feat(acns): add retinaNetworkFlowLogs to azure cli (#8645)

* feat(acns): add retinaNetworkFlowLogs to azure cli

* update import addonconfiguration and update cistreams

* update history

* add test aks command and history bump aks version

* update tests

* linter and slight updates

* more linter

* more linter and removing unused import

* update code to match create

* update test for enablement update command

* live only tag

* update commands

* Update setup.py

Author: snguyen64

src/aks-preview/HISTORY.rst

@@ -13,6 +13,10 @@ Pending
 +++++++
 * Remove TrustedAccess commands from aks-preview extension as it is GA and exists in azure-cli for long time.
 
+14.0.0b7
+++++++++
+* Add `az aks create/update --enable-retina-flow-logs` and `az aks update --disable-retina-flow-logs` commands.
+
 14.0.0b6
 +++++++
 * Add option `--acns-advanced-networkpolicies <None|FQDN|L7>` to `az aks create/update`

src/aks-preview/azext_aks_preview/_help.py

@@ -231,6 +231,9 @@
         - name: --acns-advanced-networkpolicies
           type: string
           short-summary: Used to enable advanced network policies (None, FQDN or L7) on a cluster when enabling advanced networking features with "--enable-acns".
+        - name: --enable-retina-flow-logs
+          type: bool
+          short-summary: Enable advanced network flow log collection functionalities on a cluster.
         - name: --no-ssh-key -x
           type: string
           short-summary: Do not use or create a local SSH key.
@@ -1220,6 +1223,12 @@
         - name: --acns-advanced-networkpolicies
           type: string
           short-summary: Used to enable advanced network policies (None, FQDN or L7) on a cluster when enabling advanced networking features with "--enable-acns".
+        - name: --enable-retina-flow-logs
+          type: bool
+          short-summary: Enable advanced network flow log collection functionalities on a cluster.
+        - name: --disable-retina-flow-logs
+          type: bool
+          short-summary: Disable advanced network flow log collection functionalities on a cluster.
         - name: --enable-cost-analysis
           type: bool
           short-summary: Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

src/aks-preview/azext_aks_preview/_params.py

@@ -838,6 +838,10 @@ def load_arguments(self, _):
             is_preview=True,
             arg_type=get_enum_type(advanced_networkpolicies),
         )
+        c.argument(
+            "enable_retina_flow_logs",
+            action="store_true",
+        )
         c.argument(
             "custom_ca_trust_certificates",
             options_list=["--custom-ca-trust-certificates", "--ca-certs"],
@@ -1321,6 +1325,14 @@ def load_arguments(self, _):
             is_preview=True,
             arg_type=get_enum_type(advanced_networkpolicies),
         )
+        c.argument(
+            "enable_retina_flow_logs",
+            action="store_true",
+        )
+        c.argument(
+            "disable_retina_flow_logs",
+            action="store_true",
+        )
         c.argument("enable_cost_analysis", action="store_true")
         c.argument("disable_cost_analysis", action="store_true")
         c.argument('enable_ai_toolchain_operator', is_preview=True, action='store_true')

src/aks-preview/azext_aks_preview/addonconfiguration.py

@@ -14,6 +14,7 @@
     sanitize_loganalytics_ws_resource_id,
     ensure_default_log_analytics_workspace_for_monitoring
 )
+import azure.cli.command_modules.acs.addonconfiguration
 from azext_aks_preview._helpers import (
     check_is_monitoring_addon_enabled,
 )
@@ -44,6 +45,22 @@
 
 logger = get_logger(__name__)
 
+azure.cli.command_modules.acs.addonconfiguration.ContainerInsightsStreams = [
+    "Microsoft-ContainerLog",
+    "Microsoft-ContainerLogV2-HighScale",
+    "Microsoft-KubeEvents",
+    "Microsoft-KubePodInventory",
+    "Microsoft-KubeNodeInventory",
+    "Microsoft-KubePVInventory",
+    "Microsoft-KubeServices",
+    "Microsoft-KubeMonAgentEvents",
+    "Microsoft-InsightsMetrics",
+    "Microsoft-ContainerInventory",
+    "Microsoft-ContainerNodeInventory",
+    "Microsoft-Perf",
+    "Microsoft-RetinaNetworkFlowLogs",
+]
+
 
 # pylint: disable=too-many-locals
 def enable_addons(

src/aks-preview/azext_aks_preview/custom.py

@@ -494,6 +494,7 @@ def aks_create(
     disable_acns_observability=None,
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
+    enable_retina_flow_logs=None,
     # nodepool
     crg_id=None,
     message_of_the_day=None,
@@ -726,6 +727,8 @@ def aks_update(
     disable_acns_observability=None,
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
+    enable_retina_flow_logs=None,
+    disable_retina_flow_logs=None,
     # metrics profile
     enable_cost_analysis=False,
     disable_cost_analysis=False,

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -778,6 +778,35 @@ def get_acns_advanced_networkpolicies(self) -> Union[str, None]:
                 )
         return self.raw_param.get("acns_advanced_networkpolicies")
 
+    def get_retina_flow_logs(self, mc: ManagedCluster) -> Union[bool, None]:
+        """Get the enablement of retina flow logs
+
+        :return: bool or None"""
+        enable_retina_flow_logs = self.raw_param.get("enable_retina_flow_logs")
+        disable_retina_flow_logs = self.raw_param.get("disable_retina_flow_logs")
+        if enable_retina_flow_logs is None and disable_retina_flow_logs is None:
+            return None
+        if enable_retina_flow_logs and disable_retina_flow_logs:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-retina-flow-logs and "
+                "--disable-retina-flow-logs at the same time."
+            )
+        if (
+            enable_retina_flow_logs and
+            (not self.raw_param.get("enable_acns", False) and
+                not (mc.network_profile and mc.network_profile.advanced_networking and
+                     mc.network_profile.advanced_networking.enabled)) or
+            not (mc.addon_profiles and mc.addon_profiles.get("omsagent") and mc.addon_profiles["omsagent"].enabled)
+        ):
+            raise InvalidArgumentValueError(
+                "Flow logs requires '--enable-acns', advanced networking "
+                "to be enabled, and the monitoring addon to be enabled."
+            )
+        enable_retina_flow_logs = bool(enable_retina_flow_logs) if enable_retina_flow_logs is not None else False
+        disable_retina_flow_logs = bool(disable_retina_flow_logs) if disable_retina_flow_logs is not None else False
+        retina_flow_logs = enable_retina_flow_logs or not disable_retina_flow_logs
+        return retina_flow_logs
+
     def get_load_balancer_managed_outbound_ip_count(self) -> Union[int, None]:
         """Obtain the value of load_balancer_managed_outbound_ip_count.
 
@@ -3025,6 +3054,15 @@ def set_up_addon_profiles(self, mc: ManagedCluster) -> ManagedCluster:
             addon_profiles[
                 CONST_GITOPS_ADDON_NAME
             ] = self.build_gitops_addon_profile()
+
+        retina_flow_logs_enabled = self.context.get_retina_flow_logs(mc)
+        if retina_flow_logs_enabled is not None:
+            monitoring_addon_profile = addon_profiles.get(addon_consts.get("CONST_MONITORING_ADDON_NAME"))
+            if monitoring_addon_profile:
+                config = monitoring_addon_profile.config or {}
+                config["enableRetinaNetworkFlags"] = str(retina_flow_logs_enabled)
+                monitoring_addon_profile.config = config
+
         mc.addon_profiles = addon_profiles
         return mc
 
@@ -4070,6 +4108,25 @@ def update_acns_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
             mc.network_profile.advanced_networking = acns
         return mc
 
+    def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update monitor profile for the ManagedCluster object for flow logs.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        retina_flow_logs_enabled = self.context.get_retina_flow_logs(mc)
+        if retina_flow_logs_enabled is not None:
+            if mc.addon_profiles:
+                addon_consts = self.context.get_addon_consts()
+                CONST_MONITORING_ADDON_NAME = addon_consts.get("CONST_MONITORING_ADDON_NAME")
+                monitoring_addon_profile = mc.addon_profiles.get(CONST_MONITORING_ADDON_NAME)
+                if monitoring_addon_profile:
+                    config = monitoring_addon_profile.config or {}
+                    config["enableRetinaNetworkFlags"] = str(retina_flow_logs_enabled)
+                    mc.addon_profiles[CONST_MONITORING_ADDON_NAME].config = config
+        return mc
+
     # pylint: disable=too-many-statements,too-many-locals,too-many-branches
     def update_azure_container_storage(self, mc: ManagedCluster) -> ManagedCluster:
         """Update azure container storage for the Managed Cluster object
@@ -5331,6 +5388,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_nodepool_initialization_taints_mc(mc)
         # update acns in network_profile
         mc = self.update_acns_in_network_profile(mc)
+        # update update_monitoring_profile_flow_logs
+        mc = self.update_monitoring_profile_flow_logs(mc)
         # update kubernetes support plan
         mc = self.update_k8s_support_plan(mc)
         # update AI toolchain operator