Public preview wif changes (#7785)

Azure · Jul 23, 2024 · bd83635 · bd83635
1 parent 7ffe3f4
commit bd83635
Show file tree

Hide file tree

Showing 32 changed files with 6,502 additions and 27 deletions.
diff --git a/src/connectedk8s/HISTORY.rst b/src/connectedk8s/HISTORY.rst
@@ -3,6 +3,12 @@
 Release History
 ===============
 
+1.8.0
+++++++
+* New api version 2024-07-1-preview added
+* Adding functionality for workload identity feature.
+* Cluster create and update waits for agent state 
+
 1.7.3
 ++++++
 * Skip helm archive download if helm is already installed.

diff --git a/src/connectedk8s/azext_connectedk8s/_client_factory.py b/src/connectedk8s/azext_connectedk8s/_client_factory.py
@@ -64,6 +64,19 @@ def cf_connectedk8s_prev_2023_11_01(cli_ctx, *_):
 def cf_connected_cluster_prev_2023_11_01(cli_ctx, _):
     return cf_connectedk8s_prev_2023_11_01(cli_ctx).connected_cluster
 
+def cf_connectedk8s_prev_2024_07_01(cli_ctx, *_):
+    from azext_connectedk8s.vendored_sdks.preview_2024_07_01 import ConnectedKubernetesClient
+    if os.getenv(consts.Azure_Access_Token_Variable):
+        validate_custom_token()
+        credential = AccessTokenCredential(access_token=os.getenv(consts.Azure_Access_Token_Variable))
+        return get_mgmt_service_client(cli_ctx, ConnectedKubernetesClient,
+                                       subscription_id=os.getenv('AZURE_SUBSCRIPTION_ID'),
+                                       credential=credential)
+    return get_mgmt_service_client(cli_ctx, ConnectedKubernetesClient)
+
+
+def cf_connected_cluster_prev_2024_07_01(cli_ctx, _):
+    return cf_connectedk8s_prev_2024_07_01(cli_ctx).connected_cluster
 
 def cf_connectedmachine(cli_ctx, subscription_id):
     from azure.mgmt.hybridcompute import HybridComputeManagementClient

diff --git a/src/connectedk8s/azext_connectedk8s/_help.py b/src/connectedk8s/azext_connectedk8s/_help.py
@@ -30,6 +30,10 @@
       text: az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-private-link true --private-link-scope-resource-id pls/resource/arm/id
     - name: Onboard a connected kubernetes cluster with custom onboarding timeout.
       text: az connectedk8s connect -g resourceGroupName -n connectedClusterName --onboarding-timeout 600
+    - name: Onboard a connected kubernetes cluster with oidc issuer and the workload identity webhook enabled.
+      text: az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --enable-workload-identity
+    - name: Onboard a connected kubernetes cluster with oidc issuer enabled using a self hosted issuer url for public cloud cluster.
+      text: az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --self-hosted-issuer aksissuerurl
 
 """
 
@@ -43,6 +47,12 @@
       text: az connectedk8s update -g resourceGroupName -n connectedClusterName --disable-proxy
     - name: Disable auto-upgrade of agents
       text: az connectedk8s update -g resourceGroupName -n connectedClusterName --auto-upgrade false
+    - name: Update a connected kubernetes cluster with oidc issuer and the workload identity webhook enabled.
+      text: az connectedk8s update -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --enable-workload-identity
+    - name: Update a connected kubernetes cluster with oidc issuer enabled using a self hosted issuer url for public cloud cluster.
+      text: az connectedk8s update -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --self-hosted-issuer aksissuerurl
+    - name: Disable the workload identity webhook on a connected kubernetes cluster.
+      text: az connectedk8s update -g resourceGroupName -n connectedClusterName --disable-workload-identity
 """
 
 helps['connectedk8s upgrade'] = """

diff --git a/src/connectedk8s/azext_connectedk8s/_params.py b/src/connectedk8s/azext_connectedk8s/_params.py
@@ -51,6 +51,9 @@ def load_arguments(self, _):
         c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
         c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
+        c.argument('enable_oidc_issuer', arg_type=get_three_state_flag(), help="Enable creation of OIDC issuer url used for workload identity", is_preview=True)
+        c.argument('self_hosted_issuer', options_list=['--self-hosted-issuer'], help="Self hosted issuer url for public cloud clusters - AKS, GKE, EKS", is_preview=True)
+        c.argument('enable_workload_identity', options_list=["--enable-workload-identity", "--enable-wi"], arg_type=get_three_state_flag(), help="Enable workload identity webhook", is_preview=True)
 
     with self.argument_context('connectedk8s update') as c:
         c.argument('tags', tags_type)
@@ -69,6 +72,10 @@ def load_arguments(self, _):
         c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
         c.argument('skip_ssl_verification', action='store_true', help='Skip SSL verification for any cluster connection.')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
+        c.argument('enable_oidc_issuer', arg_type=get_three_state_flag(), help="Enable creation of OIDC issuer url used for workload identity", is_preview=True)
+        c.argument('self_hosted_issuer',options_list=["--self-hosted-issuer"], help="Self hosted issuer url for public cloud clusters - AKS, GKE, EKS", is_preview=True)
+        c.argument('enable_workload_identity', options_list=["--enable-workload-identity", "--enable-wi"], arg_type=get_three_state_flag(), help="Enable workload identity webhook", is_preview=True)
+        c.argument('disable_workload_identity', options_list=["--disable-workload-identity", "--disable-wi"], arg_type=get_three_state_flag(), help="Disable workload identity webhook", is_preview=True)
 
     with self.argument_context('connectedk8s upgrade') as c:
         c.argument('cluster_name', options_list=['--name', '-n'], id_part='name', help='The name of the connected cluster.')

diff --git a/src/connectedk8s/azext_connectedk8s/_utils.py b/src/connectedk8s/azext_connectedk8s/_utils.py
@@ -375,7 +375,6 @@ def add_helm_repo(kube_config, kube_context, helm_client_location):
                                 summary='Failed to add helm repository')
         raise CLIInternalError("Unable to add repository {} to helm: ".format(repo_url) + error_helm_repo.decode("ascii"))
 
-
 def get_helm_registry(cmd, config_dp_endpoint, release_train_custom=None):
     # Setting uri
     api_version = "2019-11-01-preview"
@@ -655,7 +654,6 @@ def helm_install_release(resource_manager, chart_path, subscription_id, kubernet
         logger.warning("Please check if the azure-arc namespace was deployed and run 'kubectl get pods -n azure-arc' to check if all the pods are in running state. A possible cause for pods stuck in pending state could be insufficient resources on the kubernetes cluster to onboard to arc.")
         raise CLIInternalError("Unable to install helm release: " + error_helm_install.decode("ascii"))
 
-
 def get_release_namespace(kube_config, kube_context, helm_client_location, release_name='azure-arc'):
     cmd_helm_release = [helm_client_location, "list", "-a", "--all-namespaces", "--output", "json"]
     if kube_config: