[Azure RBAC] Deprecate 3P mode flags, fix Azure RBAC enablement bug, add E2E coverage and improve logging (#20)

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* Parameterize for airgapped clouds (#5)

* Add parameterization for the airgapped clouds

* Fix azdev style

* MCR path function

* azdev, ruff, and mypy

---------

Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>

* Oras client fix to work with different MCRs (#6)

Co-authored-by: mmcneal <[email protected]>

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* Update cluster diagnostics image to 1.29.3 (#7)

* Update cluster diagnostics helm chart to 1.29.3

* Fix lint issues

---------

Co-authored-by: bgriddaluru <[email protected]>

* RBAC deprecation & fix the issue

* typo

* fix comments

* update tests

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* rebase

* fix tests

* fix version

* fix mypy, lint

* fix test

* fix test

* fix test

* fix test

* fix test

* rename test

* deprecate flags

* rebase

* rebase

* bump version for release

---------

Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Atchut Kumar Barli <[email protected]>
Co-authored-by: mcnealm13 <[email protected]>
Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>
Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: vithumma <[email protected]>

Author: 9 people

src/connectedk8s/HISTORY.rst

@@ -2,6 +2,12 @@
 
 Release History
 ===============
+1.10.10
++++++
+* Deprecated '--app-id' and '--app-secret' RBAC parameters from the extension by adding them to _breaking_change.py.
+* Bug fix for https://github.com/Azure/azure-cli-extensions/issues/8498.
+* Update warning to use the latest kubelogin version which has support for generating PoP token.
+
 1.10.9
 ++++++
 * Added support for associating and disassociating gateways in CLI and updated SDK version to '2025-08-01-preview'.
@@ -78,7 +84,7 @@ Release History
 ++++++
 * New api version 2024-07-1-preview added
 * Adding functionality for workload identity feature.
-* Cluster create and update waits for agent state 
+* Cluster create and update waits for agent state
 
 1.7.3
 ++++++

src/connectedk8s/azext_connectedk8s/_breaking_change.py

@@ -0,0 +1,8 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+from azure.cli.core.breaking_change import register_argument_deprecate
+
+register_argument_deprecate("connectedk8s enable-features", "--app-id")
+register_argument_deprecate("connectedk8s enable-features", "--app-secret")

src/connectedk8s/azext_connectedk8s/_utils.py

@@ -1056,10 +1056,10 @@ def arm_exception_handler(
         status_code = ex.status_code
         if status_code == 404 and return_if_not_found:
             return
-        if status_code is not None and status_code // 100 == 4:
+        if status_code and status_code // 100 == 4:
             telemetry.set_user_fault()
         telemetry.set_exception(exception=ex, fault_type=fault_type, summary=summary)
-        if status_code is not None and status_code // 100 == 5:
+        if status_code and status_code // 100 == 5:
             raise AzureInternalError(
                 "Http response error occured while making ARM request: "
                 + str(ex)

src/connectedk8s/azext_connectedk8s/custom.py

@@ -2993,6 +2993,10 @@ def enable_features(
         utils.check_features_to_update(features)
     )
 
+    # Initialize these variables to ensure they are always defined, preventing UnboundLocalError if only a subset of features is enabled.
+    final_enable_cl = False
+    custom_locations_oid = None
+
     # Check if cluster is private link enabled
     connected_cluster = client.get(resource_group_name, cluster_name)
 
@@ -3152,8 +3156,9 @@ def enable_features(
         #  apps for authN/authZ.
         cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.authnMode=arc"])
         logger.warning(
-            "Please use the kubelogin version v0.0.32 or higher which has support for generating PoP token(s). "
-            "This is needed by guard running in 'arc' authN mode."
+            "[Azure RBAC] For secure authentication, ensure you have the latest kubelogin installed which supports PoP tokens. "
+            "This is required for Azure RBAC. Download or upgrade at: https://github.com/Azure/kubelogin/releases. "
+            "If you encounter authentication errors, please verify your kubelogin version and refer to the documentation: https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/azure-rbac"
         )
         cmd_helm_upgrade.extend(
             [

src/connectedk8s/setup.py

@@ -13,7 +13,7 @@
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
 
-VERSION = "1.10.9"
+VERSION = "1.10.10"
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

testing/pipeline/k8s-custom-pipelines.yml

@@ -28,6 +28,10 @@ stages:
     parameters:
       jobName: BasicOnboardingTest
       path: ./test/configurations/BasicOnboarding.Tests.ps1
+  - template: ./templates/run-test.yml
+    parameters:
+      jobName: EnableDisableFeaturesTest
+      path: ./test/configurations/EnableDisableFeatures.Tests.ps1
   - template: ./templates/run-test.yml
     parameters:
       jobName: AutoUpdateTest
@@ -177,13 +181,12 @@ stages:
           pip install pytest
           cd /home/vsts/work/1/s/src/connectedk8s/azext_connectedk8s/tests/unittests
           pytest --junitxml=test-results.xml
-          
         displayName: 'Run UnitTests test'
       - task: PublishTestResults@2
         inputs:
           testResultsFormat: 'JUnit'
           testResultsFiles: '**/test-results.xml'
-          failTaskOnFailedTests: true        
+          failTaskOnFailedTests: true
   - job: SourceTests
     displayName: "Integration Tests, Build Tests"
     pool:

testing/pipeline/templates/run-test.yml

@@ -41,7 +41,7 @@ jobs:
       azdev extension build $(EXTENSION_NAME)
     workingDirectory: $(CLI_REPO_PATH)
     displayName: "Setup and Build Extension with azdev"
-      
+
   - bash: |
       K8S_CONFIG_VERSION=$(ls ${EXTENSION_FILE_NAME}* | cut -d "-" -f2)
       echo "##vso[task.setvariable variable=K8S_CONFIG_VERSION]$K8S_CONFIG_VERSION"
@@ -60,7 +60,7 @@ jobs:
                         --arg AKS_CLUSTER_NAME "$AKS_CLUSTER_NAME" \
                         --arg ARC_CLUSTER_NAME "$ARC_CLUSTER_NAME" \
                         --arg K8S_CONFIG_VERSION "$K8S_CONFIG_VERSION" \
-                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}}')
+                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}, customLocationsOid: "51dfe1e8-70c6-4de5-a08e-e18aff23d815"}')
         echo $JSON_STRING > settings.json
         cat settings.json
     workingDirectory: $(TEST_PATH)
@@ -74,7 +74,6 @@ jobs:
       chmod +x ./kind
       ./kind create cluster
     displayName: "Create and Start the Kind cluster"
-  
   - bash: |
       curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
     displayName: "Upgrade az to latest version"
@@ -94,7 +93,6 @@ jobs:
       inlineScript: |
         .\Bootstrap.ps1 -CI
       workingDirectory: $(TEST_PATH)
-            
   - task: AzureCLI@2
     displayName: Run the Test Suite for ${{ parameters.path }}
     inputs:

testing/test/configurations/BasicOnboarding.Tests.ps1

@@ -10,7 +10,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -34,7 +34,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)

testing/test/configurations/EnableDisableFeatures.Tests.ps1

@@ -0,0 +1,111 @@
+Describe 'ConnectedK8s Enable Disable Features Scenario' {
+    BeforeAll {
+        . $PSScriptRoot/../helper/Constants.ps1
+
+        function Invoke-AzCommand {
+            param (
+                [string]$Command
+            )
+            Write-Host "Executing: $Command" -ForegroundColor Yellow
+            $result = Invoke-Expression $Command
+            return $result
+        }
+
+        function Wait-ForProvisioning {
+            param (
+                [string]$expectedProvisioningState,
+                [string]$expectedAutoUpdate
+            )
+            $n = 0
+            do {
+                $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)"
+                $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
+                $provisioningState = ($output | ConvertFrom-Json).provisioningState
+                $autoUpdate = $jsonOutput.RootElement.GetProperty("arcAgentProfile").GetProperty("agentAutoUpgrade").GetString()
+                Write-Host "Provisioning State: $provisioningState"
+                Write-Host "Auto Update: $autoUpdate"
+                if ($provisioningState -eq $expectedProvisioningState -and $autoUpdate -eq $expectedAutoUpdate) {
+                    break
+                }
+                Start-Sleep -Seconds 10
+                $n += 1
+            } while ($n -le $MAX_RETRY_ATTEMPTS)
+            $n | Should -BeLessOrEqual $MAX_RETRY_ATTEMPTS
+        }
+    }
+
+    It 'Onboard Connected cluster with no features enabled' {
+        Invoke-AzCommand "az connectedk8s connect -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -l $ARC_LOCATION --no-wait"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It "Delete the connected instance" {
+        Invoke-AzCommand "az connectedk8s delete -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -y"
+        $? | Should -BeTrue
+
+        # Wait for deletion to propagate through the resource model
+        Start-Sleep -Seconds 30
+
+        # Configuration should be removed from the resource model - expect ResourceNotFound error
+        $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)" 2>&1
+        $output | Should -Match "ResourceNotFound"
+    }
+}

testing/test/configurations/Gateway.Tests.ps1

@@ -12,7 +12,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -36,12 +36,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {
@@ -60,7 +60,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -84,12 +84,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {