Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aks: add enableCustomCATrust in v20220402-preview api-version #18830

Merged
merged 3 commits into from
May 3, 2022
Merged

aks: add enableCustomCATrust in v20220402-preview api-version #18830

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6fde8db
aks: add enableCustomCATrust in v20220402-preview api-version
Apr 26, 2022
46ed98d
aks: add description of CustomCATrust
Apr 27, 2022
e76ef77
aks: fix typo, add DaemonSet to custom words list
Apr 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions custom-words.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -484,6 +484,7 @@ CVEs
CVSS
Cyrl
dacl
DaemonSet
dailyforecast
dailyhistorical
dapr
Expand Down
54 changes: 54 additions & 0 deletions ...inerService/preview/2022-04-02-preview/examples/AgentPoolsCreate_EnableCustomCATrust.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
{
"parameters": {
"api-version": "2022-04-02-preview",
"subscriptionId": "subid1",
"resourceGroupName": "rg1",
"resourceName": "clustername1",
"agentPoolName": "agentpool1",
"parameters": {
"properties": {
"orchestratorVersion": "",
"count": 3,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"enableCustomCATrust": true
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/agentPools/agentpool1",
"type": "Microsoft.ContainerService/managedClusters/agentPools",
"name": "agentpool1",
"properties": {
"provisioningState": "Succeeded",
"orchestratorVersion": "1.19.6",
"currentOrchestratorVersion": "1.19.6",
"count": 3,
"vmSize": "Standard_DS2_v2",
"maxPods": 110,
"osType": "Linux",
"enableCustomCATrust": true
}
}
},
"201": {
"body": {
"id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1/agentPools/agentpool1",
"type": "Microsoft.ContainerService/managedClusters/agentPools",
"name": "agentpool1",
"properties": {
"provisioningState": "Creating",
"orchestratorVersion": "1.19.6",
"currentOrchestratorVersion": "1.19.6",
"count": 3,
"vmSize": "Standard_DS2_v2",
"maxPods": 110,
"osType": "Linux",
"enableCustomCATrust": true
}
}
}
}
}
256 changes: 256 additions & 0 deletions ...ervice/preview/2022-04-02-preview/examples/ManagedClustersCreate_EnableCustomCATrust.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,256 @@
{
"parameters": {
"api-version": "2022-04-02-preview",
"subscriptionId": "subid1",
"resourceGroupName": "rg1",
"resourceName": "clustername1",
"parameters": {
"location": "location1",
"tags": {
"tier": "production",
"archv2": ""
},
"sku": {
"name": "Basic",
"tier": "Free"
},
"properties": {
"kubernetesVersion": "",
"dnsPrefix": "dnsprefix1",
"agentPoolProfiles": [
{
"name": "nodepool1",
"count": 3,
"vmSize": "Standard_DS2_v2",
"osType": "Linux",
"type": "VirtualMachineScaleSets",
"enableNodePublicIP": true,
"mode": "System",
"enableCustomCATrust": true
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "keydata"
}
]
}
},
"networkProfile": {
"loadBalancerSku": "standard",
"outboundType": "loadBalancer",
"loadBalancerProfile": {
"managedOutboundIPs": {
"count": 2
}
}
},
"autoScalerProfile": {
"scan-interval": "20s",
"scale-down-delay-after-add": "15m"
},
"windowsProfile": {
"adminUsername": "azureuser",
"adminPassword": "replacePassword1234$"
},
"servicePrincipalProfile": {
"clientId": "clientid",
"secret": "secret"
},
"addonProfiles": {},
"enableRBAC": true,
"diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
"enablePodSecurityPolicy": true
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1",
"location": "location1",
"name": "clustername1",
"tags": {
"archv2": "",
"tier": "production"
},
"type": "Microsoft.ContainerService/ManagedClusters",
"properties": {
"provisioningState": "Succeeded",
"maxAgentPools": 1,
"kubernetesVersion": "1.9.6",
"dnsPrefix": "dnsprefix1",
"agentPoolProfiles": [
{
"name": "nodepool1",
"count": 3,
"vmSize": "Standard_DS2_v2",
"maxPods": 110,
"osType": "Linux",
"provisioningState": "Succeeded",
"orchestratorVersion": "1.9.6",
"currentOrchestratorVersion": "1.9.6",
"type": "VirtualMachineScaleSets",
"enableNodePublicIP": true,
"mode": "System",
"nodeImageVersion": "AKSUbuntu:1604:2020.03.11",
"enableCustomCATrust": true
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "keydata"
}
]
}
},
"windowsProfile": {
"adminUsername": "azureuser"
},
"servicePrincipalProfile": {
"clientId": "clientid"
},
"nodeResourceGroup": "MC_rg1_clustername1_location1",
"enableRBAC": true,
"diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
"enablePodSecurityPolicy": true,
"fqdn": "dnsprefix1-abcd1234.hcp.eastus.azmk8s.io",
"networkProfile": {
"loadBalancerSku": "basic",
"networkPlugin": "kubenet",
"podCidr": "10.244.0.0/16",
"serviceCidr": "10.0.0.0/16",
"dnsServiceIP": "10.0.0.10",
"dockerBridgeCidr": "172.17.0.1/16",
"outboundType": "loadBalancer",
"podCidrs": [
"10.244.0.0/16"
],
"serviceCidrs": [
"10.0.0.0/16"
],
"ipFamilies": [
"IPv4"
],
"loadBalancerProfile": {
"allocatedOutboundPorts": 2000,
"idleTimeoutInMinutes": 10,
"managedOutboundIPs": {
"count": 2
},
"effectiveOutboundIPs": [
{
"id": "/subscriptions/subid1/resourceGroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip1"
},
{
"id": "/subscriptions/subid1/resourceGroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip2"
}
]
}
},
"autoScalerProfile": {
"scan-interval": "20s",
"scale-down-delay-after-add": "15m"
}
}
}
},
"201": {
"body": {
"id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1",
"location": "location1",
"name": "clustername1",
"tags": {
"archv2": "",
"tier": "production"
},
"type": "Microsoft.ContainerService/ManagedClusters",
"properties": {
"provisioningState": "Creating",
"maxAgentPools": 1,
"kubernetesVersion": "1.9.6",
"dnsPrefix": "dnsprefix1",
"agentPoolProfiles": [
{
"name": "nodepool1",
"count": 3,
"vmSize": "Standard_DS2_v2",
"maxPods": 110,
"osType": "Linux",
"provisioningState": "Creating",
"orchestratorVersion": "1.9.6",
"currentOrchestratorVersion": "1.9.6",
"type": "VirtualMachineScaleSets",
"enableNodePublicIP": true,
"mode": "System",
"enableCustomCATrust": true
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "keydata"
}
]
}
},
"windowsProfile": {
"adminUsername": "azureuser"
},
"servicePrincipalProfile": {
"clientId": "clientid"
},
"nodeResourceGroup": "MC_rg1_clustername1_location1",
"enableRBAC": true,
"diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
"enablePodSecurityPolicy": true,
"networkProfile": {
"networkPlugin": "kubenet",
"podCidr": "10.244.0.0/16",
"serviceCidr": "10.0.0.0/16",
"dnsServiceIP": "10.0.0.10",
"dockerBridgeCidr": "172.17.0.1/16",
"loadBalancerSku": "standard",
"outboundType": "loadBalancer",
"podCidrs": [
"10.244.0.0/16"
],
"serviceCidrs": [
"10.0.0.0/16"
],
"ipFamilies": [
"IPv4"
],
"loadBalancerProfile": {
"allocatedOutboundPorts": 2000,
"idleTimeoutInMinutes": 10,
"managedOutboundIPs": {
"count": 2
},
"effectiveOutboundIPs": [
{
"id": "/subscriptions/subid1/resourceGroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip1"
},
{
"id": "/subscriptions/subid1/resourceGroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip2"
}
]
}
},
"autoScalerProfile": {
"scan-interval": "20s",
"scale-down-delay-after-add": "15m"
}
}
}
}
}
}
11 changes: 11 additions & 0 deletions ...source-manager/Microsoft.ContainerService/preview/2022-04-02-preview/managedClusters.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -593,6 +593,9 @@
},
"Create Managed Cluster with Dedicated Host Group": {
"$ref": "./examples/ManagedClustersCreate_DedicatedHostGroup.json"
},
"Create Managed Cluster with CustomCATrust enabled": {
"$ref": "./examples/ManagedClustersCreate_EnableCustomCATrust.json"
}
}
},
Expand Down Expand Up @@ -1097,6 +1100,9 @@
},
"Create Agent Pool with Dedicated Host Group": {
"$ref": "./examples/AgentPoolsCreate_DedicatedHostGroup.json"
},
"Create Agent Pool with CustomCATrust enabled": {
"$ref": "./examples/AgentPoolsCreate_EnableCustomCATrust.json"
}
}
},
Expand Down Expand Up @@ -3278,6 +3284,11 @@
"title": "Whether each node is allocated its own public IP.",
"description": "Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see [assigning a public IP per node](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false."
},
"enableCustomCATrust": {
"type": "boolean",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this reviewed in an API review meeting? I have some questions like:

  • Should this really be an enum? Could there possibly be multiple "modes" to this in the future?
  • Should we be expanding CA in the name here? Generally speaking I don't love abbreviations in the API, but they're ok in cases things are very well understood terms (VM, ID, DNS, etc). CA might meet the bar there but I am not sure that it was discussed.
  • Should this go into some sort of Profile? A SecurityProfile or somesuch on AP, rather than just just jamming everything into the top level?

These sorts of things would hopefully have been covered in an official API review internally but I'm not sure we had one where this was explicitly discussed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(from offline discussion)

the bool would be enabled/disabled, so bool should be fine.

as far as profiles -- maybe something for future discussion? we didn't see a reason to break with the pattern, e.g. this isn't related to some set of features, but I don't love that we perpetually add One More Knob to AP either.

"title": "Whether to enable Custom CA Trust feature.",
"description": "When set to true, AKS deploys a daemonset and host services to sync custom certificate authorities from a user-provided config map into node trust stores. Defaults to false."
},
"nodePublicIPPrefixID": {
"type": "string",
"title": "The public IP prefix ID which VM nodes should use IPs from.",
Expand Down