[Aks] Added acr support in Set-AzAksCluster (#14796)

* Added support acr in Set-AzAksCluster

* Added support acr in Set-AzAksCluster

* Added support acr in Set-AzAksCluster

* Merge NewKubeBase and NewAzureRmAks into one class.

* Merge NewKubeBase and NewAzureRmAks into one class.

* Added support acr in Set-AzAksCluster

* Added support acr in Set-AzAksCluster

* Added support acr in Set-AzAksCluster

* Added support acr in Set-AzAksCluster

* Update the document

* Remove container registery in test cases

Co-authored-by: wyunchi-ms <[email protected]>
Co-authored-by: Yabo Hu <[email protected]>

Author: wyunchi-ms

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs

@@ -45,6 +45,13 @@ public void TestAzureKubernetesAddons()
             TestController.NewInstance.RunPowerShellTest(_logger, "Test-NewAzAksAddons");
         }
 
+        [Fact(Skip = "Please make sure you have graph directory.read permission which is required for grant acrpull permission.")]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestNewAzAksWithAcr()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Test-NewAzAksWithAcr");
+        }
+        
         [Fact(Skip = "Updating service principal profile is not allowed on MSI cluster.")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestResetAzureKubernetesServicePrincipal()

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1

@@ -39,7 +39,7 @@ function Test-NewAzAksWithAcr
     $kubeClusterName = Get-RandomClusterName
     $acrName = Get-RandomRegistryName
     $location = Get-ProviderLocation "Microsoft.ContainerService/managedClusters"
-    $nodeVmSize = "Standard_A2"
+    $nodeVmSize = "Standard_D2_v2"
 
     try
     {
@@ -59,6 +59,14 @@ function Test-NewAzAksWithAcr
         Assert-AreEqual 2 $cluster.AgentPoolProfiles[0].Count;
         $cluster | Import-AzAksCredential -Force
         $cluster | Remove-AzAksCluster -Force
+        $roleAssignment = Get-AzRoleAssignment -ResourceGroupName $resourceGroupName | Where-Object { ($_.RoleDefinitionName -eq 'AcrPull') -and ($_.DisplayName -eq $acrName) }
+        Assert-NotNull $roleAssignment
+        Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -AcrNameToDetach $acrName
+        $roleAssignment = Get-AzRoleAssignment -ResourceGroupName $resourceGroupName | Where-Object { ($_.RoleDefinitionName -eq 'AcrPull') -and ($_.DisplayName -eq $acrName) }
+        Assert-Null $roleAssignment
+        Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -AcrNameToAttach $acrName
+        $roleAssignment = Get-AzRoleAssignment -ResourceGroupName $resourceGroupName | Where-Object { ($_.RoleDefinitionName -eq 'AcrPull') -and ($_.DisplayName -eq $acrName) }
+        Assert-NotNull $roleAssignment
     }
     finally
     {

src/Aks/Aks.Test/ScenarioTests/TestController.cs

@@ -14,6 +14,8 @@
 using Microsoft.Azure.ServiceManagement.Common.Models;
 using Microsoft.Azure.Management.ContainerService;
 using Microsoft.Azure.Management.Authorization.Version2015_07_01;
+using Microsoft.Azure.Graph.RBAC.Version1_6;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 
 namespace Commands.Aks.Test.ScenarioTests
 {
@@ -30,6 +32,9 @@ public TestController()
 
         public static TestController NewInstance => new TestController();
 
+        public string UserDomain { get; private set; }
+        public GraphRbacManagementClient InternalGraphRbacManagementClient { get; private set; }
+
         public ResourceManagementClient InternalResourceManagementClient { get; private set; }
 
         public AuthorizationManagementClient InternalAuthorizationManagementClient { get; private set; }
@@ -44,6 +49,7 @@ public void RunPowerShellTest(XunitTracingInterceptor logger, params string[] sc
 
             var d = new Dictionary<string, string>
             {
+                {"Microsoft.Resources", null},
                 {"Microsoft.Features", null},
                 {"Microsoft.Authorization", null}
             };
@@ -108,13 +114,26 @@ private void SetupManagementClients(MockContext context)
         {
             ContainerServiceClient = GetContainerServiceClient(context);
             InternalResourceManagementClient = GetInternalResourceManagementClient(context);
-            _helper.SetupManagementClients(ContainerServiceClient, InternalResourceManagementClient);
+            InternalAuthorizationManagementClient = GetAuthorizationManagementClient(context);
+            InternalGraphRbacManagementClient = GetGraphRbacManagementClient(context);
+            _helper.SetupManagementClients(ContainerServiceClient,
+                InternalResourceManagementClient,
+                InternalAuthorizationManagementClient,
+                InternalGraphRbacManagementClient);
         }
 
         private static ContainerServiceClient GetContainerServiceClient(MockContext context)
         {
             return context.GetServiceClient<ContainerServiceClient>();
         }
+        private GraphRbacManagementClient GetGraphRbacManagementClient(MockContext context)
+        {
+            return context.GetServiceClient<GraphRbacManagementClient>();
+        }
+        private static AuthorizationManagementClient GetAuthorizationManagementClient(MockContext context)
+        {
+            return context.GetServiceClient<AuthorizationManagementClient>();
+        }
         private static ResourceManagementClient GetInternalResourceManagementClient(MockContext context)
         {
             return context.GetServiceClient<ResourceManagementClient>();

src/Aks/Aks/ChangeLog.md

@@ -18,7 +18,9 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
-* Add `Set-AzAksClusterCredential` to reset the ServicePrincipal of an existing AKS cluster.
+* Added support `AcrNameToAttach` in `Set-AzAksCluster`. [#14692]
+* Added support `AcrNameToDetach` in `Set-AzAksCluster`. [#14693] 
+* Added `Set-AzAksClusterCredential` to reset the ServicePrincipal of an existing AKS cluster.
 
 ## Version 2.0.2
 * Refined error messages of cmdlet failure.

src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs

@@ -116,61 +116,15 @@ public abstract class CreateOrUpdateKubeBase : KubeCmdletBase
         [Alias("SshKeyPath")]
         public string SshKeyValue { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Grant the 'acrpull' role of the specified ACR to AKS Service Principal, e.g. myacr")]
+        public string AcrNameToAttach { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = "Run cmdlet in the background")]
         public SwitchParameter AsJob { get; set; }
 
         [Parameter(Mandatory = false)]
         public Hashtable Tag { get; set; }
 
-        protected virtual ManagedCluster BuildNewCluster()
-        {
-            BeforeBuildNewCluster();
-
-            var defaultAgentPoolProfile = new ManagedClusterAgentPoolProfile(
-                name: NodeName ?? "default",
-                count: NodeCount,
-                vmSize: NodeVmSize,
-                osDiskSizeGB: NodeOsDiskSize);
-
-            if (this.IsParameterBound(c => c.NodeMinCount))
-            {
-                defaultAgentPoolProfile.MinCount = NodeMinCount;
-            }
-            if (this.IsParameterBound(c => c.NodeMaxCount))
-            {
-                defaultAgentPoolProfile.MaxCount = NodeMaxCount;
-            }
-            if (EnableNodeAutoScaling.IsPresent)
-            {
-                defaultAgentPoolProfile.EnableAutoScaling = EnableNodeAutoScaling.ToBool();
-            }
-
-            var pubKey =
-                new List<ContainerServiceSshPublicKey> { new ContainerServiceSshPublicKey(SshKeyValue) };
-
-            var linuxProfile =
-                new ContainerServiceLinuxProfile(LinuxProfileAdminUserName,
-                    new ContainerServiceSshConfiguration(pubKey));
-
-            var acsServicePrincipal = EnsureServicePrincipal(ServicePrincipalIdAndSecret?.UserName, ServicePrincipalIdAndSecret?.Password?.ConvertToString());
-
-            var spProfile = new ManagedClusterServicePrincipalProfile(
-                acsServicePrincipal.SpId,
-                acsServicePrincipal.ClientSecret);
-
-            WriteVerbose(string.Format(Resources.DeployingYourManagedKubeCluster, AcsSpFilePath));
-            var managedCluster = new ManagedCluster(
-                Location,
-                name: Name,
-                tags: TagsConversionHelper.CreateTagDictionary(Tag, true),
-                dnsPrefix: DnsNamePrefix,
-                kubernetesVersion: KubernetesVersion,
-                agentPoolProfiles: new List<ManagedClusterAgentPoolProfile> { defaultAgentPoolProfile },
-                linuxProfile: linuxProfile,
-                servicePrincipalProfile: spProfile);
-            return managedCluster;
-        }
-
         protected void BeforeBuildNewCluster()
         {
             if (!string.IsNullOrEmpty(ResourceGroupName) && string.IsNullOrEmpty(Location))
@@ -271,17 +225,15 @@ protected AcsServicePrincipal EnsureServicePrincipal(string spId = null, string
                 {
                     clientSecret = RandomBase64String(16);
                 }
-                var salt = RandomBase64String(3);
-                var url = $"http://{salt}.{DnsNamePrefix}.{Location}.cloudapp.azure.com";
 
-                acsServicePrincipal = BuildServicePrincipal(Name, url, clientSecret);
+                acsServicePrincipal = BuildServicePrincipal(Name, clientSecret);
                 WriteVerbose(Resources.CreatedANewServicePrincipalAndAssignedTheContributorRole);
                 StoreServicePrincipal(acsServicePrincipal);
             }
             return acsServicePrincipal;
         }
 
-        private AcsServicePrincipal BuildServicePrincipal(string name, string url, string clientSecret)
+        private AcsServicePrincipal BuildServicePrincipal(string name, string clientSecret)
         {
             var pwCreds = new PasswordCredential(
                 value: clientSecret,
@@ -291,8 +243,8 @@ private AcsServicePrincipal BuildServicePrincipal(string name, string url, strin
             var app = GraphClient.Applications.Create(new ApplicationCreateParameters(
                 false,
                 name,
-                new List<string> { url },
-                url,
+                new List<string> { },
+                null,
                 passwordCredentials: new List<PasswordCredential> { pwCreds }));
 
             ServicePrincipal sp = null;
@@ -316,6 +268,22 @@ private AcsServicePrincipal BuildServicePrincipal(string name, string url, strin
             return new AcsServicePrincipal { SpId = app.AppId, ClientSecret = clientSecret, ObjectId = app.ObjectId };
         }
 
+        protected RoleAssignment GetRoleAssignmentWithRoleDefinitionId(string roleDefinitionId)
+        {
+            RoleAssignment roleAssignment = null;
+            var actionSuccess = RetryAction(() =>
+            {
+                roleAssignment = AuthClient.RoleAssignments.List().Where(x => x.Properties.RoleDefinitionId == roleDefinitionId && x.Name == Name).FirstOrDefault();
+            });
+            if (!actionSuccess)
+            {
+                throw new AzPSInvalidOperationException(
+                    Resources.CouldNotGetAcrRoleAssignment,
+                    desensitizedMessage: Resources.CouldNotGetAcrRoleAssignment);
+            }
+            return roleAssignment;
+        }
+
         protected void AddAcrRoleAssignment(string acrName, string acrParameterName, AcsServicePrincipal acsServicePrincipal)
         {
             string acrResourceId = null;
@@ -335,8 +303,14 @@ protected void AddAcrRoleAssignment(string acrName, string acrParameterName, Acs
             }
 
             var roleId = GetRoleId("acrpull", acrResourceId);
+            RoleAssignment roleAssignment = GetRoleAssignmentWithRoleDefinitionId(roleId);
+            if (roleAssignment != null)
+            {
+                WriteWarning(string.Format(Resources.AcrRoleAssignmentIsAlreadyExist, acrResourceId));
+                return;
+            }
             var spObjectId = acsServicePrincipal.ObjectId;
-            if(spObjectId == null)
+            if (spObjectId == null)
             {
                 try
                 {