diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst index 038194b61fd..6f48e9b2ccb 100644 --- a/src/aks-preview/HISTORY.rst +++ b/src/aks-preview/HISTORY.rst @@ -13,7 +13,12 @@ Pending +++++++ * Vendor new SDK and bump API version to 2023-04-02-preview. +0.5.140 ++++++++ +* `az aks create` and `az aks enable-addons`: Change the default value of `--enable-msi-auth-for-monitoring` to `true` and add check for airgap clouds for monitoring addon + 0.5.139 ++++++++ * `az aks create` and `az aks nodepool add`: Add warning message when specifying `--os-sku` to `Mariner` or `CBLMariner`. 0.5.138 diff --git a/src/aks-preview/azext_aks_preview/addonconfiguration.py b/src/aks-preview/azext_aks_preview/addonconfiguration.py index 509e478cb07..30bd6a83a37 100644 --- a/src/aks-preview/azext_aks_preview/addonconfiguration.py +++ b/src/aks-preview/azext_aks_preview/addonconfiguration.py @@ -61,12 +61,16 @@ def enable_addons(cmd, rotation_poll_interval=None, no_wait=False, dns_zone_resource_id=None, - enable_msi_auth_for_monitoring=False, + enable_msi_auth_for_monitoring=True, enable_syslog=False, data_collection_settings=None): instance = client.get(resource_group_name, name) # this is overwritten by _update_addons(), so the value needs to be recorded here - msi_auth = True if instance.service_principal_profile.client_id == "msi" else False + msi_auth = False + if instance.service_principal_profile.client_id == "msi": + msi_auth = True + else: + enable_msi_auth_for_monitoring = False subscription_id = get_subscription_id(cmd.cli_ctx) instance = update_addons(cmd, instance, subscription_id, resource_group_name, name, addons, enable=True, 
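Review bot: The new `msi_auth` block in enable_addons spends four lines on what is one boolean and one guard: `msi_auth = instance.service_principal_profile.client_id == "msi"` followed by `if not msi_auth:` / `    enable_msi_auth_for_monitoring = False`. The identical four-line shape is repeated in aks_enable_addons in custom.py, and update_addons in this same file now performs the same `client_id != "msi"` reset itself, so the override here is only needed if enable_addons reads the flag later in its body, which continues outside the hunk. Because the default is now True the function can no longer tell an explicit `--enable-msi-auth-for-monitoring` from the default, so a service-principal cluster is silently moved to legacy auth; a `logger.info("cluster is not MSI-enabled; monitoring addon will use legacy auth")` at the override would make that visible in verbose output.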
@@ -139,17 +143,7 @@ def enable_addons(cmd, # adding a wait here since we rely on the result for role assignment result = LongRunningOperation(cmd.cli_ctx)( client.begin_create_or_update(resource_group_name, name, instance)) - cloud_name = cmd.cli_ctx.cloud.name - # mdm metrics supported only in Azure Public cloud so add the role assignment only in this cloud - if monitoring_addon_enabled and cloud_name.lower() == 'azurecloud': - from msrestazure.tools import resource_id - cluster_resource_id = resource_id( - subscription=subscription_id, - resource_group=resource_group_name, - namespace='Microsoft.ContainerService', type='managedClusters', - name=name - ) - add_monitoring_role_assignment(result, cluster_resource_id, cmd) + if ingress_appgw_addon_enabled: add_ingress_appgw_addon_role_assignment(result, cmd) if enable_virtual_node: @@ -177,7 +171,7 @@ def update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements enable, check_enabled=True, workspace_resource_id=None, - enable_msi_auth_for_monitoring=False, + enable_msi_auth_for_monitoring=True, subnet_name=None, appgw_name=None, appgw_subnet_prefix=None, @@ -199,6 +193,9 @@ def update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements os_type = 'Linux' + if instance.service_principal_profile.client_id != "msi": + enable_msi_auth_for_monitoring = False + # load model ManagedClusterAddonProfile = cmd.get_models( "ManagedClusterAddonProfile", 
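Review bot: Dropping the `add_monitoring_role_assignment` call removes the automatic 'Monitoring Metrics Publisher' assignment on the cluster for the non-MSI monitoring path in the public cloud, and the 0.5.140 HISTORY.rst entry describes only the default flip, not this; the same block is removed from aks_enable_addons in custom.py and the helper itself is deleted from this file further down. Clusters whose `service_principal_profile.client_id` is not "msi" are now forced to legacy auth by the new override and will no longer receive that role, so an operator upgrading the extension cannot tell from the changelog that the permission must now be granted out of band. I cannot see whether the MSI-auth path provisions this permission elsewhere; either way the changelog bullet should say it, e.g. `* ... and no longer assigns the 'Monitoring Metrics Publisher' role to the service principal / omsagent identity when enabling the monitoring addon.` The body of enable_addons continues outside the hunk.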
@@ -262,9 +259,15 @@ def update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements workspace_resource_id = sanitize_loganalytics_ws_resource_id( workspace_resource_id) + cloud_name = cmd.cli_ctx.cloud.name + if enable_msi_auth_for_monitoring and (cloud_name.lower() == 'ussec' or cloud_name.lower() == 'usnat'): + if instance.identity is not None and instance.identity.type is not None and instance.identity.type == "userassigned": + logger.warning("--enable_msi_auth_for_monitoring is not supported in %s cloud and continuing monitoring enablement without this flag.", cloud_name) + enable_msi_auth_for_monitoring = False + addon_profile.config = { logAnalyticsConstName: workspace_resource_id} - addon_profile.config[CONST_MONITORING_USING_AAD_MSI_AUTH] = enable_msi_auth_for_monitoring + addon_profile.config[CONST_MONITORING_USING_AAD_MSI_AUTH] = "true" if enable_msi_auth_for_monitoring else "false" elif addon == (CONST_VIRTUAL_NODE_ADDON_NAME + os_type): if addon_profile.enabled and check_enabled: raise CLIError('The virtual-node addon is already enabled for this managed cluster.\n' 
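Review bot: The warning in the new air-gap check names the option as `--enable_msi_auth_for_monitoring`, but the CLI flag is spelled `--enable-msi-auth-for-monitoring` (as HISTORY.rst and the tests in this diff show), so the message points users at a flag that does not exist. The `instance.identity.type == "userassigned"` comparison is exact-case; if the SDK returns the enum value "UserAssigned" as in the public models, the branch never fires and MSI auth stays on in ussec/usnat for the very case the check targets, so compare case-insensitively. The same block is duplicated verbatim in _update_addons in custom.py and should get the same fix. Suggested lines: `if enable_msi_auth_for_monitoring and cloud_name.lower() in ('ussec', 'usnat'):` / `    if instance.identity is not None and str(instance.identity.type or "").lower() == "userassigned":` / `        logger.warning("--enable-msi-auth-for-monitoring is not supported in %s cloud, continuing monitoring enablement without this flag.", cloud_name)`. If the intent is to disable MSI auth in those clouds regardless of identity type, the inner condition is narrower than the changelog wording suggests; confirm which is meant.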
@@ -348,39 +351,6 @@ def update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements return instance -def add_monitoring_role_assignment(result, cluster_resource_id, cmd): - service_principal_msi_id = None - # Check if service principal exists, if it does, assign permissions to service principal - # Else, provide permissions to MSI - if ( - hasattr(result, 'service_principal_profile') and - hasattr(result.service_principal_profile, 'client_id') and - result.service_principal_profile.client_id != 'msi' - ): - logger.info('valid service principal exists, using it') - service_principal_msi_id = result.service_principal_profile.client_id - is_service_principal = True - elif ( - (hasattr(result, 'addon_profiles')) and - (CONST_MONITORING_ADDON_NAME in result.addon_profiles) and - (hasattr(result.addon_profiles[CONST_MONITORING_ADDON_NAME], 'identity')) and - (hasattr( - result.addon_profiles[CONST_MONITORING_ADDON_NAME].identity, 'object_id')) - ): - logger.info('omsagent MSI exists, using it') - service_principal_msi_id = result.addon_profiles[CONST_MONITORING_ADDON_NAME].identity.object_id - is_service_principal = False - - if service_principal_msi_id is not None: - if not add_role_assignment(cmd, 'Monitoring Metrics Publisher', - service_principal_msi_id, is_service_principal, scope=cluster_resource_id): - logger.warning('Could not create a role assignment for Monitoring addon. ' - 'Are you an Owner on this subscription?') - else: - logger.warning('Could not find service principal or user assigned MSI for role' - 'assignment') - - def add_ingress_appgw_addon_role_assignment(result, cmd): service_principal_msi_id = None # Check if service principal exists, if it does, assign permissions to service principal diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index 82eecb6a694..30d217db4d6 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py 
@@ -62,7 +62,6 @@ from azext_aks_preview._resourcegroup import get_rg_location from azext_aks_preview.addonconfiguration import ( add_ingress_appgw_addon_role_assignment, - add_monitoring_role_assignment, add_virtual_node_role_assignment, enable_addons, ) @@ -500,7 +499,7 @@ def aks_create( # addons enable_addons=None, workspace_resource_id=None, - enable_msi_auth_for_monitoring=False, + enable_msi_auth_for_monitoring=True, enable_syslog=False, data_collection_settings=None, aci_subnet_name=None, @@ -1455,7 +1454,7 @@ def aks_addon_enable(cmd, client, resource_group_name, name, addon, workspace_re subnet_name=None, appgw_name=None, appgw_subnet_prefix=None, appgw_subnet_cidr=None, appgw_id=None, appgw_subnet_id=None, appgw_watch_namespace=None, enable_sgxquotehelper=False, enable_secret_rotation=False, rotation_poll_interval=None, - no_wait=False, enable_msi_auth_for_monitoring=False, + no_wait=False, enable_msi_auth_for_monitoring=True, dns_zone_resource_id=None, enable_syslog=False, data_collection_settings=None): return enable_addons(cmd, client, resource_group_name, name, addon, workspace_resource_id=workspace_resource_id, subnet_name=subnet_name, appgw_name=appgw_name, appgw_subnet_prefix=appgw_subnet_prefix, 
@@ -1475,14 +1474,21 @@ def aks_addon_update(cmd, client, resource_group_name, name, addon, workspace_re subnet_name=None, appgw_name=None, appgw_subnet_prefix=None, appgw_subnet_cidr=None, appgw_id=None, appgw_subnet_id=None, appgw_watch_namespace=None, enable_sgxquotehelper=False, enable_secret_rotation=False, rotation_poll_interval=None, - no_wait=False, enable_msi_auth_for_monitoring=False, + no_wait=False, enable_msi_auth_for_monitoring=None, dns_zone_resource_id=None, enable_syslog=False, data_collection_settings=None): instance = client.get(resource_group_name, name) addon_profiles = instance.addon_profiles + if instance.service_principal_profile.client_id != "msi": + enable_msi_auth_for_monitoring = False + if addon == "web_application_routing": if (instance.ingress_profile is None) or (instance.ingress_profile.web_app_routing is None) or not instance.ingress_profile.web_app_routing.enabled: raise InvalidArgumentValueError(f'Addon "{addon}" is not enabled in this cluster.') + + if addon == "monitoring" and enable_msi_auth_for_monitoring is None: + enable_msi_auth_for_monitoring = True + else: addon_key = ADDONS[addon] if not addon_profiles or addon_key not in addon_profiles or not addon_profiles[addon_key].enabled: 
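Review bot: The new `if addon == "monitoring" and enable_msi_auth_for_monitoring is None:` block sits between the `raise InvalidArgumentValueError` and the `else:` that belongs to `if addon == "web_application_routing":`; indentation is lost in this rendering, but either placement is wrong: nested in that branch it can never run (addon is "web_application_routing" there), and at the outer level it would capture the `else:` and send web_application_routing updates into `ADDONS[addon]`. Move the two lines up to just after the `client_id != "msi"` reset, before the `if addon == "web_application_routing":` line. Until then a monitoring update without the flag keeps `enable_msi_auth_for_monitoring` as None, and since update_addons/_update_addons now write `"true" if enable_msi_auth_for_monitoring else "false"`, an MSI-auth cluster would presumably have `useAADAuth` rewritten to "false" by `az aks addon update -a monitoring`; the call that forwards the flag is outside the hunk, so confirm. The None default here also differs from the True default given to every other entry point in this change and deserves a one-line comment on the parameter, e.g. `# None: resolved to True for the monitoring addon once the cluster identity is known`.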
@@ -1543,12 +1549,16 @@ def aks_disable_addons(cmd, client, resource_group_name, name, addons, no_wait=F def aks_enable_addons(cmd, client, resource_group_name, name, addons, workspace_resource_id=None, subnet_name=None, appgw_name=None, appgw_subnet_prefix=None, appgw_subnet_cidr=None, appgw_id=None, appgw_subnet_id=None, - appgw_watch_namespace=None, enable_sgxquotehelper=False, enable_secret_rotation=False, rotation_poll_interval=None, no_wait=False, enable_msi_auth_for_monitoring=False, + appgw_watch_namespace=None, enable_sgxquotehelper=False, enable_secret_rotation=False, rotation_poll_interval=None, no_wait=False, enable_msi_auth_for_monitoring=True, dns_zone_resource_id=None, enable_syslog=False, data_collection_settings=None): instance = client.get(resource_group_name, name) # this is overwritten by _update_addons(), so the value needs to be recorded here - msi_auth = True if instance.service_principal_profile.client_id == "msi" else False + msi_auth = False + if instance.service_principal_profile.client_id == "msi": + msi_auth = True + else: + enable_msi_auth_for_monitoring = False subscription_id = get_subscription_id(cmd.cli_ctx) instance = _update_addons(cmd, instance, subscription_id, resource_group_name, name, addons, enable=True, 
@@ -1610,17 +1620,7 @@ def aks_enable_addons(cmd, client, resource_group_name, name, addons, workspace_ # adding a wait here since we rely on the result for role assignment result = LongRunningOperation(cmd.cli_ctx)( client.begin_create_or_update(resource_group_name, name, instance)) - cloud_name = cmd.cli_ctx.cloud.name - # mdm metrics supported only in Azure Public cloud so add the role assignment only in this cloud - if monitoring and cloud_name.lower() == 'azurecloud': - from msrestazure.tools import resource_id - cluster_resource_id = resource_id( - subscription=subscription_id, - resource_group=resource_group_name, - namespace='Microsoft.ContainerService', type='managedClusters', - name=name - ) - add_monitoring_role_assignment(result, cluster_resource_id, cmd) + if ingress_appgw_addon_enabled: add_ingress_appgw_addon_role_assignment(result, cmd) if enable_virtual_node: @@ -1651,7 +1651,7 @@ def _update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements addons, enable, workspace_resource_id=None, - enable_msi_auth_for_monitoring=False, + enable_msi_auth_for_monitoring=True, subnet_name=None, appgw_name=None, appgw_subnet_prefix=None, 
@@ -1736,9 +1736,15 @@ def _update_addons(cmd, # pylint: disable=too-many-branches,too-many-statements workspace_resource_id = sanitize_loganalytics_ws_resource_id( workspace_resource_id) + cloud_name = cmd.cli_ctx.cloud.name + if enable_msi_auth_for_monitoring and (cloud_name.lower() == 'ussec' or cloud_name.lower() == 'usnat'): + if instance.identity is not None and instance.identity.type is not None and instance.identity.type == "userassigned": + logger.warning("--enable_msi_auth_for_monitoring is not supported in %s cloud and continuing monitoring enablement without this flag.", cloud_name) + enable_msi_auth_for_monitoring = False + addon_profile.config = { logAnalyticsConstName: workspace_resource_id} - addon_profile.config[CONST_MONITORING_USING_AAD_MSI_AUTH] = enable_msi_auth_for_monitoring + addon_profile.config[CONST_MONITORING_USING_AAD_MSI_AUTH] = "true" if enable_msi_auth_for_monitoring else "false" elif addon == (CONST_VIRTUAL_NODE_ADDON_NAME + os_type): if addon_profile.enabled: raise CLIError('The virtual-node addon is already enabled for this managed cluster.\n' diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py index 7e4f5436317..ae680cbda79 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py @@ -2756,7 +2756,6 @@ def create_new_cluster_with_monitoring_aad_auth(self, resource_group, resource_g create_cmd = f'aks create --resource-group={resource_group} --name={aks_name} --location={resource_group_location} ' \ '--enable-managed-identity ' \ '--enable-addons monitoring ' \ - '--enable-msi-auth-for-monitoring ' \ '--node-count 1 ' \ '--ssh-key-value={ssh_key_value} ' create_cmd += f'--assign-identity {identity_id} ' if user_assigned_identity else '' 
@@ -2765,7 +2764,7 @@ def create_new_cluster_with_monitoring_aad_auth(self, resource_group, resource_g response = self.cmd(create_cmd, checks=[ self.check('addonProfiles.omsagent.enabled', True), - self.check('addonProfiles.omsagent.config.useAADAuth', 'True') + self.check('addonProfiles.omsagent.config.useAADAuth', 'true') ]).get_output_in_json() cluster_resource_id = response["id"] @@ -2895,14 +2894,13 @@ def enable_monitoring_existing_cluster_aad_atuh(self, resource_group, resource_g enable_monitoring_cmd = 'aks addon enable -a monitoring ' else: enable_monitoring_cmd = 'aks enable-addons -a monitoring ' - enable_monitoring_cmd += f'--resource-group={resource_group} --name={aks_name} ' \ - '--enable-msi-auth-for-monitoring ' + enable_monitoring_cmd += f'--resource-group={resource_group} --name={aks_name} ' if syslog_enabled: enable_monitoring_cmd += f'--enable-syslog ' response = self.cmd(enable_monitoring_cmd, checks=[ self.check('addonProfiles.omsagent.enabled', True), - self.check('addonProfiles.omsagent.config.useAADAuth', 'True') + self.check('addonProfiles.omsagent.config.useAADAuth', 'true') ]).get_output_in_json() cluster_resource_id = response["id"] @@ -2963,8 +2961,7 @@ def test_aks_create_with_monitoring_legacy_auth(self, resource_group, resource_g response = self.cmd(create_cmd, checks=[ self.check('addonProfiles.omsagent.enabled', True), self.exists( - 'addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID'), - self.check('addonProfiles.omsagent.config.useAADAuth', 'False') + 'addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID') ]).get_output_in_json() # make sure a DCR was not created diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index d3c37dd27a5..5150c18a453 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py @@ -9,7 +9,7 @@ from setuptools import setup, find_packages -VERSION = "0.5.139" +VERSION = "0.5.140" CLASSIFIERS = [ "Development Status :: 4 - Beta",
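Review bot: The legacy-auth test drops its `useAADAuth` assertion instead of updating it to the new lowercase value, so nothing now verifies that a cluster created without MSI auth ends up with `useAADAuth` set to "false", which is the regression guard most worth keeping now that the default has flipped to True. Since _update_addons now always writes `"true"`/`"false"` for the monitoring addon, `self.check('addonProfiles.omsagent.config.useAADAuth', 'false')` should hold for this scenario; the create path for this test is outside the hunk, so confirm it reaches that code. The other two hunks in this file correctly change the expected `'True'` to `'true'`.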