1 change: 1 addition & 0 deletions src/command_modules/azure-cli-acs/HISTORY.rst
Expand Up @@ -7,6 +7,7 @@ Release History
++++++
* "az aks get-credentials" will prompt to overwrite duplicated values
* Remove "(PREVIEW)" from Dev Spaces commands, "az aks use-dev-spaces" and "az aks remove-dev-spaces".
* adding customer-admin-group-id flag to "az openshift create"

2.3.21
++++++
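
Review bot: The new entry `* adding customer-admin-group-id flag to "az openshift create"` is a lowercase gerund, unlike the `Remove "(PREVIEW)" ...` entry above it, and it omits the leading dashes of the option name. Suggest `* Add "--customer-admin-group-id" flag to "az openshift create"`, plus a few words saying that the flag maps an Azure Active Directory group to cluster admin access, since that is the effect a reader of the release notes needs to see.
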
Expand Up @@ -662,11 +662,16 @@
- name: --subnet-prefix
type: string
short-summary: The CIDR used on the Subnet into which to deploy the cluster.
- name: --customer-admin-group-id
type: string
short-summary: The Object ID of an Azure Active Directory Group that memberships will get synced into the OpenShift group "osa-customer-admins". If not specified, no cluster admin access will be granted.


examples:
- name: Create an OpenShift cluster and auto create an AAD Client
text: az openshift create -g MyResourceGroup -n MyManagedCluster --fqdn {FQDN}
- name: Create an OpenShift cluster and auto create an AAD Client and setup cluster admin group
text: az openshift create -g MyResourceGroup -n MyManagedCluster --fqdn {FQDN} --customer-admin-group-id {GROUP_ID}
Member

This is going to be incompatible with PR #9083 which removes FQDN.

@tjprescott FQDN is not being removed. It's being made optional. PR #9083 will be done on top of this PR.

- name: Create an OpenShift cluster with 5 compute nodes and a custom AAD Client.
text: az openshift create -g MyResourceGroup -n MyManagedCluster --fqdn {FQDN} --aad-client-app-id {APP_ID} --aad-client-app-secret {APP_SECRET} --aad-tenant-id {TENANT_ID} --compute-count 5
- name: Create an Openshift cluster using a custom vnet
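
Review bot: In the `--customer-admin-group-id` short-summary, "Group that memberships will get synced" is ungrammatical, and the text never says outright that every member of that group becomes a cluster admin. Suggest wording such as 'The Object ID of an Azure Active Directory group whose members are synced into the OpenShift group "osa-customer-admins"', and move "If not specified, no cluster admin access will be granted." into a long-summary so the default is easy to find. The new example could also say that {GROUP_ID} is the group's Object ID rather than its display name.
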
Expand Up @@ -262,6 +262,7 @@ def load_arguments(self, _):
with self.argument_context('openshift create') as c:
c.argument('name', validator=validate_linux_host_name)
c.argument('compute_vm_size', options_list=['--compute-vm-size', '-s'])
c.argument('customer_admin_group_id', options_list=['--customer-admin-group-id'])


def _get_default_install_location(exe_name):
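
Review bot: The new `c.argument('customer_admin_group_id', options_list=['--customer-admin-group-id'])` line has no validator, although `name` two lines above gets `validate_linux_host_name`. The help text documents the value as an AAD Object ID, and it decides who receives cluster admin, so a GUID-format validator would reject a typo or a pasted display name before anything is created. Without a validator or help override, the explicit `options_list` only repeats the option name that the CLI derives from the parameter name anyway.
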
Expand Up @@ -2255,7 +2255,8 @@ def _ensure_osa_aad(cli_ctx,
aad_client_app_secret=None,
aad_tenant_id=None,
identifier=None,
name=None, update=False):
name=None, update=False,
customer_admin_group_id=None):
rbac_client = get_graph_rbac_management_client(cli_ctx)
if not aad_client_app_id:
if not aad_client_app_secret and update:
Expand All @@ -2265,9 +2266,14 @@ def _ensure_osa_aad(cli_ctx,
# Delegate Sign In and Read User Profile permissions on Windows Azure Active Directory API
resource_access = ResourceAccess(id="311a71cc-e848-46a1-bdf8-97ff7156d8e6",
additional_properties=None, type="Scope")
required_osa_aad_access = RequiredResourceAccess(resource_access=[resource_access],
# Read directory permissions on Windows Azure Active Directory API
directory_access = ResourceAccess(id="5778995a-e1bf-45b8-affa-663a9f3f4d04",
Member

What is this hard-coded ID?

@amanohar Apr 18, 2019

> What is this hard-coded ID?

@tjprescott these are scope GUIDs for programmatic use and represent various permissions: https://docs.microsoft.com/en-us/graph/permissions-reference. Currently there isn't straightforward documentation from AAD for this, and this is obtained by looking at currently configured apps in AAD.

additional_properties=None, type="Role")

required_osa_aad_access = RequiredResourceAccess(resource_access=[resource_access, directory_access],
additional_properties=None,
resource_app_id="00000002-0000-0000-c000-000000000000")

list_aad_filtered = list(rbac_client.applications.list(filter="identifierUris/any(s:s eq '{}')"
.format(reply_url)))
if update:
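
Review bot: `directory_access` is added to `resource_access=[resource_access, directory_access]` unconditionally, so every auto-created AAD app now requests the directory-read permission with `type="Role"`, even when `customer_admin_group_id` is not passed. A `Role` entry is an application permission rather than a delegated scope like the existing sign-in entry, which widens what the app registration is allowed to do; consider requesting it only when a group ID is supplied. The GUID literals would also be easier to audit as named module-level constants, each with a comment naming the permission and where the value was taken from.
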
Expand Down Expand Up @@ -2303,7 +2309,8 @@ def _ensure_osa_aad(cli_ctx,
client_id=aad_client_app_id,
secret=aad_client_app_secret,
tenant_id=aad_tenant_id,
kind='AADIdentityProvider')
kind='AADIdentityProvider',
customer_admin_group_id=customer_admin_group_id)


def _ensure_service_principal(cli_ctx,
Expand Down Expand Up @@ -2495,7 +2502,8 @@ def openshift_create(cmd, client, resource_group_name, name, # pylint: disable=
subnet_prefix="10.0.0.0/24",
vnet_peer=None,
tags=None,
no_wait=False):
no_wait=False,
customer_admin_group_id=None):

if location is None:
location = _get_rg_location(cmd.cli_ctx, resource_group_name)
Expand All @@ -2511,7 +2519,7 @@ def openshift_create(cmd, client, resource_group_name, name, # pylint: disable=

agent_infra_pool_profile = OpenShiftManagedClusterAgentPoolProfile(
name='infra', # Must be 12 chars or less before ACS RP adds to it
count=int(2),
count=int(3),
Member

Does this change the default node pool count from 2 to 3? That seems like a significant change (not related to this PR). Maybe it should be mentioned separately in the release notes.

Contributor

Yes, we agreed on this to switch from 2 to 3

vm_size="Standard_D4s_v3",
os_type="Linux",
role=OpenShiftAgentPoolProfileRole.infra,
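
Review bot: The `count=int(2)` to `count=int(3)` change on the `infra` pool alters a default for every new cluster and is unrelated to the admin-group flag, yet the HISTORY.rst hunk in this PR has no entry for it. Add a release-note line for the new default, or split it into its own change. The `int()` wrapper around a literal is also redundant; `count=3` is enough.
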
Expand Down Expand Up @@ -2540,7 +2548,8 @@ def openshift_create(cmd, client, resource_group_name, name, # pylint: disable=
aad_client_app_id=aad_client_app_id,
aad_client_app_secret=aad_client_app_secret,
aad_tenant_id=aad_tenant_id, identifier=fqdn,
name=name, update=update_aad_secret)
name=name, update=update_aad_secret,
customer_admin_group_id=customer_admin_group_id)
identity_providers.append(
OpenShiftManagedClusterIdentityProvider(
name='Azure AD',
Expand Up @@ -386,7 +386,7 @@ interactions:
accept-language:
- en-US
method: PUT
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"code\": \"ServicePrincipalNotFound\",\n \"message\": \"Service
Expand Down Expand Up @@ -447,7 +447,7 @@ interactions:
accept-language:
- en-US
method: PUT
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1245,7 +1245,7 @@ interactions:
- python/3.6.6 (Windows-10-10.0.17763-SP0) msrest/0.6.4 msrest_azure/0.4.34
azure-mgmt-containerservice/4.4.0 Azure-SDK-For-Python AZURECLI/2.0.62
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1309,7 +1309,7 @@ interactions:
accept-language:
- en-US
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters?api-version=2019-02-01
response:
body:
string: "{\n \"value\": [\n {\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1375,7 +1375,7 @@ interactions:
accept-language:
- en-US
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters?api-version=2019-02-01
response:
body:
string: "{\n \"value\": [\n {\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1441,7 +1441,7 @@ interactions:
accept-language:
- en-US
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1507,7 +1507,7 @@ interactions:
accept-language:
- en-US
method: POST
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2019-02-01
response:
body:
string: "{\n \"kubeconfigs\": [\n {\n \"name\": \"clusterUser\",\n \"value\":
Expand Down Expand Up @@ -1562,7 +1562,7 @@ interactions:
accept-language:
- en-US
method: POST
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2019-02-01
response:
body:
string: "{\n \"kubeconfigs\": [\n {\n \"name\": \"clusterUser\",\n \"value\":
Expand Down Expand Up @@ -1617,7 +1617,7 @@ interactions:
accept-language:
- en-US
method: POST
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003/listClusterUserCredential?api-version=2019-02-01
response:
body:
string: "{\n \"kubeconfigs\": [\n {\n \"name\": \"clusterUser\",\n \"value\":
Expand Down Expand Up @@ -1670,7 +1670,7 @@ interactions:
accept-language:
- en-US
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -1745,7 +1745,7 @@ interactions:
accept-language:
- en-US
method: PUT
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -2244,7 +2244,7 @@ interactions:
- python/3.6.6 (Windows-10-10.0.17763-SP0) msrest/0.6.4 msrest_azure/0.4.34
azure-mgmt-containerservice/4.4.0 Azure-SDK-For-Python AZURECLI/2.0.62
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -2308,7 +2308,7 @@ interactions:
accept-language:
- en-US
method: GET
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003\",\n
Expand Down Expand Up @@ -2374,7 +2374,7 @@ interactions:
accept-language:
- en-US
method: DELETE
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2018-03-31
uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000003?api-version=2019-02-01
response:
body:
string: ''
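
Review bot: Every hunk in this recording changes only the `uri` line, from `api-version=2018-03-31` to `api-version=2019-02-01`, while the recorded response bodies and the `azure-mgmt-containerservice/4.4.0` user-agent lines remain as unchanged context. That pattern suggests the recording was edited by search and replace rather than re-recorded against the new API version, in which case the responses no longer show what the service returns for `2019-02-01`; please re-record it. These are all `managedClusters` requests for `cliakstest000003`, and none of the visible hunks exercises `--customer-admin-group-id`, so the new flag has no test coverage here.
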