Updated ARM and Bicep to include SSH keys

Author: dramasamy

articles/operator-nexus/howto-kubernetes-cluster-manage-ssh-key.md

@@ -36,9 +36,9 @@ Refer the [Disconnected mode access](./howto-kubernetes-cluster-connect.md#disco
 
 Following are the variables you need to set, along with the [quickstart guide](./quickstarts-kubernetes-cluster-deployment-cli.md#create-an-azure-nexus-kubernetes-cluster) default values you can use for certain variables.
 
-`SSH_PUBLIC_KEY` -  For the cluster wide keys.
-`CONTROL_PLANE_SSH_PUBLIC_KEY` - For the control plane, you can provide public keys that are inserted into the control plane nodes.
-`INITIAL_AGENT_POOL_SSH_PUBLIC_KEY` - For each agent pool, you can provide public keys that are inserted into the nodes in that pool.
+* `SSH_PUBLIC_KEY` -  For the cluster wide keys. Note that using cluster wide key with agent pool and control plane keys doesn't have any effect as the control plane and agent pool keys are used instead of the cluster wide keys.
+* `CONTROL_PLANE_SSH_PUBLIC_KEY` - For the control plane, you can provide public keys that are inserted into the control plane nodes.
+* `INITIAL_AGENT_POOL_SSH_PUBLIC_KEY` - For each agent pool, you can provide public keys that are inserted into the nodes in that pool.
 
 ```azurecli
     az networkcloud kubernetescluster create \
@@ -109,7 +109,7 @@ To update the SSH keys, you can apply the same Bicep/ARM configuration used duri
 
 #### Update cluster wide SSH keys
 
-Use the following command to update the cluster wide SSH keys, which are used for all nodes in the cluster. All the nodes in the cluster will be updated with the new keys.
+Use the following command to update the cluster wide SSH keys, which are used for all nodes in the cluster. All the nodes in the cluster will be updated with the new keys if the clster was created with only cluster wide keys.
 
 ```azurecli
 az networkcloud kubernetescluster update --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" --subscription "$SUBSCRIPTION_ID" --ssh-key-values "$CLUSER_WIDE_KEY"

articles/operator-nexus/includes/kubernetes-cluster/quickstart-arm-add-node-pool.json

@@ -21,26 +21,27 @@
           "description": "The custom location of the Nexus instance"
         }
       },
-      "tags": {
-        "type": "object",
-        "defaultValue": {},
-        "metadata": {
-          "description": "Tags to be associated with the resource"
-        }
-      },
       "adminUsername": {
         "type": "string",
         "defaultValue": "azureuser",
         "metadata": {
           "description": "The username for the administrative account on the cluster"
         }
       },
-      "sshPublicKey": {
-        "type": "string",
-        "defaultValue": "",
+      "agentPoolSshKeys": {
+        "type": "array",
         "metadata": {
-          "description": "The SSH public key that will be associated with the 'azureuser' user for secure remote login"
-        }
+          "description": "The agent pool SSH public key that will be associated with the given user for secure remote login"
+        },
+        "defaultValue": []
+        /*
+          {
+            "keyData": "ssh-rsa AAAAA...."
+          },
+          {
+            "keyData": "ssh-rsa BBBBB...."
+          }
+        */
       },
       "agentPoolNodeCount": {
         "type": "int",
@@ -167,7 +168,10 @@
           "type": "CustomLocation"
         },
         "properties": {
-          "administratorConfiguration": {},
+          "administratorConfiguration": {
+            "adminUsername": "[parameters('adminUsername')]",
+            "sshPublicKeys": "[if(empty(parameters('agentPoolSshKeys')), json('null'), parameters('agentPoolSshKeys'))]"
+          },
           "count": "[parameters('agentPoolNodeCount')]",
           "mode": "[parameters('agentPoolMode')]",
           "vmSkuName": "[parameters('agentVmSku')]",

articles/operator-nexus/includes/kubernetes-cluster/quickstart-arm-deploy.json

@@ -235,11 +235,50 @@
           "hugepagesSize": "2M/1G"
         */
       },
-      "sshPublicKey": {
-        "type": "string",
+      "sshPublicKeys": {
+        "type": "array",
         "metadata": {
-          "description": "The SSH public key that will be associated with the 'azureuser' user for secure remote login"
-        }
+          "description": "The cluster wide SSH public key that will be associated with the given user for secure remote login"
+        },
+        "defaultValue": []
+        /*
+          {
+            "keyData": "ssh-rsa AAAAA...."
+          },
+          {
+            "keyData": "ssh-rsa BBBBB...."
+          }
+        */
+      },
+      "controlPlaneSshKeys": {
+        "type": "array",
+        "metadata": {
+          "description": "The control plane SSH public key that will be associated with the given user for secure remote login"
+        },
+        "defaultValue": []
+        /*
+          {
+            "keyData": "ssh-rsa AAAAA...."
+          },
+          {
+            "keyData": "ssh-rsa BBBBB...."
+          }
+        */
+      },
+      "agentPoolSshKeys": {
+        "type": "array",
+        "metadata": {
+          "description": "The agent pool SSH public key that will be associated with the given user for secure remote login"
+        },
+        "defaultValue": []
+        /*
+          {
+            "keyData": "ssh-rsa AAAAA...."
+          },
+          {
+            "keyData": "ssh-rsa BBBBB...."
+          }
+        */
       },
       "labels": {
         "type": "array",
@@ -290,16 +329,15 @@
           },
           "administratorConfiguration": {
             "adminUsername": "[parameters('adminUsername')]",
-            "sshPublicKeys": [
-              {
-                "keyData": "[parameters('sshPublicKey')]"
-              }
-            ]
+            "sshPublicKeys": "[if(empty(parameters('sshPublicKeys')), createArray(), parameters('sshPublicKeys'))]"
           },
           "initialAgentPoolConfigurations": [
             {
               "name": "[concat(parameters('kubernetesClusterName'), '-nodepool-1')]",
-              "administratorConfiguration": {},
+              "administratorConfiguration": {
+                "adminUsername": "[parameters('adminUsername')]",
+                "sshPublicKeys": "[if(empty(parameters('agentPoolSshKeys')), createArray(), parameters('agentPoolSshKeys'))]"
+              },
               "count": "[parameters('systemPoolNodeCount')]",
               "vmSkuName": "[parameters('workerVmSkuName')]",
               "mode": "System",
@@ -318,7 +356,10 @@
             }
           ],
           "controlPlaneNodeConfiguration": {
-            "administratorConfiguration": {},
+            "administratorConfiguration": {
+              "adminUsername": "[parameters('adminUsername')]",
+              "sshPublicKeys": "[if(empty(parameters('controlPlaneSshKeys')), createArray(), parameters('controlPlaneSshKeys'))]"
+            },
             "count": "[parameters('controlPlaneCount')]",
             "vmSkuName": "[parameters('controlPlaneVmSkuName')]",
             "availabilityZones": "[if(empty(parameters('controlPlaneZones')), json('null'), parameters('controlPlaneZones'))]"

articles/operator-nexus/includes/kubernetes-cluster/quickstart-bicep-add-node-pool.bicep

@@ -14,8 +14,14 @@ param tags object = {}
 @description('The username for the administrative account on the cluster')
 param adminUsername string = 'azureuser'
 
-@description('The SSH public key that will be associated with the "azureuser" user for secure remote login')
-param sshPublicKey string = ''
+@description('The agent pool SSH public key that will be associated with the given user for secure remote login')
+param agentPoolSshKeys array = []
+// {
+//   keyData: "ssh-rsa AAAAA...."
+// },
+// {
+//   keyData: "ssh-rsa AAAAA...."
+// }
 
 // Cluster Configuration Parameters
 @description('Number of nodes in the agent pool')
@@ -86,14 +92,10 @@ resource agentPools 'Microsoft.NetworkCloud/kubernetesClusters/agentPools@2023-0
     type: 'CustomLocation'
   }
   properties: {
-    administratorConfiguration: sshPublicKey != '' ? {
+    administratorConfiguration: {
       adminUsername: adminUsername
-      sshPublicKeys: [
-        {
-          keyData: sshPublicKey
-        }
-      ]
-    }: {}
+      sshPublicKeys: empty(agentPoolSshKeys) ? null : agentPoolSshKeys
+    }
     attachedNetworkConfiguration: {
       l2Networks: empty(l2Networks) ? null : l2Networks
       l3Networks: empty(l3Networks) ? null : l3Networks

articles/operator-nexus/includes/kubernetes-cluster/quickstart-bicep-deploy.bicep

@@ -122,8 +122,20 @@ param initialPoolAgentOptions object = {}
 //   "hugepagesSize": "2M/1G"
 // }
 
-@description('The SSH public key that will be associated with the "azureuser" user for secure remote login')
-param sshPublicKey string = ''
+@description('The cluster wide SSH public key that will be associated with the given user for secure remote login')
+param sshPublicKeys array = []
+
+@description('The control plane SSH public key that will be associated with the given user for secure remote login')
+param controlPlaneSshKeys array = []
+
+@description('The agent pool SSH public key that will be associated with the given user for secure remote login')
+param agentPoolSshKeys array = []
+// {
+//   keyData: "ssh-rsa AAAAA...."
+// },
+// {
+//   keyData: "ssh-rsa AAAAA...."
+// }
 
 @description('The labels to assign to the nodes in the cluster for identification and organization')
 param labels array = []
@@ -157,16 +169,15 @@ resource kubernetescluster 'Microsoft.NetworkCloud/kubernetesClusters@2023-07-01
     }
     administratorConfiguration: {
       adminUsername: adminUsername
-      sshPublicKeys: [
-        {
-          keyData: sshPublicKey
-        }
-      ]
+      sshPublicKeys: empty(sshPublicKeys) ? [] : sshPublicKeys
     }
     initialAgentPoolConfigurations: [
       {
         name: '${kubernetesClusterName}-nodepool-1'
-        administratorConfiguration: {}
+        administratorConfiguration: {
+          adminUsername: adminUsername
+          sshPublicKeys: empty(agentPoolSshKeys) ? [] : agentPoolSshKeys
+        }
         count: systemPoolNodeCount
         vmSkuName: workerVmSkuName
         mode: 'System'
@@ -185,7 +196,10 @@ resource kubernetescluster 'Microsoft.NetworkCloud/kubernetesClusters@2023-07-01
       }
     ]
     controlPlaneNodeConfiguration: {
-      administratorConfiguration: {}
+      administratorConfiguration: {
+        adminUsername: adminUsername
+        sshPublicKeys: empty(controlPlaneSshKeys) ? [] : controlPlaneSshKeys
+      }
       count: controlPlaneCount
       vmSkuName: controlPlaneVmSkuName
       availabilityZones: empty(controlPlaneZones) ? null : controlPlaneZones

articles/operator-nexus/includes/kubernetes-cluster/quickstart-deploy-params.json

@@ -22,8 +22,15 @@
     "location": {
       "value": "eastus"
     },
-    "sshPublicKey": {
-      "value": "ssh-rsa AAAAB...."
+    "sshPublicKeys": {
+      "value": [
+        {
+          "keyData": "ssh-rsa AAAAA...."
+        },
+        {
+          "keyData": "ssh-rsa BBBBB...."
+        }
+      ]
     }
   }
 }

articles/operator-nexus/quickstarts-kubernetes-cluster-deployment-cli.md

@@ -61,6 +61,8 @@ CLUSTER_NAME="myNexusK8sCluster"
 K8S_VERSION="v1.24.9"
 ADMIN_USERNAME="azureuser"
 SSH_PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)"
+CONTROL_PLANE_SSH_PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)"
+AGENT_POOL_SSH_PUBLIC_KEY="$(cat ~/.ssh/id_rsa.pub)"
 CONTROL_PLANE_COUNT="1"
 CONTROL_PLANE_VM_SIZE="NC_G6_28_v1"
 INITIAL_AGENT_POOL_NAME="${CLUSTER_NAME}-nodepool-1"
@@ -90,7 +92,8 @@ az networkcloud kubernetescluster create \
   --control-plane-node-configuration \
     count="${CONTROL_PLANE_COUNT}" \
     vm-sku-name="${CONTROL_PLANE_VM_SIZE}" \
-  --initial-agent-pool-configurations "[{count:${INITIAL_AGENT_POOL_COUNT},mode:System,name:${INITIAL_AGENT_POOL_NAME},vm-sku-name:${INITIAL_AGENT_POOL_VM_SIZE}}]" \
+    ssh-key-values='["${CONTROL_PLANE_SSH_PUBLIC_KEY}"]' \
+  --initial-agent-pool-configurations "[{count:${INITIAL_AGENT_POOL_COUNT},mode:System,name:${INITIAL_AGENT_POOL_NAME},vm-sku-name:${INITIAL_AGENT_POOL_VM_SIZE},,ssh-key-values:['${AGENT_POOL_SSH_PUBLIC_KEY}']}]" \
   --network-configuration \
     cloud-services-network-id="${CSN_ARM_ID}" \
     cni-network-id="${CNI_ARM_ID}" \