[AKS] identity binding commands

src/aks-preview/HISTORY.rst

@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+18.0.0b26
++++++++
+* Add `az aks identity-binding` command group for identity binding feataure.
+
 18.0.0b25
 +++++++
 * Update for `az aks machine show` and `az aks machine list` to show more details about the machine.

src/aks-preview/azext_aks_preview/_client_factory.py

@@ -43,6 +43,10 @@ def cf_machines(cli_ctx, *_):
     return get_container_service_client(cli_ctx).machines
 
 
+def cf_identity_bindings(cli_ctx, *_):
+    return get_container_service_client(cli_ctx).identity_bindings
+
+
 def cf_operations(cli_ctx, *_):
     return get_container_service_client(cli_ctx).operation_status_result
 

src/aks-preview/azext_aks_preview/_help.py

@@ -3894,3 +3894,52 @@
         - name: Connect to a managed Kubernetes cluster using Azure Bastion with custom port and admin credentials.
           text: az aks bastion -g MyResourceGroup --name MyManagedCluster --bastion MyBastionResource --port 50001 --admin
 """
+
+helps['aks identity-binding'] = """
+    type: group
+    short-summary: Commands to manage identity bindings in Azure Kubernetes Service.
+"""
+helps['aks identity-binding show'] = """
+    type: command
+    short-summary: Show details of a specific identity binding in a managed Kubernetes cluster.
+    parameters:
+        - name: --cluster-name
+          type: string
+          short-summary: Name of the managed Kubernetes cluster.
+        - name: --name -n
+          type: string
+          short-summary: Name of the identity binding to show.
+"""
+helps['aks identity-binding list'] = """
+    type: command
+    short-summary: List all identity bindings under a managed Kubernetes cluster.
+    parameters:
+        - name: --cluster-name
+          type: string
+          short-summary: Name of the managed Kubernetes cluster.
+"""
+helps['aks identity-binding create'] = """
+    type: command
+    short-summary: Create a new identity binding in a managed Kubernetes cluster.
+    parameters:
+        - name: --cluster-name
+          type: string
+          short-summary: Name of the managed Kubernetes cluster.
+        - name: --name -n
+          type: string
+          short-summary: Name of the identity binding to show.
+        - name: --managed-identity-resource-id
+          type: string
+          short-summary: The resource ID of the managed identity to use.
+"""
+helps['aks identity-binding delete'] = """
+    type: command
+    short-summary: Delete a specific identity binding in a managed Kubernetes cluster.
+    parameters:
+        - name: --cluster-name
+          type: string
+          short-summary: Name of the managed Kubernetes cluster.
+        - name: --name -n
+          type: string
+          short-summary: Name of the identity binding to show.
+"""

src/aks-preview/azext_aks_preview/aks_identity_binding/commands.py

@@ -0,0 +1,84 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+
+# `az aks identity-binding create` command
+def aks_ib_cmd_create(
+    cmd, client,  # pylint: disable=unused-argument
+    resource_group_name: str,
+    cluster_name: str,
+    name: str,
+    managed_identity_resource_id: str,
+    no_wait: bool = False,
+):
+    from azure.cli.core.util import sdk_no_wait
+    from azext_aks_preview.vendored_sdks.azure_mgmt_preview_aks.models import (
+        IdentityBinding,
+        IdentityBindingProperties,
+        IdentityBindingManagedIdentityProfile,
+    )
+
+    instance = IdentityBinding(
+        name=name,
+        properties=IdentityBindingProperties(
+            managed_identity=IdentityBindingManagedIdentityProfile(
+                resource_id=managed_identity_resource_id,
+            )
+        )
+    )
+
+    return sdk_no_wait(
+        no_wait,
+        client.begin_create_or_update,
+        resource_group_name,
+        cluster_name,
+        name,
+        instance,
+    )
+
+
+# `az aks identity-binding delete` command
+def aks_ib_cmd_delete(
+    cmd, client,  # pylint: disable=unused-argument
+    resource_group_name: str,
+    cluster_name: str,
+    name: str,
+    no_wait: bool = False,
+):
+    from azure.cli.core.util import sdk_no_wait
+
+    return sdk_no_wait(
+        no_wait,
+        client.begin_delete,
+        resource_group_name=resource_group_name,
+        resource_name=cluster_name,
+        identity_binding_name=name,
+    )
+
+
+# `az aks identity-binding show` command
+def aks_ib_cmd_show(
+    cmd, client,  # pylint: disable=unused-argument
+    resource_group_name: str,
+    cluster_name: str,
+    name: str,
+):
+    return client.get(
+        resource_group_name=resource_group_name,
+        resource_name=cluster_name,
+        identity_binding_name=name,
+    )
+
+
+# `az aks identity-binding list` command
+def aks_ib_cmd_list(
+    cmd, client,  # pylint: disable=unused-argument
+    resource_group_name: str,
+    cluster_name: str,
+):
+    return client.list_by_managed_cluster(
+        resource_group_name=resource_group_name,
+        resource_name=cluster_name,
+    )

src/aks-preview/azext_aks_preview/commands.py

@@ -15,6 +15,7 @@
     cf_machines,
     cf_operations,
     cf_load_balancers,
+    cf_identity_bindings,
 )
 
 from azext_aks_preview._format import (
@@ -506,3 +507,12 @@ def load_command_table(self, _):
             'list_k8s_extension_type_versions',
             table_transformer=aks_extension_type_versions_list_table_format
         )
+
+# AKS identity binding commands
+    with self.command_group(
+        "aks identity-binding", managed_clusters_sdk, client_factory=cf_identity_bindings
+    ) as g:
+        g.custom_command("create", "aks_identity_binding_create")
+        g.custom_command("delete", "aks_identity_binding_delete")
+        g.custom_show_command("show", "aks_identity_binding_show")
+        g.custom_command("list", "aks_identity_binding_list")

src/aks-preview/azext_aks_preview/custom.py

@@ -104,6 +104,12 @@
 from azext_aks_preview.maintenanceconfiguration import (
     aks_maintenanceconfiguration_update_internal,
 )
+from azext_aks_preview.aks_identity_binding.commands import (
+    aks_ib_cmd_create,
+    aks_ib_cmd_delete,
+    aks_ib_cmd_show,
+    aks_ib_cmd_list,
+)
 from azext_aks_preview.managednamespace import (
     aks_managed_namespace_add,
     aks_managed_namespace_update,
@@ -4386,3 +4392,9 @@ def aks_bastion(cmd, client, resource_group_name, name, bastion=None, port=None,
             )
         finally:
             aks_batsion_clean_up()
+
+
+aks_identity_binding_create = aks_ib_cmd_create
+aks_identity_binding_delete = aks_ib_cmd_delete
+aks_identity_binding_show = aks_ib_cmd_show
+aks_identity_binding_list = aks_ib_cmd_list

src/aks-preview/azext_aks_preview/tests/latest/test_identity_binding.py

@@ -0,0 +1,111 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+
+from azure.cli.testsdk import ScenarioTest, live_only
+from azure.cli.testsdk.scenario_tests import AllowLargeResponse
+
+from azext_aks_preview.tests.latest.recording_processors import KeyReplacer
+from azext_aks_preview.tests.latest.custom_preparers import (
+    AKSCustomResourceGroupPreparer,
+)
+
+
+class IdentityBindingTestCases(ScenarioTest):
+
+    def __init__(self, method_name):
+        super(IdentityBindingTestCases, self).__init__(
+            method_name,
+            recording_processors=[KeyReplacer()],
+        )
+
+    @AllowLargeResponse()
+    @live_only()
+    @AKSCustomResourceGroupPreparer(
+        random_name_length=17,
+        name_prefix="clitest",
+        location="eastus2",
+    )
+    def test_identity_binding_usages(self, resource_group, resource_group_location):
+        aks_name = self.create_random_name("cliakstest", 16)
+        identity_name = self.create_random_name("cli", 16)
+        identity_binding_name = self.create_random_name("cliib", 16)
+        self.kwargs.update(
+            {
+                "resource_group": resource_group,
+                "aks_name": aks_name,
+                "identity_name": identity_name,
+                "identity_binding_name": identity_binding_name,
+                "location": resource_group_location,
+            }
+        )
+
+        create_aks_cmd = ("aks create --resource-group={resource_group} --name={aks_name} "
+                          "--location={location} --no-ssh-key -o json")
+        self.cmd(create_aks_cmd, checks=[
+                 self.check("provisioningState", "Succeeded")])
+
+        list_identity_binding_cmd = ("aks identity-binding list --resource-group {resource_group} "
+                                     "--cluster-name {aks_name} -o json")
+        self.cmd(
+            list_identity_binding_cmd,
+            checks=[
+                self.check("length(@)", 0)
+            ]
+        )
+
+        create_identity_cmd = ("identity create --resource-group {resource_group} --name {identity_name} "
+                               "--location {location} -o json")
+        identity = self.cmd(create_identity_cmd).get_output_in_json()
+        identity_resource_id = identity["id"]
+        identity_client_id = identity["clientId"]
+        identity_tenant_id = identity["tenantId"]
+
+        identity_binding_checks = [
+            self.check("properties.provisioningState", "Succeeded"),
+            self.check(
+                "properties.managedIdentity.resourceId",
+                identity_resource_id
+            ),
+            self.check(
+                "properties.managedIdentity.clientId",
+                identity_client_id
+            ),
+            self.check(
+                "properties.managedIdentity.tenantId",
+                identity_tenant_id
+            ),
+            self.check(
+                f"ends_with(properties.oidcIssuer.oidcIssuerUrl, '/{identity_tenant_id}/{identity_client_id}')",
+                True,
+            ),
+        ]
+
+        create_identity_binding_cmd = ("aks identity-binding create --resource-group {resource_group} --cluster-name {aks_name} "
+                                       "-n {identity_binding_name} -o json"
+                                       f" --managed-identity-resource-id {identity_resource_id}")
+        self.cmd(create_identity_binding_cmd, checks=identity_binding_checks)
+
+        self.cmd(
+            list_identity_binding_cmd,
+            checks=[
+                self.check("length(@)", 1)
+            ]
+        )
+
+        show_identity_binding_cmd = ("aks identity-binding show --resource-group {resource_group} --cluster-name {aks_name} "
+                                     "-n {identity_binding_name} -o json")
+        self.cmd(show_identity_binding_cmd, checks=identity_binding_checks)
+
+        delete_identity_binding_cmd = ("aks identity-binding delete --resource-group {resource_group} --cluster-name {aks_name} "
+                                       "-n {identity_binding_name} -o json")
+        self.cmd(delete_identity_binding_cmd)
+
+        self.cmd(
+            list_identity_binding_cmd,
+            checks=[
+                self.check("length(@)", 0)
+            ]
+        )

src/aks-preview/linter_exclusions.yml

@@ -384,3 +384,8 @@ aks nodepool delete:
     ignore_pod_disruption_budget:
       rule_exclusions:
         - option_length_too_long
+aks identity-binding create:
+  parameters:
+    managed_identity_resource_id:
+      rule_exclusions:
+        - option_length_too_long

src/aks-preview/setup.py

@@ -9,7 +9,7 @@
 
 from setuptools import setup, find_packages
 
-VERSION = "18.0.0b25"
+VERSION = "18.0.0b26"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",