Merge branch 'dev' into add-validation-level

Author: jeskew

.github/policies/resourceManagement.yml

@@ -593,13 +593,11 @@ configuration:
         then:
         - mentionUsers:
             mentionees:
-            - mksuni
-            - bgklein
-            - mscurrell
             - dpwatrous
-            - gingi
-            - paterasMSFT
+            - wiboris
             - cRui861
+            - skapur12
+            - wanghoppe
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
       - if:
@@ -1555,7 +1553,6 @@ configuration:
         - mentionUsers:
             mentionees:
             - sourabhguha
-            - inesk-vt
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
       - if:
@@ -2990,6 +2987,20 @@ configuration:
             - xgithubtriage
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
+      - if:
+        - hasLabel:
+            label: Service Attention
+        - hasLabel:
+            label: Storage Action
+        then:
+        - mentionUsers:
+            mentionees:
+            - blueww
+            - sshankMSFT
+            - golddove
+            - S-J-M
+            replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
+            assignMentionees: False
       - if:
         - hasLabel:
             label: Service Attention

linter_exclusions.yml

@@ -291,6 +291,9 @@ aks create:
     azure_keyvault_kms_key_vault_resource_id:
       rule_exclusions:
         - option_length_too_long
+    node_provisioning_default_pools:
+      rule_exclusions:
+        - option_length_too_long
 aks enable-addons:
   parameters:
     workspace_resource_id:
@@ -374,6 +377,9 @@ aks update:
     azure_keyvault_kms_key_vault_resource_id:
       rule_exclusions:
         - option_length_too_long
+    node_provisioning_default_pools:
+      rule_exclusions:
+        - option_length_too_long
 aks update-credentials:
   parameters:
     aad_server_app_secret:

scripts/ci/test_extensions.sh

@@ -32,8 +32,16 @@ set +e
 
 for ext in $output; do
     echo
-    # Use regex to detect if $ext is in $ignore_list
-    if [[ $ignore_list =~ $ext ]]; then
+    # Exact string matching against each item in the ignore list
+    ignore_match=0
+    for item in $ignore_list; do
+        if [ "$ext" = "$item" ]; then
+            ignore_match=1
+            break
+        fi
+    done
+    
+    if [ $ignore_match -eq 1 ]; then
         echo "Ignore extension: $ext"
         continue
     fi

src/azure-cli/azure/cli/command_modules/acr/_validators.py

@@ -19,6 +19,8 @@
                     " manifest specifier such as 'myregistry.azurecr.io/hello-world:latest' or"\
                     " 'myregistry.azurecr.io/hello-world@sha256:abc123'."
 BAD_REGISTRY_NAME = "Registry names may contain only alpha numeric characters and must be between 5 and 50 characters"
+INVALID_LOGIN_SERVER_SUFFIX = "The login server suffix is not valid for the current cloud. Please try again using"\
+                              " '{}'."
 
 logger = get_logger(__name__)
 
@@ -104,29 +106,42 @@ def validate_retention_days(namespace):
 
 
 def validate_registry_name(cmd, namespace):
-    """Omit login server endpoint suffix."""
+    """Omit login server endpoint suffix and domain name label (DNL) hash if given."""
     registry = namespace.registry_name
     if registry is None:
         return
     suffixes = cmd.cli_ctx.cloud.suffixes
-    dnl_hash = registry.find("-")
-
-    if dnl_hash > 0:
-        logger.warning(
-            "Registry name is %s. The following suffix '%s' is automatically omitted.",
-            registry[:dnl_hash],
-            registry[dnl_hash:])
-        namespace.registry_name = registry[:dnl_hash]
+
+    # Split registry login server into components ['myregistry-dnlhash', '.azurecr.io']
+    registry_parts = registry.split('.', 1)
+    trimmed_registry_name = registry_parts[0]
+    registry_login_server_suffix = '.' + registry_parts[1] if len(registry_parts) > 1 else ''
+
+    dnl_hash_index = trimmed_registry_name.find("-")
+
+    # Registry name has hyphen but no login server endpoint suffix
+    if registry_login_server_suffix == '' and dnl_hash_index != -1:
+        raise InvalidArgumentValueError(BAD_REGISTRY_NAME)
+
     # Some clouds do not define 'acr_login_server_endpoint' (e.g. AzureGermanCloud)
-    elif hasattr(suffixes, 'acr_login_server_endpoint'):
+    if hasattr(suffixes, 'acr_login_server_endpoint'):
         acr_suffix = suffixes.acr_login_server_endpoint
-        pos = registry.find(acr_suffix)
-        if pos > 0:
-            logger.warning("Registry name is %s. The following suffix '%s' is automatically omitted.",
-                           registry[:pos],
-                           acr_suffix)
-            namespace.registry_name = registry[:pos]
-            registry = registry[:pos]
+        if registry_login_server_suffix.lower() == acr_suffix and registry_login_server_suffix != '':
+            if dnl_hash_index != -1:
+                removed_suffix = trimmed_registry_name[dnl_hash_index:] + registry_login_server_suffix
+                registry_name = trimmed_registry_name[:dnl_hash_index]
+            else:
+                removed_suffix = registry_login_server_suffix
+                registry_name = trimmed_registry_name
+            logger.warning("Registry name is '%s'. The following suffix '%s' is automatically omitted.",
+                           registry_name,
+                           removed_suffix)
+        else:
+            if registry_login_server_suffix != '':
+                raise InvalidArgumentValueError(INVALID_LOGIN_SERVER_SUFFIX.format(acr_suffix))
+            registry_name = trimmed_registry_name
+        namespace.registry_name = registry_name
+        registry = registry_name
 
     registry = namespace.registry_name
     if not re.match(ACR_NAME_VALIDATION_REGEX, registry):

src/azure-cli/azure/cli/command_modules/acr/check_health.py

@@ -345,7 +345,8 @@ def _check_registry_health(cmd, registry_name, repository, ignore_errors):
     status_validated = _get_registry_status(login_server, registry_name, ignore_errors)
     if status_validated:
         RoleAssignmentMode = cmd.get_models('RoleAssignmentMode')
-        registry_abac_enabled = registry.role_assignment_mode == RoleAssignmentMode.ABAC_REPOSITORY_PERMISSIONS
+        registry_abac_enabled = \
+            registry and registry.role_assignment_mode == RoleAssignmentMode.ABAC_REPOSITORY_PERMISSIONS
         _get_endpoint_and_token_status(cmd, login_server, registry_abac_enabled, repository, ignore_errors)
 
     if cmd.supported_api_version(min_api='2020-11-01-preview', resource_type=ResourceType.MGMT_CONTAINERREGISTRY):  # pylint: disable=too-many-nested-blocks

src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_validators.py

@@ -6,22 +6,11 @@
 import unittest
 from types import SimpleNamespace
 from unittest.mock import Mock
+from azure.cli.core.azclierror import InvalidArgumentValueError
 from azure.cli.core.cloud import HARD_CODED_CLOUD_LIST
 from azure.cli.command_modules.acr._validators import validate_registry_name
 
-class AcrValidatorsTests(unittest.TestCase):
-    def test_registry_name_with_dnl_suffix(self):
-        acr_supported_clouds = [cloud for cloud in HARD_CODED_CLOUD_LIST if cloud.name != 'AzureGermanCloud']
-        for hard_coded_cloud in acr_supported_clouds:
-            namespace = SimpleNamespace(
-                    **{
-                        "registry_name": "myacr-dnlhash123",
-                    }
-                )
-            cmd = Mock(cli_ctx=Mock(cloud=hard_coded_cloud))
-            validate_registry_name(cmd, namespace)
-            self.assertEqual(namespace.registry_name, 'myacr')
-    
+class AcrValidatorsTests(unittest.TestCase):  
     def test_registry_name_with_dnl_suffix_loginserver(self):
         namespace = SimpleNamespace(
             **{
@@ -33,3 +22,41 @@ def test_registry_name_with_dnl_suffix_loginserver(self):
         validate_registry_name(cmd, namespace)
         self.assertEqual(namespace.registry_name, 'myacr')
 
+    def test_registry_name_valid_inputs(self):
+        """Test valid registry names that should pass validation."""
+        test_cases = [
+            # (input_registry_name, expected_output)
+            ("validregistry.azurecr.io", "validregistry"),
+            ("myregistry123-dnlhasd234.azurecr.io", "myregistry123"),
+            ("test5chars", "test5chars"),
+            ("a" * 50, "a" * 50),  # Maximum length
+            ("registry2024", "registry2024"),
+        ]
+        
+        azure_public_cloud = HARD_CODED_CLOUD_LIST[0]
+        cmd = Mock(cli_ctx=Mock(cloud=azure_public_cloud))
+        
+        for input_name, expected_output in test_cases:
+            with self.subTest(input_name=input_name):
+                namespace = SimpleNamespace(registry_name=input_name)
+                validate_registry_name(cmd, namespace)
+                self.assertEqual(namespace.registry_name, expected_output)
+    
+    def test_registry_name_invalid_inputs_should_raise_error(self):
+        """Test invalid registry names that should raise InvalidArgumentValueError."""
+        invalid_inputs = [
+            "myregistry-hash123",  # Has hyphen but no suffix
+            "test.invalid.suffix",  # Invalid suffix
+            "registry.azurecr.io124567",  # Wrong suffix
+            "my-registry.wrongsuffix.io",  # Invalid suffix with hyphen
+            "78787%^&*(()).azurecr.io" # invalid characters
+        ]
+        
+        azure_public_cloud = HARD_CODED_CLOUD_LIST[0]
+        cmd = Mock(cli_ctx=Mock(cloud=azure_public_cloud))
+        
+        for invalid_input in invalid_inputs:
+            with self.subTest(invalid_input=invalid_input):
+                namespace = SimpleNamespace(registry_name=invalid_input)
+                with self.assertRaises(InvalidArgumentValueError):
+                    validate_registry_name(cmd, namespace)

src/azure-cli/azure/cli/command_modules/acs/__init__.py

@@ -21,6 +21,17 @@ def __init__(self, cli_ctx=None):
 
     def load_command_table(self, args):
         from azure.cli.command_modules.acs.commands import load_command_table
+        from azure.cli.core.aaz import load_aaz_command_table
+        try:
+            from . import aaz
+        except ImportError:
+            aaz = None
+        if aaz:
+            load_aaz_command_table(
+                loader=self,
+                aaz_pkg_name=aaz.__name__,
+                args=args
+            )
         load_command_table(self, args)
         return self.command_table
 

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -233,6 +233,14 @@
 CONST_ARTIFACT_SOURCE_DIRECT = "Direct"
 CONST_ARTIFACT_SOURCE_CACHE = "Cache"
 
+# node provisioning mode
+CONST_NODE_PROVISIONING_MODE_MANUAL = "Manual"
+CONST_NODE_PROVISIONING_MODE_AUTO = "Auto"
+
+# node provisioning default pools
+CONST_NODE_PROVISIONING_DEFAULT_POOLS_NONE = "None"
+CONST_NODE_PROVISIONING_DEFAULT_POOLS_AUTO = "Auto"
+
 
 # consts for decorator pattern
 class DecoratorMode(Enum):

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -454,6 +454,9 @@
     type: string
     short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for Linux nodes.
     long-summary: These certificates are used by Custom CA Trust feature and will be added to trust stores of nodes.
+  - name: --disable-run-command
+    type: bool
+    short-summary: Disable Run command feature for the cluster.
   - name: --enable-defender
     type: bool
     short-summary: Enable Microsoft Defender security profile.
@@ -599,6 +602,17 @@
   - name: --enable-static-egress-gateway
     type: bool
     short-summary: Enable Static Egress Gateway addon to the cluster.
+  - name: --node-provisioning-mode
+    type: string
+    short-summary: Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.
+  - name: --node-provisioning-default-pools
+    type: string
+    short-summary: The set of default Karpenter NodePools configured for node provisioning. Valid values are "Auto" and "None".
+    long-summary: |-
+        The set of default Karpenter NodePools configured for node provisioning. Valid values are "Auto" and "None".
+        Auto: A standard set of Karpenter NodePools are provisioned.
+        None: No Karpenter NodePools are provisioned.
+        WARNING: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will in turn drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action.
 examples:
   - name: Create a Kubernetes cluster with an existing SSH public key.
     text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -678,6 +692,10 @@
     text: az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu --max-pods MaxPodsPerNode --network-plugin azure --vnet-subnet-id /subscriptions/SubID/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/NodeSubnet --pod-subnet-id /subscriptions/SubID/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/PodSubnet --pod-ip-allocation-mode StaticBlock
   - name: Create a kubernetes cluster with VirtualMachines vm set type.
     text: az aks create -g MyResourceGroup -n MyManagedCluster --vm-set-type VirtualMachines --vm-sizes "VMSize1,VMSize2" --node-count 3
+  - name: Create a kubernetes cluster with auto node provisioning.
+    text: az aks create -g MyResourceGroup -n MyManagedCluster --node-provisioning-mode Auto
+  - name: Create a kubernetes cluster with auto node provisioning and no default pools.
+    text: az aks create -g MyResourceGroup -n MyManagedCluster --node-provisioning-mode Auto --node-provisioning-default-pools None
 """
 
 helps['aks update'] = """
@@ -760,6 +778,10 @@
     type: string
     short-summary: Load balancer backend pool type.
     long-summary: Define the LoadBalancer backend pool type of managed inbound backend pool. The nodeIP means the VMs will be attached to the LoadBalancer by adding its private IP address to the backend pool. The nodeIPConfiguration means the VMs will be attached to the LoadBalancer by referencing the backend pool ID in the VM's NIC.
+  - name: --load-balancer-sku
+    type: string
+    short-summary: Azure Load Balancer SKU selection for your cluster. only standard is accepted.
+    long-summary: Upgrade to Standard Azure Load Balancer SKU for your AKS cluster.
   - name: --nat-gateway-managed-outbound-ip-count
     type: int
     short-summary: NAT gateway managed outbound IP count.
@@ -900,6 +922,12 @@
     type: string
     short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for Linux nodes.
     long-summary: These certificates are used by Custom CA Trust feature and will be added to trust stores of nodes.
+  - name: --enable-run-command
+    type: bool
+    short-summary: Enable Run command feature for the cluster.
+  - name: --disable-run-command
+    type: bool
+    short-summary: Disable Run command feature for the cluster.
   - name: --defender-config
     type: string
     short-summary: Path to JSON file containing Microsoft Defender profile configurations.
@@ -1069,6 +1097,17 @@
   - name: --migrate-vmas-to-vms
     type: bool
     short-summary: Migrate cluster with VMAS node pool to VMS node pool.
+  - name: --node-provisioning-mode
+    type: string
+    short-summary: Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.
+  - name: --node-provisioning-default-pools
+    type: string
+    short-summary: The set of default Karpenter NodePools configured for node provisioning. Valid values are "Auto" and "None".
+    long-summary: |-
+        The set of default Karpenter NodePools configured for node provisioning. Valid values are "Auto" and "None".
+        Auto: A standard set of Karpenter NodePools are provisioned.
+        None: No Karpenter NodePools are provisioned.
+        WARNING: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will in turn drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action.
 examples:
   - name: Reconcile the cluster back to its current state.
     text: az aks update -g MyResourceGroup -n MyManagedCluster
@@ -1128,6 +1167,12 @@
     text: az aks update -g MyResourceGroup -n MyManagedCLuster --enable-vpa
   - name: Disable VPA(Vertical Pod Autoscaler) for an existing kubernetes cluster.
     text: az aks update -g MyResourceGroup -n MyManagedCLuster --disable-vpa
+  - name: Update a kubernetes cluster to use auto node provisioning.
+    text: az aks update -g MyResourceGroup -n MyManagedCluster --node-provisioning-mode Auto
+  - name: Update a kubernetes cluster to use auto node provisioning mode with no default pools.
+    text: az aks update -g MyResourceGroup -n MyManagedCluster --node-provisioning-mode Auto --node-provisioning-default-pools None
+  - name: Upgrade load balancer sku to standard
+    text: az aks update --load-balancer-sku standard -g MyResourceGroup -n MyManagedCluster
 """
 
 helps['aks delete'] = """