Azure
diff --git a/‎scripts/ci/credscan/CredScanSuppressions.json‎
Lines changed: 29 additions & 0 deletions b/‎scripts/ci/credscan/CredScanSuppressions.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/aks-preview/HISTORY.rst‎
Lines changed: 8 additions & 0 deletions b/‎src/aks-preview/HISTORY.rst‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/_consts.py‎
Lines changed: 1 addition & 0 deletions b/‎src/aks-preview/azext_aks_preview/_consts.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 4 additions & 2 deletions b/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/agentpool_decorator.py‎
Lines changed: 24 additions & 3 deletions b/‎src/aks-preview/azext_aks_preview/agentpool_decorator.py‎
Lines changed: 24 additions & 3 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/managed_cluster_decorator.py‎
Lines changed: 46 additions & 1 deletion b/‎src/aks-preview/azext_aks_preview/managed_cluster_decorator.py‎
Lines changed: 46 additions & 1 deletion
@@ -294,6 +294,35 @@
         "src\\storage-preview\\azext_storage_preview\\tests\\latest\\recordings\\test_storage_account_local_user.yaml"
       ],
       "_justification": "Fake credentials for recordings reported by new version credential scanner."
+    },
+    {
+      "file": [
+        "src\\workloads\\azext_workloads\\tests\\latest\\recordings\\test_workloads_distributed_ha_avset_difftransrgShare.yaml",
+        "src\\workloads\\azext_workloads\\tests\\latest\\recordings\\test_workloads_distributed_ha_avzone_cusrestrustedtransshare.yaml",
+        "src\\workloads\\azext_workloads\\tests\\latest\\recordings\\test_workloads_distributed_trustedaccessnotransshare.yaml",
+        "src\\workloads\\azext_workloads\\tests\\latest\\recordings\\test_workloads_singlesystem_cusrestrusted.yaml",
+        "src\\workloads\\azext_workloads\\tests\\latest\\recordings\\test_workloads_singlesystem_notrusted.yaml"
+      ],
+      "_justification": "[Workloads] False positive."
+    },
+    {
+      "file": [
+        "src\\oracle-database\\azext_oracle_database\\tests\\latest\\test_oracle_db_systems.py",
+        "src\\oracle-database\\azext_oracle_database\\tests\\latest\\recordings\\test_create_db_system.yaml"
+      ],
+      "_justification": "[Oracle Database] False positive."
+    },
+    {
+      "file": [
+        "src\\load\\azext_load\\tests\\latest\\recordings\\test_load_test_run_download_files.yaml"
+      ],
+      "_justification": "[Load] False positive."
+    },
+    {
+      "file": [
+        "src\\databox\\testkey.pvk"
+      ],
+      "_justification": "[Databox] False positive."
     }
   ]
 }
@@ -11,11 +11,19 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+
+19.0.0b27
++++++++
+* `az aks nodepool add`: Fix `InvalidParameter` error when `mode` is `Machines`.
+
+19.0.0b26
++++++++
 * `az aks create/update`: Add `--enable-app-routing-istio` / `--disable-app-routing-istio` (short: `--enable-ari` / `--disable-ari`) flags to enable or disable Istio as a Gateway API implementation for App Routing.
 * `az aks approuting gateway istio enable/disable`: Add new subcommands to enable or disable the Istio Gateway API implementation for App Routing on an existing cluster.
 * `az aks machine add`: Add `--spot-max-price` flag support to set the max price (in US Dollars) you are willing to pay for spot instances on a machine.
 * `az aks machine add`: Add `--eviction-policy` flag support to set the eviction policy for a machine.
 * `az aks machine add`: Add `--enable-ultra-ssd` flag support to enable ultra ssd on a machine.
+* Add 'mTLS' as a transit encryption type option for `--acns-transit-encryption-type` in `az aks create/update`
 
 19.0.0b25
 +++++++
 
@@ -154,6 +154,7 @@
 # ACNS transit encryption type
 CONST_TRANSIT_ENCRYPTION_TYPE_NONE = "None"
 CONST_TRANSIT_ENCRYPTION_TYPE_WIREGUARD = "WireGuard"
+CONST_TRANSIT_ENCRYPTION_TYPE_MTLS = "mTLS"
 
 # ACNS performance acceleration mode
 CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE = "None"
 
@@ -158,6 +158,7 @@
     CONST_ADVANCED_NETWORKPOLICIES_L7,
     CONST_TRANSIT_ENCRYPTION_TYPE_NONE,
     CONST_TRANSIT_ENCRYPTION_TYPE_WIREGUARD,
+    CONST_TRANSIT_ENCRYPTION_TYPE_MTLS,
     CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH,
     CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE,
     CONST_UPGRADE_STRATEGY_ROLLING,
@@ -360,6 +361,7 @@
 transit_encryption_types = [
     CONST_TRANSIT_ENCRYPTION_TYPE_NONE,
     CONST_TRANSIT_ENCRYPTION_TYPE_WIREGUARD,
+    CONST_TRANSIT_ENCRYPTION_TYPE_MTLS,
 ]
 acns_datapath_acceleration_modes = [
     CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE,
@@ -970,7 +972,7 @@ def load_arguments(self, _):
             "acns_transit_encryption_type",
             is_preview=True,
             arg_type=get_enum_type(transit_encryption_types),
-            help="Specify the transit encryption type for ACNS. Available values are 'None' and 'WireGuard'.",
+            help="Specify the transit encryption type for ACNS. Available values are 'None', 'WireGuard', and 'mTLS'.",
         )
         c.argument(
             "enable_retina_flow_logs",
@@ -1648,7 +1650,7 @@ def load_arguments(self, _):
             "acns_transit_encryption_type",
             is_preview=True,
             arg_type=get_enum_type(transit_encryption_types),
-            help="Specify the transit encryption type for ACNS. Available values are 'None' and 'WireGuard'.",
+            help="Specify the transit encryption type for ACNS. Available values are 'None', 'WireGuard', and 'mTLS'.",
         )
         c.argument(
             "enable_retina_flow_logs",
 
@@ -46,6 +46,7 @@
     CONST_SSH_ACCESS_LOCALUSER,
     CONST_GPU_DRIVER_NONE,
     CONST_NODEPOOL_MODE_MANAGEDSYSTEM,
+    CONST_NODEPOOL_MODE_MACHINES,
 )
 from azext_aks_preview._helpers import (
     get_nodepool_snapshot_by_snapshot_id,
@@ -1452,6 +1453,25 @@ def set_up_managed_system_mode(self, agentpool: AgentPool) -> AgentPool:
 
         return agentpool
 
+    def set_up_machines_mode(self, agentpool: AgentPool) -> AgentPool:
+        """Handle the special Machines mode by resetting all properties except name and mode.
+
+        :param agentpool: the AgentPool object
+        :return: the AgentPool object
+        """
+        self._ensure_agentpool(agentpool)
+
+        mode = self.context.get_mode()
+        if mode == CONST_NODEPOOL_MODE_MACHINES:
+            agentpool.mode = CONST_NODEPOOL_MODE_MACHINES
+            # Make sure all other attributes are None
+            for attr in vars(agentpool):
+                if attr != 'name' and attr != 'mode' and not attr.startswith('_'):
+                    if hasattr(agentpool, attr):
+                        setattr(agentpool, attr, None)
+
+        return agentpool
+
     def set_up_localdns_profile(self, agentpool: AgentPool) -> AgentPool:
         """Set up local DNS profile for the AgentPool object if provided via --localdns-config."""
         self._ensure_agentpool(agentpool)
@@ -1468,11 +1488,12 @@ def construct_agentpool_profile_preview(self) -> AgentPool:
         # DO NOT MOVE: keep this on top, construct the default AgentPool profile
         agentpool = self.construct_agentpool_profile_default(bypass_restore_defaults=True)
 
-        # Check if mode is ManagedSystem, if yes, reset all properties
+        # Check if mode is ManagedSystem or Machines, if yes, reset all other properties
         agentpool = self.set_up_managed_system_mode(agentpool)
+        agentpool = self.set_up_machines_mode(agentpool)
 
-        # If mode is ManagedSystem, skip all other property setups
-        if agentpool.mode == CONST_NODEPOOL_MODE_MANAGEDSYSTEM:
+        # If mode is ManagedSystem or Machines, skip all other property setups
+        if agentpool.mode == CONST_NODEPOOL_MODE_MANAGEDSYSTEM or agentpool.mode == CONST_NODEPOOL_MODE_MACHINES:
             return agentpool
 
         # set up preview vm properties
 
@@ -51,7 +51,9 @@
     CONST_APP_ROUTING_ISTIO_MODE_ENABLED,
     CONST_APP_ROUTING_ISTIO_MODE_DISABLED,
     CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH,
-    CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE,
+    CONST_TRANSIT_ENCRYPTION_TYPE_MTLS,
+    CONST_ADVANCED_NETWORKPOLICIES_L7,
 )
 from azext_aks_preview.azurecontainerstorage._consts import (
     CONST_ACSTOR_EXT_INSTALLATION_NAME,
@@ -919,6 +921,49 @@ def get_acns_transit_encryption_type(self) -> Union[str, None]:
                 raise MutuallyExclusiveArgumentError(
                     "--disable-acns-security and --disable-acns cannot be used with --acns-transit-encryption-type."
                 )
+            if acns_transit_encryption_type == CONST_TRANSIT_ENCRYPTION_TYPE_MTLS:
+                # Check CLI args for L7
+                acns_advanced_networkpolicies = self.raw_param.get("acns_advanced_networkpolicies")
+                if acns_advanced_networkpolicies == CONST_ADVANCED_NETWORKPOLICIES_L7:
+                    raise MutuallyExclusiveArgumentError(
+                        "'--acns-transit-encryption-type mTLS' cannot be used with "
+                        "'--acns-advanced-networkpolicies L7'. "
+                        "Please choose either '--acns-advanced-networkpolicies L7' or "
+                        "'--acns-transit-encryption-type mTLS', but not both."
+                    )
+                # Check CLI args for Istio
+                enable_asm = self.raw_param.get("enable_azure_service_mesh", False)
+                if enable_asm:
+                    raise MutuallyExclusiveArgumentError(
+                        "'--acns-transit-encryption-type mTLS' cannot be used with "
+                        "'--enable-azure-service-mesh'. "
+                        "Please remove '--enable-azure-service-mesh' or choose a different "
+                        "transit encryption type."
+                    )
+                # On update, check existing cluster state
+                if self.decorator_mode == DecoratorMode.UPDATE and self.mc:
+                    # Check if existing cluster has L7 enabled and user is not changing it
+                    if (acns_advanced_networkpolicies is None and
+                            self.mc.network_profile and
+                            self.mc.network_profile.advanced_networking and
+                            self.mc.network_profile.advanced_networking.security and
+                            self.mc.network_profile.advanced_networking.security.advanced_network_policies ==
+                            CONST_ADVANCED_NETWORKPOLICIES_L7):
+                        raise MutuallyExclusiveArgumentError(
+                            "'--acns-transit-encryption-type mTLS' cannot be used with L7 advanced network policies. "
+                            "The existing cluster already has L7 enabled. Please disable L7 by passing "
+                            "'--acns-advanced-networkpolicies None' or choose a different transit encryption type."
+                        )
+                    # Check if existing cluster has Istio enabled and user is not disabling it
+                    disable_asm = self.raw_param.get("disable_azure_service_mesh", False)
+                    if (not disable_asm and
+                            self.mc.service_mesh_profile and
+                            self.mc.service_mesh_profile.mode == CONST_AZURE_SERVICE_MESH_MODE_ISTIO):
+                        raise MutuallyExclusiveArgumentError(
+                            "'--acns-transit-encryption-type mTLS' cannot be used with Istio service mesh. "
+                            "The existing cluster already has Istio enabled. Please disable Istio by passing "
+                            "'--disable-azure-service-mesh' or choose a different transit encryption type."
+                        )
         return self.raw_param.get("acns_transit_encryption_type")
 
     # Container network logs is the new name for retina flow logs.