[Azure RBAC] Deprecate 3P mode flags, fix Azure RBAC enablement bug, add E2E coverage and improve logging (#20)

vineeth-thumma · Bavneet Singh · atchutbarli · Bavneet Singh · commit 3c08eac156b5 · 2025-09-30T09:40:08.000-07:00
* add pester tests for connectedk8s cli extension * Pass the force delete param to the API call (#4) * forcedelete * format * add code owner * mypy * Parameterize for airgapped clouds (#5) * Add parameterization for the airgapped clouds * Fix azdev style * MCR path function * azdev, ruff, and mypy --------- Co-authored-by: Matthew McNeal (from Dev Box) <mmcneal@microsoft.com> * Oras client fix to work with different MCRs (#6) Co-authored-by: mmcneal <mmcneal@microsoft.com> * fix CI testcases for nodepool image issues (#8) * update errors for the config and connectivity issues (#11) * update errors * format * style * update python version to 3.13 (#12) * Update cluster diagnostics image to 1.29.3 (#7) * Update cluster diagnostics helm chart to 1.29.3 * Fix lint issues --------- Co-authored-by: bgriddaluru <bharath.griddaluru@microsoft.com> * RBAC deprecation & fix the issue * typo * fix comments * update tests * add pester tests for connectedk8s cli extension * Pass the force delete param to the API call (#4) * forcedelete * format * add code owner * mypy * fix CI testcases for nodepool image issues (#8) * update errors for the config and connectivity issues (#11) * update errors * format * style * update python version to 3.13 (#12) * rebase * fix tests * fix version * fix mypy, lint * fix test * fix test * fix test * fix test * fix test * rename test * deprecate flags * rebase * rebase * bump version for release --------- Co-authored-by: Bavneet Singh <bavneetsingh@microsoft.com> Co-authored-by: Atchut Kumar Barli <atchut@gmail.com> Co-authored-by: mcnealm13 <57726243+mcnealm13@users.noreply.github.com> Co-authored-by: Matthew McNeal (from Dev Box) <mmcneal@microsoft.com> Co-authored-by: Bavneet Singh <33008256+bavneetsingh16@users.noreply.github.com> Co-authored-by: bgriddaluru <117554445+bgriddaluru@users.noreply.github.com> Co-authored-by: bgriddaluru <bharath.griddaluru@microsoft.com> Co-authored-by: vithumma <vithumma@microsoft.com>
diff --git a/testing/pipeline/k8s-custom-pipelines.yml b/testing/pipeline/k8s-custom-pipelines.yml
@@ -28,6 +28,10 @@ stages:
     parameters:
       jobName: BasicOnboardingTest
       path: ./test/configurations/BasicOnboarding.Tests.ps1
+  - template: ./templates/run-test.yml
+    parameters:
+      jobName: EnableDisableFeaturesTest
+      path: ./test/configurations/EnableDisableFeatures.Tests.ps1
   - template: ./templates/run-test.yml
     parameters:
       jobName: AutoUpdateTest
@@ -177,13 +181,12 @@ stages:
           pip install pytest
           cd /home/vsts/work/1/s/src/connectedk8s/azext_connectedk8s/tests/unittests
           pytest --junitxml=test-results.xml
-          
         displayName: 'Run UnitTests test'
       - task: PublishTestResults@2
         inputs:
           testResultsFormat: 'JUnit'
           testResultsFiles: '**/test-results.xml'
-          failTaskOnFailedTests: true        
+          failTaskOnFailedTests: true
   - job: SourceTests
     displayName: "Integration Tests, Build Tests"
     pool:
diff --git a/testing/pipeline/templates/run-test.yml b/testing/pipeline/templates/run-test.yml
@@ -41,7 +41,7 @@ jobs:
       azdev extension build $(EXTENSION_NAME)
     workingDirectory: $(CLI_REPO_PATH)
     displayName: "Setup and Build Extension with azdev"
-      
+
   - bash: |
       K8S_CONFIG_VERSION=$(ls ${EXTENSION_FILE_NAME}* | cut -d "-" -f2)
       echo "##vso[task.setvariable variable=K8S_CONFIG_VERSION]$K8S_CONFIG_VERSION"
@@ -60,7 +60,7 @@ jobs:
                         --arg AKS_CLUSTER_NAME "$AKS_CLUSTER_NAME" \
                         --arg ARC_CLUSTER_NAME "$ARC_CLUSTER_NAME" \
                         --arg K8S_CONFIG_VERSION "$K8S_CONFIG_VERSION" \
-                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}}')
+                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}, customLocationsOid: "51dfe1e8-70c6-4de5-a08e-e18aff23d815"}')
         echo $JSON_STRING > settings.json
         cat settings.json
     workingDirectory: $(TEST_PATH)
@@ -74,7 +74,6 @@ jobs:
       chmod +x ./kind
       ./kind create cluster
     displayName: "Create and Start the Kind cluster"
-  
   - bash: |
       curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
     displayName: "Upgrade az to latest version"
@@ -94,7 +93,6 @@ jobs:
       inlineScript: |
         .\Bootstrap.ps1 -CI
       workingDirectory: $(TEST_PATH)
-            
   - task: AzureCLI@2
     displayName: Run the Test Suite for ${{ parameters.path }}
     inputs:
diff --git a/testing/test/configurations/BasicOnboarding.Tests.ps1 b/testing/test/configurations/BasicOnboarding.Tests.ps1
@@ -10,7 +10,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -34,7 +34,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
diff --git a/testing/test/configurations/EnableDisableFeatures.Tests.ps1 b/testing/test/configurations/EnableDisableFeatures.Tests.ps1
@@ -0,0 +1,111 @@
+Describe 'ConnectedK8s Enable Disable Features Scenario' {
+    BeforeAll {
+        . $PSScriptRoot/../helper/Constants.ps1
+
+        function Invoke-AzCommand {
+            param (
+                [string]$Command
+            )
+            Write-Host "Executing: $Command" -ForegroundColor Yellow
+            $result = Invoke-Expression $Command
+            return $result
+        }
+
+        function Wait-ForProvisioning {
+            param (
+                [string]$expectedProvisioningState,
+                [string]$expectedAutoUpdate
+            )
+            $n = 0
+            do {
+                $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)"
+                $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
+                $provisioningState = ($output | ConvertFrom-Json).provisioningState
+                $autoUpdate = $jsonOutput.RootElement.GetProperty("arcAgentProfile").GetProperty("agentAutoUpgrade").GetString()
+                Write-Host "Provisioning State: $provisioningState"
+                Write-Host "Auto Update: $autoUpdate"
+                if ($provisioningState -eq $expectedProvisioningState -and $autoUpdate -eq $expectedAutoUpdate) {
+                    break
+                }
+                Start-Sleep -Seconds 10
+                $n += 1
+            } while ($n -le $MAX_RETRY_ATTEMPTS)
+            $n | Should -BeLessOrEqual $MAX_RETRY_ATTEMPTS
+        }
+    }
+
+    It 'Onboard Connected cluster with no features enabled' {
+        Invoke-AzCommand "az connectedk8s connect -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -l $ARC_LOCATION --no-wait"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It "Delete the connected instance" {
+        Invoke-AzCommand "az connectedk8s delete -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -y"
+        $? | Should -BeTrue
+
+        # Wait for deletion to propagate through the resource model
+        Start-Sleep -Seconds 30
+
+        # Configuration should be removed from the resource model - expect ResourceNotFound error
+        $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)" 2>&1
+        $output | Should -Match "ResourceNotFound"
+    }
+}
diff --git a/testing/test/configurations/Gateway.Tests.ps1 b/testing/test/configurations/Gateway.Tests.ps1
@@ -12,7 +12,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -36,12 +36,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {
@@ -60,7 +60,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -84,12 +84,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {
