[AKS] aks enable-addons: Add new parameter --enable-msi-auth-for-monitoring to support enabling managed identity auth (Azure#21661)

* add cluster spn with metric publisher role to aks cluster resource

* refactor the code

* fix default workspace issue in china cloud

* add metrics publisher role assignment only in public cloud

* fix pr feedback

* fix build error

* fix lint error

* update region mapping

* order regions in sortorder

* fix trailing whitespaces

* fix default log analytics region mapping

* fix map index error if key not found

* fix lint errors

* fix uninitialized error

* update to new API version for ARO

* use latest api version for ARO

* revert to workspace_resource_id in os management profile

* fix test case

* fixed test failure

* added recording file

* dont containerinsights solution

* remove tests

* remove unused imports

* remove tests

* revert import change

* revert change

* monitoring addon msi updates

* monitoring addon msi updates

* monitoring addon msi updates

* monitoring addon msi updates

* monitoring addon msi updates

* monitoring addon msi updates

* monitoring addon msi updates

* health updates

* update ws region mapping for canary regions

* remove Microsoft-KubeHealth stream from ci dcr

* bug fix

Author: ganga1980

linter_exclusions.yml

@@ -291,6 +291,9 @@ aks create:
     workspace_resource_id:
       rule_exclusions:
       - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
     node_osdisk_diskencryptionset_id:
       rule_exclusions:
       - option_length_too_long
@@ -305,6 +308,9 @@ aks enable-addons:
     workspace_resource_id:
       rule_exclusions:
       - option_length_too_long
+    enable_msi_auth_for_monitoring:
+      rule_exclusions:
+      - option_length_too_long
 aks install-cli:
   parameters:
     kubelogin_install_location:

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -60,6 +60,7 @@
 # monitoring
 CONST_MONITORING_ADDON_NAME = "omsagent"
 CONST_MONITORING_LOG_ANALYTICS_WORKSPACE_RESOURCE_ID = "logAnalyticsWorkspaceResourceID"
+CONST_MONITORING_USING_AAD_MSI_AUTH = "useAADAuth"
 
 # virtual node
 CONST_VIRTUAL_NODE_ADDON_NAME = "aciConnector"

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -339,6 +339,7 @@
             - http_application_routing : configure ingress with automatic public DNS name creation.
             - monitoring               : turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one.
                                          Specify "--workspace-resource-id" to use an existing workspace.
+                                         Specify "--enable-msi-auth-for-monitoring" to use Managed Identity Auth.
                                          If monitoring addon is enabled --no-wait argument will have no effect
             - azure-policy             : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
                                          Learn more at aka.ms/aks/policy.
@@ -396,6 +397,9 @@
   - name: --workspace-resource-id
     type: string
     short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.
+  - name: --enable-msi-auth-for-monitoring
+    type: bool
+    short-summary: Enable Managed Identity Auth for Monitoring addon.
   - name: --uptime-sla
     type: bool
     short-summary: Enable a paid managed cluster service with a financially backed SLA.
@@ -778,6 +782,7 @@
     These addons are available:
         - http_application_routing : configure ingress with automatic public DNS name creation.
         - monitoring               : turn on Log Analytics monitoring. Requires "--workspace-resource-id".
+                                     Requires "--enable_msi_auth_for_monitoring" for managed identity auth.
                                      If monitoring addon is enabled --no-wait argument will have no effect
         - virtual-node             : enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
         - azure-policy             : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
@@ -792,6 +797,9 @@
   - name: --workspace-resource-id
     type: string
     short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
+  - name: --enable-msi-auth-for-monitoring
+    type: bool
+    short-summary: Enable Managed Identity Auth for Monitoring addon.
   - name: --appgw-name
     type: string
     short-summary: Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -10,7 +10,7 @@
 
 from argcomplete.completers import FilesCompleter
 from azure.cli.core.commands.parameters import (
-    file_type, get_enum_type, get_resource_name_completion_list, name_type, tags_type, zones_type, edge_zone_type)
+    file_type, get_enum_type, get_resource_name_completion_list, get_three_state_flag, name_type, tags_type, zones_type, edge_zone_type)
 from azure.cli.core.commands.validators import validate_file_or_dict
 from azure.cli.core.profiles import ResourceType
 from knack.arguments import CLIArgumentType
@@ -260,6 +260,7 @@ def load_arguments(self, _):
         c.argument('vnet_subnet_id', type=str,
                    validator=validate_vnet_subnet_id)
         c.argument('workspace_resource_id')
+        c.argument('enable_msi_auth_for_monitoring', arg_type=get_three_state_flag(), is_preview=True)
         c.argument('skip_subnet_role_assignment', action='store_true')
         c.argument('api_server_authorized_ip_ranges',
                    type=str, validator=validate_ip_ranges)

src/azure-cli/azure/cli/command_modules/acs/addonconfiguration.py

@@ -6,6 +6,7 @@
 
 from azure.cli.core.azclierror import (
     AzCLIError,
+    CLIError,
     ClientRequestError,
 )
 from azure.cli.core.commands import LongRunningOperation
@@ -118,6 +119,7 @@ def ensure_default_log_analytics_workspace_for_monitoring(
         "germanynorth": "germanywestcentral",
         "uaecentral": "uaecentral",
         "eastus2euap": "eastus2euap",
+        "centraluseuap": "eastus2euap",
         "brazilsoutheast": "brazilsoutheast",
     }
 
@@ -238,7 +240,30 @@ def sanitize_loganalytics_ws_resource_id(workspace_resource_id):
     return workspace_resource_id
 
 
-# pylint: disable=too-many-locals,too-many-branches,too-many-statements
+def is_container_insights_extension_dcr_exists(cmd, dcr_url, workspace_resource_id):
+    containerinsights_extension_dcr_exists = False
+    _MAX_RETRY_TIMES = 3
+    for retry_count in range(0, _MAX_RETRY_TIMES):
+        try:
+            resp = send_raw_request(
+                cmd.cli_ctx, "GET", dcr_url
+            )
+            json_response = json.loads(resp.text)
+            destinations = json_response["properties"]["destinations"]
+            if not destinations and not destinations["logAnalytics"] and len(destinations["logAnalytics"]) > 0:
+                destinationLogAnalyticsResourceId = destinations["logAnalytics"][0]
+                if destinationLogAnalyticsResourceId.tolower() == workspace_resource_id.tolower():
+                    containerinsights_extension_dcr_exists = True
+            break
+        except CLIError as e:
+            if "ResourceNotFound" in str(e):
+                break
+            if retry_count >= (_MAX_RETRY_TIMES - 1):
+                raise e
+    return containerinsights_extension_dcr_exists
+
+
+# pylint: disable=too-many-locals,too-many-branches,too-many-statements,line-too-long
 def ensure_container_insights_for_monitoring(
     cmd,
     addon,
@@ -286,7 +311,6 @@ def ensure_container_insights_for_monitoring(
     try:
         subscription_id = workspace_resource_id.split("/")[2]
         resource_group = workspace_resource_id.split("/")[4]
-        workspace_name = workspace_resource_id.split("/")[8]
     except IndexError:
         raise AzCLIError(
             "Could not locate resource group in workspace-resource-id URL."
@@ -308,7 +332,7 @@ def ensure_container_insights_for_monitoring(
             f"/subscriptions/{cluster_subscription}/resourceGroups/{cluster_resource_group_name}/"
             f"providers/Microsoft.ContainerService/managedClusters/{cluster_name}"
         )
-        dataCollectionRuleName = f"MSCI-{workspace_name}"
+        dataCollectionRuleName = f"MSCI-{cluster_name}-{cluster_region}"
         dcr_resource_id = (
             f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/"
             f"providers/Microsoft.Insights/dataCollectionRules/{dataCollectionRuleName}"
@@ -320,12 +344,9 @@ def ensure_container_insights_for_monitoring(
             # retry the request up to two times
             for _ in range(3):
                 try:
-                    location_list_url = (
-                        f"https://management.azure.com/subscriptions/{subscription_id}/"
-                        "locations?api-version=2019-11-01"
-                    )
+                    location_list_url = cmd.cli_ctx.cloud.endpoints.resource_manager + \
+                        f"/subscriptions/{subscription_id}/locations?api-version=2019-11-01"
                     r = send_raw_request(cmd.cli_ctx, "GET", location_list_url)
-
                     # this is required to fool the static analyzer. The else statement will only run if an exception
                     # is thrown, but flake8 will complain that e is undefined if we don't also define it here.
                     error = None
@@ -344,10 +365,8 @@ def ensure_container_insights_for_monitoring(
             # check if region supports DCRs and DCR-A
             for _ in range(3):
                 try:
-                    feature_check_url = (
-                        f"https://management.azure.com/subscriptions/{subscription_id}/"
-                        "providers/Microsoft.Insights?api-version=2020-10-01"
-                    )
+                    feature_check_url = cmd.cli_ctx.cloud.endpoints.resource_manager + \
+                        f"/subscriptions/{subscription_id}/providers/Microsoft.Insights?api-version=2020-10-01"
                     r = send_raw_request(cmd.cli_ctx, "GET", feature_check_url)
                     error = None
                     break
@@ -374,78 +393,77 @@ def ensure_container_insights_for_monitoring(
                     raise ClientRequestError(
                         f"Data Collection Rule Associations are not supported for cluster region {location}"
                     )
-
-            # create the DCR
-            dcr_creation_body = json.dumps(
-                {
-                    "location": location,
-                    "properties": {
-                        "dataSources": {
-                            "extensions": [
+            dcr_url = cmd.cli_ctx.cloud.endpoints.resource_manager + f"{dcr_resource_id}?api-version=2019-11-01-preview"
+            # Create DCR if doesnt exists already with same destination
+            if not is_container_insights_extension_dcr_exists(cmd, dcr_url, workspace_resource_id):
+                # create the DCR
+                dcr_creation_body = json.dumps(
+                    {
+                        "location": location,
+                        "properties": {
+                            "dataSources": {
+                                "extensions": [
+                                    {
+                                        "name": "ContainerInsightsExtension",
+                                        "streams": [
+                                            "Microsoft-Perf",
+                                            "Microsoft-ContainerInventory",
+                                            "Microsoft-ContainerLog",
+                                            "Microsoft-ContainerLogV2",
+                                            "Microsoft-ContainerNodeInventory",
+                                            "Microsoft-KubeEvents",
+                                            "Microsoft-KubeMonAgentEvents",
+                                            "Microsoft-KubeNodeInventory",
+                                            "Microsoft-KubePodInventory",
+                                            "Microsoft-KubePVInventory",
+                                            "Microsoft-KubeServices",
+                                            "Microsoft-InsightsMetrics",
+                                        ],
+                                        "extensionName": "ContainerInsights",
+                                    }
+                                ]
+                            },
+                            "dataFlows": [
                                 {
-                                    "name": "ContainerInsightsExtension",
                                     "streams": [
                                         "Microsoft-Perf",
                                         "Microsoft-ContainerInventory",
                                         "Microsoft-ContainerLog",
                                         "Microsoft-ContainerLogV2",
                                         "Microsoft-ContainerNodeInventory",
                                         "Microsoft-KubeEvents",
-                                        "Microsoft-KubeHealth",
                                         "Microsoft-KubeMonAgentEvents",
                                         "Microsoft-KubeNodeInventory",
                                         "Microsoft-KubePodInventory",
                                         "Microsoft-KubePVInventory",
                                         "Microsoft-KubeServices",
                                         "Microsoft-InsightsMetrics",
                                     ],
-                                    "extensionName": "ContainerInsights",
+                                    "destinations": ["la-workspace"],
                                 }
-                            ]
+                            ],
+                            "destinations": {
+                                "logAnalytics": [
+                                    {
+                                        "workspaceResourceId": workspace_resource_id,
+                                        "name": "la-workspace",
+                                    }
+                                ]
+                            },
                         },
-                        "dataFlows": [
-                            {
-                                "streams": [
-                                    "Microsoft-Perf",
-                                    "Microsoft-ContainerInventory",
-                                    "Microsoft-ContainerLog",
-                                    "Microsoft-ContainerLogV2",
-                                    "Microsoft-ContainerNodeInventory",
-                                    "Microsoft-KubeEvents",
-                                    "Microsoft-KubeHealth",
-                                    "Microsoft-KubeMonAgentEvents",
-                                    "Microsoft-KubeNodeInventory",
-                                    "Microsoft-KubePodInventory",
-                                    "Microsoft-KubePVInventory",
-                                    "Microsoft-KubeServices",
-                                    "Microsoft-InsightsMetrics",
-                                ],
-                                "destinations": ["la-workspace"],
-                            }
-                        ],
-                        "destinations": {
-                            "logAnalytics": [
-                                {
-                                    "workspaceResourceId": workspace_resource_id,
-                                    "name": "la-workspace",
-                                }
-                            ]
-                        },
-                    },
-                }
-            )
-            dcr_url = f"https://management.azure.com/{dcr_resource_id}?api-version=2019-11-01-preview"
-            for _ in range(3):
-                try:
-                    send_raw_request(
-                        cmd.cli_ctx, "PUT", dcr_url, body=dcr_creation_body
-                    )
-                    error = None
-                    break
-                except AzCLIError as e:
-                    error = e
-            else:
-                raise error
+                    }
+                )
+                for _ in range(3):
+                    try:
+                        send_raw_request(
+                            cmd.cli_ctx, "PUT", dcr_url, body=dcr_creation_body
+                        )
+                        error = None
+                        break
+                    except AzCLIError as e:
+                        error = e
+                else:
+                    raise error
 
         if create_dcra:
             # only create or delete the association between the DCR and cluster
@@ -458,10 +476,8 @@ def ensure_container_insights_for_monitoring(
                     },
                 }
             )
-            association_url = (
-                f"https://management.azure.com/{cluster_resource_id}/providers/Microsoft.Insights/"
-                f"dataCollectionRuleAssociations/send-to-{workspace_name}?api-version=2019-11-01-preview"
-            )
+            association_url = cmd.cli_ctx.cloud.endpoints.resource_manager + \
+                f"{cluster_resource_id}/providers/Microsoft.Insights/dataCollectionRuleAssociations/ContainerInsightsExtension?api-version=2019-11-01-preview"
             for _ in range(3):
                 try:
                     send_raw_request(