable-features -n {name} -g {rg} --kube-config {kubeconfig} --kube-context {managed_cluster_name}-admin --features azure-rbac --app-id {rbac_app_id} --app-secret {rbac_app_secret}')
self.cmd('az connectedk8s enable-features -n {name} -g {rg} --kube-config {kubeconfig} --kube-context {managed_cluster_name}-admin --features azure-rbac')

# deleting the cluster
self.cmd('connectedk8s delete -g {rg} -n {name} --kube-config {kubeconfig} --kube-context {managed_cluster_name}-admin -y')
Expand All @@ -323,14 +322,14 @@ def test_connectedk8s_list(self,resource_group):

managed_cluster_name = self.create_random_name(prefix='first', length=24)
managed_cluster_name_second = self.create_random_name(prefix='second', length=24)
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfigpls="%s" % (_get_test_data_file('pls-config.yaml'))
name = self.create_random_name(prefix='cc-', length=12)
name_second = self.create_random_name(prefix='cc-', length=12)
managed_cluster_list=[]
managed_cluster_list.append(name)
managed_cluster_list.append(name_second)
managed_cluster_list.sort()
managed_cluster_list.sort()
self.kwargs.update({
'rg': resource_group,
'name': name,
Expand Down Expand Up @@ -396,7 +395,7 @@ def test_connectedk8s_list(self,resource_group):
def test_upgrade(self,resource_group):

managed_cluster_name = self.create_random_name(prefix='test-upgrade', length=24)
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
self.kwargs.update({
'name': self.create_random_name(prefix='cc-', length=12),
'rg': resource_group,
Expand Down Expand Up @@ -461,7 +460,7 @@ def test_upgrade(self,resource_group):
@ResourceGroupPreparer(name_prefix='conk8stest', location=CONFIG['location'], random_name_length=16)
def test_update(self,resource_group):
managed_cluster_name = self.create_random_name(prefix='test-update', length=24)
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
kubeconfig="%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
self.kwargs.update({
'name': self.create_random_name(prefix='cc-', length=12),
'kubeconfig': kubeconfig,
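Review bot: The updated `enable-features` command in scenario-4 no longer references `{rbac_app_id}` or `{rbac_app_secret}`, but the kwargs block earlier in test_enable_disable_features still reads `'rbac_app_secret': CONFIG['rbacAppSecret']` (and presumably the app id entry just above it, outside the hunk), so the live-test configuration keeps holding an application secret that no command in the visible hunks consumes. Dropping those two entries from `self.kwargs.update` and from the test CONFIG removes a dead secret from the fixture. test_enable_disable_features starts outside the shown hunks; the other hunks in this section are whitespace-only changes.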
2 changes: 1 addition & 1 deletion src/connectedk8s/setup.py
Expand Up @@ -17,7 +17,7 @@
# TODO: Confirm this is the right version number you want and it matches your
# HISTORY.rst entry.

VERSION = '1.5.4'
VERSION = '1.5.5'

# The full list of classifiers is available at
# https://pypi.python.org/pypi?%3Aaction=list_classifiers
