fix: Add enableAad parameter to conditionally configure AAD profile in Kubernetes #3828

Open
wants to merge 18 commits into
base: main
44 changes: 44 additions & 0 deletions avm/res/container-service/managed-cluster/README.md
Expand Up @@ -66,6 +66,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
// Non-required parameters
autoNodeOsUpgradeProfileUpgradeChannel: 'NodeImage'
disableLocalAccounts: true
enableAad: true
enableKeyvaultSecretsProvider: true
enableSecretRotation: true
kedaAddon: true
Expand Down Expand Up @@ -142,6 +143,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"disableLocalAccounts": {
"value": true
},
"enableAad": {
"value": true
},
"enableKeyvaultSecretsProvider": {
"value": true
},
Expand Down Expand Up @@ -236,6 +240,7 @@ param primaryAgentPoolProfiles = [
// Non-required parameters
param autoNodeOsUpgradeProfileUpgradeChannel = 'NodeImage'
param disableLocalAccounts = true
param enableAad = true
param enableKeyvaultSecretsProvider = true
param enableSecretRotation = true
param kedaAddon = true
Expand Down Expand Up @@ -385,6 +390,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
}
]
diskEncryptionSetResourceId: '<diskEncryptionSetResourceId>'
enableAad: true
enableAzureDefender: true
enableAzureMonitorProfileMetrics: true
enableKeyvaultSecretsProvider: true
Expand Down Expand Up @@ -654,6 +660,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"diskEncryptionSetResourceId": {
"value": "<diskEncryptionSetResourceId>"
},
"enableAad": {
"value": true
},
"enableAzureDefender": {
"value": true
},
Expand Down Expand Up @@ -953,6 +962,7 @@ param diagnosticSettings = [
}
]
param diskEncryptionSetResourceId = '<diskEncryptionSetResourceId>'
param enableAad = true
param enableAzureDefender = true
param enableAzureMonitorProfileMetrics = true
param enableKeyvaultSecretsProvider = true
Expand Down Expand Up @@ -1127,6 +1137,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
}
]
// Non-required parameters
enableAad: true
location: '<location>'
managedIdentities: {
systemAssigned: true
Expand Down Expand Up @@ -1162,6 +1173,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
]
},
// Non-required parameters
"enableAad": {
"value": true
},
"location": {
"value": "<location>"
},
Expand Down Expand Up @@ -1195,6 +1209,7 @@ param primaryAgentPoolProfiles = [
}
]
// Non-required parameters
param enableAad = true
param location = '<location>'
param managedIdentities = {
systemAssigned: true
Expand Down Expand Up @@ -1228,6 +1243,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
}
]
// Non-required parameters
enableAad: true
enableKeyvaultSecretsProvider: true
enableSecretRotation: true
istioServiceMeshCertificateAuthority: {
Expand Down Expand Up @@ -1277,6 +1293,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
]
},
// Non-required parameters
"enableAad": {
"value": true
},
"enableKeyvaultSecretsProvider": {
"value": true
},
Expand Down Expand Up @@ -1336,6 +1355,7 @@ param primaryAgentPoolProfiles = [
}
]
// Non-required parameters
param enableAad = true
param enableKeyvaultSecretsProvider = true
param enableSecretRotation = true
param istioServiceMeshCertificateAuthority = {
Expand Down Expand Up @@ -1452,6 +1472,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
workspaceResourceId: '<workspaceResourceId>'
}
]
enableAad: true
location: '<location>'
managedIdentities: {
userAssignedResourcesIds: [
Expand Down Expand Up @@ -1587,6 +1608,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
}
]
},
"enableAad": {
"value": true
},
"location": {
"value": "<location>"
},
Expand Down Expand Up @@ -1722,6 +1746,7 @@ param diagnosticSettings = [
workspaceResourceId: '<workspaceResourceId>'
}
]
param enableAad = true
param location = '<location>'
param managedIdentities = {
userAssignedResourcesIds: [
Expand Down Expand Up @@ -1840,6 +1865,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
}
]
dnsServiceIP: '10.10.200.10'
enableAad: true
enablePrivateCluster: true
location: '<location>'
managedIdentities: {
Expand Down Expand Up @@ -1944,6 +1970,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"dnsServiceIP": {
"value": "10.10.200.10"
},
"enableAad": {
"value": true
},
"enablePrivateCluster": {
"value": true
},
Expand Down Expand Up @@ -2052,6 +2081,7 @@ param agentPools = [
}
]
param dnsServiceIP = '10.10.200.10'
param enableAad = true
param enablePrivateCluster = true
param location = '<location>'
param managedIdentities = {
Expand Down Expand Up @@ -2183,6 +2213,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
]
disableLocalAccounts: true
dnsServiceIP: '10.10.200.10'
enableAad: true
enableAzureDefender: true
enablePrivateCluster: true
location: '<location>'
Expand Down Expand Up @@ -2369,6 +2400,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"dnsServiceIP": {
"value": "10.10.200.10"
},
"enableAad": {
"value": true
},
"enableAzureDefender": {
"value": true
},
Expand Down Expand Up @@ -2563,6 +2597,7 @@ param diagnosticSettings = [
]
param disableLocalAccounts = true
param dnsServiceIP = '10.10.200.10'
param enableAad = true
param enableAzureDefender = true
param enablePrivateCluster = true
param location = '<location>'
Expand Down Expand Up @@ -2684,6 +2719,7 @@ param tags = {
| [`dnsPrefix`](#parameter-dnsprefix) | string | Specifies the DNS prefix specified when creating the managed cluster. |
| [`dnsServiceIP`](#parameter-dnsserviceip) | string | Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
| [`dnsZoneResourceId`](#parameter-dnszoneresourceid) | string | Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. |
| [`enableAad`](#parameter-enableaad) | bool | Enable Azure Active Directory integration. |
| [`enableAzureDefender`](#parameter-enableazuredefender) | bool | Whether to enable Azure Defender. |
| [`enableAzureMonitorProfileMetrics`](#parameter-enableazuremonitorprofilemetrics) | bool | Whether the metric state of the kubenetes cluster is enabled. |
| [`enableContainerInsights`](#parameter-enablecontainerinsights) | bool | Indicates if Azure Monitor Container Insights Logs Addon is enabled. |
Expand Down Expand Up @@ -4063,6 +4099,14 @@ Specifies the resource ID of connected DNS zone. It will be ignored if `webAppli
- Required: No
- Type: string

### Parameter: `enableAad`

Enable Azure Active Directory integration.

- Required: No
- Type: bool
- Default: `False`

### Parameter: `enableAzureDefender`

Whether to enable Azure Defender.
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "13504241837980660061"
"version": "0.31.92.45157",
"templateHash": "10548754747426289718"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
Expand Down Expand Up @@ -355,7 +355,10 @@
"vmSize": "[parameters('vmSize')]",
"vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
"workloadRuntime": "[parameters('workloadRuntime')]"
}
},
"dependsOn": [
"managedCluster"
]
}
},
"outputs": {
7 changes: 5 additions & 2 deletions avm/res/container-service/managed-cluster/main.bicep
Expand Up @@ -101,6 +101,9 @@ param adminUsername string = 'azureuser'
@description('Optional. Specifies the SSH RSA public key string for the Linux nodes.')
param sshPublicKey string?

@description('Optional. Enable Azure Active Directory integration.')
param enableAad bool = false

@description('Conditional. Information about a service principal identity for the cluster to use for manipulating Azure APIs. Required if no managed identities are assigned to the cluster.')
param aksServicePrincipalProfile object?

Expand Down Expand Up @@ -739,15 +742,15 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
}
}
publicNetworkAccess: publicNetworkAccess
aadProfile: {
aadProfile: enableAad ? {

If there are any required parameters, would it not maybe be simpler to change this condition to something like aadProfile: !empty(aadProfileClientAppID) ? { ?

Mind you, I have no clue if any of those parameter is required, so this is just an example.

An alternative, by the way, would be to add a user defined type for the aadProfile that is used by a corresponding parameter: param aadProfile aadProfileType? and would contain all the below properties. If implemented, the above suggested check could be changed to something like aadProfile: !empty(aadProfile) ? {

Just some ideas 😏

clientAppID: aadProfileClientAppID
serverAppID: aadProfileServerAppID
serverAppSecret: aadProfileServerAppSecret
managed: aadProfileManaged
enableAzureRBAC: aadProfileEnableAzureRBAC
adminGroupObjectIDs: aadProfileAdminGroupObjectIDs
tenantID: aadProfileTenantId
}
} : null
autoScalerProfile: {
'balance-similar-node-groups': toLower(string(autoScalerProfileBalanceSimilarNodeGroups))
expander: autoScalerProfileExpander
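Review bot: With `enableAad` defaulting to `false` (first hunk, line `param enableAad bool = false`), the previously unconditional `aadProfile` block in the second hunk becomes `null` for every existing consumer, so a deployment that already passes `aadProfileManaged`, `aadProfileEnableAzureRBAC` or `aadProfileAdminGroupObjectIDs` silently loses AAD integration on its next run unless it is also updated to opt in — that is a breaking change for an "Optional" flag, and nothing in the hunk warns about it. The new parameter's description does not mention this either; I would change it to `@description('Optional. Enable Azure Active Directory integration. When false, all aadProfile* parameters are ignored and no aadProfile is set on the cluster.')`. Since the module also exposes `disableLocalAccounts` and AKS, as far as I recall, does not accept a cluster with local accounts disabled and no AAD profile, a guard such as `var _ = (disableLocalAccounts && !enableAad) ? fail('disableLocalAccounts requires enableAad = true') : true` near the parameter declarations would turn that misconfiguration into a validation error instead of a deploy-time failure — confirm against the current API before adding it. The managedCluster resource body starts and ends outside this hunk.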
39 changes: 22 additions & 17 deletions avm/res/container-service/managed-cluster/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "178765084464759811"
"version": "0.31.92.45157",
"templateHash": "518997977608883939"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
Expand Down Expand Up @@ -926,6 +926,13 @@
"description": "Optional. Specifies the SSH RSA public key string for the Linux nodes."
}
},
"enableAad": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Enable Azure Active Directory integration."
}
},
"aksServicePrincipalProfile": {
"type": "object",
"nullable": true,
Expand Down Expand Up @@ -1678,7 +1685,10 @@
"apiVersion": "2023-02-01",
"subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
"resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
"name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]"
"name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]",
"dependsOn": [
"cMKKeyVault"
]
},
"avmTelemetry": {
"condition": "[parameters('enableTelemetry')]",
Expand Down Expand Up @@ -1803,15 +1813,7 @@
}
},
"publicNetworkAccess": "[parameters('publicNetworkAccess')]",
"aadProfile": {
"clientAppID": "[parameters('aadProfileClientAppID')]",
"serverAppID": "[parameters('aadProfileServerAppID')]",
"serverAppSecret": "[parameters('aadProfileServerAppSecret')]",
"managed": "[parameters('aadProfileManaged')]",
"enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]",
"adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]",
"tenantID": "[parameters('aadProfileTenantId')]"
},
"aadProfile": "[if(parameters('enableAad'), createObject('clientAppID', parameters('aadProfileClientAppID'), 'serverAppID', parameters('aadProfileServerAppID'), 'serverAppSecret', parameters('aadProfileServerAppSecret'), 'managed', parameters('aadProfileManaged'), 'enableAzureRBAC', parameters('aadProfileEnableAzureRBAC'), 'adminGroupObjectIDs', parameters('aadProfileAdminGroupObjectIDs'), 'tenantID', parameters('aadProfileTenantId')), null())]",
"autoScalerProfile": {
"balance-similar-node-groups": "[toLower(string(parameters('autoScalerProfileBalanceSimilarNodeGroups')))]",
"expander": "[parameters('autoScalerProfileExpander')]",
Expand Down Expand Up @@ -2005,8 +2007,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "3191846535289543816"
"version": "0.31.92.45157",
"templateHash": "17300977997310482979"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
Expand Down Expand Up @@ -2202,8 +2204,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "13504241837980660061"
"version": "0.31.92.45157",
"templateHash": "10548754747426289718"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
Expand Down Expand Up @@ -2552,7 +2554,10 @@
"vmSize": "[parameters('vmSize')]",
"vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
"workloadRuntime": "[parameters('workloadRuntime')]"
}
},
"dependsOn": [
"managedCluster"
]
}
},
"outputs": {
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.31.34.60546",
"templateHash": "3191846535289543816"
"version": "0.31.92.45157",
"templateHash": "17300977997310482979"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
Expand Up @@ -45,6 +45,7 @@ module testDeployment '../../../main.bicep' = [
enableSecretRotation: true
kedaAddon: true
kubernetesVersion: '1.28'
enableAad: true
maintenanceConfigurations: [
{
name: 'aksManagedAutoUpgradeSchedule'
Expand Up @@ -218,6 +218,7 @@ module testDeployment '../../../main.bicep' = [
enableKeyvaultSecretsProvider: true
enablePodSecurityPolicy: false
enableAzureMonitorProfileMetrics: true
enableAad: true
customerManagedKey: {
keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
keyVaultNetworkAccess: 'Public'
Expand Up @@ -50,6 +50,7 @@ module testDeployment '../../../main.bicep' = [
mode: 'System'
}
]
enableAad: true
}
}
]
Expand Up @@ -52,6 +52,7 @@ module testDeployment '../../../main.bicep' = [
params: {
name: '${namePrefix}${serviceShort}001'
location: resourceLocation
enableAad: true
managedIdentities: {
systemAssigned: true
}