[AKS] Add mesh Istio CNI commands for az aks mesh

Author: German Robayo Paz

src/aks-preview/azext_aks_preview/_consts.py

@@ -334,6 +334,8 @@
 CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK = "Rollback"
 CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE = "aks-istio-egress"
 CONST_AZURE_SERVICE_MESH_MAX_EGRESS_NAME_LENGTH = 253
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS = "InitContainers"
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING = "CNIChaining"
 
 # Node Provisioning Mode Consts
 CONST_NODE_PROVISIONING_MODE_MANUAL = "Manual"

src/aks-preview/azext_aks_preview/_help.py

@@ -3554,6 +3554,23 @@
         text: az aks mesh upgrade rollback --resource-group MyResourceGroup --name MyManagedCluster
 """
 
+helps['aks mesh enable-istio-cni'] = """
+    type: command
+    short-summary: Enable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
+    long-summary: This command enables Istio CNI chaining as the proxy redirection mechanism for Azure Service Mesh. CNI chaining provides better security and performance compared to init containers by using CNI plugins to set up traffic redirection.
+    examples:
+      - name: Enable Istio CNI chaining for Azure Service Mesh.
+        text: az aks mesh enable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
+"""
+
+helps['aks mesh disable-istio-cni'] = """
+    type: command
+    short-summary: Disable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
+    long-summary: This command disables Istio CNI chaining and reverts to using init containers as the proxy redirection mechanism for Azure Service Mesh. This is the traditional method using privileged init containers to set up iptables rules.
+    examples:
+      - name: Disable Istio CNI chaining for Azure Service Mesh.
+        text: az aks mesh disable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
+"""
 
 helps['aks approuting'] = """
     type: group

src/aks-preview/azext_aks_preview/commands.py

@@ -441,6 +441,16 @@ def load_command_table(self, _):
             "aks_mesh_get_upgrades",
             table_transformer=aks_mesh_upgrades_table_format,
         )
+        g.custom_command(
+            "enable-istio-cni",
+            "aks_mesh_enable_istio_cni",
+            supports_no_wait=True,
+        )
+        g.custom_command(
+            "disable-istio-cni",
+            "aks_mesh_disable_istio_cni",
+            supports_no_wait=True,
+        )
 
     # AKS mesh upgrade commands
     with self.command_group(

src/aks-preview/azext_aks_preview/custom.py

@@ -3972,6 +3972,38 @@ def aks_mesh_upgrade_rollback(
         mesh_upgrade_command=CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK)
 
 
+def aks_mesh_enable_istio_cni(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+):
+    """Enable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
+    return _aks_mesh_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        enable_istio_cni=True,
+    )
+
+
+def aks_mesh_disable_istio_cni(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+):
+    """Disable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
+    return _aks_mesh_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        disable_istio_cni=True,
+    )
+
+
 def _aks_mesh_get_supported_revisions(
         cmd,
         client,
@@ -4006,6 +4038,8 @@ def _aks_mesh_update(
         revision=None,
         yes=False,
         mesh_upgrade_command=None,
+        enable_istio_cni=None,
+        disable_istio_cni=None,
 ):
     raw_parameters = locals()
 

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -19,6 +19,8 @@
     CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK,
     CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_START,
     CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE,
+    CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING,
+    CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS,
     CONST_LOAD_BALANCER_SKU_BASIC,
     CONST_MANAGED_CLUSTER_SKU_NAME_BASE,
     CONST_MANAGED_CLUSTER_SKU_NAME_AUTOMATIC,
@@ -3233,6 +3235,42 @@ def _handle_enable_disable_asm(self, new_profile: ServiceMeshProfile) -> Tuple[S
 
         return new_profile, updated
 
+    def _handle_istio_cni_asm(self, new_profile: ServiceMeshProfile) -> Tuple[ServiceMeshProfile, bool]:
+        """Handle enable/disable Istio CNI proxy redirection mechanism."""
+        updated = False
+        enable_istio_cni = self.raw_param.get("enable_istio_cni", False)
+        disable_istio_cni = self.raw_param.get("disable_istio_cni", False)
+
+        if enable_istio_cni and disable_istio_cni:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot both enable and disable Istio CNI at the same time.",
+            )
+
+        # Check if service mesh is enabled before allowing CNI changes
+        if enable_istio_cni or disable_istio_cni:
+            if new_profile is None or new_profile.mode == CONST_AZURE_SERVICE_MESH_MODE_DISABLED:
+                raise ArgumentUsageError(
+                    "Istio has not been enabled for this cluster, please refer to https://aka.ms/asm-aks-addon-docs "
+                    "for more details on enabling Azure Service Mesh."
+                )
+
+            # Ensure istio profile exists
+            if new_profile.istio is None:
+                new_profile.istio = self.models.IstioServiceMesh()  # pylint: disable=no-member
+                
+            # Ensure components exist
+            if new_profile.istio.components is None:
+                new_profile.istio.components = self.models.IstioComponents()  # pylint: disable=no-member
+
+            if enable_istio_cni:
+                new_profile.istio.components.proxy_redirection_mechanism = CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING
+                updated = True
+            elif disable_istio_cni:
+                new_profile.istio.components.proxy_redirection_mechanism = CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS
+                updated = True
+
+        return new_profile, updated
+
     # pylint: disable=too-many-branches,too-many-locals,too-many-statements
     def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         """ Update azure service mesh profile.
@@ -3267,6 +3305,9 @@ def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         new_profile, updated_upgrade_asm = self._handle_upgrade_asm(new_profile)
         updated |= updated_upgrade_asm
 
+        new_profile, updated_istio_cni = self._handle_istio_cni_asm(new_profile)
+        updated |= updated_istio_cni
+
         if updated:
             return new_profile
         return self.mc.service_mesh_profile