Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding support for AzureAD auth to AKS via RBAC #1820

Merged
merged 35 commits into from
Nov 15, 2018
Merged
Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
5fabc0f
Adding support for AzureAD auth to AKS via RBAC
Aug 24, 2018
90909e8
Merge branch 'timcurless'
Aug 24, 2018
6b126fc
Merge branch 'master' into timcurless
timcurless Aug 24, 2018
74b118a
Merge branch 'timcurless' of https://github.com/timcurless/terraform-…
Aug 24, 2018
98dcb1b
formatting
Aug 24, 2018
f98d40b
formatting
Aug 24, 2018
7410d40
Merge branch 'master' into timcurless
timcurless Aug 31, 2018
2d45712
fixing conflicts
Aug 31, 2018
6afd99d
Merge branch 'master' into timcurless
Aug 31, 2018
68aa0f2
fixing conflicts
Aug 31, 2018
8b05407
Adding documentation updates
Aug 31, 2018
ef80ef0
Fixing issues with aadProfile server_app_secret always causing a new …
Sep 23, 2018
2db2c6d
Refactoring code to avoid repetition in some areas. Documentation upd…
Sep 29, 2018
aaab03f
minor updates to testing section of main documentation index
Oct 5, 2018
2d827a5
docs: client_id -> client_app_id
katbyte Oct 18, 2018
ed45f77
fixing one more misnamed var in the docs
Oct 19, 2018
655b079
Merge branch 'master' into timcurless
tombuildsstuff Nov 14, 2018
890333e
AKS: switching RBAC to be an independent block
tombuildsstuff Nov 14, 2018
a83c246
Rewriting the documentation to be clearer (ala VM's)
tombuildsstuff Nov 14, 2018
fb5b0cd
AKS: refactoring
tombuildsstuff Nov 14, 2018
bd61925
AKS: adding additional context to the errors
tombuildsstuff Nov 14, 2018
a5d1a4e
updating a todo
tombuildsstuff Nov 14, 2018
2025f17
Data Source: refactoring
tombuildsstuff Nov 14, 2018
12d2677
Data Source: continued re-ordering/removing the existing structure
tombuildsstuff Nov 14, 2018
1eb7ab4
d/AKS: adding the `role_based_access_control` block
tombuildsstuff Nov 14, 2018
c186e4c
AKS: support for up to 100 agents
tombuildsstuff Nov 14, 2018
7607444
Updating the versions of kubernetes being used
tombuildsstuff Nov 14, 2018
6fa3d6f
Documentation: moving the AKS Examples into their own folder
tombuildsstuff Nov 14, 2018
dabe1c9
removing the older aks examples
tombuildsstuff Nov 14, 2018
0ffad71
Updating to include the changes from #2286
tombuildsstuff Nov 14, 2018
3edc3a6
re-ordering/updating the errors
tombuildsstuff Nov 14, 2018
94196cd
removing the unused env variables
tombuildsstuff Nov 14, 2018
a8e97b5
fixing the linting
tombuildsstuff Nov 14, 2018
8b5965a
fixing broken tests
tombuildsstuff Nov 14, 2018
1773e86
fixes from code review
tombuildsstuff Nov 15, 2018
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 92 additions & 4 deletions azurerm/data_source_kubernetes_cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package azurerm

import (
"fmt"
"strings"

"github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2018-03-31/containerservice"
"github.com/hashicorp/terraform/helper/schema"
Expand Down Expand Up @@ -38,6 +39,11 @@ func dataSourceArmKubernetesCluster() *schema.Resource {
Computed: true,
},

"enable_rbac": {
Type: schema.TypeBool,
Computed: true,
},

"node_resource_group": {
Type: schema.TypeString,
Computed: true,
Expand Down Expand Up @@ -171,6 +177,29 @@ func dataSourceArmKubernetesCluster() *schema.Resource {
},
},

"aad_profile": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"server_app_id": {
Type: schema.TypeString,
Computed: true,
},

"client_app_id": {
Type: schema.TypeString,
Computed: true,
},

"tenant_id": {
Type: schema.TypeString,
Computed: true,
},
},
},
},

"network_profile": {
Type: schema.TypeList,
Computed: true,
Expand Down Expand Up @@ -285,6 +314,7 @@ func dataSourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{}
d.Set("dns_prefix", props.DNSPrefix)
d.Set("fqdn", props.Fqdn)
d.Set("kubernetes_version", props.KubernetesVersion)
d.Set("enable_rbac", props.EnableRBAC)
d.Set("node_resource_group", props.NodeResourceGroup)

linuxProfile := flattenKubernetesClusterDataSourceLinuxProfile(props.LinuxProfile)
Expand All @@ -311,6 +341,11 @@ func dataSourceArmKubernetesClusterRead(d *schema.ResourceData, meta interface{}
if err := d.Set("service_principal", servicePrincipal); err != nil {
return fmt.Errorf("Error setting `service_principal`: %+v", err)
}

aadProfile := flattenKubernetesClusterDataSourceAadProfile(resp.ManagedClusterProperties.AadProfile)
if err := d.Set("aad_profile", aadProfile); err != nil {
return fmt.Errorf("Error setting `aad_profile`: %+v", err)
}
}

kubeConfigRaw, kubeConfig := flattenKubernetesClusterDataSourceAccessProfile(&profile)
Expand Down Expand Up @@ -421,19 +456,54 @@ func flattenKubernetesClusterDataSourceAccessProfile(profile *containerservice.M

if kubeConfigRaw := profile.AccessProfile.KubeConfig; kubeConfigRaw != nil {
rawConfig := string(*kubeConfigRaw)
var flattenedKubeConfig []interface{}

if strings.Contains(rawConfig, "apiserver-id:") {
kubeConfigAAD, err := kubernetes.ParseKubeConfigAAD(rawConfig)

if err != nil {
return utils.String(rawConfig), []interface{}{}
}

flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfigAAD(*kubeConfigAAD)
} else {
kubeConfig, err := kubernetes.ParseKubeConfig(rawConfig)

if err != nil {
return utils.String(rawConfig), []interface{}{}
}

kubeConfig, err := kubernetes.ParseKubeConfig(rawConfig)
if err != nil {
return utils.String(rawConfig), []interface{}{}
flattenedKubeConfig = flattenKubernetesClusterDataSourceKubeConfig(*kubeConfig)
}

flattenedKubeConfig := flattenKubernetesClusterDataSourceKubeConfig(*kubeConfig)
return utils.String(rawConfig), flattenedKubeConfig
}

return nil, []interface{}{}
}

func flattenKubernetesClusterDataSourceAadProfile(profile *containerservice.ManagedClusterAADProfile) []interface{} {
if profile == nil {
return nil
}

values := make(map[string]interface{})

if serverAppId := profile.ServerAppID; serverAppId != nil {
values["server_app_id"] = *serverAppId
}

if clientAppId := profile.ClientAppID; clientAppId != nil {
values["client_app_id"] = *clientAppId
}

if tenantId := profile.TenantID; tenantId != nil {
values["tenant_id"] = *tenantId
}

return []interface{}{values}
}

func flattenKubernetesClusterDataSourceKubeConfig(config kubernetes.KubeConfig) []interface{} {
values := make(map[string]interface{})

Expand All @@ -451,6 +521,24 @@ func flattenKubernetesClusterDataSourceKubeConfig(config kubernetes.KubeConfig)
return []interface{}{values}
}

func flattenKubernetesClusterDataSourceKubeConfigAAD(config kubernetes.KubeConfigAAD) []interface{} {
values := make(map[string]interface{})

cluster := config.Clusters[0].Cluster
name := config.Users[0].Name

values["host"] = cluster.Server
values["username"] = name

values["password"] = ""
values["client_certificate"] = ""
values["client_key"] = ""

values["cluster_ca_certificate"] = cluster.ClusterAuthorityData

return []interface{}{values}
}

func flattenKubernetesClusterDataSourceNetworkProfile(profile *containerservice.NetworkProfile) []interface{} {
values := make(map[string]interface{})

Expand Down
44 changes: 44 additions & 0 deletions azurerm/data_source_kubernetes_cluster_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,38 @@ func TestAccDataSourceAzureRMKubernetesCluster_basic(t *testing.T) {
})
}

func TestAccDataSourceAzureRMKubernetesCluster_aadProfile(t *testing.T) {
dataSourceName := "data.azurerm_kubernetes_cluster.test"
ri := acctest.RandInt()
clientId := os.Getenv("ARM_CLIENT_ID")
clientSecret := os.Getenv("ARM_CLIENT_SECRET")
serverAppId := os.Getenv("ARM_SERVER_APP_ID")
tombuildsstuff marked this conversation as resolved.
Show resolved Hide resolved
serverAppSecret := os.Getenv("ARM_SERVER_APP_SECRET")
clientAppId := os.Getenv("ARM_CLIENT_APP_ID")
tenantId := os.Getenv("ARM_TENANT_ID")
location := testLocation()
config := testAccDataSourceAzureRMKubernetesCluster_rbacAAD(ri, clientId, clientSecret, location, serverAppId, serverAppSecret, clientAppId, tenantId)

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testCheckAzureRMKubernetesClusterDestroy,
Steps: []resource.TestStep{
{
Config: config,
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMKubernetesClusterExists(dataSourceName),
resource.TestCheckResourceAttr(dataSourceName, "aad_profile.#", "1"),
resource.TestCheckResourceAttrSet(dataSourceName, "aad_profile.0.server_app_id"),
resource.TestCheckResourceAttrSet(dataSourceName, "aad_profile.0.server_app_secret"),
resource.TestCheckResourceAttrSet(dataSourceName, "aad_profile.0.client_app_id"),
resource.TestCheckResourceAttrSet(dataSourceName, "aad_profile.0.tenant_id"),
),
},
},
})
}

func TestAccDataSourceAzureRMKubernetesCluster_internalNetwork(t *testing.T) {
dataSourceName := "data.azurerm_kubernetes_cluster.test"
ri := acctest.RandInt()
Expand Down Expand Up @@ -244,6 +276,18 @@ data "azurerm_kubernetes_cluster" "test" {
`, resource)
}

func testAccDataSourceAzureRMKubernetesCluster_rbacAAD(rInt int, clientId string, clientSecret string, location string, serverAppId string, serverAppSecret string, clientAppId string, tenantId string) string {
resource := testAccAzureRMKubernetesCluster_rbacAAD(rInt, clientId, clientSecret, location, serverAppId, serverAppSecret, clientAppId, tenantId)
return fmt.Sprintf(`
%s

data "azurerm_kubernetes_cluster" "test" {
name = "${azurerm_kubernetes_cluster.test.name}"
resource_group_name = "${azurerm_kubernetes_cluster.test.resource_group_name}"
}
`, resource)
}

func testAccDataSourceAzureRMKubernetesCluster_internalNetwork(rInt int, clientId string, clientSecret string, location string) string {
resource := testAccAzureRMKubernetesCluster_internalNetwork(rInt, clientId, clientSecret, location)
return fmt.Sprintf(`
Expand Down
55 changes: 53 additions & 2 deletions azurerm/helpers/kubernetes/kube_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,26 @@ type user struct {
ClientKeyData string `yaml:"client-key-data"`
}

type userItemAAD struct {
Name string `yaml:"name"`
User userAAD `yaml:"user"`
}

type userAAD struct {
AuthProvider authProvider `yaml:"auth-provider"`
}

type authProvider struct {
Name string `yaml:"name"`
Config configAzureAD `yaml:"config"`
}

type configAzureAD struct {
APIServerID string `yaml:"apiserver-id,omitempty"`
ClientID string `yaml:"client-id,omitempty"`
TenantID string `yaml:"tenant-id,omitempty"`
}

type contextItem struct {
Name string `yaml:"name"`
Context context `yaml:"context"`
Expand All @@ -38,16 +58,25 @@ type context struct {
Namespace string `yaml:"namespace,omitempty"`
}

type KubeConfig struct {
type KubeConfigBase struct {
APIVersion string `yaml:"apiVersion"`
Clusters []clusterItem `yaml:"clusters"`
Users []userItem `yaml:"users"`
Contexts []contextItem `yaml:"contexts,omitempty"`
CurrentContext string `yaml:"current-context,omitempty"`
Kind string `yaml:"kind,omitempty"`
Preferences map[string]interface{} `yaml:"preferences,omitempty"`
}

type KubeConfig struct {
KubeConfigBase `yaml:",inline"`
Users []userItem `yaml:"users"`
}

type KubeConfigAAD struct {
metacpp marked this conversation as resolved.
Show resolved Hide resolved
KubeConfigBase `yaml:",inline"`
Users []userItemAAD `yaml:"users"`
}

func ParseKubeConfig(config string) (*KubeConfig, error) {
if config == "" {
return nil, fmt.Errorf("Cannot parse empty config")
Expand All @@ -72,3 +101,25 @@ func ParseKubeConfig(config string) (*KubeConfig, error) {

return &kubeConfig, nil
}

func ParseKubeConfigAAD(config string) (*KubeConfigAAD, error) {
if config == "" {
return nil, fmt.Errorf("Cannot parse empty config")
}

var kubeConfig KubeConfigAAD
err := yaml.Unmarshal([]byte(config), &kubeConfig)
if err != nil {
tombuildsstuff marked this conversation as resolved.
Show resolved Hide resolved
return nil, fmt.Errorf("Failed to unmarshal YAML config with error %+v", err)
}
if len(kubeConfig.Clusters) <= 0 || len(kubeConfig.Users) <= 0 {
return nil, fmt.Errorf("Config %+v contains no valid clusters or users", kubeConfig)
}

cluster := kubeConfig.Clusters[0].Cluster
if cluster.Server == "" {
return nil, fmt.Errorf("Config has invalid or non existent server for cluster %+v", cluster)
}

return &kubeConfig, nil
}
Loading