Merge branch 'main' of github.com:Azure/azure-cli-extensions into bump-holmesgpt

Author: mainred

src/aks-preview/HISTORY.rst

@@ -11,6 +11,24 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* `az aks update`: Add new parameter `--kms-infrastructure-encryption` to enable KMS infrastructure encryption on an existing cluster.
+
+18.0.0b44
++++++++
+* Vendor new SDK and bump API version to 2025-08-02-preview.
+* Pre-deprecate `--enable-custom-ca-trust` and `--disable-custom-ca-trust` in `az aks create`, `az aks update` commands.
+* Hide `--enable-managed-system-pool` parameter for `az aks create` for now, as the feature is not ready yet.
+
+18.0.0b43
++++++++
+* Fix `--localdns-config` parameter to handle null values and case-insensitive JSON keys in DNS override sections, preventing crashes with malformed localdns configuration files.
+* Enhance `build_override` function to validate dictionary types and only initialize DNS overrides when present in localdns configuration (case-insensitive).
+* Refactor `build_localdns_profile` function to eliminate code duplication between AgentPool add and update operations.
+
+18.0.0b42
++++++++
+* Fix role assignment failure when using azure-cli version >= `2.77.0`.
+* Add option `Flatcar` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
 
 18.0.0b41
 +++++++
@@ -32,7 +50,7 @@ Pending
 * Add option `AzureLinuxOSGuard` and `AzureLinux3OSGuard` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
 * Add machine command `az aks machine add` to add a machine to an existing machine pool.
 * Add blue-green upgrade strategy support for AKS node pools:
-  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades. 
+  - `az aks nodepool add/update/upgrade`: Add `--upgrade-strategy` parameter to switch between rolling and blue-green nodepool upgrades.
   - `az aks nodepool add/update/upgrade`: Add `--drain-batch-size`, `--drain-timeout-bg`, `--batch-soak-duration`, `--final-soak-duration` parameters to configure blue-green upgrade settings.
 
 18.0.0b38
@@ -2012,4 +2030,4 @@ Pending
 +++++
 
 * new feature `enable-cluster-autoscaler`
-* default agentType is VMSS
+* default agentType is VMSS

src/aks-preview/azext_aks_preview/_consts.py

@@ -40,6 +40,7 @@
 CONST_OS_SKU_WINDOWSANNUAL = "WindowsAnnual"
 CONST_OS_SKU_AZURELINUX = "AzureLinux"
 CONST_OS_SKU_AZURELINUX3 = "AzureLinux3"
+CONST_OS_SKU_FLATCAR = "Flatcar"
 CONST_OS_SKU_UBUNTU2204 = "Ubuntu2204"
 CONST_OS_SKU_UBUNTU2404 = "Ubuntu2404"
 CONST_OS_SKU_AZURELINUXOSGUARD = "AzureLinuxOSGuard"

src/aks-preview/azext_aks_preview/_help.py

@@ -271,7 +271,7 @@
           short-summary: The ID of a PPG.
         - name: --os-sku
           type: string
-          short-summary: The os-sku of the agent node pool. Ubuntu or CBLMariner.
+          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux, AzureLinux3, AzureLinuxOSGuard, AzureLinux3OSGuard, or Flatcar when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
         - name: --enable-fips-image
           type: bool
           short-summary: Use FIPS-enabled OS on agent nodes.
@@ -1110,6 +1110,10 @@
         - name: --azure-keyvault-kms-key-vault-resource-id
           type: string
           short-summary: Resource ID of Azure Key Vault.
+        - name: --kms-infrastructure-encryption
+          type: string
+          short-summary: Enable encryption at rest of Kubernetes resource objects using service-managed keys.
+          long-summary: Enable infrastructure encryption for Kubernetes resource objects. This feature provides encryption at rest for cluster secrets and configuration using service-managed keys. For more information see https://aka.ms/aks/kubernetesResourceObjectEncryption.
         - name: --enable-image-cleaner
           type: bool
           short-summary: Enable ImageCleaner Service.
@@ -1928,7 +1932,7 @@
           short-summary: The OS Type. Linux or Windows. Windows not supported yet for "VirtualMachines" VM set type.
         - name: --os-sku
           type: string
-          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux， AzureLinux3, AzureLinuxOSGuard, or AzureLinux3OSGuard when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
+          short-summary: The os-sku of the agent node pool. Ubuntu, Ubuntu2204, Ubuntu2404, CBLMariner, AzureLinux, AzureLinux3, AzureLinuxOSGuard, AzureLinux3OSGuard, or Flatcar when os-type is Linux, default is Ubuntu if not set; Windows2019, Windows2022, Windows2025, or WindowsAnnual when os-type is Windows, the current default is Windows2022 if not set.
         - name: --enable-fips-image
           type: bool
           short-summary: Use FIPS-enabled OS on agent nodes.

src/aks-preview/azext_aks_preview/_helpers.py

@@ -460,6 +460,10 @@ def process_dns_overrides(overrides_dict, target_dict, build_override_func):
     :param target_dict: Target dictionary to populate with processed overrides
     :param build_override_func: Function to build override objects from dict values
     """
+    if not isinstance(overrides_dict, dict):
+        raise InvalidArgumentValueError(
+            f"Expected a dictionary for DNS overrides, but got {type(overrides_dict).__name__}: {overrides_dict}"
+        )
     if overrides_dict is not None:
         for key, value in overrides_dict.items():
             if value is not None:

src/aks-preview/azext_aks_preview/_params.py

@@ -93,6 +93,7 @@
     CONST_OS_DISK_TYPE_MANAGED,
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_CBLMARINER,
     CONST_OS_SKU_MARINER,
     CONST_OS_SKU_AZURELINUXOSGUARD,
@@ -280,6 +281,7 @@
 node_os_skus_create = [
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_UBUNTU,
     CONST_OS_SKU_CBLMARINER,
     CONST_OS_SKU_MARINER,
@@ -297,6 +299,7 @@
 node_os_skus_update = [
     CONST_OS_SKU_AZURELINUX,
     CONST_OS_SKU_AZURELINUX3,
+    CONST_OS_SKU_FLATCAR,
     CONST_OS_SKU_UBUNTU,
     CONST_OS_SKU_UBUNTU2204,
     CONST_OS_SKU_UBUNTU2404,
@@ -1124,7 +1127,10 @@ def load_arguments(self, _):
         # virtual machines
         c.argument("vm_sizes", is_preview=True)
         c.argument("enable_imds_restriction", action="store_true", is_preview=True)
-        c.argument("enable_managed_system_pool", action="store_true", is_preview=True)
+        c.argument("enable_managed_system_pool",
+                   action="store_true",
+                   is_preview=True,
+                   deprecate_info=c.deprecate(target="--enable-managed-system-pool", hide=True))
         c.argument("enable_upstream_kubescheduler_user_configuration", action="store_true", is_preview=True)
 
     with self.argument_context("aks update") as c:
@@ -1261,6 +1267,11 @@ def load_arguments(self, _):
             "azure_keyvault_kms_key_vault_resource_id",
             validator=validate_azure_keyvault_kms_key_vault_resource_id,
         )
+        c.argument(
+            "kms_infrastructure_encryption",
+            arg_type=get_enum_type(["Enabled", "Disabled"]),
+            is_preview=True,
+        )
         c.argument("http_proxy_config")
         c.argument(
             "bootstrap_artifact_source",

src/aks-preview/azext_aks_preview/_roleassignments.py

@@ -3,103 +3,8 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-import time
-import uuid
-
-from azure.cli.command_modules.acs._client_factory import (
-    get_auth_management_client,
+# pylint: disable=unused-import
+from azure.cli.command_modules.acs._roleassignments import (
+    add_role_assignment,
+    add_role_assignment_executor,
 )
-from azure.cli.command_modules.acs._graph import resolve_object_id
-from azure.cli.command_modules.acs._roleassignments import build_role_scope, resolve_role_id
-from azure.cli.core.azclierror import AzCLIError
-from azure.cli.core.profiles import ResourceType, get_sdk
-from azure.core.exceptions import HttpResponseError, ResourceExistsError
-from knack.log import get_logger
-
-logger = get_logger(__name__)
-
-# pylint: disable=protected-access
-
-
-# temp workaround for the breaking change caused by default API version bump of the auth SDK
-def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    return _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal, delay, scope)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_executor_new(cmd, role, assignee, resource_group_name=None, scope=None, resolve_assignee=True):
-    factory = get_auth_management_client(cmd.cli_ctx, scope)
-    assignments_client = factory.role_assignments
-    definitions_client = factory.role_definitions
-
-    # FIXME: is this necessary?
-    if assignments_client._config is None:
-        raise AzCLIError("Assignments client config is undefined.")
-
-    scope = build_role_scope(resource_group_name, scope, assignments_client._config.subscription_id)
-
-    # XXX: if role is uuid, this function's output cannot be used as role assignment defintion id
-    # ref: https://github.com/Azure/azure-cli/issues/2458
-    role_id = resolve_role_id(role, scope, definitions_client)
-
-    # If the cluster has service principal resolve the service principal client id to get the object id,
-    # if not use MSI object id.
-    object_id = resolve_object_id(cmd.cli_ctx, assignee) if resolve_assignee else assignee
-
-    assignment_name = uuid.uuid4()
-    custom_headers = None
-
-    RoleAssignmentCreateParameters = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentCreateParameters",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    if cmd.supported_api_version(min_api="2018-01-01-preview", resource_type=ResourceType.MGMT_AUTHORIZATION):
-        parameters = RoleAssignmentCreateParameters(role_definition_id=role_id, principal_id=object_id,
-                                                    principal_type=None)
-        return assignments_client.create(scope, assignment_name, parameters, headers=custom_headers)
-
-    # for backward compatibility
-    RoleAssignmentProperties = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentProperties",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    properties = RoleAssignmentProperties(role_definition_id=role_id, principal_id=object_id)
-    return assignments_client.create(scope, assignment_name, properties, headers=custom_headers)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    # AAD can have delays in propagating data, so sleep and retry
-    hook = cmd.cli_ctx.get_progress_controller(True)
-    hook.add(message="Waiting for AAD role to propagate", value=0, total_val=1.0)
-    logger.info("Waiting for AAD role to propagate")
-    for x in range(0, 10):
-        hook.add(message="Waiting for AAD role to propagate", value=0.1 * x, total_val=1.0)
-        try:
-            # TODO: break this out into a shared utility library
-            _add_role_assignment_executor_new(
-                cmd,
-                role,
-                service_principal_msi_id,
-                scope=scope,
-                resolve_assignee=is_service_principal,
-            )
-            break
-        except HttpResponseError as ex:
-            if isinstance(ex, ResourceExistsError) or "The role assignment already exists." in ex.message:
-                break
-            logger.info(ex.message)
-        except Exception as ex:  # pylint: disable=broad-except
-            logger.error(str(ex))
-        time.sleep(delay + delay * x)
-    else:
-        return False
-    hook.add(message="AAD role propagation done", value=1.0, total_val=1.0)
-    logger.info("AAD role propagation done")
-    return True