Update connectedk8s helm binary download source & introduce new --ski…

…p-cluster-ssl-verification flag (#7294)
Azure · Apr 19, 2024 · 487d71d · 487d71d
1 parent 3c160d4
commit 487d71d
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 33 deletions.
diff --git a/src/connectedk8s/HISTORY.rst b/src/connectedk8s/HISTORY.rst
@@ -3,6 +3,11 @@
 Release History
 ===============
 
+1.7.0
+++++++
+* Update helm binary download source.
+* Introduce "--skip-ssl-verification" flag.
+
 1.6.8
 ++++++
 * Add support for running multiple proxy instances on the same machine using different ports.

diff --git a/src/connectedk8s/azext_connectedk8s/_params.py b/src/connectedk8s/azext_connectedk8s/_params.py
@@ -12,7 +12,7 @@
 from azext_connectedk8s._constants import Distribution_Enum_Values, Infrastructure_Enum_Values, Feature_Values, AHB_Enum_Values
 from knack.arguments import (CLIArgumentType, CaseInsensitiveList)
 
-from . _validators import validate_private_link_properties
+from ._validators import validate_private_link_properties
 
 features_types = CLIArgumentType(
     nargs='+',
@@ -49,6 +49,7 @@ def load_arguments(self, _):
         c.argument('no_wait', options_list=['--no-wait'], arg_group='Timeout', help="Do not wait for the long-running operation to finish.")
         c.argument('correlation_id', options_list=['--correlation-id'], help='A guid that is used to internally track the source of cluster onboarding. Please do not modify it unless advised', validator=override_client_request_id_header)
         c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s update') as c:
@@ -66,13 +67,15 @@ def load_arguments(self, _):
         c.argument('disable_proxy', options_list=['--disable-proxy'], arg_group='Proxy', action='store_true', help='Disables proxy settings for agents')
         c.argument('auto_upgrade', options_list=['--auto-upgrade'], help='Flag to enable/disable auto upgrade of arc agents. By default, auto upgrade of agents is enabled.', arg_type=get_enum_type(["true", "false"]))
         c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s upgrade') as c:
         c.argument('cluster_name', options_list=['--name', '-n'], id_part='name', help='The name of the connected cluster.')
         c.argument('kube_config', options_list=['--kube-config'], help='Path to the kube config file.')
         c.argument('kube_context', options_list=['--kube-context'], help='Kubconfig context from current machine.')
         c.argument('arc_agent_version', options_list=['--agent-version'], help='Version of agent to update the helm charts to.')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('upgrade_timeout', options_list=['--upgrade-timeout'], help='Time required (in seconds) for the arc-agent pods to be upgraded on the kubernetes cluster. Override this value if the hardware/network constraints on your cluster requires more time for upgrading the arc-agent pods.')
 
     with self.argument_context('connectedk8s enable-features') as c:
@@ -84,12 +87,14 @@ def load_arguments(self, _):
         c.argument('azrbac_client_secret', options_list=['--app-secret'], arg_group='Azure RBAC', help='Application secret for enabling Azure RBAC.', deprecate_info=c.deprecate(hide=True))
         c.argument('azrbac_skip_authz_check', options_list=['--skip-azure-rbac-list'], arg_group='Azure RBAC', help='Comma separated list of names of usernames/email/oid. Azure RBAC will be skipped for these users. Specify when enabling azure-rbac.')
         c.argument('cl_oid', options_list=['--custom-locations-oid'], help="OID of 'custom-locations' app")
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
 
     with self.argument_context('connectedk8s disable-features') as c:
         c.argument('cluster_name', options_list=['--name', '-n'], id_part='name', help='The name of the connected cluster.')
         c.argument('kube_config', options_list=['--kube-config'], help='Path to the kube config file.')
         c.argument('kube_context', options_list=['--kube-context'], help='Kubconfig context from current machine.')
         c.argument('features', features_types, options_list=['--features'], help='Space-separated list of features you want to disable.')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s list') as c:
@@ -103,6 +108,7 @@ def load_arguments(self, _):
         c.argument('kube_config', options_list=['--kube-config'], help='Path to the kube config file.')
         c.argument('kube_context', options_list=['--kube-context'], help='Kubconfig context from current machine.')
         c.argument('force_delete', options_list=['--force'], help='Force delete to remove all azure-arc resources from the cluster.', action='store_true')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s proxy') as c:
@@ -116,4 +122,5 @@ def load_arguments(self, _):
         c.argument('tags', tags_type)
         c.argument('cluster_name', options_list=['--name', '-n'], help='The name of the connected cluster.')
         c.argument('kube_config', options_list=['--kube-config'], help='Path to the kube config file.')
-        c.argument('kube_context', options_list=['--kube-context'], help='Kubconfig context from current machine.')
+        c.argument('kube_context', options_list=['--kube-context'], help='Kubeconfig context from current machine.')
+        c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
diff --git a/src/connectedk8s/azext_connectedk8s/custom.py b/src/connectedk8s/azext_connectedk8s/custom.py
@@ -70,12 +70,10 @@
 # pylint: disable=line-too-long
 
 
-def create_connectedk8s(cmd, client, resource_group_name, cluster_name, correlation_id=None, https_proxy="",
-                        http_proxy="", no_proxy="", proxy_cert="", location=None, kube_config=None, kube_context=None,
-                        no_wait=False, tags=None, distribution='generic', infrastructure='generic',
-                        disable_auto_upgrade=False, cl_oid=None, onboarding_timeout="600", enable_private_link=None,
-                        private_link_scope_resource_id=None, distribution_version=None, azure_hybrid_benefit=None,
-                        yes=False, container_log_path=None):
+def create_connectedk8s(cmd, client, resource_group_name, cluster_name, correlation_id=None, https_proxy="", http_proxy="", no_proxy="", proxy_cert="", location=None,
+                        kube_config=None, kube_context=None, no_wait=False, tags=None, distribution='generic', infrastructure='generic',
+                        disable_auto_upgrade=False, cl_oid=None, onboarding_timeout="600", enable_private_link=None, private_link_scope_resource_id=None,
+                        distribution_version=None, azure_hybrid_benefit=None, skip_ssl_verification=False, yes=False, container_log_path=None):
     logger.warning("This operation might take a while...\n")
 
     # changing cli config to push telemetry in 1 hr interval
@@ -156,7 +154,7 @@ def create_connectedk8s(cmd, client, resource_group_name, cluster_name, correlat
     config_dp_endpoint, release_train = get_config_dp_endpoint(cmd, location, values_file, arm_metadata)
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled AKS clusters
@@ -212,7 +210,7 @@ def create_connectedk8s(cmd, client, resource_group_name, cluster_name, correlat
             filepath_with_timestamp, diagnostic_folder_status = \
                 utils.create_folder_diagnosticlogs(time_stamp, consts.Pre_Onboarding_Check_Logs)
 
-            if (diagnostic_folder_status is not True):
+            if diagnostic_folder_status is not True:
                 storage_space_available = False
 
             # Performing cluster-diagnostic-checks
@@ -516,7 +514,6 @@ def validate_existing_provisioned_cluster_for_reput(cluster_resource, kubernetes
         validation_values = [
             kubernetes_distro,
             kubernetes_infra,
-            enable_private_link,
             private_link_scope_resource_id,
             distribution_version,
             azure_hybrid_benefit,
@@ -608,17 +605,14 @@ def install_helm_client():
     telemetry.add_extension_event('connectedk8s', {'Context.Default.AzureCLI.MachineType': machine_type})
 
     # Set helm binary download & install locations
-    # TODO: [Kit] Move helm binaries to internal endpoints
-    if (operating_system == 'windows'):
+    if operating_system == 'windows':
         download_location_string = f'.azure\\helm\\{consts.HELM_VERSION}\\helm-{consts.HELM_VERSION}-{operating_system}-amd64.zip'
         install_location_string = f'.azure\\helm\\{consts.HELM_VERSION}\\{operating_system}-amd64\\helm.exe'
-        # requestUri = f'{consts.HELM_STORAGE_URL}/helm/helm-{consts.HELM_VERSION}-{operating_system}-amd64.zip'
-        requestUri = f'https://get.helm.sh/helm-{consts.HELM_VERSION}-{operating_system}-amd64.zip'
-    elif (operating_system == 'linux' or operating_system == 'darwin'):
+        requestUri = f'{consts.HELM_STORAGE_URL}/helmsigned/helm-{consts.HELM_VERSION}-{operating_system}-amd64.zip'
+    elif operating_system == 'linux' or operating_system == 'darwin':
         download_location_string = f'.azure/helm/{consts.HELM_VERSION}/helm-{consts.HELM_VERSION}-{operating_system}-amd64.tar.gz'
         install_location_string = f'.azure/helm/{consts.HELM_VERSION}/{operating_system}-amd64/helm'
-        # requestUri = f'{consts.HELM_STORAGE_URL}/helm/helm-{consts.HELM_VERSION}-{operating_system}-amd64.tar.gz'
-        requestUri = f'https://get.helm.sh/helm-{consts.HELM_VERSION}-{operating_system}-amd64.tar.gz'
+        requestUri = f'{consts.HELM_STORAGE_URL}/helm/helm-{consts.HELM_VERSION}-{operating_system}-amd64.tar.gz'
     else:
         telemetry.set_exception(exception='Unsupported OS for installing helm client', fault_type=consts.Helm_Unsupported_OS_Fault_Type,
                                 summary=f'{operating_system} is not supported for installing helm client')
@@ -732,9 +726,14 @@ def get_public_key(key_pair):
     return b64encode(enc).decode('utf-8')
 
 
-def load_kube_config(kube_config, kube_context):
+def load_kube_config(kube_config, kube_context, skip_ssl_verification):
     try:
         config.load_kube_config(config_file=kube_config, context=kube_context)
+        if skip_ssl_verification:
+            from kubernetes.client import Configuration
+            default_config = Configuration.get_default_copy()
+            default_config.verify_ssl = False
+            Configuration.set_default(default_config)
     except Exception as e:
         telemetry.set_exception(exception=e, fault_type=consts.Load_Kubeconfig_Fault_Type,
                                 summary='Problem loading the kubeconfig file')
@@ -961,7 +960,7 @@ def list_connectedk8s(cmd, client, resource_group_name=None):
 
 
 def delete_connectedk8s(cmd, client, resource_group_name, cluster_name,
-                        kube_config=None, kube_context=None, no_wait=False, force_delete=False, yes=False):
+                        kube_config=None, kube_context=None, no_wait=False, force_delete=False, skip_ssl_verification=False, yes=False):
 
     # The force delete prompt is added because it can be used in the case where the config map is missing
     # so we cannot check if the user context is pointing to the cluster that he intends to delete
@@ -986,7 +985,7 @@ def delete_connectedk8s(cmd, client, resource_group_name, cluster_name,
     kube_config = set_kube_config(kube_config)
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled
@@ -1096,7 +1095,7 @@ def update_connected_cluster_internal(client, resource_group_name, cluster_name,
 
 def update_connected_cluster(cmd, client, resource_group_name, cluster_name, https_proxy="", http_proxy="", no_proxy="", proxy_cert="",
                              disable_proxy=False, kube_config=None, kube_context=None, auto_upgrade=None, tags=None,
-                             distribution=None, distribution_version=None, azure_hybrid_benefit=None, yes=False, container_log_path=None):
+                             distribution=None, distribution_version=None, azure_hybrid_benefit=None, skip_ssl_verification=False, yes=False, container_log_path=None):
 
     # Prompt for confirmation for few parameters
     if azure_hybrid_benefit == "True":
@@ -1157,7 +1156,7 @@ def update_connected_cluster(cmd, client, resource_group_name, cluster_name, htt
     values_file = utils.get_values_file()
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled AKS clusters
@@ -1275,7 +1274,7 @@ def update_connected_cluster(cmd, client, resource_group_name, cluster_name, htt
         return patch_cc_response
 
 
-def upgrade_agents(cmd, client, resource_group_name, cluster_name, kube_config=None, kube_context=None, arc_agent_version=None, upgrade_timeout="600"):
+def upgrade_agents(cmd, client, resource_group_name, cluster_name, kube_config=None, kube_context=None, skip_ssl_verification=False, arc_agent_version=None, upgrade_timeout="600"):
     # Check if cluster supports upgrading
     connected_cluster = get_connectedk8s_2023_11_01(cmd, resource_group_name, cluster_name)
 
@@ -1294,7 +1293,7 @@ def upgrade_agents(cmd, client, resource_group_name, cluster_name, kube_config=N
     values_file = utils.get_values_file()
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled AKS clusters
@@ -1519,7 +1518,7 @@ def get_all_helm_values(release_namespace, kube_config, kube_context, helm_clien
 
 
 def enable_features(cmd, client, resource_group_name, cluster_name, features, kube_config=None, kube_context=None,
-                    azrbac_client_id=None, azrbac_client_secret=None, azrbac_skip_authz_check=None, cl_oid=None):
+                    azrbac_client_id=None, azrbac_client_secret=None, azrbac_skip_authz_check=None, skip_ssl_verification=False, cl_oid=None):
     logger.warning("This operation might take a while...\n")
 
     # Validate custom token operation
@@ -1565,7 +1564,7 @@ def enable_features(cmd, client, resource_group_name, cluster_name, features, ku
     values_file = utils.get_values_file()
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled AKS clusters
@@ -1653,7 +1652,7 @@ def enable_features(cmd, client, resource_group_name, cluster_name, features, ku
 
 
 def disable_features(cmd, client, resource_group_name, cluster_name, features, kube_config=None, kube_context=None,
-                     yes=False):
+                     yes=False, skip_ssl_verification=False):
 
     features = [x.lower() for x in features]
     confirmation_message = "Disabling few of the features may adversely impact dependent resources. Learn more about this at https://aka.ms/ArcK8sDependentResources. \n" + "Are you sure you want to disable these features: {}".format(features)
@@ -1679,7 +1678,7 @@ def disable_features(cmd, client, resource_group_name, cluster_name, features, k
     values_file = utils.get_values_file()
 
     # Loading the kubeconfig file in kubernetes client configuration
-    load_kube_config(kube_config, kube_context)
+    load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
     # Checking the connection to kubernetes cluster.
     # This check was added to avoid large timeouts when connecting to AAD Enabled AKS clusters
@@ -2389,7 +2388,7 @@ def get_custom_locations_oid(cmd, cl_oid):
         return ""
 
 
-def troubleshoot(cmd, client, resource_group_name, cluster_name, kube_config=None, kube_context=None, no_wait=False, tags=None):
+def troubleshoot(cmd, client, resource_group_name, cluster_name, kube_config=None, kube_context=None, skip_ssl_verification=False, no_wait=False, tags=None):
 
     try:
 
@@ -2408,7 +2407,7 @@ def troubleshoot(cmd, client, resource_group_name, cluster_name, kube_config=Non
         kube_client.rest.logger.setLevel(logging.WARNING)
 
         # Loading the kubeconfig file in kubernetes client configuration
-        load_kube_config(kube_config, kube_context)
+        load_kube_config(kube_config, kube_context, skip_ssl_verification)
 
         # Install helm client
         helm_client_location = install_helm_client()

diff --git a/src/connectedk8s/azext_connectedk8s/tests/latest/test_connectedk8s_scenario.py b/src/connectedk8s/azext_connectedk8s/tests/latest/test_connectedk8s_scenario.py
@@ -759,4 +759,33 @@ def test_proxy(self, resource_group):
         # Delete the kube config files.
         os.remove(kubeconfig)
         os.remove(kubeconfig2)
-
+
+    @live_only()
+    @ResourceGroupPreparer(name_prefix='sslk8stest', location=CONFIG['location'], random_name_length=16)
+    def test_skipping_ssl_verification(self,resource_group):
+
+        managed_cluster_name = self.create_random_name(prefix='test-ssl', length=24)
+        kubeconfig = "%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml'))
+        self.kwargs.update({
+            'rg': resource_group,
+            'name': self.create_random_name(prefix='cc-', length=12),
+            'kubeconfig': kubeconfig,
+            'managed_cluster_name': managed_cluster_name,
+            'location': CONFIG['location']
+        })
+
+        self.cmd('aks create -g {rg} -n {managed_cluster_name} --generate-ssh-keys')
+        self.cmd('aks get-credentials -g {rg} -n {managed_cluster_name} -f {kubeconfig} --admin')
+        self.cmd('connectedk8s connect -g {rg} -n {name} -l {location} --tags foo=doo --kube-config {kubeconfig} \
+            --kube-context {managed_cluster_name}-admin --skip-ssl-verification', checks=[
+            self.check('tags.foo', 'doo'),
+            self.check('resourceGroup', '{rg}'),
+            self.check('name', '{name}')
+        ])
+
+        self.cmd('connectedk8s delete -g {rg} -n {name} --kube-config {kubeconfig} --kube-context \
+            {managed_cluster_name}-admin -y')
+        self.cmd('aks delete -g {rg} -n {managed_cluster_name} -y')
+
+        # delete the kube config
+        os.remove("%s" % (_get_test_data_file(managed_cluster_name + '-config.yaml')))
diff --git a/src/connectedk8s/setup.py b/src/connectedk8s/setup.py
@@ -17,7 +17,7 @@
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
 
-VERSION = '1.6.8'
+VERSION = '1.7.0'
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers