Add new feature for azure_rm_aks #651

Merged
merged 6 commits into from
Dec 17, 2021
Merged
88 changes: 86 additions & 2 deletions plugins/modules/azure_rm_aks.py
Expand Up @@ -190,6 +190,27 @@
choices:
- standard
- basic
outbound_type:
description:
- How outbound traffic will be configured for a cluster.
type: str
choices:
- loadBalancer
- userDefinedRouting
api_server_access_profile:
description:
- Profile of API Access configuration.
suboptions:
authorized_ip_ranges:
description:
- Authorized IP Ranges to kubernetes API server.
- Cannot be enabled when using private cluster
type: list
enable_private_cluster:
description:
- Whether to create the cluster as a private cluster or not.
- Cannot be changed for an existing cluster.
type: bool
aad_profile:
description:
- Profile of Azure Active Directory configuration.
Expand Down Expand Up @@ -330,6 +351,36 @@
count: 1
vm_size: Standard_D2_v2

- name: Create AKS with userDefinedRouting "Link:https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#add-a-dnat-rule-to-azure-firewall"
azure_rm_aks:
name: "minimal{{ rpfx }}"
location: eastus
resource_group: "{{ resource_group }}"
kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
dns_prefix: "aks{{ rpfx }}"
service_principal:
client_id: "{{ client_id }}"
client_secret: "{{ client_secret }}"
network_profile:
network_plugin: azure
load_balancer_sku: standard
outbound_type: userDefinedRouting
service_cidr: "10.41.0.0/16"
dns_service_ip: "10.41.0.10"
docker_bridge_cidr: "172.17.0.1/16"
api_server_access_profile:
authorized_ip_ranges:
- "20.106.246.252/32"
enable_private_cluster: no
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_B2s
mode: System
vnet_subnet_id: "{{ output.subnets[0].id }}"
type: VirtualMachineScaleSets
enable_auto_scaling: false

- name: Remove a managed Azure Container Services (AKS) instance
azure_rm_aks:
name: myAKS
Expand Down Expand Up @@ -404,6 +455,7 @@ def create_aks_dict(aks):
enable_rbac=aks.enable_rbac,
network_profile=create_network_profiles_dict(aks.network_profile),
aad_profile=create_aad_profiles_dict(aks.aad_profile),
api_server_access_profile=create_api_server_access_profile_dict(aks.api_server_access_profile),
addon=create_addon_dict(aks.addon_profiles),
fqdn=aks.fqdn,
node_resource_group=aks.node_resource_group
Expand All @@ -418,14 +470,19 @@ def create_network_profiles_dict(network):
service_cidr=network.service_cidr,
dns_service_ip=network.dns_service_ip,
docker_bridge_cidr=network.docker_bridge_cidr,
load_balancer_sku=network.load_balancer_sku
load_balancer_sku=network.load_balancer_sku,
outbound_type=network.outbound_type
) if network else dict()


def create_aad_profiles_dict(aad):
return aad.as_dict() if aad else dict()


def create_api_server_access_profile_dict(api_server):
return api_server.as_dict() if api_server else dict()


def create_addon_dict(addon):
result = dict()
addon = addon or dict()
Expand Down Expand Up @@ -553,7 +610,8 @@ def create_addon_profiles_spec():
service_cidr=dict(type='str'),
dns_service_ip=dict(type='str'),
docker_bridge_cidr=dict(type='str'),
load_balancer_sku=dict(type='str')
load_balancer_sku=dict(type='str'),
outbound_type=dict(type='str', default='loadBalancer', choices=['userDefinedRouting', 'loadBalancer'])
)


Expand All @@ -565,6 +623,12 @@ def create_addon_profiles_spec():
)


api_server_access_profile_spec = dict(
authorized_ip_ranges=dict(type='list', elements='str'),
enable_private_cluster=dict(type='bool'),
)


class AzureRMManagedCluster(AzureRMModuleBase):
"""Configuration class for an Azure RM container service (AKS) resource"""

Expand Down Expand Up @@ -621,6 +685,10 @@ def __init__(self):
type='dict',
options=create_addon_profiles_spec()
),
api_server_access_profile=dict(
type='dict',
options=api_server_access_profile_spec
),
node_resource_group=dict(
type='str'
)
Expand All @@ -639,6 +707,7 @@ def __init__(self):
self.enable_rbac = False
self.network_profile = None
self.aad_profile = None
self.api_server_access_profile = None
self.addon = None
self.node_resource_group = None

Expand Down Expand Up @@ -724,6 +793,17 @@ def is_property_changed(profile, property, ignore_case=False):
if response['enable_rbac'] != self.enable_rbac:
to_be_updated = True

if response['api_server_access_profile'] != self.api_server_access_profile and self.api_server_access_profile is not None:
if self.api_server_access_profile.get('enable_private_cluster') != response['api_server_access_profile'].get('enable_private_cluster'):
self.log(("Api Server Access Diff - Origin {0} / Update {1}"
.format(str(self.api_server_access_profile), str(response['api_server_access_profile']))))
self.fail("The enable_private_cluster of the api server access profile cannot be updated")
elif len(self.api_server_access_profile.get('authorized_ip_ranges')) != \
len(response['api_server_access_profile'].get('authorized_ip_ranges')):
self.log(("Api Server Access Diff - Origin {0} / Update {1}"
.format(str(self.api_server_access_profile), str(response['api_server_access_profile']))))
to_be_updated = True

if self.network_profile:
for key in self.network_profile.keys():
original = response['network_profile'].get(key) or ''
Expand Down Expand Up @@ -888,6 +968,7 @@ def create_update_aks(self):
enable_rbac=self.enable_rbac,
network_profile=self.create_network_profile_instance(self.network_profile),
aad_profile=self.create_aad_profile_instance(self.aad_profile),
api_server_access_profile=self.create_api_server_access_profile_instance(self.api_server_access_profile),
addon_profiles=self.create_addon_profile_instance(self.addon),
node_resource_group=self.node_resource_group
)
Expand Down Expand Up @@ -1038,6 +1119,9 @@ def create_linux_profile_instance(self, linuxprofile):
def create_network_profile_instance(self, network):
return self.managedcluster_models.ContainerServiceNetworkProfile(**network) if network else None

def create_api_server_access_profile_instance(self, server_access):
return self.managedcluster_models.ManagedClusterAPIServerAccessProfile(**server_access) if server_access else None

def create_aad_profile_instance(self, aad):
return self.managedcluster_models.ManagedClusterAADProfile(**aad) if aad else None

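Review bot: The `authorized_ip_ranges` comparison in the `is_property_changed` hunk (the `elif` branch) only compares list lengths, so swapping one range for another of the same count is treated as "unchanged" and the API-server allow-list on the cluster is silently left stale; it also raises `TypeError` via `len(None)` when the user omits `authorized_ip_ranges` or the response side (which `create_api_server_access_profile_dict` returns as `{}` for a cluster without a profile) has no such key. Compare the contents with a None-safe form instead: `elif set(self.api_server_access_profile.get('authorized_ip_ranges') or []) != \` / `set(response['api_server_access_profile'].get('authorized_ip_ranges') or []):`. The `enable_private_cluster` branch above it presumably also calls `self.fail` when the user leaves that option unset (`None`) while the response carries `False` — worth confirming against the response shape and, if so, normalising both sides with `bool(...)` before comparing. The enclosing method starts outside the hunk.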
47 changes: 47 additions & 0 deletions tests/integration/targets/azure_rm_aks/tasks/minimal-cluster.yml
Expand Up @@ -18,6 +18,15 @@
count: 1
vm_size: Standard_B2s
mode: System
api_server_access_profile:
authorized_ip_ranges:
- "192.0.2.0"
- "198.51.100.0"
- "203.0.113.0"
enable_private_cluster: no
network_profile:
load_balancer_sku: standard
outbound_type: loadBalancer
register: output

- name: Assert the AKS instance is well created
Expand Down Expand Up @@ -50,13 +59,51 @@
count: 1
vm_size: Standard_B2s
mode: System
api_server_access_profile:
authorized_ip_ranges:
- "192.0.2.0"
- "198.51.100.0"
- "203.0.113.0"
enable_private_cluster: no
network_profile:
load_balancer_sku: standard
outbound_type: loadBalancer
register: output

- name: Assert idempotent
assert:
that:
- not output.changed

- name: Update api_server_access_profile config
azure_rm_aks:
name: "minimal{{ rpfx }}"
location: eastus
resource_group: "{{ resource_group }}"
kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
dns_prefix: "aks{{ rpfx }}"
agent_pool_profiles:
- name: default
count: 1
vm_size: Standard_B2s
mode: System
api_server_access_profile:
authorized_ip_ranges:
- "173.0.113.0"
- "192.0.2.0"
- "198.51.100.0"
- "203.0.113.0"
enable_private_cluster: no
network_profile:
load_balancer_sku: standard
outbound_type: loadBalancer
register: output

- name: Assert idempotent
assert:
that:
- output.changed

- name: Delete the AKS instance
azure_rm_aks:
name: "minimal{{ rpfx }}"
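Review bot: The assertion following the "Update api_server_access_profile config" task is named `Assert idempotent` but asserts `output.changed`, and the only update it exercises is a longer `authorized_ip_ranges` list, so a same-count replacement (one range swapped for another) is not covered even though that is exactly the case a length-only comparison in the module would miss. Rename it `- name: Assert the api_server_access_profile update was applied` and consider a second update task that swaps a single entry without changing the list length, asserting `output.changed` there too. The tasks also write `enable_private_cluster: no`; Ansible accepts it, but `false` is the canonical boolean and avoids the YAML 1.1/1.2 truthy ambiguity.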