From 34cff93d62e41a837cda4657c4cb31c6a596c21a Mon Sep 17 00:00:00 2001 
From: Chetan Vaja Date: Thu, 14 Nov 2024 16:12:35 +0530 Subject: [PATCH] fix: Adding support for Cilium Network Policy (#3402) # Supporting Cilium network policy in AKS cilium data plane requires cilium network policy. when specifying azure policy for cilium we get an error - CiliumDataplaneRequiresNetworkPolicyCilium Configuration networkPolicy: 'azure' networkPlugin: 'azure' networkDataplane: 'cilium' Detailed Error ```json { "message": { "code": "BadRequest", "details": null, "message": "Cilium dataplane requires network policy cilium.", "subcode": "CiliumDataplaneRequiresNetworkPolicyCilium", "target": "networkProfile.networkPolicy" } } ``` | Pipeline | | -------- | | [![avm.res.container-service.managed-cluster](https://github.com/cv-gh/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg)](https://github.com/cv-gh/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ x] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [ x] I'm sure there are no other open Pull Requests for the same update/change - [ x] I have run `Set-AVMModule` locally to generate the supporting module files. 
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings --------- Co-authored-by: Ilhaan Rasheed --- .../managed-cluster/README.md | 1 + .../managed-cluster/agent-pool/main.json | 9 ++---- .../managed-cluster/main.bicep | 5 ++-- .../managed-cluster/main.json | 29 ++++++++----------- .../maintenance-configurations/main.json | 4 +-- 5 files changed, 21 insertions(+), 27 deletions(-) diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md index a5f83980ea..8ff9e062da 100644 --- a/avm/res/container-service/managed-cluster/README.md +++ b/avm/res/container-service/managed-cluster/README.md @@ -4645,6 +4645,7 @@ Specifies the network policy used for building Kubernetes network. - calico or a [ 'azure' 'calico' + 'cilium' ] ``` diff --git a/avm/res/container-service/managed-cluster/agent-pool/main.json b/avm/res/container-service/managed-cluster/agent-pool/main.json index 65a21588ad..11965a3fab 100644 --- a/avm/res/container-service/managed-cluster/agent-pool/main.json +++ b/avm/res/container-service/managed-cluster/agent-pool/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "13856766172443517827" + "version": "0.31.34.60546", + "templateHash": "13504241837980660061" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", @@ -355,10 +355,7 @@ "vmSize": "[parameters('vmSize')]", "vnetSubnetID": "[parameters('vnetSubnetResourceId')]", "workloadRuntime": "[parameters('workloadRuntime')]" - }, - "dependsOn": [ - "managedCluster" - ] + } } }, "outputs": { diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep index ea126b9dea..3aecff5f78 100644 --- a/avm/res/container-service/managed-cluster/main.bicep 
+++ b/avm/res/container-service/managed-cluster/main.bicep @@ -38,6 +38,7 @@ param networkPluginMode string? @allowed([ 'azure' 'calico' + 'cilium' ]) param networkPolicy string? @@ -720,8 +721,8 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p networkProfile: { networkDataplane: networkDataplane networkPlugin: networkPlugin - networkPluginMode: networkPluginMode - networkPolicy: networkPolicy + networkPluginMode: networkDataplane == 'cilium' ? 'overlay' : networkPluginMode + networkPolicy: networkDataplane == 'cilium' ? 'cilium' : networkPolicy podCidr: podCidr serviceCidr: serviceCidr dnsServiceIP: dnsServiceIP diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json index 40b0d76ed4..3f20739576 100644 --- a/avm/res/container-service/managed-cluster/main.json +++ b/avm/res/container-service/managed-cluster/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "543007463534644066" + "version": "0.31.34.60546", + "templateHash": "178765084464759811" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", @@ -812,7 +812,8 @@ "nullable": true, "allowedValues": [ "azure", - "calico" + "calico", + "cilium" ], "metadata": { "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure." 
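Review bot: The `@description` of `networkPolicy` was not updated together with the new `'cilium'` entry in this `@allowed` list; the regenerated main.json in the same commit still reads "- calico or azure." on its new side. The decorator sits just above this hunk, so its exact text is not visible here, but it should name all three engines and state the coupling added further down, for example `@description('Optional. Network policy engine: azure, calico or cilium. Set to cilium when networkDataplane is cilium.')`. The policy engine is what enforces pod isolation rules, so the documented values should match what the module accepts and what it actually deploys.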
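Review bot: Both ternaries in `networkProfile` silently discard an explicit caller value whenever `networkDataplane == 'cilium'`: a caller who passes `networkPolicy: 'calico'`, or who leaves `networkPluginMode` unset to get pod-subnet (VNet) IP assignment, ends up with `cilium` and `overlay` without any error or warning. As far as I know, Azure CNI powered by Cilium also supports the non-overlay mode, so forcing `'overlay'` may change pod addressing and break segmentation rules that assume pods draw routable VNet IPs; this is worth confirming against the AKS documentation. I would default only when the parameter is null, `networkPolicy: networkPolicy ?? (networkDataplane == 'cilium' ? 'cilium' : null)`, and keep `networkPluginMode: networkPluginMode` as it was, so that a conflicting explicit value still fails loudly at the API instead of being rewritten. The `managedCluster` resource body starts and ends outside this hunk.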
@@ -1677,10 +1678,7 @@ "apiVersion": "2023-02-01", "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]" }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", @@ -1791,8 +1789,8 @@ "networkProfile": { "networkDataplane": "[parameters('networkDataplane')]", "networkPlugin": "[parameters('networkPlugin')]", - "networkPluginMode": "[parameters('networkPluginMode')]", - "networkPolicy": "[parameters('networkPolicy')]", + "networkPluginMode": "[if(equals(parameters('networkDataplane'), 'cilium'), 'overlay', parameters('networkPluginMode'))]", + "networkPolicy": "[if(equals(parameters('networkDataplane'), 'cilium'), 'cilium', parameters('networkPolicy'))]", "podCidr": "[parameters('podCidr')]", "serviceCidr": "[parameters('serviceCidr')]", "dnsServiceIP": "[parameters('dnsServiceIP')]", @@ -2007,8 +2005,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "2505380725266419010" + "version": "0.31.34.60546", + "templateHash": "3191846535289543816" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.", 
@@ -2204,8 +2202,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "13856766172443517827" + "version": "0.31.34.60546", + "templateHash": "13504241837980660061" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.", @@ -2554,10 +2552,7 @@ "vmSize": "[parameters('vmSize')]", "vnetSubnetID": "[parameters('vnetSubnetResourceId')]", "workloadRuntime": "[parameters('workloadRuntime')]" - }, - "dependsOn": [ - "managedCluster" - ] + } } }, "outputs": { diff --git a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json index 22e9300b85..64b5e4c229 100644 --- a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json +++ b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "2505380725266419010" + "version": "0.31.34.60546", + "templateHash": "3191846535289543816" }, "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",