mgmt, AKS, support AAD integration (Azure#27729)

* support rbac in create

* aks with aad integration

* changelog

* javadoc

Author: weidongxu-microsoft

sdk/resourcemanager/azure-resourcemanager-authorization/CHANGELOG.md

@@ -4,11 +4,7 @@
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Supported Azure Kubernetes Service related roles to `BuiltInRole`.
 
 ## 2.13.0 (2022-03-11)
 

sdk/resourcemanager/azure-resourcemanager-authorization/src/main/java/com/azure/resourcemanager/authorization/models/BuiltInRole.java

@@ -7,7 +7,13 @@
 
 import java.util.Collection;
 
-/** Defines values for roles. */
+/**
+ * Defines values for roles.
+ * <p>
+ * It is not the complete list of roles.
+ * See {@link RoleDefinitions#listByScope(String)} for all viable roles,
+ * and {@link RoleDefinition#roleName()} as {@link BuiltInRole}.
+ */
 public final class BuiltInRole extends ExpandableStringEnum<BuiltInRole> {
     /** A role that can manage API Management service and the APIs. */
     public static final BuiltInRole API_MANAGEMENT_SERVICE_CONTRIBUTOR =
@@ -211,6 +217,29 @@ public final class BuiltInRole extends ExpandableStringEnum<BuiltInRole> {
     public static final BuiltInRole KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER =
         BuiltInRole.fromString("Key Vault Crypto Service Encryption User");
 
+    // AKS related roles
+    /** Lets you manage all resources in the cluster. */
+    public static final BuiltInRole AZURE_KUBERNETES_SERVICE_RBAC_CLUSTER_ADMIN =
+        BuiltInRole.fromString("Azure Kubernetes Service RBAC Cluster Admin");
+    /** Lets you manage all resources under cluster/namespace,
+     *  except update or delete resource quotas and namespaces. */
+    public static final BuiltInRole AZURE_KUBERNETES_SERVICE_RBAC_ADMIN =
+        BuiltInRole.fromString("Azure Kubernetes Service RBAC Admin");
+    /** Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings.
+     *  This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount
+     *  credentials in the namespace, which would allow API access as any ServiceAccount in the namespace
+     *  (a form of privilege escalation).
+     *  Applying this role at cluster scope will give access across all namespaces. */
+    public static final BuiltInRole AZURE_KUBERNETES_SERVICE_RBAC_READER =
+        BuiltInRole.fromString("Azure Kubernetes Service RBAC Reader");
+    /** Allows read/write access to most objects in a namespace.
+     * This role does not allow viewing or modifying roles or role bindings.
+     * However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace,
+     * so it can be used to gain the API access levels of any ServiceAccount in the namespace.
+     * Applying this role at cluster scope will give access across all namespaces. */
+    public static final BuiltInRole AZURE_KUBERNETES_SERVICE_RBAC_WRITER =
+        BuiltInRole.fromString("Azure Kubernetes Service RBAC Writer");
+
     /**
      * Finds or creates a role instance based on the specified name.
      *

sdk/resourcemanager/azure-resourcemanager-compute/src/main/java/com/azure/resourcemanager/compute/models/VirtualMachine.java

@@ -1233,7 +1233,7 @@ interface WithEphemeralOSDisk {
         interface WithVMSize {
             /**
              * Selects the size of the virtual machine.
-             *
+             * <p>
              * See {@link ComputeSkus#listByRegion(Region)} for virtual machine sizes in region,
              * and {@link AvailabilitySet#listVirtualMachineSizes()} for virtual machine sizes in availability set.
              *
@@ -1244,7 +1244,7 @@ interface WithVMSize {
 
             /**
              * Specifies the size of the virtual machine.
-             *
+             * <p>
              * {@link VirtualMachineSizeTypes} is not the complete list of virtual machine sizes.
              * See {@link ComputeSkus#listByRegion(Region)} for virtual machine sizes in region,
              * and {@link AvailabilitySet#listVirtualMachineSizes()} for virtual machine sizes in availability set.
@@ -1863,7 +1863,7 @@ interface WithNetworkInterfaceDeleteOptions {
         interface WithAdditionalCapacities {
             /**
              * Enables hibernation feature.
-             *
+             * <p>
              * Hibernation is supported on premium general purpose SKUs, e.g. STANDARD_D2S_V3.
              * Hibernation is supported on Windows 10 19H1 and higher, and Windows Server 2019 and higher.
              * For Ubuntu 18.04 or higher, hibernation-setup-tool is required to be installed on the virtual machine.
@@ -2447,7 +2447,7 @@ interface Update
 
         /**
          * Specifies a new size for the virtual machine.
-         *
+         * <p>
          * See {@link VirtualMachine#availableSizes()} for resizing.
          *
          * @param sizeName the name of a size for the virtual machine as text
@@ -2457,7 +2457,7 @@ interface Update
 
         /**
          * Specifies a new size for the virtual machine.
-         *
+         * <p>
          * {@link VirtualMachineSizeTypes} is not the complete list of virtual machine sizes.
          * See {@link VirtualMachine#availableSizes()} for resizing.
          *

sdk/resourcemanager/azure-resourcemanager-containerservice/CHANGELOG.md

@@ -2,9 +2,16 @@
 
 ## 2.14.0-beta.1 (Unreleased)
 
+### Features Added
+
+- Supported disabling Kubernetes Role-Based Access Control for `KubernetesCluster` during create.
+- Supported enabling Azure AD integration for `KubernetesCluster`.
+- Supported disabling local accounts for `KubernetesCluster`.
+
 ### Other Changes
 
 - Changed behavior that `KubernetesCluster` no longer retrieves admin and user KubeConfig during create, update, refresh.
+- Changed behavior that Linux profile is not required for `KubernetesCluster` during create.
 
 ## 2.13.0 (2022-03-11)
 
@@ -38,6 +45,12 @@
 
 - Updated `api-version` to `2022-01-01`.
 
+## 2.12.2 (2022-03-17)
+
+### Other Changes
+
+- Changed behavior that `KubernetesCluster` no longer retrieves admin and user KubeConfig during create, update, refresh.
+
 ## 2.12.1 (2022-02-22)
 
 ### Bugs Fixed

sdk/resourcemanager/azure-resourcemanager-containerservice/src/main/java/com/azure/resourcemanager/containerservice/implementation/KubernetesClusterImpl.java

@@ -6,6 +6,7 @@
 import com.azure.core.http.rest.PagedIterable;
 import com.azure.core.http.rest.Response;
 import com.azure.core.http.rest.SimpleResponse;
+import com.azure.core.util.CoreUtils;
 import com.azure.core.util.logging.ClientLogger;
 import com.azure.resourcemanager.containerservice.ContainerServiceManager;
 import com.azure.resourcemanager.containerservice.fluent.models.ManagedClusterInner;
@@ -19,6 +20,7 @@
 import com.azure.resourcemanager.containerservice.models.Format;
 import com.azure.resourcemanager.containerservice.models.KubernetesCluster;
 import com.azure.resourcemanager.containerservice.models.KubernetesClusterAgentPool;
+import com.azure.resourcemanager.containerservice.models.ManagedClusterAadProfile;
 import com.azure.resourcemanager.containerservice.models.ManagedClusterAddonProfile;
 import com.azure.resourcemanager.containerservice.models.ManagedClusterAgentPoolProfile;
 import com.azure.resourcemanager.containerservice.models.ManagedClusterApiServerAccessProfile;
@@ -34,6 +36,7 @@
 import com.azure.resourcemanager.resources.fluentcore.arm.models.PrivateLinkResource;
 import com.azure.resourcemanager.resources.fluentcore.arm.models.implementation.GroupableResourceImpl;
 import com.azure.resourcemanager.resources.fluentcore.utils.PagedConverter;
+import com.azure.resourcemanager.resources.fluentcore.utils.ResourceManagerUtils;
 import reactor.core.publisher.Mono;
 
 import java.util.ArrayList;
@@ -238,6 +241,27 @@ public String systemAssignedManagedServiceIdentityPrincipalId() {
         return objectId;
     }
 
+    @Override
+    public List<String> azureActiveDirectoryGroupIds() {
+        if (innerModel().aadProfile() == null
+            || CoreUtils.isNullOrEmpty(innerModel().aadProfile().adminGroupObjectIDs())) {
+            return Collections.emptyList();
+        } else {
+            return Collections.unmodifiableList(innerModel().aadProfile().adminGroupObjectIDs());
+        }
+    }
+
+    @Override
+    public boolean isLocalAccountsEnabled() {
+        return !ResourceManagerUtils.toPrimitiveBoolean(innerModel().disableLocalAccounts());
+    }
+
+    @Override
+    public boolean isAzureRbacEnabled() {
+        return innerModel().aadProfile() != null
+            && ResourceManagerUtils.toPrimitiveBoolean(innerModel().aadProfile().enableAzureRbac());
+    }
+
     @Override
     public void start() {
         this.startAsync().block();
@@ -479,6 +503,49 @@ public PagedFlux<PrivateEndpointConnection> listPrivateEndpointConnectionsAsync(
         return PagedConverter.convertListToPagedFlux(retList);
     }
 
+    @Override
+    public KubernetesClusterImpl withAzureActiveDirectoryGroup(String activeDirectoryGroupObjectId) {
+        this.withRBACEnabled();
+
+        if (innerModel().aadProfile() == null) {
+            innerModel().withAadProfile(new ManagedClusterAadProfile().withManaged(true));
+        }
+        if (innerModel().aadProfile().adminGroupObjectIDs() == null) {
+            innerModel().aadProfile().withAdminGroupObjectIDs(new ArrayList<>());
+        }
+        innerModel().aadProfile().adminGroupObjectIDs().add(activeDirectoryGroupObjectId);
+        return this;
+    }
+
+    @Override
+    public KubernetesClusterImpl enableAzureRbac() {
+        this.withRBACEnabled();
+
+        if (innerModel().aadProfile() == null) {
+            innerModel().withAadProfile(new ManagedClusterAadProfile().withManaged(true));
+        }
+        innerModel().aadProfile().withEnableAzureRbac(true);
+        return this;
+    }
+
+    @Override
+    public KubernetesClusterImpl enableLocalAccounts() {
+        innerModel().withDisableLocalAccounts(false);
+        return this;
+    }
+
+    @Override
+    public KubernetesClusterImpl disableLocalAccounts() {
+        innerModel().withDisableLocalAccounts(true);
+        return this;
+    }
+
+    @Override
+    public KubernetesCluster.DefinitionStages.WithCreate disableKubernetesRbac() {
+        this.innerModel().withEnableRbac(false);
+        return this;
+    }
+
     private static final class PrivateLinkResourceImpl implements PrivateLinkResource {
         private final PrivateLinkResourceInner innerModel;