[AKS] Support Azure Hybrid User Benefits (#21764)

* [AKS] support parameter OutboundType

* [AKS] Fixed the issue of Enable-AzAksAddon when there are no addons

* [AKS] Support EnableAHUB

* update changelog and help md

Author: YanaXu

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.cs

@@ -219,5 +219,12 @@ public void TestOutboundType()
         {
             TestRunner.RunTestScript("Test-OutboundType");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestEnableAHUB()
+        {
+            TestRunner.RunTestScript("Test-EnableAHUB");
+        }
     }
 }

src/Aks/Aks.Test/ScenarioTests/KubernetesTests.ps1

@@ -1248,4 +1248,33 @@ function Test-OutboundType {
     finally {
         Remove-AzResourceGroup -Name $resourceGroupName -Force
     }
+}
+
+function Test-EnableAHUB {
+    # Setup
+    $resourceGroupName = Get-RandomResourceGroupName
+    $kubeClusterName = Get-RandomClusterName
+    $location = 'eastus'
+
+    try {
+        New-AzResourceGroup -Name $resourceGroupName -Location $location
+
+        $SecurePassword = ConvertTo-SecureString 'Abcdefg@123456' -AsPlainText -Force
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -NodeCount 1 -WindowsProfileAdminUserName azure -WindowsProfileAdminUserPassword $SecurePassword -EnableAHUB
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName
+        Assert-AreEqual 'Windows_Server' $cluster.WindowsProfile.LicenseType
+        $cluster = Set-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -EnableAHUB:$false
+        Assert-AreEqual 'None' $cluster.WindowsProfile.LicenseType
+
+        
+        $kubeClusterName = Get-RandomClusterName
+        New-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName -NodeCount 1
+        $cluster = Get-AzAksCluster -ResourceGroupName $resourceGroupName -Name $kubeClusterName
+        Assert-Null $cluster.WindowsProfile.LicenseType
+        $cluster = $cluster | Set-AzAksCluster -EnableAHUB
+        Assert-AreEqual 'Windows_Server' $cluster.WindowsProfile.LicenseType
+    }
+    finally {
+        Remove-AzResourceGroup -Name $resourceGroupName -Force
+    }
 }

src/Aks/Aks.Test/SessionRecords/Commands.Aks.Test.ScenarioTests.KubernetesTests/TestEnableAHUB.json

@@ -19,6 +19,8 @@
 -->
 ## Upcoming Release
 * Fixed the issue of `Enable-AzAksAddon` when there are no addons. [#21665]
+* Added parameter `-EnableAHUB` for `New-AzAksCluster` and `Set-AzAksCluster`
+* Added parameter `-WindowsProfileAdminUserPassword` for `Set-AzAksCluster`
 
 ## Version 5.4.0
 * Added cmdlet `New-AzAksMaintenanceConfiguration`, `Get-AzAksMaintenanceConfiguration`, `Remove-AzAksMaintenanceConfiguration`, `New-AzAksSnapshot`, `Get-AzAksSnapshot`, `Remove-AzAksSnapshot`, `Get-AzAksManagedClusterCommandResult`, `Get-AzAksManagedClusterOSOption`, `Get-AzAksManagedClusterOutboundNetworkDependencyEndpoint`, `Invoke-AzAksAbortAgentPoolLatestOperation`, `Invoke-AzAksAbortManagedClusterLatestOperation`, `Invoke-AzAksRotateManagedClusterServiceAccountSigningKey`, `Start-AzAksManagedClusterCommand`, `New-AzAksTimeInWeekObject`, `New-AzAksTimeSpanObject`.

src/Aks/Aks/ChangeLog.md

@@ -40,6 +40,8 @@
 using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
 using ResourceIdentityType = Microsoft.Azure.Management.ContainerService.Models.ResourceIdentityType;
 using Microsoft.Azure.Commands.Aks.Commands;
+using Microsoft.Azure.Commands.Aks.Utils;
+using System.Security;
 
 namespace Microsoft.Azure.Commands.Aks
 {
@@ -197,6 +199,14 @@ public abstract class CreateOrUpdateKubeBase : KubeCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "The Azure Active Directory configuration.")]
         public ManagedClusterAADProfile AadProfile { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "The administrator password to use for Windows VMs. Password requirement:"
+          + "At least one lower case, one upper case, one special character !@#$%^&*(), the minimum lenth is 12.")]
+        [ValidateSecureString(RegularExpression = "^(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%\\^&\\*\\(\\)])[a-zA-Z\\d!@#$%\\^&\\*\\(\\)]{12,123}$", ParameterName = nameof(WindowsProfileAdminUserPassword))]
+        public SecureString WindowsProfileAdminUserPassword { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Whether to enable Azure Hybrid User Benefits (AHUB) for Windows VMs.")]
+        public SwitchParameter EnableAHUB { get; set; }
+
         protected void BeforeBuildNewCluster()
         {
             if (!string.IsNullOrEmpty(ResourceGroupName) && string.IsNullOrEmpty(Location))

src/Aks/Aks/Commands/CreateOrUpdateKubeBase.cs

@@ -19,7 +19,6 @@
 using System.IO;
 using System.Linq;
 using System.Management.Automation;
-using System.Security;
 using Microsoft.Azure.Commands.Aks.Models;
 using Microsoft.Azure.Commands.Aks.Properties;
 using Microsoft.Azure.Commands.Aks.Utils;
@@ -31,7 +30,6 @@
 using Microsoft.Rest;
 using Microsoft.WindowsAzure.Commands.Common;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using Newtonsoft.Json;
 
 namespace Microsoft.Azure.Commands.Aks
 {
@@ -88,11 +86,6 @@ public class NewAzureRmAks : CreateOrUpdateKubeBase
         [Parameter(Mandatory = false, HelpMessage = "The administrator username to use for Windows VMs.")]
         public string WindowsProfileAdminUserName { get; set; }
 
-        [Parameter(Mandatory = false, HelpMessage = "The administrator password to use for Windows VMs. Password requirement:"
-          + "At least one lower case, one upper case, one special character !@#$%^&*(), the minimum lenth is 12.")]
-        [ValidateSecureString(RegularExpression = "^(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%\\^&\\*\\(\\)])[a-zA-Z\\d!@#$%\\^&\\*\\(\\)]{12,123}$", ParameterName = nameof(WindowsProfileAdminUserPassword))]
-        public SecureString WindowsProfileAdminUserPassword { get; set; }
-
         [Parameter(Mandatory = false, HelpMessage = "Network plugin used for building Kubernetes network.")]
         [PSArgumentCompleter("azure", "kubenet")]
         public string NetworkPlugin { get; set; } = "azure";
@@ -490,6 +483,10 @@ private ManagedClusterWindowsProfile GetWindowsProfile()
             {
                 windowsProfile = new ManagedClusterWindowsProfile(WindowsProfileAdminUserName,
                     WindowsProfileAdminUserPassword?.ConvertToString());
+                if (this.IsParameterBound(c => c.EnableAHUB) && EnableAHUB.ToBool()) 
+                {
+                    windowsProfile.LicenseType = "Windows_Server";
+                }
             }
             return windowsProfile;
         }

src/Aks/Aks/Commands/NewAzureRmAks.cs

@@ -427,6 +427,24 @@ public override void ExecuteCmdlet()
                     {
                         cluster.OidcIssuerProfile = new ManagedClusterOIDCIssuerProfile(enabled: true);
                     }
+                    if (cluster.WindowsProfile != null)
+                    {
+                        if (this.IsParameterBound(c => c.WindowsProfileAdminUserPassword) && WindowsProfileAdminUserPassword != null)
+                        {
+                            cluster.WindowsProfile.AdminPassword = WindowsProfileAdminUserPassword.ConvertToString();
+                        }
+                        if (this.IsParameterBound(c => c.EnableAHUB))
+                        {
+                            if (EnableAHUB.ToBool())
+                            {
+                                cluster.WindowsProfile.LicenseType = "Windows_Server";
+                            }
+                            else
+                            {
+                                cluster.WindowsProfile.LicenseType = "None";
+                            }
+                        }
+                    }
                     SetIdentity(cluster);
 
                     var kubeCluster = this.CreateOrUpdate(ResourceGroupName, Name, cluster);
@@ -439,7 +457,7 @@ public override void ExecuteCmdlet()
                     {
                         cluster.DisableLocalAccounts = DisableLocalAccount;
                     }
-                    
+
                     WriteObject(AdapterHelper<ManagedCluster, PSKubernetesCluster>.Adapt(kubeCluster));
                 });
             }

src/Aks/Aks/Commands/SetAzureRmAks.cs

@@ -20,12 +20,11 @@ The cmdlet may call below Microsoft Graph API according to input parameters:
 New-AzAksCluster [-NodeVmSetType <String>] [-NodeVnetSubnetID <String>] [-NodeMaxPodCount <Int32>]
  [-NodeSetPriority <String>] [-NodePoolMode <String>] [-NodeOsSKU <String>]
  [-NodeScaleSetEvictionPolicy <String>] [-AddOnNameToBeEnabled <String[]>] [-WorkspaceResourceId <String>]
- [-SubnetName <String>] [-EnableRbac] [-WindowsProfileAdminUserName <String>]
- [-WindowsProfileAdminUserPassword <SecureString>] [-NetworkPlugin <String>] [-NetworkPolicy <String>]
- [-PodCidr <String>] [-ServiceCidr <String>] [-DnsServiceIP <String>] [-DockerBridgeCidr <String>]
- [-OutboundType <String>] [-LoadBalancerSku <String>] [-Force] [-GenerateSshKey] [-EnableNodePublicIp]
- [-NodePublicIPPrefixID <String>] [-AvailabilityZone <String[]>] [-NodeResourceGroup <String>]
- [-EnableEncryptionAtHost] [-EnableUltraSSD] [-NodeLinuxOSConfig <LinuxOSConfig>]
+ [-SubnetName <String>] [-EnableRbac] [-WindowsProfileAdminUserName <String>] [-NetworkPlugin <String>]
+ [-NetworkPolicy <String>] [-PodCidr <String>] [-ServiceCidr <String>] [-DnsServiceIP <String>]
+ [-DockerBridgeCidr <String>] [-OutboundType <String>] [-LoadBalancerSku <String>] [-Force] [-GenerateSshKey]
+ [-EnableNodePublicIp] [-NodePublicIPPrefixID <String>] [-AvailabilityZone <String[]>]
+ [-NodeResourceGroup <String>] [-EnableEncryptionAtHost] [-EnableUltraSSD] [-NodeLinuxOSConfig <LinuxOSConfig>]
  [-NodeKubeletConfig <KubeletConfig>] [-NodeMaxSurge <String>] [-PPG <String>] [-EnableFIPS]
  [-AutoScalerProfile <ManagedClusterPropertiesAutoScalerProfile>] [-GpuInstanceProfile <String>]
  [-EnableUptimeSLA] [-EdgeZone <String>] [-NodeHostGroupID <String>] [-NodePodSubnetID <String>]
@@ -43,8 +42,8 @@ New-AzAksCluster [-NodeVmSetType <String>] [-NodeVnetSubnetID <String>] [-NodeMa
  [-DiskEncryptionSetID <String>] [-DisableLocalAccount] [-HttpProxy <String>] [-HttpsProxy <String>]
  [-HttpProxyConfigNoProxyEndpoint <String[]>] [-HttpProxyConfigTrustedCa <String>]
  [-AksCustomHeader <Hashtable>] [-AadProfile <ManagedClusterAADProfile>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
- [<CommonParameters>]
+ [-WindowsProfileAdminUserPassword <SecureString>] [-EnableAHUB] [-DefaultProfile <IAzureContextContainer>]
+ [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -397,6 +396,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableAHUB
+Whether to enable Azure Hybrid User Benefits (AHUB) for Windows VMs.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EnableApiServerAccessPrivateCluster
 Whether to create the cluster as a private cluster or not.
 

src/Aks/Aks/help/New-AzAksCluster.md

@@ -30,8 +30,8 @@ Set-AzAksCluster [-NodePoolMode <String>] [-AcrNameToDetach <String>] [-NodeImag
  [-DiskEncryptionSetID <String>] [-DisableLocalAccount] [-HttpProxy <String>] [-HttpsProxy <String>]
  [-HttpProxyConfigNoProxyEndpoint <String[]>] [-HttpProxyConfigTrustedCa <String>]
  [-AksCustomHeader <Hashtable>] [-AadProfile <ManagedClusterAADProfile>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
- [<CommonParameters>]
+ [-WindowsProfileAdminUserPassword <SecureString>] [-EnableAHUB] [-DefaultProfile <IAzureContextContainer>]
+ [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ### InputObjectParameterSet
@@ -51,8 +51,8 @@ Set-AzAksCluster -InputObject <PSKubernetesCluster> [-NodePoolMode <String>] [-A
  [-DiskEncryptionSetID <String>] [-DisableLocalAccount] [-HttpProxy <String>] [-HttpsProxy <String>]
  [-HttpProxyConfigNoProxyEndpoint <String[]>] [-HttpProxyConfigTrustedCa <String>]
  [-AksCustomHeader <Hashtable>] [-AadProfile <ManagedClusterAADProfile>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
- [<CommonParameters>]
+ [-WindowsProfileAdminUserPassword <SecureString>] [-EnableAHUB] [-DefaultProfile <IAzureContextContainer>]
+ [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ### IdParameterSet
@@ -72,8 +72,8 @@ Set-AzAksCluster [-NodePoolMode <String>] [-AcrNameToDetach <String>] [-NodeImag
  [-DiskEncryptionSetID <String>] [-DisableLocalAccount] [-HttpProxy <String>] [-HttpsProxy <String>]
  [-HttpProxyConfigNoProxyEndpoint <String[]>] [-HttpProxyConfigTrustedCa <String>]
  [-AksCustomHeader <Hashtable>] [-AadProfile <ManagedClusterAADProfile>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
- [<CommonParameters>]
+ [-WindowsProfileAdminUserPassword <SecureString>] [-EnableAHUB] [-DefaultProfile <IAzureContextContainer>]
+ [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -343,6 +343,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableAHUB
+Whether to enable Azure Hybrid User Benefits (AHUB) for Windows VMs.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EnableApiServerAccessPrivateCluster
 Whether to create the cluster as a private cluster or not.
 
@@ -902,6 +917,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -WindowsProfileAdminUserPassword
+The administrator password to use for Windows VMs. Password requirement:At least one lower case, one upper case, one special character !@#$%^&*(), the minimum lenth is 12.
+
+```yaml
+Type: System.Security.SecureString
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.