add guidance on using user managed identity with aks cluster

Author: nawazkh

scripts/aks-as-mgmt.sh

@@ -74,7 +74,6 @@ main() {
   echo "AKS_MGMT_DNS_SERVICE_IP:                  $AKS_MGMT_DNS_SERVICE_IP"
   echo "AKS_MGMT_SUBNET_NAME:                     $AKS_MGMT_SUBNET_NAME"
   echo "AKS_MGMT_SUBNET_CIDR:                     $AKS_MGMT_SUBNET_CIDR"
-  echo
   echo "AZURE_SUBSCRIPTION_ID:                    $AZURE_SUBSCRIPTION_ID"
   echo "AZURE_CLIENT_ID:                          $AZURE_CLIENT_ID"
   echo "AZURE_TENANT_ID:                          $AZURE_TENANT_ID"
@@ -86,7 +85,6 @@ main() {
   echo "MANAGED_IDENTITY_RG:                      $MANAGED_IDENTITY_RG"
   echo "ASO_CREDENTIAL_SECRET_MODE:               $ASO_CREDENTIAL_SECRET_MODE"
   echo "SKIP_AKS_CREATE:                          $SKIP_AKS_CREATE"
-  echo "IS_DEV_BOX:                               $IS_DEV_BOX"
   echo "AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY:   $AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY"
   echo "AZURE_OBJECT_ID_USER_ASSIGNED_IDENTITY:   $AZURE_OBJECT_ID_USER_ASSIGNED_IDENTITY"
   echo "AZURE_USER_ASSIGNED_IDENTITY_RESOURCE_ID: $AZURE_USER_ASSIGNED_IDENTITY_RESOURCE_ID"
@@ -135,6 +133,7 @@ create_aks_cluster() {
     --node-vm-size "${AKS_NODE_VM_SIZE}" \
     --node-resource-group "${AKS_NODE_RESOURCE_GROUP}" \
     --vm-set-type VirtualMachineScaleSets \
+    --enable-managed-identity \
     --generate-ssh-keys \
     --network-plugin azure \
     --vnet-subnet-id "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AKS_RESOURCE_GROUP}/providers/Microsoft.Network/virtualNetworks/${AKS_MGMT_VNET_NAME}/subnets/${AKS_MGMT_SUBNET_NAME}" \
@@ -159,8 +158,10 @@ create_aks_cluster() {
   az aks get-credentials --name "${MGMT_CLUSTER_NAME}" --resource-group "${AKS_RESOURCE_GROUP}" \
   --overwrite-existing --only-show-errors
 
-  if [[ "${IS_DEV_BOX}" == "true" ]]; then
-    echo "using the Managed Identity created by the user instead of the one created by AKS"
+  if [[ -n "${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY:-}" ]] && \
+     [[ -n "${AZURE_OBJECT_ID_USER_ASSIGNED_IDENTITY:-}" ]] && \
+     [[ -n "${AZURE_USER_ASSIGNED_IDENTITY_RESOURCE_ID:-}" ]]; then
+    echo "using user-provided Managed Identity"
     # echo "fetching Client ID for ${MGMT_CLUSTER_NAME}"
     AKS_MI_CLIENT_ID=${AZURE_CLIENT_ID_USER_ASSIGNED_IDENTITY}
     export AKS_MI_CLIENT_ID
@@ -184,6 +185,14 @@ create_aks_cluster() {
     USER_IDENTITY=$MANAGED_IDENTITY_NAME
     export USER_IDENTITY
 
+    echo "assigning user-assigned managed identity to the AKS cluster"
+    az aks update --resource-group "${AKS_RESOURCE_GROUP}" \
+    --name "${MGMT_CLUSTER_NAME}" \
+    --enable-managed-identity \
+    --assign-identity "${AKS_MI_RESOURCE_ID}" \
+    --assign-kubelet-identity "${AKS_MI_RESOURCE_ID}" \
+    --output none --only-show-errors --yes
+
   else
     # echo "fetching Client ID for ${MGMT_CLUSTER_NAME}"
     AKS_MI_CLIENT_ID=$(az aks show -n "${MGMT_CLUSTER_NAME}" -g "${AKS_RESOURCE_GROUP}" --output json \