
[AKS] configure AAD integration #2089

Closed
joshgav opened this issue Jun 20, 2018 · 6 comments
Comments

@joshgav
Contributor

joshgav commented Jun 20, 2018

@koalalorenzo in 2069#comment:

Since AKS went GA with new features, it would be nice to know if there is already the possibility to use the API to create a new AKS cluster with these new features (one of those is Azure Active Directory + RBAC).

Is this a possibility? Is there already an API to deploy a kubernetes cluster with Azure Active Directory enabled?

I believe you'll need to follow instructions here to create the principal, then use the properties of that principal to populate the ServicePrincipalProfile within the Properties struct of containerservice.CreateOrUpdate.

@neilpeterson is the author of that article - Neil, is it possible to programmatically create the service principal with the properties described in that article? Thanks!

@vladbarosan

A couple of things to add:

  • note that although AKS is GA this specific feature is in preview
  • a small correction to what @joshgav linked, you need to configure ManagedClusterProperties and use the enableRBAC flag.

@joshgav joshgav added the AKS label Jun 20, 2018
@neilpeterson
Member

I was able to hack together something using the Azure CLI, not sure it would be helpful or how it would translate to the go client.

Create the following file:

[
    {
      "resourceAccess": [
        {
          "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
          "type": "Role"
        },
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        },
        {
          "id": "06da0dbc-49e2-44d2-8312-53f166ab848a",
          "type": "Scope"
        }
      ],
      "resourceAppId": "00000003-0000-0000-c000-000000000000"
    },
    {
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ],
      "resourceAppId": "00000002-0000-0000-c000-000000000000"
    }
  ]

Run this script:

#!/bin/bash
# Expects serverManifest.json (the file above) in the current directory.
set -euo pipefail

SERVER_APP=AKSAADServer036
SERVER_SECRET=P@ssword12
CLIENT_APP=AKSAADClient036

# Create AKS AAD server app
SERVER_ID=$(az ad app create --display-name "$SERVER_APP" --identifier-uris "http://$SERVER_APP" --password "$SERVER_SECRET" --required-resource-accesses serverManifest.json --query appId -o tsv)
az ad app update --id "$SERVER_ID" --set groupMembershipClaims="All"
# Create the service principal for the server app (the app registration alone is not usable as a principal)
az ad sp create --id "$SERVER_ID"

# Create AKS AAD client app; its manifest delegates to the server app just created
CLIENT_PERMS=$(cat <<EOF
[{"resourceAccess": [{"id": "318f4279-a6d6-497a-8c69-a793bda0d54f","type": "Scope"}],"resourceAppId": "$SERVER_ID"}]
EOF
)
CLIENT_ID=$(az ad app create --display-name "$CLIENT_APP" --native-app --required-resource-accesses "$CLIENT_PERMS" --query appId -o tsv)

# Get tenant ID
TENANT_ID=$(az account list --query '[0].[tenantId]' -o tsv)

# These four values are what the AAD profile of the cluster needs
echo "Server application ID: $SERVER_ID"
echo "Client application ID: $CLIENT_ID"
echo "Server application secret: $SERVER_SECRET"
echo "Tenant ID: $TENANT_ID"

@amanohar may know more.
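Putting the two halves of this thread together, here is an added Go example; it is not code from the azure-sdk-for-go project or from any commenter. It parses the requiredResourceAccess manifest format the script feeds to `az ad app create`, checks that the client app's manifest really points at the server app ID (the heredoc substitution above), and then builds the `properties.enableRBAC` / `properties.aadProfile` body that @vladbarosan's correction refers to, with a redacted rendering for logs. The structs are hand-written: the JSON names are assumed to follow the 2018-03-31 ManagedCluster REST shape, and the SDK's own ManagedClusterProperties and ManagedClusterAADProfile types are deliberately not imported so it runs offline. The sample app IDs, secret and client manifest are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Manifest types: the requiredResourceAccess format given to
// `az ad app create --required-resource-accesses` in the script above.
type ResourceAccess struct {
	ID   string `json:"id"`
	Type string `json:"type"` // "Role" = application permission, "Scope" = delegated
}

type RequiredResourceAccess struct {
	ResourceAccess []ResourceAccess `json:"resourceAccess"`
	ResourceAppID  string           `json:"resourceAppId"`
}

// AADProfile mirrors properties.aadProfile of the ManagedCluster body.
// ASSUMPTION: JSON names follow the 2018-03-31 containerservice REST API;
// the SDK's own ManagedClusterAADProfile type is deliberately not imported.
type AADProfile struct {
	ClientAppID     string `json:"clientAppID"`
	ServerAppID     string `json:"serverAppID"`
	ServerAppSecret string `json:"serverAppSecret,omitempty"`
	TenantID        string `json:"tenantID"`
}

// ManagedClusterProperties carries the enableRBAC flag the thread points at.
type ManagedClusterProperties struct {
	EnableRBAC bool        `json:"enableRBAC"`
	AadProfile *AADProfile `json:"aadProfile,omitempty"`
}

// Constructed sample values (not real IDs): the CLIENT_PERMS heredoc after $SERVER_ID is substituted.
const ServerAppID = "11111111-1111-1111-1111-111111111111"
const ClientManifest = `[{"resourceAccess": [{"id": "318f4279-a6d6-497a-8c69-a793bda0d54f","type": "Scope"}],"resourceAppId": "11111111-1111-1111-1111-111111111111"}]`

// ParseManifest decodes a manifest and rejects permission types other than Role or Scope.
func ParseManifest(raw string) ([]RequiredResourceAccess, error) {
	var m []RequiredResourceAccess
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	for _, r := range m {
		for _, a := range r.ResourceAccess {
			if a.Type != "Role" && a.Type != "Scope" {
				return nil, fmt.Errorf("permission %s has unknown type %q", a.ID, a.Type)
			}
		}
	}
	return m, nil
}

// ClientReferencesServer reports whether the client manifest requests a delegated
// (Scope) permission on the server app, which is the link the heredoc is meant to create.
func ClientReferencesServer(client []RequiredResourceAccess, serverAppID string) bool {
	for _, r := range client {
		for _, a := range r.ResourceAccess {
			if r.ResourceAppID == serverAppID && a.Type == "Scope" {
				return true
			}
		}
	}
	return false
}

// NewAADCluster builds the properties with enableRBAC set; empty or identical IDs
// (an unset or swapped shell variable) fail here instead of at the API.
func NewAADCluster(clientAppID, serverAppID, serverSecret, tenantID string) (*ManagedClusterProperties, error) {
	fields := map[string]string{"clientAppID": clientAppID, "serverAppID": serverAppID,
		"serverAppSecret": serverSecret, "tenantID": tenantID}
	for name, v := range fields {
		if strings.TrimSpace(v) == "" {
			return nil, fmt.Errorf("aadProfile.%s is empty", name)
		}
	}
	if clientAppID == serverAppID {
		return nil, fmt.Errorf("client and server app IDs are identical; check variable order")
	}
	p := &AADProfile{ClientAppID: clientAppID, ServerAppID: serverAppID, ServerAppSecret: serverSecret, TenantID: tenantID}
	return &ManagedClusterProperties{EnableRBAC: true, AadProfile: p}, nil
}

// RedactedJSON renders the properties for logging with the server secret masked;
// mc must come from NewAADCluster, so AadProfile is never nil here.
func RedactedJSON(mc *ManagedClusterProperties) (string, error) {
	cp, p := *mc, *mc.AadProfile
	p.ServerAppSecret = "[REDACTED]"
	cp.AadProfile = &p
	b, err := json.Marshal(cp)
	return string(b), err
}

func main() {
	m, _ := ParseManifest(ClientManifest)
	mc, err := NewAADCluster("22222222-2222-2222-2222-222222222222", ServerAppID, "secret-from-script", "tenant-id")
	if err != nil {
		panic(err)
	}
	out, _ := RedactedJSON(mc)
	fmt.Println(ClientReferencesServer(m, ServerAppID), out)
}
```

The same validation belongs in front of the real `containerservice.CreateOrUpdate` call: feed the four values the script prints into the SDK's AAD profile type, refuse the call when any is empty or the two IDs coincide, and log only the redacted form, since the server app secret is a credential for the cluster's token validation.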

@joshgav
Contributor Author

joshgav commented Jun 21, 2018

Thank you @neilpeterson! We'll try to turn that into Go code and add it to the samples repo in Azure-Samples/azure-sdk-for-go-samples#197.

@joshgav
Contributor Author

joshgav commented Jun 23, 2018

@vladbarosan

Closing this; we are tracking the issue in the Samples repo Azure-Samples/azure-sdk-for-go-samples#197.

@lukasmrtvy

@neilpeterson: You have to also do az ad sp create --id $SERVER_ID to assign SP to App

@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023