PR comments + tests

Author: carlotaarvela

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -7,6 +7,7 @@
 import copy
 import datetime
 import os
+import random
 import time
 from types import SimpleNamespace
 from typing import Any, Dict, List, Optional, Tuple, TypeVar, Union
@@ -4543,9 +4544,12 @@ def _setup_azure_monitor_logs(self, mc: ManagedCluster) -> None:
         if not workspace_resource_id:
             ensure_workspace_func = (
                 self.context.external_functions.ensure_default_log_analytics_workspace_for_monitoring)
-            # Retry with backoff to handle 409 Conflict when workspace is still provisioning
-            # (common when parallel tests or commands target the same default workspace)
-            for attempt in range(3):
+            # Retry with exponential backoff + jitter to handle 409 Conflict when
+            # workspace is still provisioning (common when parallel commands target
+            # the same default workspace).  Delays: ~5 s, ~10 s, ~20 s (worst-case
+            # total ~52 s; fast path ~7 s if the first retry succeeds).
+            max_attempts = 4
+            for attempt in range(max_attempts):
                 try:
                     workspace_resource_id = ensure_workspace_func(
                         self.cmd,
@@ -4554,8 +4558,10 @@ def _setup_azure_monitor_logs(self, mc: ManagedCluster) -> None:
                     )
                     break
                 except (HttpResponseError, ResourceExistsError):
-                    if attempt < 2:
-                        time.sleep(30)
+                    if attempt < max_attempts - 1:
+                        base_delay = 5 * (2 ** attempt)  # 5 s, 10 s, 20 s
+                        jitter = random.uniform(0, base_delay * 0.5)
+                        time.sleep(base_delay + jitter)
                     else:
                         raise
 
@@ -4582,26 +4588,9 @@ def _setup_azure_monitor_logs(self, mc: ManagedCluster) -> None:
         }
         mc.addon_profiles[CONST_MONITORING_ADDON_NAME] = addon_profile
 
-        # Create DCR before the cluster is created (matching base class build_monitoring_addon_profile pattern).
-        # The DCRA will be created later in postprocessing_after_mc_created.
-        self.context.external_functions.ensure_container_insights_for_monitoring(
-            self.cmd,
-            addon_profile,
-            self.context.get_subscription_id(),
-            self.context.get_resource_group_name(),
-            self.context.get_name(),
-            self.context.get_location(),
-            remove_monitoring=False,
-            aad_route=self.context.get_enable_msi_auth_for_monitoring(),
-            create_dcr=True,
-            create_dcra=False,
-            enable_syslog=self.context.get_enable_syslog(),
-            data_collection_settings=self.context.get_data_collection_settings(),
-            is_private_cluster=self.context.get_enable_private_cluster(),
-            ampls_resource_id=self.context.get_ampls_resource_id(),
-            enable_high_log_scale_mode=self.context.get_enable_high_log_scale_mode(),
-        )
-
+        # DCR and DCRA creation is deferred to postprocessing_after_mc_created
+        # (_postprocess_monitoring_enable) so that all flags are finalized and
+        # the cluster exists.  Only MSI clusters need a DCR.
         self.context.set_intermediate("monitoring_addon_enabled", True, overwrite_exists=True)
 
     def _setup_opentelemetry_metrics(self, mc: ManagedCluster) -> None:
@@ -5465,7 +5454,7 @@ def _postprocess_monitoring_enable(self, cluster: ManagedCluster) -> None:
                 self.context.get_location(),
                 remove_monitoring=False,
                 aad_route=self.context.get_enable_msi_auth_for_monitoring(),
-                create_dcr=self._is_cnl_or_hlsm_changing(),
+                create_dcr=True,
                 create_dcra=True,
                 enable_syslog=self.context.get_enable_syslog(),
                 data_collection_settings=self.context.get_data_collection_settings(),
@@ -5776,17 +5765,9 @@ def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedClus
         if container_network_logs_enabled is not None:
             if mc.addon_profiles:
                 addon_consts = self.context.get_addon_consts()
-                CONST_MONITORING_ADDON_NAME = addon_consts.get("CONST_MONITORING_ADDON_NAME")
-                # Handle both "omsagent" and "omsAgent" key variants
-                monitoring_addon_profile = (
-                    mc.addon_profiles.get(CONST_MONITORING_ADDON_NAME) or
-                    mc.addon_profiles.get(CONST_MONITORING_ADDON_NAME_CAMELCASE)
-                )
+                monitoring_addon_key = _get_monitoring_addon_key(mc, addon_consts)
+                monitoring_addon_profile = mc.addon_profiles.get(monitoring_addon_key)
                 if monitoring_addon_profile:
-                    monitoring_addon_key = (
-                        CONST_MONITORING_ADDON_NAME if CONST_MONITORING_ADDON_NAME in mc.addon_profiles
-                        else CONST_MONITORING_ADDON_NAME_CAMELCASE
-                    )
                     config = monitoring_addon_profile.config or {}
                     config["enableRetinaNetworkFlags"] = str(container_network_logs_enabled)
                     mc.addon_profiles[monitoring_addon_key].config = config
@@ -7692,9 +7673,12 @@ def _setup_azure_monitor_logs(self, mc: ManagedCluster) -> None:
         if not workspace_resource_id:
             ensure_workspace_func = (
                 self.context.external_functions.ensure_default_log_analytics_workspace_for_monitoring)
-            # Retry with backoff to handle 409 Conflict when workspace is still provisioning
-            # (common when parallel tests or commands target the same default workspace)
-            for attempt in range(3):
+            # Retry with exponential backoff + jitter to handle 409 Conflict when
+            # workspace is still provisioning (common when parallel commands target
+            # the same default workspace).  Delays: ~5 s, ~10 s, ~20 s (worst-case
+            # total ~52 s; fast path ~7 s if the first retry succeeds).
+            max_attempts = 4
+            for attempt in range(max_attempts):
                 try:
                     workspace_resource_id = ensure_workspace_func(
                         self.cmd,
@@ -7703,8 +7687,10 @@ def _setup_azure_monitor_logs(self, mc: ManagedCluster) -> None:
                     )
                     break
                 except (HttpResponseError, ResourceExistsError):
-                    if attempt < 2:
-                        time.sleep(30)
+                    if attempt < max_attempts - 1:
+                        base_delay = 5 * (2 ** attempt)  # 5 s, 10 s, 20 s
+                        jitter = random.uniform(0, base_delay * 0.5)
+                        time.sleep(base_delay + jitter)
                     else:
                         raise
 

src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py

@@ -19141,6 +19141,53 @@ def test_aks_update_standalone_enable_high_log_scale_mode(
             checks=[self.is_empty()],
         )
 
+    @AllowLargeResponse()
+    @AKSCustomResourceGroupPreparer(
+        random_name_length=17,
+        name_prefix="clitest",
+        location="westus2",
+    )
+    def test_aks_update_disable_hlsm_error_when_cnl_enabled(
+        self, resource_group, resource_group_location
+    ):
+        """Test that disabling --enable-high-log-scale-mode raises an error
+        when container network logs are already enabled on the cluster."""
+        self.test_resources_count = 0
+        aks_name = self.create_random_name("cliakstest", 16)
+        self.kwargs.update(
+            {
+                "resource_group": resource_group,
+                "name": aks_name,
+                "ssh_key_value": self.generate_ssh_keys(),
+                "location": resource_group_location,
+            }
+        )
+
+        # Create cluster with monitoring + CNL + HLSM
+        create_cmd = (
+            "aks create --resource-group={resource_group} --name={name} --location={location} "
+            "--ssh-key-value={ssh_key_value} --node-count=1 "
+            "--enable-azure-monitor-logs --enable-managed-identity "
+            "--enable-acns --enable-container-network-logs --output=json"
+        )
+        self.cmd(create_cmd, checks=[
+            self.check("provisioningState", "Succeeded"),
+        ])
+
+        # Attempt to disable HLSM while CNL is still enabled — should fail
+        disable_cmd = (
+            "aks update --resource-group={resource_group} --name={name} --yes "
+            "--enable-high-log-scale-mode false --output=json"
+        )
+        with self.assertRaisesRegex(Exception, "container network logs"):
+            self.cmd(disable_cmd)
+
+        # delete
+        self.cmd(
+            "aks delete -g {resource_group} -n {name} --yes --no-wait",
+            checks=[self.is_empty()],
+        )
+
     @AllowLargeResponse()
     @AKSCustomResourceGroupPreparer(
         random_name_length=17,