Azure active directory support for managedclusters #1560
Conversation
k8s-ci-robot
added
release-note
|
Hi @LochanRn. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
k8s-ci-robot
added
the
sig/cluster-lifecycle
| @@ -197,6 +197,31 @@ spec: | |||
| --- | |||
| ``` | |||
|
|
|||
| ### AKS AAD | |||
|
|
|||
| Azure Kubernetes Service can be configured to use Azure Active Directory for user authentication. | |||
There was a problem hiding this comment.
can you please add a link to the AKS AAD documentation here? https://docs.microsoft.com/en-us/azure/aks/managed-aad
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
LochanRn
force-pushed
the
aks-aad
branch
4 times, most recently
from
d60aff0 to
c2f7843
Compare
|
/test pull-cluster-api-provider-azure-e2e-windows |
|
/test pull-cluster-api-provider-azure-e2e-exp |
|
/test pull-cluster-api-provider-azure-e2e |
1 similar comment
|
/test pull-cluster-api-provider-azure-e2e |
|
/test pull-cluster-api-provider-azure-e2e-exp |
| } | ||
| } | ||
|
|
||
| if existingMC.AadProfile != nil { |
There was a problem hiding this comment.
is there any normalization happening here? if no, you can simply compare the raw structs.
There was a problem hiding this comment.
ah, is tenant ID immutable?
There was a problem hiding this comment.
yeah amcp spec is normalized to aadProfile and version.
| description: AadProfile is Azure Active Directory configuration to | ||
| integrate with AKS for aad authentication. | ||
| properties: | ||
| legacyAadProfile: |
There was a problem hiding this comment.
I would almost be tempted to reject this for creates inside the reconciler? I would be okay allowing this for adoption scenarios, but we shouldn't be encouraging it for new clusters.
That is a bit aggressive of a constraint, but I also explicitly didn't support Basic LB or VMAS.
What do you think?
There was a problem hiding this comment.
It is a good point even I agree with that. I will make changes accordingly.
| type LegacyAAD struct { | ||
| // ClientAppID - The client AAD application ID. | ||
| // +kubebuilder:validation:Required | ||
| ClientAppID *string `json:"clientAppID"` |
There was a problem hiding this comment.
any reason these are pointers if they are required, non-omitempty?
There was a problem hiding this comment.
In the begining I was validating it a bit differently, so I needed it. I will change this to normal strings.
There was a problem hiding this comment.
I did not have legacyaad and managedaad, all the fields where under one spec AADProfile. So for validation purpose i took them all as a pointer, but this was very tedious and not very clean. Latter I iterated to have legacy and managed as two separate specs. When I iterated i did not change it. But will change it now.
|
|
||
| // AdminGroupObjectIDs - AAD group object IDs that will have admin role of the cluster. | ||
| // +kubebuilder:validation:Required | ||
| AdminGroupObjectIDs *[]string `json:"adminGroupObjectIDs"` |
There was a problem hiding this comment.
nit: pointer to a slice is awkward
| } | ||
|
|
||
| if new.ManagedAAD == nil { | ||
| if !reflect.DeepEqual(new.LegacyAAD, old.LegacyAAD) { |
There was a problem hiding this comment.
prefer not to use reflection....but I guess it's fine here since all members are simple types anyway..
| } | ||
|
|
||
| func (r *AzureManagedControlPlane) validateLegacyAadProfile() bool { | ||
| return r.Spec.AADProfile.LegacyAAD != nil |
There was a problem hiding this comment.
is this missing some additional validation?
There was a problem hiding this comment.
Nope I guess I can remove the function here and directly do a check above. But this would be required only during an update now. Support during creation will be removed.
|
minor comments, looks pretty clean on a first pass. nice work! |
k8s-ci-robot
added
needs-rebase
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
size/XL
|
/test pull-cluster-api-provider-azure-e2e-exp |
|
/lgtm on a roll! nice work :) this might be a good one to cover in e2e? we can open an issue perhaps, I supposed it's a bit involved. |
k8s-ci-robot
added
the
lgtm
yes you are right !! We need to cover this in e2e :) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CecileRobertMichon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds Azure active directory support for user authentication in managed clusters
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #1407
Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
TODOs:
Release note: