[aks-preview] Support updating an existing AAD-Integrated cluster to the new AKS-managed AAD experience

src/aks-preview/HISTORY.md

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.4.54
++++++
+* Support "--enable-aad" for "az aks update" to update an existing AAD-Integrated cluster to the new AKS-managed AAD experience
+
 0.4.53
 +++++
 * Add --ppg for "az aks create" and "az aks nodepool add"

src/aks-preview/azext_aks_preview/_help.py

@@ -265,6 +265,8 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>
         - name: Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table
           text: az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID
+        - name: Create a kubernetes cluster with managed AAD enabled.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
 
 """.format(sp_cache=AKS_SERVICE_PRINCIPAL_CACHE)
 
@@ -355,6 +357,9 @@
         - name: --api-server-authorized-ip-ranges
           type: string
           short-summary: Comma seperated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
+        - name: --enable-aad
+          type: bool
+          short-summary: Enable managed AAD feature for cluster.
         - name: --aad-admin-group-object-ids
           type: string
           short-summary: Comma seperated list of aad group object IDs that will be set as cluster admin.
@@ -389,6 +394,10 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""
       - name: Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
+      - name: Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
+      - name: Update an existing AKS AAD-Integrated cluster to the new AKS-managed AAD experience.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad
 """
 
 helps['aks kollect'] = """

src/aks-preview/azext_aks_preview/custom.py

@@ -1134,6 +1134,7 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                attach_acr=None,
                detach_acr=None,
                uptime_sla=False,
+               enable_aad=False,
                aad_tenant_id=None,
                aad_admin_group_object_ids=None,
                aks_custom_headers=None):
@@ -1155,6 +1156,7 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
        not update_pod_security and \
        not update_lb_profile and \
        not uptime_sla and \
+       not enable_aad and \
        not update_aad_profile:
         raise CLIError('Please specify "--enable-cluster-autoscaler" or '
                        '"--disable-cluster-autoscaler" or '
@@ -1169,6 +1171,7 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
                        '"--load-balancer-managed-outbound-ip-count" or '
                        '"--load-balancer-outbound-ips" or '
                        '"--load-balancer-outbound-ip-prefixes" or '
+                       '"--enable-aad" or '
                        '"--aad-tenant-id" or '
                        '"--aad-admin-group-object-ids"')
 
@@ -1283,10 +1286,18 @@ def aks_update(cmd,     # pylint: disable=too-many-statements,too-many-branches,
         instance.api_server_access_profile = \
             _populate_api_server_access_profile(api_server_authorized_ip_ranges, instance)
 
+    if enable_aad:
+        if instance.aad_profile is None:
+            raise CLIError('Cannot specify "--enable-aad" for a non-AAD cluster')
+        if instance.aad_profile.managed:
+            raise CLIError('Cannot specify "--enable-aad" if managed AAD is already enabled')
+        instance.aad_profile = ManagedClusterAADProfile(
+            managed=True
+        )
     if update_aad_profile:
         if instance.aad_profile is None or not instance.aad_profile.managed:
             raise CLIError('Cannot specify "--aad-tenant-id/--aad-admin-group-object-ids"'
-                           ' if managed aad not is enabled')
+                           ' if managed AAD is not enabled')
         if aad_tenant_id is not None:
             instance.aad_profile.tenant_id = aad_tenant_id
         if aad_admin_group_object_ids is not None:

src/aks-preview/azext_aks_preview/tests/latest/recordings/test_aks_byo_appgw_with_ingress_appgw_addon.yaml

@@ -1643,8 +1643,8 @@ interactions:
       false, "scaleSetPriority": "Regular", "scaleSetEvictionPolicy": "Delete", "name":
       "nodepool1"}], "linuxProfile": {"adminUsername": "azureuser", "ssh": {"publicKeys":
       [{"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdabawEfwOujYnckZRvvkrcqoR+c2bLuoiOddqujUWHu+fBTEwDd8nB0vBemdGLNHmo7B3qpXyq9pcplUaGYzCmRZtnYy35UOtCinMqyT3mIJshJA1cIw70nFJbr2gvDl+XXtxmd59k5bWMUjzNdynurjhcA53b1fMHTFXSd5ugtbJ4SyZxPkNWxRtJ9Dg2RslMZ+3ZA9y8iAAMxnX85HpG1UMpwzvEM/jPoFd43UYB5TFZIRAcvlkZTQKaBtFW+Khg7Jx5C3iyPzSMAgDzS4WsJBCfABpJ8nnGzBEi/orhFydtkE/zsXOEMY8ppUpnBLN+LXD1gqWhEYRLF7atYd3
-      vsonline@c541134d8e01\\n"}]}}, "servicePrincipalProfile": {"clientId": "xxxx",
-      "secret": "yyyy"}, "addonProfiles": {"IngressApplicationGateway":
+      vsonline@c541134d8e01\\n"}]}}, "servicePrincipalProfile": {"clientId": "<REDACTED>",
+      "secret": "<REDACTED>"}, "addonProfiles": {"IngressApplicationGateway":
       {"enabled": true, "config": {"applicationGatewayId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.Network/applicationGateways/appgw"}}},
       "enableRBAC": true, "enablePodSecurityPolicy": false, "networkProfile": {"networkPlugin":
       "kubenet", "podCidr": "10.244.0.0/16", "serviceCidr": "10.0.0.0/16", "dnsServiceIP":

src/aks-preview/azext_aks_preview/tests/latest/recordings/test_aks_byo_subnet_with_ingress_appgw_addon.yaml

@@ -791,8 +791,8 @@ interactions:
       false, "scaleSetPriority": "Regular", "scaleSetEvictionPolicy": "Delete", "name":
       "nodepool1"}], "linuxProfile": {"adminUsername": "azureuser", "ssh": {"publicKeys":
       [{"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdabawEfwOujYnckZRvvkrcqoR+c2bLuoiOddqujUWHu+fBTEwDd8nB0vBemdGLNHmo7B3qpXyq9pcplUaGYzCmRZtnYy35UOtCinMqyT3mIJshJA1cIw70nFJbr2gvDl+XXtxmd59k5bWMUjzNdynurjhcA53b1fMHTFXSd5ugtbJ4SyZxPkNWxRtJ9Dg2RslMZ+3ZA9y8iAAMxnX85HpG1UMpwzvEM/jPoFd43UYB5TFZIRAcvlkZTQKaBtFW+Khg7Jx5C3iyPzSMAgDzS4WsJBCfABpJ8nnGzBEi/orhFydtkE/zsXOEMY8ppUpnBLN+LXD1gqWhEYRLF7atYd3
-      vsonline@c541134d8e01\\n"}]}}, "servicePrincipalProfile": {"clientId": "efe70525-74c7-4e99-b80d-970b901032c4",
-      "secret": "1fa5b2295678c53514fa$"}, "addonProfiles": {"IngressApplicationGateway":
+      vsonline@c541134d8e01\\n"}]}}, "servicePrincipalProfile": {"clientId": "<REDACTED>",
+      "secret": "<REDACTED>"}, "addonProfiles": {"IngressApplicationGateway":
       {"enabled": true, "config": {"applicationGatewayName": "gateway", "subnetId":
       "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.Network/virtualNetworks/cliakstest000003/subnets/appgw-subnet"}}},
       "enableRBAC": true, "enablePodSecurityPolicy": false, "networkProfile": {"networkPlugin":