Addon options[draft] (#3911)

* added list-available command for addon

* added list command for addon

* added show command for addon

* added 5 new commands and refactored code into separate files

* updated version

* code cleanup

* added license headers

* fixed flake8 errors

* added help text for commands

* added exclusion for long param

* added test for list

* added fix for error function params

* added new test cases

* fixed test cases and recordings

* added test exclusions

* added new tests that should pass in pipeline

* updated formatting and tests

* code quality changes

* reverted code quality changes

* code quality changes added back in

* clearer history message

* update release history

* fix vendor

* fix url version in test recording data

* fix aks preview version

* add e2e for list_available

* add live only tag

Co-authored-by: Ishan <t-ishanarya@microsoft.com>
Co-authored-by: Tingting Liu <tilnl@microsoft.com>

linter_exclusions.yml

@@ -94,6 +94,28 @@ aks create:
     assign_kubelet_identity:
       rule_exclusions:
       - option_length_too_long
+aks addon enable:
+  parameters:
+    appgw_watch_namespace:
+      rule_exclusions:
+      - option_length_too_long
+    workspace_resource_id:
+      rule_exclusions:
+      - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
+aks addon update:
+  parameters:
+    appgw_watch_namespace:
+      rule_exclusions:
+      - option_length_too_long
+    workspace_resource_id:
+      rule_exclusions:
+      - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
 aks enable-addons:
   parameters:
     appgw_watch_namespace:

src/aks-preview/HISTORY.md

@@ -2,6 +2,17 @@
 
 Release History
 ===============
+0.5.33
++++++
+* Add support for new addon commands
+  * `az aks addon list`
+  * `az aks addon list-available`
+  * `az aks addon show`
+  * `az aks addon enable`
+  * `az aks addon disable`
+  * `az aks addon update`
+* Refactored code to bring addon specific functionality into a separate file.
+
 0.5.32
 +++++
 * Update to use 2021-08-01 api-version

src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json

@@ -16,6 +16,12 @@
             "test_aks_create_with_openservicemesh_addon",
             "test_aks_enable_addon_with_openservicemesh",
             "test_aks_disable_addon_openservicemesh",
+            "test_aks_addon_disable_openservicemesh",
+            "test_aks_addon_show_openservicemesh_enabled",
+            "test_aks_addon_enable_with_openservicemesh",
+            "test_aks_addon_list_openservicemesh_enabled",
+            "test_aks_addon_update_with_azurekeyvaultsecretsprovider",
+            "test_aks_addon_enable_with_azurekeyvaultsecretsprovider",
             "test_aks_create_with_auto_upgrade_channel",
             "test_aks_disable_local_accounts",
             "test_aks_create_with_pod_identity_enabled",

src/aks-preview/azext_aks_preview/_consts.py

@@ -48,6 +48,9 @@
 # Open Service Mesh configuration keys
 CONST_OPEN_SERVICE_MESH_ADDON_NAME = "openServiceMesh"
 
+# Gitops configuration keys
+CONST_GITOPS_ADDON_NAME = "gitops"
+
 CONST_NODEPOOL_MODE_SYSTEM = "System"
 CONST_NODEPOOL_MODE_USER = "User"
 
@@ -80,9 +83,22 @@
     'ingress-appgw': CONST_INGRESS_APPGW_ADDON_NAME,
     'open-service-mesh': CONST_OPEN_SERVICE_MESH_ADDON_NAME,
     "confcom": CONST_CONFCOM_ADDON_NAME,
-    'gitops': 'gitops',
+    'gitops': CONST_GITOPS_ADDON_NAME,
     'azure-keyvault-secrets-provider': CONST_AZURE_KEYVAULT_SECRETS_PROVIDER_ADDON_NAME
 }
 
+ADDONS_DESCRIPTIONS = {
+    CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME: '- configure ingress with automatic public DNS name creation',
+    CONST_MONITORING_ADDON_NAME: '- turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace.\nIf monitoring addon is enabled --no-wait argument will have no effect.',
+    CONST_VIRTUAL_NODE_ADDON_NAME: '- enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use.\naci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).',
+    CONST_AZURE_POLICY_ADDON_NAME: '- enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.\nLearn more at aka.ms/aks/policy.',
+    CONST_KUBE_DASHBOARD_ADDON_NAME: '- n/a',
+    CONST_INGRESS_APPGW_ADDON_NAME: '- enable Application Gateway Ingress Controller addon (PREVIEW).',
+    CONST_OPEN_SERVICE_MESH_ADDON_NAME: '- enable Open Service Mesh addon (PREVIEW).',
+    CONST_CONFCOM_ADDON_NAME: '- enable confcom addon, this will enable SGX device plugin by default (PREVIEW).',
+    CONST_GITOPS_ADDON_NAME: '- enable GitOps (PREVIEW).',
+    CONST_AZURE_KEYVAULT_SECRETS_PROVIDER_ADDON_NAME: '- enable Azure Keyvault Secrets Provider addon (PREVIEW).'
+}
+
 CONST_MANAGED_IDENTITY_OPERATOR_ROLE = 'Managed Identity Operator'
 CONST_MANAGED_IDENTITY_OPERATOR_ROLE_ID = 'f1a07417-d97a-45cb-824c-7a7467783830'

src/aks-preview/azext_aks_preview/_format.py

@@ -10,6 +10,42 @@
 from jmespath import functions
 
 
+def aks_addon_list_available_table_format(result):
+    def parser(entry):
+        parsed = compile_jmes("""{
+                name: name,
+                description: description
+            }""")
+        return parsed.search(entry, Options(dict_cls=OrderedDict))
+    return [parser(r) for r in result]
+
+
+def aks_addon_list_table_format(result):
+    def parser(entry):
+        parsed = compile_jmes("""{
+                name: name,
+                enabled: enabled
+            }""")
+        return parsed.search(entry, Options(dict_cls=OrderedDict))
+    return [parser(r) for r in result]
+
+
+def aks_addon_show_table_format(result):
+    def parser(entry):
+        config = ""
+        for k, v in entry["config"].items():
+            config += k + "=" + v + ";"
+        entry["config"] = config
+        parsed = compile_jmes("""{
+                name: name,
+                api_key: api_key,
+                config: config,
+                identity: identity
+            }""")
+        return parsed.search(entry, Options(dict_cls=OrderedDict))
+    return parser(result)
+
+
 def aks_agentpool_show_table_format(result):
     """Format an agent pool as summary results for display with "-o table"."""
     return [_aks_agentpool_table_format(result)]

src/aks-preview/azext_aks_preview/_help.py

@@ -1029,6 +1029,164 @@
     short-summary: Delete the agent pool in the managed Kubernetes cluster.
 """
 
+helps['aks addon'] = """
+    type: group
+    short-summary: Commands to manage and view single addon conditions.
+"""
+
+helps['aks addon list-available'] = """
+    type: command
+    short-summary: List available Kubernetes addons.
+"""
+
+helps['aks addon list'] = """
+    type: command
+    short-summary: List status of all Kubernetes addons in given cluster.
+"""
+
+helps['aks addon show'] = """
+    type: command
+    short-summary: Show status and configuration for an enabled Kubernetes addon in a given cluster.
+    parameters:
+      - name: --addon -a
+        type: string
+        short-summary: Specify the Kubernetes addon.
+    examples:
+      - name: Show configuration for "monitoring" addon.
+        text: az aks addon show -g myResourceGroup -n myAKSCluster -a monitoring
+        crafted: true
+"""
+
+helps['aks addon disable'] = """
+    type: command
+    short-summary: Disable an enabled Kubernetes addon in a cluster.
+    parameters:
+      - name: --addon -a
+        type: string
+        short-summary: Specify the Kubernetes addon to disable.
+    examples:
+      - name: Disable the "monitoring" addon.
+        text: az aks addon disable -g myResourceGroup -n myAKSCluster -a monitoring
+        crafted: true
+"""
+
+helps['aks addon enable'] = """
+type: command
+short-summary: Enable a Kubernetes addon.
+long-summary: |-
+    These addons are available:
+        http_application_routing        - configure ingress with automatic public DNS name creation.
+        monitoring                      - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace.
+                                          If monitoring addon is enabled --no-wait argument will have no effect
+        virtual-node                    - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
+        azure-policy                    - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
+                                          Learn more at aka.ms/aks/policy.
+        ingress-appgw                   - enable Application Gateway Ingress Controller addon (PREVIEW).
+        open-service-mesh               - enable Open Service Mesh addon (PREVIEW).
+        gitops                          - enable GitOps (PREVIEW).
+        azure-keyvault-secrets-provider - enable Azure Keyvault Secrets Provider addon (PREVIEW).
+parameters:
+  - name: --addon -a
+    type: string
+    short-summary: Specify the Kubernetes addon to enable.
+  - name: --workspace-resource-id
+    type: string
+    short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
+  - name: --enable-msi-auth-for-monitoring
+    type: bool
+    short-summary: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
+  - name: --subnet-name -s
+    type: string
+    short-summary: The subnet name for the virtual node to use.
+  - name: --appgw-name
+    type: string
+    short-summary: Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
+  - name: --appgw-subnet-prefix
+    type: string
+    short-summary: Subnet Prefix to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-subnet-cidr
+    type: string
+    short-summary: Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-id
+    type: string
+    short-summary: Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
+  - name: --appgw-subnet-id
+    type: string
+    short-summary: Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-watch-namespace
+    type: string
+    short-summary: Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.
+  - name: --enable-sgxquotehelper
+    type: bool
+    short-summary: Enable SGX quote helper for confcom addon.
+  - name: --enable-secret-rotation
+    type: bool
+    short-summary: Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
+examples:
+  - name: Enable a Kubernetes addon. (autogenerated)
+    text: az aks addon enable --addon virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name VirtualNodeSubnet
+    crafted: true
+  - name: Enable ingress-appgw addon with subnet prefix.
+    text: az aks addon enable --name MyManagedCluster --resource-group MyResourceGroup --addon ingress-appgw --appgw-subnet-cidr 10.2.0.0/16 --appgw-name gateway
+    crafted: true
+  - name: Enable open-service-mesh addon.
+    text: az aks addon enable --name MyManagedCluster --resource-group MyResourceGroup -a open-service-mesh
+    crafted: true
+"""
+
+helps['aks addon update'] = """
+type: command
+short-summary: Update an already enabled Kubernetes addon.
+parameters:
+  - name: --addon -a
+    type: string
+    short-summary: Specify the Kubernetes addon to update.
+  - name: --workspace-resource-id
+    type: string
+    short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
+  - name: --enable-msi-auth-for-monitoring
+    type: bool
+    short-summary: Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
+  - name: --subnet-name -s
+    type: string
+    short-summary: The subnet name for the virtual node to use.
+  - name: --appgw-name
+    type: string
+    short-summary: Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
+  - name: --appgw-subnet-prefix
+    type: string
+    short-summary: Subnet Prefix to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-subnet-cidr
+    type: string
+    short-summary: Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-id
+    type: string
+    short-summary: Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
+  - name: --appgw-subnet-id
+    type: string
+    short-summary: Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
+  - name: --appgw-watch-namespace
+    type: string
+    short-summary: Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.
+  - name: --enable-sgxquotehelper
+    type: bool
+    short-summary: Enable SGX quote helper for confcom addon.
+  - name: --enable-secret-rotation
+    type: bool
+    short-summary: Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
+examples:
+  - name: Update a Kubernetes addon. (autogenerated)
+    text: az aks addon update --addon virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name VirtualNodeSubnet
+    crafted: true
+  - name: Update ingress-appgw addon with subnet prefix.
+    text: az aks addon update --name MyManagedCluster --resource-group MyResourceGroup --addon ingress-appgw --appgw-subnet-cidr 10.2.0.0/16 --appgw-name gateway
+    crafted: true
+  - name: Update monitoring addon with workspace resource id.
+    text: az aks addon update -g $rg -n $cn -a monitoring --workspace-resource-id=/subscriptions/0000000-00000000-00000-000-000/resourcegroups/myresourcegroup/providers/microsoft.operationalinsights/workspaces/defaultlaworkspace
+    crafted: true
+"""
+
+
 helps['aks enable-addons'] = """
 type: command
 short-summary: Enable Kubernetes addons.

src/aks-preview/azext_aks_preview/_params.py

@@ -21,7 +21,7 @@
     validate_nodepool_name, validate_vm_set_type, validate_load_balancer_sku,
     validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes, validate_nat_gateway_managed_outbound_ip_count,
     validate_taints, validate_priority, validate_eviction_policy, validate_spot_max_price, validate_acr, validate_user,
-    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nat_gateway_idle_timeout, validate_nodepool_tags,
+    validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nat_gateway_idle_timeout, validate_nodepool_tags, validate_addon,
     validate_nodepool_labels, validate_vnet_subnet_id, validate_pod_subnet_id, validate_max_surge, validate_assign_identity, validate_addons,
     validate_pod_identity_pod_labels, validate_pod_identity_resource_name, validate_pod_identity_resource_namespace, validate_assign_kubelet_identity)
 from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY, \
@@ -251,6 +251,42 @@ def load_arguments(self, _):
         c.argument('mode', arg_type=get_enum_type([CONST_NODEPOOL_MODE_SYSTEM, CONST_NODEPOOL_MODE_USER]))
         c.argument('max_surge', type=str, validator=validate_max_surge)
 
+    with self.argument_context('aks addon show') as c:
+        c.argument('addon', options_list=['--addon', '-a'], validator=validate_addon)
+
+    with self.argument_context('aks addon enable') as c:
+        c.argument('addon', options_list=['--addon', '-a'], validator=validate_addon)
+        c.argument('subnet_name', options_list=['--subnet-name', '-s'])
+        c.argument('enable_sgxquotehelper', action='store_true')
+        c.argument('osm_mesh_name', options_list=['--osm-mesh-name'])
+        c.argument('appgw_name', options_list=['--appgw-name'], arg_group='Application Gateway')
+        c.argument('appgw_subnet_prefix', options_list=['--appgw-subnet-prefix'], arg_group='Application Gateway', deprecate_info=c.deprecate(redirect='--appgw-subnet-cidr', hide=True))
+        c.argument('appgw_subnet_cidr', options_list=['--appgw-subnet-cidr'], arg_group='Application Gateway')
+        c.argument('appgw_id', options_list=['--appgw-id'], arg_group='Application Gateway')
+        c.argument('appgw_subnet_id', options_list=['--appgw-subnet-id'], arg_group='Application Gateway')
+        c.argument('appgw_watch_namespace', options_list=['--appgw-watch-namespace'], arg_group='Application Gateway')
+        c.argument('enable_secret_rotation', action='store_true')
+        c.argument('workspace_resource_id')
+        c.argument('enable_msi_auth_for_monitoring', arg_type=get_three_state_flag(), is_preview=True)
+
+    with self.argument_context('aks addon disable') as c:
+        c.argument('addon', options_list=['--addon', '-a'], validator=validate_addon)
+
+    with self.argument_context('aks addon update') as c:
+        c.argument('addon', options_list=['--addon', '-a'], validator=validate_addon)
+        c.argument('subnet_name', options_list=['--subnet-name', '-s'])
+        c.argument('enable_sgxquotehelper', action='store_true')
+        c.argument('osm_mesh_name', options_list=['--osm-mesh-name'])
+        c.argument('appgw_name', options_list=['--appgw-name'], arg_group='Application Gateway')
+        c.argument('appgw_subnet_prefix', options_list=['--appgw-subnet-prefix'], arg_group='Application Gateway', deprecate_info=c.deprecate(redirect='--appgw-subnet-cidr', hide=True))
+        c.argument('appgw_subnet_cidr', options_list=['--appgw-subnet-cidr'], arg_group='Application Gateway')
+        c.argument('appgw_id', options_list=['--appgw-id'], arg_group='Application Gateway')
+        c.argument('appgw_subnet_id', options_list=['--appgw-subnet-id'], arg_group='Application Gateway')
+        c.argument('appgw_watch_namespace', options_list=['--appgw-watch-namespace'], arg_group='Application Gateway')
+        c.argument('enable_secret_rotation', action='store_true')
+        c.argument('workspace_resource_id')
+        c.argument('enable_msi_auth_for_monitoring', arg_type=get_three_state_flag(), is_preview=True)
+
     with self.argument_context('aks disable-addons') as c:
         c.argument('addons', options_list=['--addons', '-a'], validator=validate_addons)
 

src/aks-preview/azext_aks_preview/_resourcegroup.py

@@ -0,0 +1,16 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from knack.util import CLIError
+from ._client_factory import cf_resource_groups
+
+
+def get_rg_location(ctx, resource_group_name, subscription_id=None):
+    groups = cf_resource_groups(ctx, subscription_id=subscription_id)
+    # Just do the get, we don't need the result, it will error out if the group doesn't exist.
+    rg = groups.get(resource_group_name)
+    if rg is None:
+        raise CLIError(f"Resource group {resource_group_name} not found.")
+    return rg.location