From 319559d1da9c77ce63b0821754e30494633283d9 Mon Sep 17 00:00:00 2001
From: Billy Bunter <billy@bunter.com>
Date: Thu, 1 Feb 2024 17:13:31 +0000
Subject: [PATCH] Added UI & BiCep update for issue 551.

---
 bicep/main.bicep                   | 16 +++++++++++++-
 helper/src/components/addonsTab.js | 34 +++++++++++++++++++++++++++++-
 helper/src/components/deployTab.js |  1 +
 helper/src/config.json             |  5 ++++-
 4 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/bicep/main.bicep b/bicep/main.bicep
index dfb223fc0..96f0ce013 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -1166,6 +1166,15 @@ var systemPoolPresets = {
   }
 }
 
+@description('Enables the use of a customer user-assigned managed identity for the control plane')
+param useuserassignedidentityforkublet bool = false
+
+@description('Enables the use of a customer user-assigned managed identity for the control plane')
+param KubeletCustomUserIdentity string = ''
+
+@description('Enables the use of a customer user-assigned managed identity for the control plane')
+param KubeletCustomUserIdentityResourceGroup string = ''
+
 var systemPoolBase = {
   name:  JustUseSystemPool ? nodePoolName : 'npsystem'
   vmSize: agentVMSize
@@ -1336,6 +1345,11 @@ var aksProperties = union({
   nodeResourceGroupProfile: {
     restrictionLevel: restrictionLevelNodeResourceGroup
   }
+  identityProfile: (useuserassignedidentityforkublet == 'no') ? null : {
+    kubeletidentity: {
+      resourceId : resourceId('${KubeletCustomUserIdentityResourceGroup}','Microsoft.ManagedIdentity/userAssignedIdentities', '${KubeletCustomUserIdentity}')
+    }
+  }
 },
 outboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {},
 defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
@@ -1360,7 +1374,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2023-07-02-preview' = {
     }
   } : {
     type: 'SystemAssigned'
-  }
+   }
   sku: {
     name: 'Base'
     tier: akssku
diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js
index 937d79785..33f618ce6 100644
--- a/helper/src/components/addonsTab.js
+++ b/helper/src/components/addonsTab.js
@@ -534,7 +534,7 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray,showPr
 
             <Stack.Item align="start">
                 <Label required={true}>
-                    Workload Identity : Enable Azure Workload Identity on the AKS Cluster
+                    Use a managed identity : Enable Azure Workload Identity on the AKS Cluster
                     (<a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster">*preview</a>)
                     (<a target="_new" href="https://github.com/Azure/azure-workload-identity">project</a>)
                 </Label>
@@ -544,6 +544,38 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray,showPr
 
             <Separator className="notopmargin" />
 
+            <Stack.Item align="start">
+                <Label required={true}>
+                    Kubelet identity: Allow the Kubelet on each node to run as a user-assigned managed identity.
+                    (<a target="_new" href="https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-managed-identity">docs</a>)
+                </Label>
+                <MessageBar messageBarType={MessageBarType.info} styles={{ root: { marginBottom: '10px' } }}>
+                        This option is only applicable providing a custom user managed account is also used for the control plane.
+                        Without it, you will see an error similar to "Custom Kubelet Identity Only Supported On User Assigned MSI Cluster".
+                        Select the "Security Principals --&gt; Cluster with additional security controls" option above and this will be enabled automatically.
+                </MessageBar>
+
+                <ChoiceGroup
+                    styles={{ root: { marginLeft: '50px' } }}
+                    selectedKey={addons.useuserassignedidentityforkubelet}
+                    options={[
+                        { key: 'no', text: 'Do not use a custom user-assigned identity for the kubelet' },
+                        { key: 'yesExisting', text: 'Yes, use a pre-existing user-assigned identity for the kubelet.' }
+                    ]}
+                    onChange={(ev, { key }) => updateFn("useuserassignedidentityforkubelet", key)}
+                />
+
+                {addons.useuserassignedidentityforkubelet !== 'no' &&
+                    <>
+                    <TextField label="User Assigned Identity Name" styles={{ root: { marginBottom: '10px', marginLeft: '50px', width: '300px' } }} required placeholder="e.g. aksControl" onChange={(ev, v) => {updateFn("kubeletCustomUserIdentity", v)}} value={addons.kubeletCustomUserIdentity} />
+                    <TextField label="Resource Group Name"              styles={{ root: { marginBottom: '10px', marginLeft: '50px', width: '300px' } }} required placeholder="e.g. akaIdentities" onChange={(ev, v) => {updateFn("kubeletCustomUserIdentityResourceGroup", v)}} value={addons.kubeletCustomUserIdentityResourceGroup} />
+                    </>
+                }
+
+            </Stack.Item>
+
+            <Separator className="notopmargin" />
+
             <Stack.Item align="start">
                 <Label required={true}>
                     GitOps with Flux
diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js
index 681d3da2c..06b28e3d4 100644
--- a/helper/src/components/deployTab.js
+++ b/helper/src/components/deployTab.js
@@ -57,6 +57,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(cluster.enable_aad && { enable_aad: true, ...(cluster.enableAzureRBAC === false && cluster.aad_tenant_id && { aad_tenant_id: cluster.aad_tenant_id }) }),
     ...(cluster.enable_aad && cluster.AksDisableLocalAccounts !== defaults.cluster.AksDisableLocalAccounts && { AksDisableLocalAccounts: cluster.AksDisableLocalAccounts }),
     ...(cluster.enable_aad && cluster.enableAzureRBAC && { enableAzureRBAC: true, ...(deploy.clusterAdminRole && { adminPrincipalId: "$(az ad signed-in-user show --query id --out tsv)" }) }),
+    ...(addons.useuserassignedidentityforkubelet !=="no") && {KubeletCustomUserIdentity : addons.kubeletCustomUserIdentity, KubeletCustomUserIdentityResourceGroup : addons.kubeletCustomUserIdentityResourceGroup },
     ...(addons.registry !== "none" && {
         registries_sku: addons.registry,
         ...(deploy.acrPushRole && { acrPushRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}),
diff --git a/helper/src/config.json b/helper/src/config.json
index fb712434a..a51838132 100644
--- a/helper/src/config.json
+++ b/helper/src/config.json
@@ -115,7 +115,10 @@
             "automationAccountScheduledStartStop": "",
             "automationTimeZone": "Etc/UTC",
             "automationStartHour": 8,
-            "automationStopHour" : 19
+            "automationStopHour" : 19,
+            "useuserassignedidentityforkubelet" : "no",
+            "kubeletCustomUserIdentity" : "",
+            "kubeletCustomUserIdentityResourceGroup" : ""
         },
         "net": {
             "vnetFirewallManagementSubnetAddressPrefix": "10.240.51.0/26",