Merge branch 'main' into feature/eas-llm-setup

Author: chenxi

src/aks-preview/HISTORY.rst

@@ -11,6 +11,19 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* `az aks update`: Add new parameter `--kms-infrastructure-encryption` to enable KMS infrastructure encryption on an existing cluster.
+
+18.0.0b44
++++++++
+* Vendor new SDK and bump API version to 2025-08-02-preview.
+* Pre-deprecate `--enable-custom-ca-trust` and `--disable-custom-ca-trust` in `az aks create`, `az aks update` commands.
+* Hide `--enable-managed-system-pool` parameter for `az aks create` for now, as the feature is not ready yet.
+
+18.0.0b43
++++++++
+* Fix `--localdns-config` parameter to handle null values and case-insensitive JSON keys in DNS override sections, preventing crashes with malformed localdns configuration files.
+* Enhance `build_override` function to validate dictionary types and only initialize DNS overrides when present in localdns configuration (case-insensitive).
+* Refactor `build_localdns_profile` function to eliminate code duplication between AgentPool add and update operations.
 
 18.0.0b42
 +++++++
@@ -37,7 +50,7 @@ Pending
 * Add option `AzureLinuxOSGuard` and `AzureLinux3OSGuard` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
 * Add machine command `az aks machine add` to add a machine to an existing machine pool.
 * Add blue-green upgrade strategy support for AKS node pools:
-  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades. 
+  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades.
   - `az aks nodepool add/update/upgrade`: Add `--drain-batch-size`, `--drain-timeout-bg`, `--batch-soak-duration`, `--final-soak-duration` parameters to configure blue-green upgrade settings.
 
 18.0.0b38

src/aks-preview/azext_aks_preview/_help.py

@@ -1110,6 +1110,10 @@
         - name: --azure-keyvault-kms-key-vault-resource-id
           type: string
           short-summary: Resource ID of Azure Key Vault.
+        - name: --kms-infrastructure-encryption
+          type: string
+          short-summary: Enable encryption at rest of Kubernetes resource objects using service-managed keys.
+          long-summary: Enable infrastructure encryption for Kubernetes resource objects. This feature provides encryption at rest for cluster secrets and configuration using service-managed keys. For more information see https://aka.ms/aks/kubernetesResourceObjectEncryption.
         - name: --enable-image-cleaner
           type: bool
           short-summary: Enable ImageCleaner Service.

src/aks-preview/azext_aks_preview/_helpers.py

@@ -460,6 +460,10 @@ def process_dns_overrides(overrides_dict, target_dict, build_override_func):
     :param target_dict: Target dictionary to populate with processed overrides
     :param build_override_func: Function to build override objects from dict values
     """
+    if not isinstance(overrides_dict, dict):
+        raise InvalidArgumentValueError(
+            f"Expected a dictionary for DNS overrides, but got {type(overrides_dict).__name__}: {overrides_dict}"
+        )
     if overrides_dict is not None:
         for key, value in overrides_dict.items():
             if value is not None:

src/aks-preview/azext_aks_preview/_params.py

@@ -1127,7 +1127,10 @@ def load_arguments(self, _):
         # virtual machines
         c.argument("vm_sizes", is_preview=True)
         c.argument("enable_imds_restriction", action="store_true", is_preview=True)
-        c.argument("enable_managed_system_pool", action="store_true", is_preview=True)
+        c.argument("enable_managed_system_pool",
+                   action="store_true",
+                   is_preview=True,
+                   deprecate_info=c.deprecate(target="--enable-managed-system-pool", hide=True))
         c.argument("enable_upstream_kubescheduler_user_configuration", action="store_true", is_preview=True)
 
     with self.argument_context("aks update") as c:
@@ -1264,6 +1267,11 @@ def load_arguments(self, _):
             "azure_keyvault_kms_key_vault_resource_id",
             validator=validate_azure_keyvault_kms_key_vault_resource_id,
         )
+        c.argument(
+            "kms_infrastructure_encryption",
+            arg_type=get_enum_type(["Enabled", "Disabled"]),
+            is_preview=True,
+        )
         c.argument("http_proxy_config")
         c.argument(
             "bootstrap_artifact_source",

src/aks-preview/azext_aks_preview/agentpool_decorator.py

@@ -241,65 +241,6 @@ def get_workload_runtime(self) -> Union[str, None]:
         # this parameter does not need validation
         return workload_runtime
 
-    def _get_enable_custom_ca_trust(self, enable_validation: bool = False) -> bool:
-        """Internal function to obtain the value of enable_custom_ca_trust.
-
-        This function supports the option of enable_validation. When enabled, if both enable_custom_ca_trust and
-        disable_custom_ca_trust are specified, raise a MutuallyExclusiveArgumentError.
-
-        :return: bool
-        """
-        # read the original value passed by the command
-        enable_custom_ca_trust = self.raw_param.get("enable_custom_ca_trust")
-        # In create mode, try to read the property value corresponding to the parameter from the `agentpool` object
-        if self.decorator_mode == DecoratorMode.CREATE:
-            if self.agentpool and self.agentpool.enable_custom_ca_trust is not None:
-                enable_custom_ca_trust = self.agentpool.enable_custom_ca_trust
-
-        # this parameter does not need dynamic completion
-        # validation
-        if enable_validation:
-            if enable_custom_ca_trust and self._get_disable_custom_ca_trust(enable_validation=False):
-                raise MutuallyExclusiveArgumentError(
-                    'Cannot specify "--enable-custom-ca-trust" and "--disable-custom-ca-trust" at the same time'
-                )
-        return enable_custom_ca_trust
-
-    def get_enable_custom_ca_trust(self) -> bool:
-        """Obtain the value of enable_custom_ca_trust.
-
-        :return: bool
-        """
-        return self._get_enable_custom_ca_trust(enable_validation=True)
-
-    def _get_disable_custom_ca_trust(self, enable_validation: bool = False) -> bool:
-        """Internal function to obtain the value of disable_custom_ca_trust.
-
-        This function supports the option of enable_validation. When enabled, if both enable_custom_ca_trust and
-        disable_custom_ca_trust are specified, raise a MutuallyExclusiveArgumentError.
-
-        :return: bool
-        """
-        # read the original value passed by the command
-        disable_custom_ca_trust = self.raw_param.get("disable_custom_ca_trust")
-        # This option is not supported in create mode, so its value is not read from `agentpool`.
-
-        # this parameter does not need dynamic completion
-        # validation
-        if enable_validation:
-            if disable_custom_ca_trust and self._get_enable_custom_ca_trust(enable_validation=False):
-                raise MutuallyExclusiveArgumentError(
-                    'Cannot specify "--enable-custom-ca-trust" and "--disable-custom-ca-trust" at the same time'
-                )
-        return disable_custom_ca_trust
-
-    def get_disable_custom_ca_trust(self) -> bool:
-        """Obtain the value of disable_custom_ca_trust.
-
-        :return: bool
-        """
-        return self._get_disable_custom_ca_trust(enable_validation=True)
-
     def _get_disable_windows_outbound_nat(self) -> bool:
         """Internal function to obtain the value of disable_windows_outbound_nat.
 
@@ -940,6 +881,78 @@ def get_localdns_profile(self):
             return profile
         return None
 
+    def build_localdns_profile(self, agentpool: AgentPool) -> AgentPool:
+        """Build local DNS profile for the AgentPool object if provided via --localdns-config."""
+        localdns_profile = self.get_localdns_profile()
+        kube_dns_overrides, vnet_dns_overrides = None, None
+
+        if localdns_profile is not None:
+            def find_keys_case_insensitive(dictionary, target_keys):
+                """Find multiple keys case-insensitively and return a dict mapping target_key -> actual_key"""
+                result = {}
+                lowered_keys = {key.lower(): key for key in dictionary.keys()}
+                for target_key in target_keys:
+                    lowered_target = target_key.lower()
+                    if lowered_target in lowered_keys:
+                        result[target_key] = lowered_keys[lowered_target]
+                    else:
+                        result[target_key] = None
+                return result
+
+            def build_override(override_dict):
+                if not isinstance(override_dict, dict):
+                    raise InvalidArgumentValueError(
+                        f"Expected a dictionary for DNS override settings,"
+                        f" but got {type(override_dict).__name__}: {override_dict}"
+                    )
+                camel_to_snake_case = {
+                    "queryLogging": "query_logging",
+                    "protocol": "protocol",
+                    "forwardDestination": "forward_destination",
+                    "forwardPolicy": "forward_policy",
+                    "maxConcurrent": "max_concurrent",
+                    "cacheDurationInSeconds": "cache_duration_in_seconds",
+                    "serveStaleDurationInSeconds": "serve_stale_duration_in_seconds",
+                    "serveStale": "serve_stale",
+                }
+                valid_keys = set(camel_to_snake_case.values())
+                filtered = {}
+                for k, v in override_dict.items():
+                    if k in camel_to_snake_case:
+                        filtered[camel_to_snake_case[k]] = v
+                    elif k in valid_keys:
+                        filtered[k] = v
+                return self.models.LocalDNSOverride(**filtered)
+
+            # Build kubeDNSOverrides and vnetDNSOverrides from the localdns_profile
+            key_mappings = find_keys_case_insensitive(localdns_profile, ["kubeDNSOverrides", "vnetDNSOverrides"])
+            actual_kube_key = key_mappings["kubeDNSOverrides"]
+            if actual_kube_key:
+                logger.debug("Found kubeDNSOverrides key as: %s", actual_kube_key)
+                kube_dns_overrides = {}
+                process_dns_overrides(
+                    localdns_profile.get(actual_kube_key),
+                    kube_dns_overrides,
+                    build_override
+                )
+
+            actual_vnet_key = key_mappings["vnetDNSOverrides"]
+            if actual_vnet_key:
+                logger.debug("Found vnetDNSOverrides key as: %s", actual_vnet_key)
+                vnet_dns_overrides = {}
+                process_dns_overrides(
+                    localdns_profile.get(actual_vnet_key),
+                    vnet_dns_overrides,
+                    build_override
+                )
+
+            agentpool.local_dns_profile = self.models.LocalDNSProfile(
+                mode=localdns_profile.get("mode"),
+                kube_dns_overrides=kube_dns_overrides,
+                vnet_dns_overrides=vnet_dns_overrides,
+            )
+        return agentpool
+
     def get_node_count_and_enable_cluster_autoscaler_min_max_count_vms(
         self,
     ) -> Tuple[int, bool, Union[int, None], Union[int, None]]:
@@ -1195,16 +1208,6 @@ def set_up_gpu_properties(self, agentpool: AgentPool) -> AgentPool:
         agentpool.workload_runtime = self.context.get_workload_runtime()
         return agentpool
 
-    def set_up_custom_ca_trust(self, agentpool: AgentPool) -> AgentPool:
-        """Set up custom ca trust property for the AgentPool object.
-
-        :return: the AgentPool object
-        """
-        self._ensure_agentpool(agentpool)
-
-        agentpool.enable_custom_ca_trust = self.context.get_enable_custom_ca_trust()
-        return agentpool
-
     def set_up_agentpool_windows_profile(self, agentpool: AgentPool) -> AgentPool:
         """Set up windows profile for the AgentPool object.
 
@@ -1452,49 +1455,7 @@ def set_up_managed_system_mode(self, agentpool: AgentPool) -> AgentPool:
     def set_up_localdns_profile(self, agentpool: AgentPool) -> AgentPool:
         """Set up local DNS profile for the AgentPool object if provided via --localdns-config."""
         self._ensure_agentpool(agentpool)
-        localdns_profile = self.context.get_localdns_profile()
-        if localdns_profile is not None:
-            kube_dns_overrides = {}
-            vnet_dns_overrides = {}
-
-            def build_override(override_dict):
-                camel_to_snake_case = {
-                    "queryLogging": "query_logging",
-                    "protocol": "protocol",
-                    "forwardDestination": "forward_destination",
-                    "forwardPolicy": "forward_policy",
-                    "maxConcurrent": "max_concurrent",
-                    "cacheDurationInSeconds": "cache_duration_in_seconds",
-                    "serveStaleDurationInSeconds": "serve_stale_duration_in_seconds",
-                    "serveStale": "serve_stale",
-                }
-                valid_keys = set(camel_to_snake_case.values())
-                filtered = {}
-                for k, v in override_dict.items():
-                    if k in camel_to_snake_case:
-                        filtered[camel_to_snake_case[k]] = v
-                    elif k in valid_keys:
-                        filtered[k] = v
-                return self.models.LocalDNSOverride(**filtered)
-
-            # Build kubeDNSOverrides and vnetDNSOverrides from the localdns_profile
-            process_dns_overrides(
-                localdns_profile.get("kubeDNSOverrides"),
-                kube_dns_overrides,
-                build_override
-            )
-            process_dns_overrides(
-                localdns_profile.get("vnetDNSOverrides"),
-                vnet_dns_overrides,
-                build_override
-            )
-
-            agentpool.local_dns_profile = self.models.LocalDNSProfile(
-                mode=localdns_profile.get("mode"),
-                kube_dns_overrides=kube_dns_overrides,
-                vnet_dns_overrides=vnet_dns_overrides,
-            )
-        return agentpool
+        return self.context.build_localdns_profile(agentpool)
 
     def construct_agentpool_profile_preview(self) -> AgentPool:
         """The overall controller used to construct the preview AgentPool profile.
@@ -1518,8 +1479,6 @@ def construct_agentpool_profile_preview(self) -> AgentPool:
         agentpool = self.set_up_preview_vm_properties(agentpool)
         # set up message of the day
         agentpool = self.set_up_motd(agentpool)
-        # set up custom ca trust
-        agentpool = self.set_up_custom_ca_trust(agentpool)
         # set up agentpool windows profile
         agentpool = self.set_up_agentpool_windows_profile(agentpool)
         # set up agentpool network profile
@@ -1672,20 +1631,6 @@ def init_context(self) -> None:
             self.agentpool_decorator_mode,
         )
 
-    def update_custom_ca_trust(self, agentpool: AgentPool) -> AgentPool:
-        """Update custom ca trust property for the AgentPool object.
-
-        :return: the AgentPool object
-        """
-        self._ensure_agentpool(agentpool)
-
-        if self.context.get_enable_custom_ca_trust():
-            agentpool.enable_custom_ca_trust = True
-
-        if self.context.get_disable_custom_ca_trust():
-            agentpool.enable_custom_ca_trust = False
-        return agentpool
-
     def update_network_profile(self, agentpool: AgentPool) -> AgentPool:
         self._ensure_agentpool(agentpool)
 
@@ -1794,49 +1739,7 @@ def update_fips_image(self, agentpool: AgentPool) -> AgentPool:
     def update_localdns_profile(self, agentpool: AgentPool) -> AgentPool:
         """Update local DNS profile for the AgentPool object if provided via --localdns-config."""
         self._ensure_agentpool(agentpool)
-        localdns_profile = self.context.get_localdns_profile()
-        if localdns_profile is not None:
-            kube_dns_overrides = {}
-            vnet_dns_overrides = {}
-
-            def build_override(override_dict):
-                camel_to_snake_case = {
-                    "queryLogging": "query_logging",
-                    "protocol": "protocol",
-                    "forwardDestination": "forward_destination",
-                    "forwardPolicy": "forward_policy",
-                    "maxConcurrent": "max_concurrent",
-                    "cacheDurationInSeconds": "cache_duration_in_seconds",
-                    "serveStaleDurationInSeconds": "serve_stale_duration_in_seconds",
-                    "serveStale": "serve_stale",
-                }
-                valid_keys = set(camel_to_snake_case.values())
-                filtered = {}
-                for k, v in override_dict.items():
-                    if k in camel_to_snake_case:
-                        filtered[camel_to_snake_case[k]] = v
-                    elif k in valid_keys:
-                        filtered[k] = v
-                return self.models.LocalDNSOverride(**filtered)
-
-            # Build kubeDNSOverrides and vnetDNSOverrides from the localdns_profile
-            process_dns_overrides(
-                localdns_profile.get("kubeDNSOverrides"),
-                kube_dns_overrides,
-                build_override
-            )
-            process_dns_overrides(
-                localdns_profile.get("vnetDNSOverrides"),
-                vnet_dns_overrides,
-                build_override
-            )
-
-            agentpool.local_dns_profile = self.models.LocalDNSProfile(
-                mode=localdns_profile.get("mode"),
-                kube_dns_overrides=kube_dns_overrides,
-                vnet_dns_overrides=vnet_dns_overrides,
-            )
-        return agentpool
+        return self.context.build_localdns_profile(agentpool)
 
     def update_upgrade_strategy(self, agentpool: AgentPool) -> AgentPool:
         """Update upgrade strategy for the AgentPool object.
@@ -1871,9 +1774,6 @@ def update_agentpool_profile_preview(self, agentpools: List[AgentPool] = None) -
                         setattr(agentpool, attr, None)
             return agentpool
 
-        # update custom ca trust
-        agentpool = self.update_custom_ca_trust(agentpool)
-
         # update network profile
         agentpool = self.update_network_profile(agentpool)
 

src/aks-preview/azext_aks_preview/custom.py

@@ -865,6 +865,7 @@ def aks_update(
     azure_keyvault_kms_key_id=None,
     azure_keyvault_kms_key_vault_network_access=None,
     azure_keyvault_kms_key_vault_resource_id=None,
+    kms_infrastructure_encryption=None,
     http_proxy_config=None,
     disable_http_proxy=False,
     enable_http_proxy=False,