[Aks] Add Set-AzAksClusterCredential to reset the ServicePrincipal of a existing aks cluster (Azure#14821)

* Add SetAzureRmAksCredential

* Add `Set-AzAksClusterCredential` to reset the ServicePrincipal or reset AAD profile of a existing aks cluster.

* Remove the support of reset AAD profile.

* Remove the support of reset AAD profile.

* Update the document

Co-authored-by: wyunchi <[email protected]>

Author: wyunchi-ms

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs

@@ -44,5 +44,12 @@ public void TestAzureKubernetesAddons()
         {
             TestController.NewInstance.RunPowerShellTest(_logger, "Test-NewAzAksAddons");
         }
+
+        [Fact(Skip = "Updating service principal profile is not allowed on MSI cluster.")]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestResetAzureKubernetesServicePrincipal()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Test-ResetAzureKubernetesServicePrincipal");
+        }
     }
 }

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1

@@ -46,7 +46,7 @@ function Test-NewAzAksWithAcr
         New-AzResourceGroup -Name $resourceGroupName -Location $location
 
         New-AzContainerRegistry -ResourceGroupName $resourceGroupName -Name $acrName -Sku Standard
-        
+                
         $cred = $(createTestCredential "e65d50b0-0853-48a9-82d3-77d800f4a9bc" "V8-S-y6Er8jXy-.aM_WT95BF89N~X23lqb")
 
         New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -NodeVmSize $nodeVmSize -ServicePrincipalIdAndSecret $cred -AcrNameToAttach $acrName
@@ -187,3 +187,32 @@ function Test-NewAzAksAddons
         Remove-AzResourceGroup -Name $resourceGroupName -Force
     }
 }
+
+
+<#
+.SYNOPSIS
+Test Kubernetes stuff
+#>
+function Test-ResetAzureKubernetesServicePrincipal
+{
+    # Setup
+    $resourceGroupName = Get-RandomResourceGroupName
+    $kubeClusterName = Get-RandomClusterName
+    $location = Get-ProviderLocation "Microsoft.ContainerService/managedClusters"
+    $nodeVmSize = "Standard_D2_v2"
+
+    try
+    {
+        New-AzResourceGroup -Name $resourceGroupName -Location 'eastus'
+
+        $credObject = $(createTestCredential "e65d50b0-0853-48a9-82d3-77d800f4a9bc" "75_4.yHJFjkKaRUUb535aH2d.ty4RG~uax")
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -NodeVmSize $nodeVmSize -ServicePrincipalIdAndSecret $credObject
+        
+        $newCred = $(createTestCredential "6f277dd3-e481-4518-8aab-35c31662bad9" "XITofmnbbyU34uR_Yqx_4TI13OJ9--0C3m")
+        Set-AzAksClusterCredential -ResourceGroupName $resourceGroupName -Name $kubeClusterName -ServicePrincipalIdAndSecret $newCred -force
+    }
+    finally
+    {
+        Remove-AzResourceGroup -Name $resourceGroupName -Force
+    }
+}

src/Aks/Aks/Az.Aks.psd1

@@ -76,11 +76,11 @@ FunctionsToExport = @()
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Get-AzAksCluster', 'New-AzAksCluster', 'Remove-AzAksCluster', 
-               'Import-AzAksCredential', 'Start-AzAksDashboard', 
+               'Import-AzAksCredential', 'Start-AzAksDashboard',
                'Stop-AzAksDashboard', 'Set-AzAksCluster', 'New-AzAksNodePool', 
                'Update-AzAksNodePool', 'Remove-AzAksNodePool', 'Get-AzAksNodePool', 
                'Install-AzAksKubectl', 'Get-AzAksVersion', 'Enable-AzAksAddOn', 
-               'Disable-AzAksAddOn'
+               'Disable-AzAksAddOn', 'Set-AzAksClusterCredential'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/Aks/Aks/ChangeLog.md

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Add `Set-AzAksClusterCredential` to reset the ServicePrincipal of an existing AKS cluster.
 
 ## Version 2.0.2
 * Refined error messages of cmdlet failure.

src/Aks/Aks/Commands/SetAzureRmAksCredential.cs

@@ -0,0 +1,147 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+
+using Microsoft.Azure.Commands.Aks.Models;
+using Microsoft.Azure.Commands.Aks.Properties;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.ContainerService;
+using Microsoft.Azure.Management.ContainerService.Models;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.WindowsAzure.Commands.Common;
+
+using System;
+using System.Collections.Generic;
+using System.Management.Automation;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.Aks
+{
+    [Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzurePrefix + "AksClusterCredential", SupportsShouldProcess = true, DefaultParameterSetName = GroupNameParameterSet)]
+    [OutputType(typeof(bool))]
+    public class SetAzureRmAksCredential : KubeCmdletBase
+    {
+        private const string IdParameterSet = "IdParameterSet";
+        private const string GroupNameParameterSet = "GroupNameParameterSet";
+        private const string InputObjectParameterSet = "InputObjectParameterSet";
+
+        [Parameter(Mandatory = true,
+            ParameterSetName = InputObjectParameterSet,
+            ValueFromPipeline = true,
+            HelpMessage = "A PSKubernetesCluster object, normally passed through the pipeline.")]
+        [ValidateNotNullOrEmpty]
+        public PSKubernetesCluster InputObject { get; set; }
+
+        [Parameter(Mandatory = true,
+            ParameterSetName = IdParameterSet,
+            Position = 0,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Id of a managed Kubernetes cluster")]
+        [ValidateNotNullOrEmpty]
+        [Alias("ResourceId")]
+        public string Id { get; set; }
+
+        /// <summary>
+        /// Resource group name
+        /// </summary>
+        [Parameter(
+            Position = 0,
+            Mandatory = true,
+            ParameterSetName = GroupNameParameterSet,
+            HelpMessage = "Resource group name")]
+        [ResourceGroupCompleter()]
+        [ValidateNotNullOrEmpty]
+        public string ResourceGroupName { get; set; }
+
+        /// <summary>
+        /// Cluster name
+        /// </summary>
+        [Parameter(
+            Mandatory = true,
+            Position = 1,
+            ParameterSetName = GroupNameParameterSet,
+            HelpMessage = "Name of your managed Kubernetes cluster")]
+        [ValidateNotNullOrEmpty]
+        public string Name { get; set; }
+
+        [Parameter(
+            Mandatory = true,
+            ParameterSetName = InputObjectParameterSet,
+            HelpMessage = "The client id and client secret associated with the service principal.")]
+        [Parameter(
+            Mandatory = true,
+            ParameterSetName = GroupNameParameterSet,
+            HelpMessage = "The client id and client secret associated with the service principal.")]
+        [Parameter(
+            Mandatory = true,
+            ParameterSetName = IdParameterSet,
+            HelpMessage = "The client id and client secret associated with the service principal.")]
+        public PSCredential ServicePrincipalIdAndSecret { get; set; }
+
+        [Parameter(Mandatory = false)]
+        public SwitchParameter PassThru { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Run cmdlet in the background")]
+        public SwitchParameter AsJob { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Remove managed Kubernetes cluster without prompt")]
+        public SwitchParameter Force { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            base.ExecuteCmdlet();
+
+            switch (ParameterSetName)
+            {
+                case IdParameterSet:
+                {
+                    var resource = new ResourceIdentifier(Id);
+                    ResourceGroupName = resource.ResourceGroupName;
+                    Name = resource.ResourceName;
+                    break;
+                }
+                case InputObjectParameterSet:
+                {
+                    var resource = new ResourceIdentifier(InputObject.Id);
+                    ResourceGroupName = resource.ResourceGroupName;
+                    Name = resource.ResourceName;
+                    break;
+                }
+            }
+
+            var msg = $"{Name} in {ResourceGroupName}";
+
+            ConfirmAction(Force.IsPresent,
+                Resources.ResetTheCredentialOfAksCluster,
+                Resources.ResetingTheCredentialOfAksCluster,
+                msg,
+                () =>
+                {
+                    RunCmdLet(() =>
+                    {
+                        ManagedClusterServicePrincipalProfile servicePrincipalProfile = new ManagedClusterServicePrincipalProfile()
+                        {
+                            ClientId = ServicePrincipalIdAndSecret.UserName,
+                            Secret = ServicePrincipalIdAndSecret.Password.ConvertToString()
+                        };
+                        Client.ManagedClusters.ResetServicePrincipalProfile(ResourceGroupName, Name, servicePrincipalProfile);
+                        if (PassThru)
+                        {
+                            WriteObject(true);
+                        }
+                    });
+                });
+        }
+    }
+}

src/Aks/Aks/Properties/Resources.Designer.cs

@@ -411,4 +411,10 @@
   <data name="CouldNotAssignServicePrincipalWithSubsContributorPermission" xml:space="preserve">
     <value>Could not assign subscription contributor permission to service principal just created. Please make sure you have permission to assign subscription contributor role, or you could use parameter -ClientIdAndSecret to specify one existing service principal id and secret.</value>
   </data>
+  <data name="ResetingTheCredentialOfAksCluster" xml:space="preserve">
+    <value>Reseting the credential of the aks cluster.</value>
+  </data>
+  <data name="ResetTheCredentialOfAksCluster" xml:space="preserve">
+    <value>Do you want to reset the credential of the aks cluster?</value>
+  </data>
 </root>

src/Aks/Aks/Properties/Resources.resx

@@ -21,7 +21,7 @@ Enable the addons for aks.
 List Kubernetes managed clusters.
 
 ### [Get-AzAksNodePool](Get-AzAksNodePool.md)
-Create node pool in specified cluster.
+List node pools in specified cluster.
 
 ### [Get-AzAksVersion](Get-AzAksVersion.md)
 List available version for creating managed Kubernetes cluster.
@@ -47,6 +47,9 @@ Delete node pool from managed cluster.
 ### [Set-AzAksCluster](Set-AzAksCluster.md)
 Update or create a managed Kubernetes cluster.
 
+### [Set-AzAksClusterCredential](Set-AzAksClusterCredential.md)
+Reset the ServicePrincipal of a existing aks cluster.
+
 ### [Start-AzAksDashboard](Start-AzAksDashboard.md)
 Create a Kubectl SSH tunnel to the managed cluster's dashboard.