[AKS] az aks update: Add --disable-http-proxy and --enable-http-proxy options (#32996)

Author: mxj220

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -1015,6 +1015,12 @@
   - name: --http-proxy-config
     type: string
     short-summary: HTTP Proxy configuration for this cluster.
+  - name: --disable-http-proxy
+    type: bool
+    short-summary: Disable HTTP Proxy Configuration on the cluster.
+  - name: --enable-http-proxy
+    type: bool
+    short-summary: Enable HTTP Proxy Configuration on the cluster.
   - name: --enable-oidc-issuer
     type: bool
     short-summary: Enable OIDC issuer.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -743,6 +743,8 @@ def load_arguments(self, _):
         c.argument('disable_image_cleaner', action='store_true', validator=validate_image_cleaner_enable_disable_mutually_exclusive)
         c.argument('image_cleaner_interval_hours', type=int)
         c.argument('http_proxy_config')
+        c.argument('disable_http_proxy', action='store_true')
+        c.argument('enable_http_proxy', action='store_true')
         c.argument('custom_ca_trust_certificates', options_list=["--custom-ca-trust-certificates", "--ca-certs"], validator=validate_custom_ca_trust_certificates, help="path to file containing list of new line separated CAs")
         c.argument('enable_run_command', action='store_true')
         c.argument('disable_run_command', action='store_true')

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -1148,6 +1148,8 @@ def aks_update(
     disable_image_cleaner=False,
     image_cleaner_interval_hours=None,
     http_proxy_config=None,
+    disable_http_proxy=False,
+    enable_http_proxy=False,
     enable_keda=False,
     disable_keda=False,
     enable_vpa=False,

src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml

@@ -230,6 +230,12 @@ aks update:
       disable_container_network_logs:
         rule_exclusions:
           - option_length_too_long
+      disable_http_proxy:
+        rule_exclusions:
+          - option_length_too_long
+      enable_http_proxy:
+        rule_exclusions:
+          - option_length_too_long
 aks nodepool add:
   parameters:
       disable_windows_outbound_nat:

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

@@ -2021,6 +2021,64 @@ def get_http_proxy_config(self) -> Union[Dict, ManagedClusterHTTPProxyConfig, No
         # this parameter does not need validation
         return http_proxy_config
 
+    def get_disable_http_proxy(self) -> bool:
+        """Obtain the value of disable_http_proxy.
+
+        This function will verify the parameter by default. If both enable_http_proxy and disable_http_proxy are
+        specified, raise a MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        return self._get_disable_http_proxy(enable_validation=True)
+
+    def _get_disable_http_proxy(self, enable_validation: bool = False) -> bool:
+        """Internal function to obtain the value of disable_http_proxy.
+
+        This function supports the option of enable_validation. When enabled, if both enable_http_proxy and
+        disable_http_proxy are specified, raise a MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        # read the original value passed by the command
+        disable_http_proxy = self.raw_param.get("disable_http_proxy")
+
+        if enable_validation:
+            if disable_http_proxy and self._get_enable_http_proxy(enable_validation=False):
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot specify --enable-http-proxy and --disable-http-proxy at the same time."
+                )
+
+        return disable_http_proxy
+
+    def get_enable_http_proxy(self) -> bool:
+        """Obtain the value of enable_http_proxy.
+
+        This function will verify the parameter by default. If both enable_http_proxy and disable_http_proxy are
+        specified, raise a MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        return self._get_enable_http_proxy(enable_validation=True)
+
+    def _get_enable_http_proxy(self, enable_validation: bool = False) -> bool:
+        """Internal function to obtain the value of enable_http_proxy.
+
+        This function supports the option of enable_validation. When enabled, if both enable_http_proxy and
+        disable_http_proxy are specified, raise a MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        # read the original value passed by the command
+        enable_http_proxy = self.raw_param.get("enable_http_proxy")
+
+        if enable_validation:
+            if enable_http_proxy and self._get_disable_http_proxy(enable_validation=False):
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot specify --enable-http-proxy and --disable-http-proxy at the same time."
+                )
+
+        return enable_http_proxy
+
     def get_assignee_from_identity_or_sp_profile(self) -> Tuple[str, bool]:
         """Helper function to obtain the value of assignee from identity_profile or service_principal_profile.
 
@@ -8490,11 +8548,38 @@ def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedClus
     def update_http_proxy_config(self, mc: ManagedCluster) -> ManagedCluster:
         """Set up http proxy config for the ManagedCluster object.
 
+        Only updates if --http-proxy-config was explicitly provided, to avoid wiping existing config.
+
         :return: the ManagedCluster object
         """
         self._ensure_mc(mc)
 
-        mc.http_proxy_config = self.context.get_http_proxy_config()
+        http_proxy_config = self.context.get_http_proxy_config()
+        if http_proxy_config is not None:
+            mc.http_proxy_config = http_proxy_config
+        return mc
+
+    def update_http_proxy_enabled(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update http proxy enabled/disabled state for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        if self.context.get_disable_http_proxy():
+            if mc.http_proxy_config is None:
+                mc.http_proxy_config = (
+                    self.models.ManagedClusterHTTPProxyConfig()  # pylint: disable=no-member
+                )
+            mc.http_proxy_config.enabled = False
+
+        if self.context.get_enable_http_proxy():
+            if mc.http_proxy_config is None:
+                mc.http_proxy_config = (
+                    self.models.ManagedClusterHTTPProxyConfig()  # pylint: disable=no-member
+                )
+            mc.http_proxy_config.enabled = True
+
         return mc
 
     def update_identity(self, mc: ManagedCluster) -> ManagedCluster:
@@ -9800,6 +9885,8 @@ def update_mc_profile_default(self) -> ManagedCluster:
         mc = self.update_identity_profile(mc)
         # set up http proxy config
         mc = self.update_http_proxy_config(mc)
+        # update http proxy enabled/disabled state
+        mc = self.update_http_proxy_enabled(mc)
         # update workload autoscaler profile
         mc = self.update_workload_auto_scaler_profile(mc)
         # update kubernetes support plan

src/azure-cli/azure/cli/command_modules/acs/tests/latest/data/httpproxyconfig.json

@@ -1,6 +1,6 @@
 {
   "httpProxy": "http://cli-proxy-vm:3128/",
-  "httpsProxy": "https://cli-proxy-vm:3129/",
+  "httpsProxy": "http://cli-proxy-vm:3128/",
   "noProxy": [
     "localhost",
     "127.0.0.1"

src/azure-cli/azure/cli/command_modules/acs/tests/latest/data/httpproxyconfig_update.json

@@ -1,6 +1,6 @@
 {
   "httpProxy": "http://cli-proxy-vm:3128/",
-  "httpsProxy": "https://cli-proxy-vm:3129/",
+  "httpsProxy": "http://cli-proxy-vm:3128/",
   "noProxy": [
     "localhost",
     "127.0.0.1"

src/azure-cli/azure/cli/command_modules/acs/tests/latest/data/setup_proxy.sh

@@ -7,22 +7,12 @@ echo "setting up ${WORKDIR}"
 
 pushd "$WORKDIR"
 
-apt update -y && apt install -y apt-transport-https curl gnupg make gcc < /dev/null
-
-# add diladele apt key
-wget -qO - https://packages.diladele.com/diladele_pub.asc | apt-key add -
-
-# add new repo
-tee /etc/apt/sources.list.d/squid413-ubuntu20.diladele.com.list <<EOF
-deb https://squid413-ubuntu20.diladele.com/ubuntu/ focal main
-EOF
-
-# and install
-apt-get update && apt-get install -y squid-common squid-openssl squidclient libecap3 libecap3-dev < /dev/null
+apt-get update -y && apt-get install -y curl squid < /dev/null
 
 mkdir -p /var/lib/squid
 
-/usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB || true
+/usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB 2>/dev/null || \
+  /usr/libexec/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB 2>/dev/null || true
 
 chown -R proxy:proxy /var/lib/squid
 
@@ -127,13 +117,11 @@ cp squidc.pem /usr/local/share/ca-certificates/squidc.crt
 update-ca-certificates 
 
 sed -i 's~http_access deny all~http_access allow all~' /etc/squid/squid.conf
-sed -i "s~http_port 3128~http_port $HOST:3128\nhttps_port $HOST:3129 tls-cert=/etc/squid/squidc.pem tls-key=/etc/squid/squidk.pem~" /etc/squid/squid.conf
+sed -i "s~http_port 3128~http_port $HOST:3128~" /etc/squid/squid.conf
 
 systemctl restart squid
 systemctl status squid
 
 # validation, fails VM creation if commands fail
 curl -fsSl -o /dev/null -w '%{http_code}\n' -x http://${HOST}:3128/ -I http://www.google.com
 curl -fsSl -o /dev/null -w '%{http_code}\n' -x http://${HOST}:3128/ -I https://www.google.com
-curl -fsSl -o /dev/null -w '%{http_code}\n' -x https://${HOST}:3129/ -I http://www.google.com
-curl -fsSl -o /dev/null -w '%{http_code}\n' -x https://${HOST}:3129/ -I https://www.google.com