Merge pull request #243 from mjura/privateDNSzone

Add PrivateDNSZone for private clusters
rancher · Aug 7, 2023 · 0cfe5ba · 0cfe5ba
2 parents f712444 + 4482fee
commit 0cfe5ba
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 0 deletions.
diff --git a/charts/aks-operator-crd/templates/crds.yaml b/charts/aks-operator-crd/templates/crds.yaml
@@ -68,6 +68,9 @@ spec:
               logAnalyticsWorkspaceName:
                 nullable: true
                 type: string
+              managedIdentity:
+                nullable: true
+                type: boolean
               monitoring:
                 nullable: true
                 type: boolean
@@ -155,6 +158,9 @@ spec:
               privateCluster:
                 nullable: true
                 type: boolean
+              privateDnsZone:
+                nullable: true
+                type: string
               resourceGroup:
                 nullable: true
                 type: string
@@ -176,6 +182,9 @@ spec:
                   type: string
                 nullable: true
                 type: object
+              userAssignedIdentity:
+                nullable: true
+                type: string
               virtualNetwork:
                 nullable: true
                 type: string

diff --git a/controller/aks-cluster-config-handler.go b/controller/aks-cluster-config-handler.go
@@ -691,6 +691,18 @@ func (h *Handler) buildUpstreamClusterState(ctx context.Context, credentials *ak
 		if clusterState.APIServerAccessProfile.AuthorizedIPRanges != nil && *clusterState.APIServerAccessProfile.AuthorizedIPRanges != nil {
 			upstreamSpec.AuthorizedIPRanges = clusterState.APIServerAccessProfile.AuthorizedIPRanges
 		}
+		if clusterState.APIServerAccessProfile.PrivateDNSZone != nil {
+			upstreamSpec.PrivateDNSZone = clusterState.APIServerAccessProfile.PrivateDNSZone
+		}
+	}
+	upstreamSpec.ManagedIdentity = to.BoolPtr(false)
+	if clusterState.Identity != nil {
+		upstreamSpec.ManagedIdentity = to.BoolPtr(true)
+		if clusterState.Identity.UserAssignedIdentities != nil {
+			for userAssignedID := range clusterState.Identity.UserAssignedIdentities {
+				upstreamSpec.UserAssignedIdentity = to.StringPtr(userAssignedID)
+			}
+		}
 	}
 
 	return upstreamSpec, err

diff --git a/controller/aks-cluster-config-handler_test.go b/controller/aks-cluster-config-handler_test.go
@@ -831,6 +831,7 @@ var _ = Describe("buildUpstreamClusterState", func() {
 				APIServerAccessProfile: &containerservice.ManagedClusterAPIServerAccessProfile{
 					EnablePrivateCluster: to.BoolPtr(true),
 					AuthorizedIPRanges:   to.StringSlicePtr([]string{"test"}),
+					PrivateDNSZone:       to.StringPtr("test-private-dns-zone-id"),
 				},
 			},
 			Tags: *to.StringMapPtr(map[string]string{"test": "test"}),
@@ -885,6 +886,7 @@ var _ = Describe("buildUpstreamClusterState", func() {
 		Expect(upstreamSpec.LogAnalyticsWorkspaceGroup).To(Equal(to.StringPtr("test")))
 		Expect(upstreamSpec.LogAnalyticsWorkspaceName).To(Equal(to.StringPtr("test/resourcegroups/test/")))
 		Expect(upstreamSpec.PrivateCluster).To(Equal(to.BoolPtr(*clusterState.APIServerAccessProfile.EnablePrivateCluster)))
+		Expect(upstreamSpec.PrivateDNSZone).To(Equal(to.StringPtr(*clusterState.APIServerAccessProfile.PrivateDNSZone)))
 		Expect(upstreamSpec.AuthorizedIPRanges).To(Equal(clusterState.APIServerAccessProfile.AuthorizedIPRanges))
 	})
 

diff --git a/pkg/aks/create.go b/pkg/aks/create.go
@@ -264,6 +264,10 @@ func createManagedCluster(ctx context.Context, cred *Credentials, workplacesClie
 			managedCluster.APIServerAccessProfile = &containerservice.ManagedClusterAPIServerAccessProfile{}
 		}
 		managedCluster.APIServerAccessProfile.EnablePrivateCluster = spec.PrivateCluster
+		// Private DNS Zone ID can be set only for private cluster
+		if spec.PrivateDNSZone != nil {
+			managedCluster.APIServerAccessProfile.PrivateDNSZone = spec.PrivateDNSZone
+		}
 	}
 
 	if cred.TenantID != "" {
@@ -273,6 +277,20 @@ func createManagedCluster(ctx context.Context, cred *Credentials, workplacesClie
 		}
 	}
 
+	if to.Bool(spec.ManagedIdentity) {
+		managedCluster.Identity = &containerservice.ManagedClusterIdentity{
+			Type: containerservice.ResourceIdentityTypeSystemAssigned,
+		}
+		if spec.UserAssignedIdentity != nil {
+			managedCluster.Identity = &containerservice.ManagedClusterIdentity{
+				Type: containerservice.ResourceIdentityTypeUserAssigned,
+				UserAssignedIdentities: map[string]*containerservice.ManagedClusterIdentityUserAssignedIdentitiesValue{
+					to.String(spec.UserAssignedIdentity): {},
+				},
+			}
+		}
+	}
+
 	return managedCluster, nil
 }
 

diff --git a/pkg/aks/create_test.go b/pkg/aks/create_test.go
@@ -151,6 +151,7 @@ var _ = Describe("newManagedCluster", func() {
 		Expect(managedCluster.Identity).ToNot(BeNil())
 		Expect(managedCluster.Identity.Type).To(Equal(containerservice.ResourceIdentityTypeSystemAssigned))
 		Expect(managedCluster.Identity.TenantID).To(Equal(to.StringPtr(cred.TenantID)))
+		Expect(managedCluster.APIServerAccessProfile.PrivateDNSZone).To(Equal(clusterSpec.PrivateDNSZone))
 	})
 
 	It("should successfully create managed cluster with custom load balancer sku", func() {
@@ -536,6 +537,7 @@ func newTestClusterSpec() *aksv1.AKSClusterConfigSpec {
 		DNSPrefix:                  to.StringPtr("test-dns-prefix"),
 		AuthorizedIPRanges:         to.StringSlicePtr([]string{"test-authorized-ip-range"}),
 		PrivateCluster:             to.BoolPtr(true),
+		PrivateDNSZone:             to.StringPtr("test-private-dns-zone"),
 		LogAnalyticsWorkspaceGroup: to.StringPtr("test-log-analytics-workspace-group"),
 		LogAnalyticsWorkspaceName:  to.StringPtr("test-log-analytics-workspace-name"),
 	}

diff --git a/pkg/apis/aks.cattle.io/v1/types.go b/pkg/apis/aks.cattle.io/v1/types.go
@@ -59,11 +59,14 @@ type AKSClusterConfigSpec struct {
 	Tags                        map[string]string `json:"tags"`
 	NodePools                   []AKSNodePool     `json:"nodePools"`
 	PrivateCluster              *bool             `json:"privateCluster"`
+	PrivateDNSZone              *string           `json:"privateDnsZone" norman:"pointer"`
 	AuthorizedIPRanges          *[]string         `json:"authorizedIpRanges" norman:"pointer"`
 	HTTPApplicationRouting      *bool             `json:"httpApplicationRouting"`
 	Monitoring                  *bool             `json:"monitoring"`
 	LogAnalyticsWorkspaceGroup  *string           `json:"logAnalyticsWorkspaceGroup" norman:"pointer"`
 	LogAnalyticsWorkspaceName   *string           `json:"logAnalyticsWorkspaceName" norman:"pointer"`
+	ManagedIdentity             *bool             `json:"managedIdentity" norman:"pointer"`
+	UserAssignedIdentity        *string           `json:"userAssignedIdentity" norman:"pointer"`
 }
 
 type AKSClusterConfigStatus struct {

diff --git a/pkg/apis/aks.cattle.io/v1/zz_generated_deepcopy.go b/pkg/apis/aks.cattle.io/v1/zz_generated_deepcopy.go