Merge branch 'main' of https://github.com/AzureArcForKubernetes/connectedk8s into gabrielmousa/proxyupdate

Author: gabemousa

src/aks-preview/HISTORY.rst

@@ -12,6 +12,31 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+19.0.0b1
++++++++
+* [BREAKING CHANGE]: `az aks create`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks update`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks nodepool add`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* [BREAKING CHANGE]: `az aks nodepool update`: remove `--enable-custom-ca-trust` and `--disable-custom-ca-trust` options
+* `az aks update`: Add new parameter `--kms-infrastructure-encryption` to enable KMS infrastructure encryption on an existing cluster.
+
+18.0.0b44
++++++++
+* Vendor new SDK and bump API version to 2025-08-02-preview.
+* Pre-deprecate `--enable-custom-ca-trust` and `--disable-custom-ca-trust` in `az aks create`, `az aks update` commands.
+* Hide `--enable-managed-system-pool` parameter for `az aks create` for now, as the feature is not ready yet.
+
+18.0.0b43
++++++++
+* Fix `--localdns-config` parameter to handle null values and case-insensitive JSON keys in DNS override sections, preventing crashes with malformed localdns configuration files.
+* Enhance `build_override` function to validate dictionary types and only initialize DNS overrides when present in localdns configuration (case-insensitive).
+* Refactor `build_localdns_profile` function to eliminate code duplication between AgentPool add and update operations.
+
+18.0.0b42
++++++++
+* Fix role assignment failure when using azure-cli version >= `2.77.0`.
+* Add option `Flatcar` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
+
 18.0.0b41
 +++++++
 * Fix `--localdns-config` parameter to handle null values in JSON configuration files gracefully, preventing crashes when DNS override sections are null.
@@ -32,7 +57,7 @@ Pending
 * Add option `AzureLinuxOSGuard` and `AzureLinux3OSGuard` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
 * Add machine command `az aks machine add` to add a machine to an existing machine pool.
 * Add blue-green upgrade strategy support for AKS node pools:
-  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades. 
+  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades.
   - `az aks nodepool add/update/upgrade`: Add `--drain-batch-size`, `--drain-timeout-bg`, `--batch-soak-duration`, `--final-soak-duration` parameters to configure blue-green upgrade settings.
 
 18.0.0b38
@@ -2012,4 +2037,4 @@ Pending
 +++++
 
 * new feature `enable-cluster-autoscaler`
-* default agentType is VMSS
+* default agentType is VMSS

src/aks-preview/azcli_aks_live_test/README.md

@@ -1,6 +1,6 @@
 # Azure CLI AKS Live Test Pipeline & Azure CLI AKS Unit Test Pipeline
 
-These pipelines are used to test newly added aks commands in module aks-preview (azure-cli-extensions) / acs (azure-cli, not covered by default). For more details, you may refer to this [wiki](https://dev.azure.com/msazure/CloudNativeCompute/_wiki/wikis/CloudNativeCompute.wiki/156735/CLI-AKS-Live-Unit-Test-Pipeline).
+These pipelines are used to test newly added aks commands in module aks-preview (azure-cli-extensions) / acs (azure-cli, not covered by default). For more details, you may refer to this [wiki](https://dev.azure.com/msazure/CloudNativeCompute/_wiki/wikis/CloudNativeCompute.wiki/358312/AZCLI-AKS-Live-Unit-Test-Pipelines).
 
 ## How to use
 
@@ -10,4 +10,4 @@ By default, for **live test pipeline**, the test will be performed in **record m
 
 If the newly added commands and test cases use the **features** that are being previewed, that is, some feature under container service needs to be manually registered before using the command, then such cases will not be able to execute/pass the test temporarily, since the subscription used for testing does not (and does not intend to) enable these additional features. In the future, we will use customer header to pass these features in test cases, but for now you can just bypass these cases. For now,  you can follow the instructions in [section Bypass Test Case](#bypass-test-case) to **bypass such test cases**. 
 
-You can also trigger this pipeline **manually** and adjust variables such as test coverage, test filter, test location, etc. as needed. For more details, you may refer to the following sections.
+You can also trigger this pipeline **manually** and adjust variables such as test coverage, test filter, test location, etc. as needed. For more details, you may refer to the following sections.

src/aks-preview/azext_aks_preview/_consts.py

@@ -40,6 +40,7 @@
 CONST_OS_SKU_WINDOWSANNUAL = "WindowsAnnual"
 CONST_OS_SKU_AZURELINUX = "AzureLinux"
 CONST_OS_SKU_AZURELINUX3 = "AzureLinux3"
+CONST_OS_SKU_FLATCAR = "Flatcar"
 CONST_OS_SKU_UBUNTU2204 = "Ubuntu2204"
 CONST_OS_SKU_UBUNTU2404 = "Ubuntu2404"
 CONST_OS_SKU_AZURELINUXOSGUARD = "AzureLinuxOSGuard"

src/aks-preview/azext_aks_preview/_help.py

@@ -271,7 +271,7 @@
           short-summary: The ID of a PPG.
         - name: --os-sku
           type: string
-          short-summary: The os-sku of the agent node pool. Ubuntu or CBLMariner.
+          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux, AzureLinux3, AzureLinuxOSGuard, AzureLinux3OSGuard, or Flatcar when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
         - name: --enable-fips-image
           type: bool
           short-summary: Use FIPS-enabled OS on agent nodes.
@@ -517,9 +517,6 @@
         - name: --dns-zone-resource-ids
           type: string
           short-summary: A comma separated list of resource IDs of the DNS zone resource to use with the App Routing addon.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
         - name: --ca-certs --custom-ca-trust-certificates
           type: string
           short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
@@ -730,8 +727,6 @@
           text: az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
         - name: Create a kubernetes cluster with no CNI installed.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
-        - name: Create a kubernetes cluster with Custom CA Trust enabled.
-          text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
         - name: Create a kubernetes cluster with safeguards set to "Warning"
           text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
         - name: Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
@@ -1110,6 +1105,10 @@
         - name: --azure-keyvault-kms-key-vault-resource-id
           type: string
           short-summary: Resource ID of Azure Key Vault.
+        - name: --kms-infrastructure-encryption
+          type: string
+          short-summary: Enable encryption at rest of Kubernetes resource objects using service-managed keys.
+          long-summary: Enable infrastructure encryption for Kubernetes resource objects. This feature provides encryption at rest for cluster secrets and configuration using service-managed keys. For more information see https://aka.ms/aks/kubernetesResourceObjectEncryption.
         - name: --enable-image-cleaner
           type: bool
           short-summary: Enable ImageCleaner Service.
@@ -1928,7 +1927,7 @@
           short-summary: The OS Type. Linux or Windows. Windows not supported yet for "VirtualMachines" VM set type.
         - name: --os-sku
           type: string
-          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux， AzureLinux3, AzureLinuxOSGuard, or AzureLinux3OSGuard when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
+          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux, AzureLinux3, AzureLinuxOSGuard, AzureLinux3OSGuard, or Flatcar when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
         - name: --enable-fips-image
           type: bool
           short-summary: Use FIPS-enabled OS on agent nodes.
@@ -2019,9 +2018,6 @@
         - name: --message-of-the-day
           type: string
           short-summary: Path to a file containing the desired message of the day. Only valid for linux nodes. Will be written to /etc/motd.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
         - name: --disable-windows-outbound-nat
           type: bool
           short-summary: Disable Windows OutboundNAT on Windows agent node pool. Must use VMSS agent pool type.
@@ -2241,12 +2237,6 @@
         - name: --node-taints
           type: string
           short-summary: The node taints for the node pool.
-        - name: --enable-custom-ca-trust
-          type: bool
-          short-summary: Enable Custom CA Trust on agent node pool.
-        - name: --dcat --disable-custom-ca-trust
-          type: bool
-          short-summary: Disable Custom CA Trust on agent node pool.
         - name: --aks-custom-headers
           type: string
           short-summary: Send custom headers. When specified, format should be Key1=Value1,Key2=Value2

src/aks-preview/azext_aks_preview/_helpers.py

@@ -460,6 +460,10 @@ def process_dns_overrides(overrides_dict, target_dict, build_override_func):
     :param target_dict: Target dictionary to populate with processed overrides
     :param build_override_func: Function to build override objects from dict values
     """
+    if not isinstance(overrides_dict, dict):
+        raise InvalidArgumentValueError(
+            f"Expected a dictionary for DNS overrides, but got {type(overrides_dict).__name__}: {overrides_dict}"
+        )
     if overrides_dict is not None:
         for key, value in overrides_dict.items():
             if value is not None:

src/aks-preview/azext_aks_preview/_params.py

@@ -93,6 +93,7 @@
     CONST_OS_DISK_TYPE_MANAGED,
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_CBLMARINER,
     CONST_OS_SKU_MARINER,
     CONST_OS_SKU_AZURELINUXOSGUARD,
@@ -185,7 +186,6 @@
     validate_defender_disable_and_enable_parameters,
     validate_disable_windows_outbound_nat,
     validate_asm_egress_name,
-    validate_enable_custom_ca_trust,
     validate_eviction_policy,
     validate_grafanaresourceid,
     validate_host_group_id,
@@ -280,6 +280,7 @@
 node_os_skus_create = [
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_UBUNTU,
     CONST_OS_SKU_CBLMARINER,
     CONST_OS_SKU_MARINER,
@@ -297,6 +298,7 @@
 node_os_skus_update = [
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_UBUNTU,
     CONST_OS_SKU_UBUNTU2204,
     CONST_OS_SKU_UBUNTU2404,
@@ -973,8 +975,6 @@ def load_arguments(self, _):
             arg_type=get_enum_type(workload_runtimes),
             default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER,
         )
-        # no validation for aks create because it already only supports Linux.
-        c.argument("enable_custom_ca_trust", action="store_true")
         c.argument(
             "nodepool_allowed_host_ports",
             validator=validate_allowed_host_ports,
@@ -1124,7 +1124,10 @@ def load_arguments(self, _):
         # virtual machines
         c.argument("vm_sizes", is_preview=True)
         c.argument("enable_imds_restriction", action="store_true", is_preview=True)
-        c.argument("enable_managed_system_pool", action="store_true", is_preview=True)
+        c.argument("enable_managed_system_pool",
+                   action="store_true",
+                   is_preview=True,
+                   deprecate_info=c.deprecate(target="--enable-managed-system-pool", hide=True))
         c.argument("enable_upstream_kubescheduler_user_configuration", action="store_true", is_preview=True)
 
     with self.argument_context("aks update") as c:
@@ -1261,6 +1264,11 @@ def load_arguments(self, _):
             "azure_keyvault_kms_key_vault_resource_id",
             validator=validate_azure_keyvault_kms_key_vault_resource_id,
         )
+        c.argument(
+            "kms_infrastructure_encryption",
+            arg_type=get_enum_type(["Enabled", "Disabled"]),
+            is_preview=True,
+        )
         c.argument("http_proxy_config")
         c.argument(
             "bootstrap_artifact_source",
@@ -1776,11 +1784,6 @@ def load_arguments(self, _):
             arg_type=get_enum_type(workload_runtimes),
             default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER,
         )
-        c.argument(
-            "enable_custom_ca_trust",
-            action="store_true",
-            validator=validate_enable_custom_ca_trust,
-        )
         c.argument(
             "disable_windows_outbound_nat",
             action="store_true",
@@ -1895,16 +1898,6 @@ def load_arguments(self, _):
         c.argument("mode", arg_type=get_enum_type(node_mode_types))
         c.argument("scale_down_mode", arg_type=get_enum_type(scale_down_modes))
         # extensions
-        c.argument(
-            "enable_custom_ca_trust",
-            action="store_true",
-            validator=validate_enable_custom_ca_trust,
-        )
-        c.argument(
-            "disable_custom_ca_trust",
-            options_list=["--disable-custom-ca-trust", "--dcat"],
-            action="store_true",
-        )
         c.argument(
             "allowed_host_ports", validator=validate_allowed_host_ports, is_preview=True
         )

src/aks-preview/azext_aks_preview/_roleassignments.py

@@ -3,103 +3,8 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-import time
-import uuid
-
-from azure.cli.command_modules.acs._client_factory import (
-    get_auth_management_client,
+# pylint: disable=unused-import
+from azure.cli.command_modules.acs._roleassignments import (
+    add_role_assignment,
+    add_role_assignment_executor,
 )
-from azure.cli.command_modules.acs._graph import resolve_object_id
-from azure.cli.command_modules.acs._roleassignments import build_role_scope, resolve_role_id
-from azure.cli.core.azclierror import AzCLIError
-from azure.cli.core.profiles import ResourceType, get_sdk
-from azure.core.exceptions import HttpResponseError, ResourceExistsError
-from knack.log import get_logger
-
-logger = get_logger(__name__)
-
-# pylint: disable=protected-access
-
-
-# temp workaround for the breaking change caused by default API version bump of the auth SDK
-def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    return _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal, delay, scope)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_executor_new(cmd, role, assignee, resource_group_name=None, scope=None, resolve_assignee=True):
-    factory = get_auth_management_client(cmd.cli_ctx, scope)
-    assignments_client = factory.role_assignments
-    definitions_client = factory.role_definitions
-
-    # FIXME: is this necessary?
-    if assignments_client._config is None:
-        raise AzCLIError("Assignments client config is undefined.")
-
-    scope = build_role_scope(resource_group_name, scope, assignments_client._config.subscription_id)
-
-    # XXX: if role is uuid, this function's output cannot be used as role assignment defintion id
-    # ref: https://github.com/Azure/azure-cli/issues/2458
-    role_id = resolve_role_id(role, scope, definitions_client)
-
-    # If the cluster has service principal resolve the service principal client id to get the object id,
-    # if not use MSI object id.
-    object_id = resolve_object_id(cmd.cli_ctx, assignee) if resolve_assignee else assignee
-
-    assignment_name = uuid.uuid4()
-    custom_headers = None
-
-    RoleAssignmentCreateParameters = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentCreateParameters",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    if cmd.supported_api_version(min_api="2018-01-01-preview", resource_type=ResourceType.MGMT_AUTHORIZATION):
-        parameters = RoleAssignmentCreateParameters(role_definition_id=role_id, principal_id=object_id,
-                                                    principal_type=None)
-        return assignments_client.create(scope, assignment_name, parameters, headers=custom_headers)
-
-    # for backward compatibility
-    RoleAssignmentProperties = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentProperties",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    properties = RoleAssignmentProperties(role_definition_id=role_id, principal_id=object_id)
-    return assignments_client.create(scope, assignment_name, properties, headers=custom_headers)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    # AAD can have delays in propagating data, so sleep and retry
-    hook = cmd.cli_ctx.get_progress_controller(True)
-    hook.add(message="Waiting for AAD role to propagate", value=0, total_val=1.0)
-    logger.info("Waiting for AAD role to propagate")
-    for x in range(0, 10):
-        hook.add(message="Waiting for AAD role to propagate", value=0.1 * x, total_val=1.0)
-        try:
-            # TODO: break this out into a shared utility library
-            _add_role_assignment_executor_new(
-                cmd,
-                role,
-                service_principal_msi_id,
-                scope=scope,
-                resolve_assignee=is_service_principal,
-            )
-            break
-        except HttpResponseError as ex:
-            if isinstance(ex, ResourceExistsError) or "The role assignment already exists." in ex.message:
-                break
-            logger.info(ex.message)
-        except Exception as ex:  # pylint: disable=broad-except
-            logger.error(str(ex))
-        time.sleep(delay + delay * x)
-    else:
-        return False
-    hook.add(message="AAD role propagation done", value=1.0, total_val=1.0)
-    logger.info("AAD role propagation done")
-    return True

src/aks-preview/azext_aks_preview/_validators.py

@@ -731,14 +731,6 @@ def validate_bootstrap_container_registry_resource_id(namespace):
         raise InvalidArgumentValueError("--bootstrap-container-registry-resource-id is not a valid Azure resource ID.")
 
 
-def validate_enable_custom_ca_trust(namespace):
-    """Validates Custom CA Trust can only be used on Linux."""
-    if namespace.enable_custom_ca_trust:
-        if hasattr(namespace, 'os_type') and namespace.os_type != "Linux":
-            raise ArgumentUsageError(
-                '--enable_custom_ca_trust can only be set for Linux nodepools')
-
-
 def validate_custom_ca_trust_certificates(namespace):
     """Validates Custom CA Trust Certificates can only be used on Linux."""
     if namespace.custom_ca_trust_certificates is not None and namespace.custom_ca_trust_certificates != "":