Adding Software Assurance support on connected clusters for AKS HCI

.github/CODEOWNERS

@@ -82,7 +82,7 @@
 
 /src/ip-group/ @necusjz @kairu-ms @jsntcy
 
-/src/connectedk8s/ @akashkeshari @alphaWizard
+/src/connectedk8s/ @akashkeshari @sirireddy12
 
 /src/storagesync/ @jsntcy
 

src/connectedk8s/HISTORY.rst

@@ -2,6 +2,13 @@
 
 Release History
 ===============
+1.3.5
+++++++
+
+* Added software assurance related changes for AKS HCI
+* Added parameter for overriding container log path
+* Updated kubernetes package dependency to 24.2.0
+
 1.3.4
 ++++++
 

src/connectedk8s/azext_connectedk8s/_client_factory.py

@@ -19,13 +19,13 @@ def cf_connected_cluster(cli_ctx, _):
     return cf_connectedk8s(cli_ctx).connected_cluster
 
 
-def cf_connectedk8s_prev_2022_05_01(cli_ctx, *_):
-    from azext_connectedk8s.vendored_sdks.preview_2022_05_01 import ConnectedKubernetesClient
+def cf_connectedk8s_prev_2022_10_01(cli_ctx, *_):
+    from azext_connectedk8s.vendored_sdks.preview_2022_10_01 import ConnectedKubernetesClient
     return get_mgmt_service_client(cli_ctx, ConnectedKubernetesClient)
 
 
-def cf_connected_cluster_prev_2022_05_01(cli_ctx, _):
-    return cf_connectedk8s_prev_2022_05_01(cli_ctx).connected_cluster
+def cf_connected_cluster_prev_2022_10_01(cli_ctx, _):
+    return cf_connectedk8s_prev_2022_10_01(cli_ctx).connected_cluster
 
 
 def cf_connectedmachine(cli_ctx, subscription_id):

src/connectedk8s/azext_connectedk8s/_constants.py

@@ -6,8 +6,9 @@
 
 # pylint: disable=line-too-long
 
-Distribution_Enum_Values = ["auto", "generic", "openshift", "rancher_rke", "kind", "k3s", "minikube", "gke", "eks", "aks", "aks_management", "aks_workload", "capz", "aks_engine", "tkg"]
+Distribution_Enum_Values = ["auto", "generic", "openshift", "rancher_rke", "kind", "k3s", "minikube", "gke", "eks", "aks", "aks_management", "aks_workload", "capz", "aks_engine", "tkg", "canonical", "karbon"]
 Infrastructure_Enum_Values = ["auto", "generic", "azure", "aws", "gcp", "azure_stack_hci", "azure_stack_hub", "azure_stack_edge", "vsphere", "windows_server"]
+AHB_Enum_Values = ["True", "False", "NotApplicable"]
 Feature_Values = ["cluster-connect", "azure-rbac", "custom-locations"]
 CRD_FOR_FORCE_DELETE = ["arccertificates.clusterconfig.azure.com", "azureclusteridentityrequests.clusterconfig.azure.com", "azureextensionidentities.clusterconfig.azure.com", "connectedclusters.arc.azure.com", "customlocationsettings.clusterconfig.azure.com", "extensionconfigs.clusterconfig.azure.com", "gitconfigs.clusterconfig.azure.com"]
 Custom_Locations_Provider_Namespace = 'Microsoft.ExtendedLocation'
@@ -57,7 +58,6 @@
 Get_HelmRegistery_Path_Fault_Type = 'helm-registry-path-fetch-error'
 Pull_HelmChart_Fault_Type = 'helm-chart-pull-error'
 Export_HelmChart_Fault_Type = 'helm-chart-export-error'
-Get_Kubernetes_Version_Fault_Type = 'kubernetes-get-version-error'
 Get_Kubernetes_Distro_Fault_Type = 'kubernetes-get-distribution-error'
 Get_Kubernetes_Namespace_Fault_Type = 'kubernetes-get-namespace-error'
 Update_Agent_Success = 'Agents for Connected Cluster {} have been updated successfully'

src/connectedk8s/azext_connectedk8s/_params.py

@@ -9,7 +9,7 @@
 from argcomplete.completers import FilesCompleter
 from azure.cli.core.commands.parameters import get_location_type, get_enum_type, file_type, tags_type, get_three_state_flag
 from azure.cli.core.commands.validators import get_default_location_from_resource_group
-from azext_connectedk8s._constants import Distribution_Enum_Values, Infrastructure_Enum_Values, Feature_Values
+from azext_connectedk8s._constants import Distribution_Enum_Values, Infrastructure_Enum_Values, Feature_Values, AHB_Enum_Values
 from knack.arguments import (CLIArgumentType, CaseInsensitiveList)
 
 from._validators import validate_private_link_properties
@@ -35,14 +35,18 @@ def load_arguments(self, _):
         c.argument('no_proxy', options_list=['--proxy-skip-range'], arg_group='Proxy', help='List of URLs/CIDRs for which proxy should not to be used.')
         c.argument('proxy_cert', options_list=['--proxy-cert', '--custom-ca-cert'], arg_group='Proxy', type=file_type, completer=FilesCompleter(), help='Path to the certificate file for proxy or custom Certificate Authority')
         c.argument('distribution', options_list=['--distribution'], help='The Kubernetes distribution which will be running on this connected cluster.', arg_type=get_enum_type(Distribution_Enum_Values))
+        c.argument('distribution_version', help='The Kubernetes distribution version of the connected cluster.')
         c.argument('infrastructure', options_list=['--infrastructure'], help='The infrastructure on which the Kubernetes cluster represented by this connected cluster will be running on.', arg_type=get_enum_type(Infrastructure_Enum_Values))
+        c.argument('azure_hybrid_benefit', help='Flag to enable/disable Azure Hybrid Benefit feature.', arg_type=get_enum_type(AHB_Enum_Values))
         c.argument('disable_auto_upgrade', options_list=['--disable-auto-upgrade'], action='store_true', help='Flag to disable auto upgrade of arc agents.')
         c.argument('cl_oid', options_list=['--custom-locations-oid'], help="OID of 'custom-locations' app")
         c.argument('enable_private_link', arg_type=get_three_state_flag(), arg_group='PrivateLink', help='Flag to enable/disable private link support on a connected cluster resource. Allowed values: false, true.', is_preview=True, validator=validate_private_link_properties)
         c.argument('private_link_scope_resource_id', pls_arm_id_type)
         c.argument('onboarding_timeout', options_list=['--onboarding-timeout'], arg_group='Timeout', help='Time required (in seconds) for the arc-agent pods to be installed on the kubernetes cluster. Override this value if the hardware/network constraints on your cluster requires more time for installing the arc-agent pods.')
         c.argument('no_wait', options_list=['--no-wait'], arg_group='Timeout', help="Do not wait for the long-running operation to finish.")
         c.argument('correlation_id', options_list=['--correlation-id'], help='A guid that is used to internally track the source of cluster onboarding. Please do not modify it unless advised', validator=override_client_request_id_header)
+        c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
+        c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s update') as c:
         c.argument('tags', tags_type)
@@ -52,9 +56,14 @@ def load_arguments(self, _):
         c.argument('https_proxy', options_list=['--proxy-https'], arg_group='Proxy', help='Https proxy URL to be used.')
         c.argument('http_proxy', options_list=['--proxy-http'], arg_group='Proxy', help='Http proxy URL to be used.')
         c.argument('no_proxy', options_list=['--proxy-skip-range'], arg_group='Proxy', help='List of URLs/CIDRs for which proxy should not to be used.')
+        c.argument('distribution', help='The Kubernetes distribution which will be running on this connected cluster.', arg_type=get_enum_type(Distribution_Enum_Values))
+        c.argument('distribution_version', help='The Kubernetes distribution version of the connected cluster.')
+        c.argument('azure_hybrid_benefit', help='Flag to enable/disable Azure Hybrid Benefit feature.', arg_type=get_enum_type(AHB_Enum_Values))
         c.argument('proxy_cert', options_list=['--proxy-cert', '--custom-ca-cert'], arg_group='Proxy', type=file_type, completer=FilesCompleter(), help='Path to the certificate file for proxy or custom Certificate Authority')
         c.argument('disable_proxy', options_list=['--disable-proxy'], arg_group='Proxy', action='store_true', help='Disables proxy settings for agents')
         c.argument('auto_upgrade', options_list=['--auto-upgrade'], help='Flag to enable/disable auto upgrade of arc agents. By default, auto upgrade of agents is enabled.', arg_type=get_enum_type(["true", "false"]))
+        c.argument('container_log_path', help='Override the default container log path to enable fluent-bit logging')
+        c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('connectedk8s upgrade') as c:
         c.argument('cluster_name', options_list=['--name', '-n'], id_part='name', help='The name of the connected cluster.')

src/connectedk8s/azext_connectedk8s/_troubleshootutils.py

@@ -65,14 +65,18 @@ def create_folder_diagnosticlogs(time_stamp):
         return "", False
 
 
-def fetch_kubectl_cluster_info(filepath_with_timestamp, storage_space_available, kubectl_client_location):
+def fetch_kubectl_cluster_info(filepath_with_timestamp, storage_space_available, kubectl_client_location, kube_config, kube_context):
 
     global diagnoser_output
     try:
         # If storage space available then only store the azure-arc events
         if storage_space_available:
             # CMD command to get events using kubectl and converting it to json format
             kubect_cluster_info_command = [kubectl_client_location, "cluster-info"]
+            if kube_config:
+                kubect_cluster_info_command.extend(["--kubeconfig", kube_config])
+            if kube_context:
+                kubect_cluster_info_command.extend(["--context", kube_context])
             # Using Popen to execute the command and fetching the output
             response_cluster_info = Popen(kubect_cluster_info_command, stdout=PIPE, stderr=PIPE)
             output_cluster_info, error_cluster_info = response_cluster_info.communicate()
@@ -210,14 +214,18 @@ def retrieve_arc_agents_logs(corev1_api_instance, filepath_with_timestamp, stora
     return consts.Diagnostic_Check_Failed, storage_space_available
 
 
-def retrieve_arc_agents_event_logs(filepath_with_timestamp, storage_space_available, kubectl_client_location):
+def retrieve_arc_agents_event_logs(filepath_with_timestamp, storage_space_available, kubectl_client_location, kube_config, kube_context):
 
     global diagnoser_output
     try:
         # If storage space available then only store the azure-arc events
         if storage_space_available:
             # CMD command to get events using kubectl and converting it to json format
             command = [kubectl_client_location, "get", "events", "-n", "azure-arc", "--output", "json"]
+            if kube_config:
+                command.extend(["--kubeconfig", kube_config])
+            if kube_context:
+                command.extend(["--context", kube_context])
             # Using Popen to execute the command and fetching the output
             response_kubectl_get_events = Popen(command, stdout=PIPE, stderr=PIPE)
             output_kubectl_get_events, error_kubectl_get_events = response_kubectl_get_events.communicate()
@@ -455,7 +463,7 @@ def check_agent_version(connected_cluster, azure_arc_agent_version):
     return consts.Diagnostic_Check_Incomplete
 
 
-def check_diagnoser_container(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, probable_sufficient_resource_for_agents, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence):
+def check_diagnoser_container(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, probable_sufficient_resource_for_agents, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence, kube_config, kube_context):
 
     global diagnoser_output
     try:
@@ -469,7 +477,7 @@ def check_diagnoser_container(corev1_api_instance, batchv1_api_instance, filepat
         dns_check = "Starting"
         outbound_connectivity_check = "Starting"
         # Executing the Diagnoser job and fetching diagnoser logs obtained
-        diagnoser_container_log = executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence)
+        diagnoser_container_log = executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence, kube_config, kube_context)
         # If diagnoser_container_log is not empty then only we will check for the results
         if(diagnoser_container_log is not None and diagnoser_container_log != ""):
             diagnoser_container_log_list = diagnoser_container_log.split("\n")
@@ -508,12 +516,16 @@ def check_diagnoser_container(corev1_api_instance, batchv1_api_instance, filepat
     return consts.Diagnostic_Check_Incomplete, storage_space_available
 
 
-def executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence):
+def executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_with_timestamp, storage_space_available, absolute_path, helm_client_location, kubectl_client_location, release_namespace, probable_pod_security_policy_presence, kube_config, kube_context):
 
     global diagnoser_output
     job_name = "azure-arc-diagnoser-job"
     # CMD command to get helm values in azure arc and converting it to json format
     command = [helm_client_location, "get", "values", "azure-arc", "--namespace", release_namespace, "-o", "json"]
+    if kube_config:
+        command.extend(["--kubeconfig", kube_config])
+    if kube_context:
+        command.extend(["--kube-context", kube_context])
     # Using Popen to execute the helm get values command and fetching the output
     response_helm_values_get = Popen(command, stdout=PIPE, stderr=PIPE)
     output_helm_values_get, error_helm_get_values = response_helm_values_get.communicate()
@@ -565,6 +577,10 @@ def executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_
     # Setting the log output as Empty
     diagnoser_container_log = ""
     cmd_delete_job = [kubectl_client_location, "delete", "-f", ""]
+    if kube_config:
+        cmd_delete_job.extend(["--kubeconfig", kube_config])
+    if kube_context:
+        cmd_delete_job.extend(["--context", kube_context])
     cmd_delete_job[3] = str(yaml_file_path)
     # Editing the yaml file based on the release namespace
     new_yaml = []
@@ -592,7 +608,7 @@ def executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_
     # To handle the user keyboard Interrupt
     try:
         # Executing the diagnoser_job.yaml
-        config.load_kube_config()
+        config.load_kube_config(kube_config, kube_context)
         k8s_client = client.ApiClient()
         # Attempting deletion of diagnoser resources to handle the scenario if any stale resources are present
         response_kubectl_delete_job = Popen(cmd_delete_job, stdout=PIPE, stderr=PIPE)
@@ -669,6 +685,10 @@ def executing_diagnoser_job(corev1_api_instance, batchv1_api_instance, filepath_
                 # Creating folder with name 'describe_non_ready_agent' in the given path
                 unfinished_diagnoser_job_path = os.path.join(filepath_with_timestamp, consts.Events_of_Incomplete_Diagnoser_Job)
                 cmd_get_diagnoser_job_events = [kubectl_client_location, "get", "events", "--field-selector", "", "-n", "azure-arc", "--output", "json"]
+                if kube_config:
+                    cmd_get_diagnoser_job_events.extend(["--kubeconfig", kube_config])
+                if kube_context:
+                    cmd_get_diagnoser_job_events.extend(["--context", kube_context])
                 # To describe the diagnoser pod which did not reach completed stage
                 arc_agents_pod_list = corev1_api_instance.list_namespaced_pod(namespace="azure-arc")
                 for each_pod in arc_agents_pod_list.items:
@@ -834,7 +854,7 @@ def check_msi_certificate_presence(corev1_api_instance):
     return consts.Diagnostic_Check_Incomplete
 
 
-def check_probable_cluster_security_policy(corev1_api_instance, helm_client_location, release_namespace):
+def check_probable_cluster_security_policy(corev1_api_instance, helm_client_location, release_namespace, kube_config, kube_context):
 
     global diagnoser_output
     try:
@@ -843,6 +863,10 @@ def check_probable_cluster_security_policy(corev1_api_instance, helm_client_loca
         cluster_connect_feature = False
         # CMD command to get helm values in azure arc and converting it to json format
         command = [helm_client_location, "get", "values", "azure-arc", "--namespace", release_namespace, "-o", "json"]
+        if kube_config:
+            command.extend(["--kubeconfig", kube_config])
+        if kube_context:
+            command.extend(["--kube-context", kube_context])
         # Using Popen to execute the helm get values command and fetching the output
         response_helm_values_get = Popen(command, stdout=PIPE, stderr=PIPE)
         output_helm_values_get, error_helm_get_values = response_helm_values_get.communicate()