[AKS] az aks create: add support for --private-dns-zone and --fqdn-su…

…bdomain feature (Azure#17430)

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -35,6 +35,9 @@
 CONST_CONFCOM_ADDON_NAME = "ACCSGXDevicePlugin"
 CONST_ACC_SGX_QUOTE_HELPER_ENABLED = "ACCSGXQuoteHelperEnabled"
 
+# private dns zone mode
+CONST_PRIVATE_DNS_ZONE_SYSTEM = "system"
+
 ADDONS = {
     'http_application_routing': CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME,
     'monitoring': CONST_MONITORING_ADDON_NAME,

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -379,6 +379,13 @@
   - name: --enable-private-cluster
     type: string
     short-summary: Enable private cluster.
+  - name: --private-dns-zone
+    type: string
+    short-summary: Private dns zone mode for private cluster.
+    long-summary: Allowed values are "system" or custom private dns zone resource id. If not set, defaults to type system. Requires --enable-private-cluster to be used.
+  - name: --fqdn-subdomain
+    type: string
+    short-summary: Prefix for FQDN that is created for private cluster with custom private dns zone scenario.
   - name: --api-server-authorized-ip-ranges
     type: string
     short-summary: Comma seperated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -207,6 +207,8 @@ def load_arguments(self, _):
         c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
         c.argument('attach_acr', acr_arg_type)
         c.argument('enable_private_cluster', action='store_true')
+        c.argument('private_dns_zone')
+        c.argument('fqdn_subdomain')
         c.argument('nodepool_tags', nargs='*', validator=validate_nodepool_tags, help='space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.')
         c.argument('enable_managed_identity', action='store_true')
         c.argument('assign_identity', type=str, validator=validate_assign_identity)

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -46,6 +46,7 @@
                                        ArgumentUsageError,
                                        ClientRequestError,
                                        InvalidArgumentValueError,
+                                       MutuallyExclusiveArgumentError,
                                        ValidationError)
 from azure.cli.core._profile import Profile
 from azure.cli.core.commands.client_factory import get_mgmt_service_client, get_subscription_id
@@ -119,6 +120,7 @@
 from ._consts import CONST_CONFCOM_ADDON_NAME, CONST_ACC_SGX_QUOTE_HELPER_ENABLED
 from ._consts import ADDONS
 from ._consts import CONST_CANIPULL_IMAGE
+from ._consts import CONST_PRIVATE_DNS_ZONE_SYSTEM
 
 logger = get_logger(__name__)
 
@@ -1883,6 +1885,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
                generate_ssh_keys=False,  # pylint: disable=unused-argument
                api_server_authorized_ip_ranges=None,
                enable_private_cluster=False,
+               private_dns_zone=None,
+               fqdn_subdomain=None,
                enable_managed_identity=True,
                assign_identity=None,
                attach_acr=None,
@@ -1899,7 +1903,9 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
                yes=False):
     _validate_ssh_key(no_ssh_key, ssh_key_value)
     subscription_id = get_subscription_id(cmd.cli_ctx)
-    if not dns_name_prefix:
+    if dns_name_prefix and fqdn_subdomain:
+        raise MutuallyExclusiveArgumentError('--dns-name-prefix and --fqdn-subdomain cannot be used at same time')
+    if not dns_name_prefix and not fqdn_subdomain:
         dns_name_prefix = _get_default_dns_prefix(name, resource_group_name, subscription_id)
 
     rg_location = _get_rg_location(cmd.cli_ctx, resource_group_name)
@@ -1983,7 +1989,7 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
         principal_obj = _ensure_aks_service_principal(cmd.cli_ctx,
                                                       service_principal=service_principal, client_secret=client_secret,
                                                       subscription_id=subscription_id, dns_name_prefix=dns_name_prefix,
-                                                      location=location, name=name)
+                                                      fqdn_subdomain=fqdn_subdomain, location=location, name=name)
         service_principal_profile = ManagedClusterServicePrincipalProfile(
             client_id=principal_obj.get("service_principal"),
             secret=principal_obj.get("client_secret"),
@@ -2176,6 +2182,24 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
         disk_encryption_set_id=node_osdisk_diskencryptionset_id
     )
 
+    use_custom_private_dns_zone = False
+    if private_dns_zone:
+        if not enable_private_cluster:
+            raise InvalidArgumentValueError("Invalid private dns zone for public cluster. "
+                                            "It should always be empty for public cluster")
+        mc.api_server_access_profile.private_dns_zone = private_dns_zone
+        from msrestazure.tools import is_valid_resource_id
+        if private_dns_zone.lower() != CONST_PRIVATE_DNS_ZONE_SYSTEM:
+            if is_valid_resource_id(private_dns_zone):
+                use_custom_private_dns_zone = True
+            else:
+                raise InvalidArgumentValueError(private_dns_zone + " is not a valid Azure resource ID.")
+    if fqdn_subdomain:
+        if not use_custom_private_dns_zone:
+            raise ArgumentUsageError("--fqdn-subdomain should only be used for "
+                                     "private cluster with custom private dns zone")
+        mc.fqdn_subdomain = fqdn_subdomain
+
     if uptime_sla:
         mc.sku = ManagedClusterSKU(
             name="Basic",
@@ -3602,6 +3626,7 @@ def _ensure_aks_service_principal(cli_ctx,
                                   client_secret=None,
                                   subscription_id=None,
                                   dns_name_prefix=None,
+                                  fqdn_subdomain=None,
                                   location=None,
                                   name=None):
     aad_session_key = None
@@ -3612,7 +3637,10 @@ def _ensure_aks_service_principal(cli_ctx,
         if not client_secret:
             client_secret = _create_client_secret()
         salt = binascii.b2a_hex(os.urandom(3)).decode('utf-8')
-        url = 'https://{}.{}.{}.cloudapp.azure.com'.format(salt, dns_name_prefix, location)
+        if dns_name_prefix:
+            url = 'https://{}.{}.{}.cloudapp.azure.com'.format(salt, dns_name_prefix, location)
+        else:
+            url = 'https://{}.{}.{}.cloudapp.azure.com'.format(salt, fqdn_subdomain, location)
 
         service_principal, aad_session_key = _build_service_principal(rbac_client, cli_ctx, name, url, client_secret)
         if not service_principal: