[aks-agent] Separate Azure OpenAI providers and add --yes flag

- Split Azure OpenAI provider into two separate providers:
  - Azure OpenAI (API Key): Requires API key authentication
  - Azure OpenAI (Microsoft Entra ID): Supports keyless authentication
- Add role assignment reminders in helm deployment for keyless auth
- Add --yes/-y flag to agent-cleanup command to skip confirmation
- Change secret empty data message from warning to debug level
- Bump to v0.7.1 (suppress litellm debug logs)

Author: mainred

src/aks-agent/HISTORY.rst

@@ -14,7 +14,10 @@ Pending
 
 1.0.0b22
 ++++++++
-* Feature: Add Microsoft Entra ID (formerly Azure AD) authentication support for Azure OpenAI
+* Bump aks-agent to v0.7.1
+  * Suppress litellm debug logs
+* Feature: Separate Azure OpenAI provider into API Key and Microsoft Entra ID (keyless) providers
+* Feature: Add --yes/-y flag to agent-cleanup command to skip confirmation prompt
 
 1.0.0b21
 ++++++++

src/aks-agent/azext_aks_agent/_consts.py

@@ -52,7 +52,7 @@
 AKS_MCP_LABEL_SELECTOR = "app.kubernetes.io/name=aks-mcp"
 
 # AKS Agent Version (shared by helm chart and docker image)
-AKS_AGENT_VERSION = "0.7.0"
+AKS_AGENT_VERSION = "0.7.1"
 
 # Helm Configuration
 HELM_VERSION = "3.16.0"

src/aks-agent/azext_aks_agent/_params.py

@@ -111,3 +111,9 @@ def load_arguments(self, _):
             help="The mode decides how the agent is deployed.",
             default="cluster",
         )
+        c.argument(
+            "yes",
+            options_list=["--yes", "-y"],
+            action="store_true",
+            help="Do not prompt for confirmation.",
+        )

src/aks-agent/azext_aks_agent/agent/k8s/aks_agent_manager.py

@@ -232,7 +232,7 @@ def _populate_api_keys_from_secret(self):
             )
 
             if not secret.data:
-                logger.warning("Secret '%s' exists but has no data", self.llm_secret_name)
+                logger.debug("Secret '%s' exists but has no data", self.llm_secret_name)
                 return
 
             # Decode secret data (base64 encoded)

src/aks-agent/azext_aks_agent/agent/llm_providers/__init__.py

@@ -5,11 +5,12 @@
 
 from typing import List, Tuple
 
-from azext_aks_agent.agent.console import ERROR_COLOR, HELP_COLOR
+from azext_aks_agent.agent.console import ERROR_COLOR, HELP_COLOR, INFO_COLOR
 from rich.console import Console
 
 from .anthropic_provider import AnthropicProvider
 from .azure_provider import AzureProvider
+from .azure_entraid_provider import AzureEntraIDProvider
 from .base import LLMProvider
 from .gemini_provider import GeminiProvider
 from .openai_compatible_provider import OpenAICompatibleProvider
@@ -19,11 +20,11 @@
 
 _PROVIDER_CLASSES: List[LLMProvider] = [
     AzureProvider,
+    AzureEntraIDProvider,
     OpenAIProvider,
     AnthropicProvider,
     GeminiProvider,
     OpenAICompatibleProvider,
-    # Add new providers here
 ]
 
 PROVIDER_REGISTRY = {}
@@ -49,8 +50,9 @@ def _get_provider_by_index(idx: int) -> LLMProvider:
     Raises ValueError if index is out of range.
     """
     if 1 <= idx <= len(_PROVIDER_CLASSES):
-        console.print("You selected provider:", _PROVIDER_CLASSES[idx - 1]().readable_name, style=f"bold {HELP_COLOR}")
-        return _PROVIDER_CLASSES[idx - 1]()
+        provider = _PROVIDER_CLASSES[idx - 1]()
+        console.print("You selected provider:", provider.readable_name, style=f"bold {HELP_COLOR}")
+        return provider
     raise ValueError(f"Invalid provider index: {idx}")
 
 

src/aks-agent/azext_aks_agent/agent/llm_providers/azure_entraid_provider.py

@@ -0,0 +1,58 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+
+from typing import Tuple
+
+from .base import LLMProvider, is_valid_url, non_empty
+
+
+def is_valid_api_base(v: str) -> bool:
+    if not v.startswith("https://"):
+        return False
+    return is_valid_url(v)
+
+
+class AzureEntraIDProvider(LLMProvider):
+    @property
+    def readable_name(self) -> str:
+        return "Azure OpenAI (Microsoft Entra ID)"
+
+    @property
+    def model_route(self) -> str:
+        return "azure"
+
+    @property
+    def parameter_schema(self):
+        return {
+            "model": {
+                "secret": False,
+                "default": None,
+                "hint": "ensure your deployment name is the same as the model name, e.g., gpt-5",
+                "validator": non_empty,
+                "alias": "deployment_name"
+            },
+            "api_base": {
+                "secret": False,
+                "default": None,
+                "validator": is_valid_api_base
+            },
+            "api_version": {
+                "secret": False,
+                "default": "2025-04-01-preview",
+                "hint": None,
+                "validator": non_empty
+            }
+        }
+
+    def validate_connection(self, params: dict) -> Tuple[str, str]:
+        api_base = params.get("api_base")
+        api_version = params.get("api_version")
+        deployment_name = params.get("model")
+
+        if not all([api_base, api_version, deployment_name]):
+            return "Missing required Azure parameters.", "retry_input"
+
+        return None, "save"

src/aks-agent/azext_aks_agent/agent/llm_providers/azure_provider.py

@@ -24,7 +24,7 @@ def is_valid_api_base(v: str) -> bool:
 class AzureProvider(LLMProvider):
     @property
     def readable_name(self) -> str:
-        return "Azure OpenAI"
+        return "Azure OpenAI (API Key)"
 
     @property
     def model_route(self) -> str:
@@ -43,8 +43,8 @@ def parameter_schema(self):
             "api_key": {
                 "secret": True,
                 "default": None,
-                "hint": "press enter to enable keyless authentication with Microsoft Entra ID",
-                "validator": lambda v: True
+                "hint": None,
+                "validator": non_empty
             },
             "api_base": {
                 "secret": False,
@@ -65,12 +65,9 @@ def validate_connection(self, params: dict) -> Tuple[str, str]:
         api_version = params.get("api_version")
         deployment_name = params.get("model")
 
-        if not all([api_base, api_version, deployment_name]):
+        if not all([api_key, api_base, api_version, deployment_name]):
             return "Missing required Azure parameters.", "retry_input"
 
-        if not api_key or not api_key.strip():
-            return None, "save"
-
         # REST API reference: https://learn.microsoft.com/en-us/azure/ai-foundry/openai/api-version-lifecycle?tabs=rest
         url = urljoin(api_base, f"openai/deployments/{deployment_name}/chat/completions")
 

src/aks-agent/azext_aks_agent/custom.py

@@ -19,6 +19,7 @@
 from azext_aks_agent.agent.k8s import AKSAgentManager, AKSAgentManagerClient
 from azext_aks_agent.agent.k8s.aks_agent_manager import AKSAgentManagerLLMConfigBase
 from azext_aks_agent.agent.llm_providers import prompt_provider_choice
+from azext_aks_agent.agent.llm_providers.azure_entraid_provider import AzureEntraIDProvider
 from azext_aks_agent.agent.telemetry import CLITelemetryClient
 from azure.cli.core.azclierror import AzCLIError
 from azure.cli.core.commands.client_factory import get_subscription_id
@@ -178,6 +179,19 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
         console.print(
             f"\n👤 Current service account in namespace '{aks_agent_manager.namespace}': {service_account_name}",
             style="cyan")
+        
+        # Check if using Azure Entra ID provider and show role assignment reminder
+        model_list = aks_agent_manager.get_llm_config()
+        if model_list and any("azure/" in model_name and not model_config.get("api_key") for model_name, model_config in model_list.items()):
+            console.print(
+                f"\n⚠️  IMPORTANT: If using keyless authentication with Azure OpenAI, ensure the 'Cognitive Services OpenAI User' or 'Azure AI Developer' role "
+                f"is assigned to the workload identity (service account: {service_account_name}).",
+                style=f"bold {INFO_COLOR}"
+            )
+            console.print(
+                "Learn more: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/managed-identity\n",
+                style=INFO_COLOR
+            )
 
     elif helm_status == "not_found":
         console.print(
@@ -196,6 +210,19 @@ def _setup_helm_deployment(console, aks_agent_manager: AKSAgentManager):
             "To have access to Azure resources, the service account should be annotated with "
             "'azure.workload.identity/client-id: <managed-identity-client-id>'.",
             style=WARNING_COLOR)
+        
+        # Check if using Azure Entra ID provider and show role assignment note
+        model_list = aks_agent_manager.get_llm_config()
+        if model_list and any("azure/" in model_name and not model_config.get("api_key") for model_name, model_config in model_list.items()):
+            console.print(
+                "\n⚠️  NOTE: You are using keyless authentication with Azure OpenAI. "
+                "Ensure the 'Cognitive Services OpenAI User' or 'Azure AI Developer' role is assigned to the workload identity.",
+                style=f"bold {INFO_COLOR}"
+            )
+            console.print(
+                "Learn more: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/managed-identity",
+                style=INFO_COLOR
+            )
 
         # Prompt user for service account name (required)
         while True:
@@ -422,6 +449,7 @@ def aks_agent_cleanup(
         cluster_name,
         namespace,
         mode=None,
+        yes=False,
 ):
     """Cleanup and uninstall the AKS agent."""
     with CLITelemetryClient(event_type="cleanup") as telemetry_client:
@@ -442,16 +470,17 @@ def aks_agent_cleanup(
                 f"⚠️  Warning: --namespace '{namespace}' is specified but will be ignored in client mode.",
                 style=WARNING_COLOR)
 
-        console.print(
-            "\n⚠️  Warning: This will uninstall the AKS agent and delete all associated resources.",
-            style=WARNING_COLOR)
+        if not yes:
+            console.print(
+                "\n⚠️  Warning: This will uninstall the AKS agent and delete all associated resources.",
+                style=WARNING_COLOR)
 
-        user_confirmation = console.input(
-            f"\n[{WARNING_COLOR}]Are you sure you want to proceed with cleanup? (y/N): [/]").strip().lower()
+            user_confirmation = console.input(
+                f"\n[{WARNING_COLOR}]Are you sure you want to proceed with cleanup? (y/N): [/]").strip().lower()
 
-        if user_confirmation not in ['y', 'yes']:
-            console.print("❌ Cleanup cancelled.", style=INFO_COLOR)
-            return
+            if user_confirmation not in ['y', 'yes']:
+                console.print("❌ Cleanup cancelled.", style=INFO_COLOR)
+                return
 
         console.print("\n🗑️  Starting cleanup (this typically takes a few seconds)...", style=INFO_COLOR)