Merged
Expand Up @@ -920,8 +920,13 @@ def get_custom_ca_trust_certificates(self) -> Union[List[bytes], None]:
:return: List[str] or None
"""
custom_ca_certs_file_path = self.raw_param.get("custom_ca_trust_certificates")
if not custom_ca_certs_file_path:
if custom_ca_certs_file_path is None:
return None
# Reject empty string - user must provide a valid file path
if custom_ca_certs_file_path == "":
raise InvalidArgumentValueError(
"custom_ca_trust_certificates cannot be an empty string. Please provide a valid file path."
)
if not os.path.isfile(custom_ca_certs_file_path):
raise InvalidArgumentValueError(
"{} is not valid file, or not accessible.".format(
Expand Down Expand Up @@ -8710,11 +8715,13 @@ def update_custom_ca_trust_certificates(self, mc: ManagedCluster) -> ManagedClus
"""
self._ensure_mc(mc)

ca_certs = self.context.get_custom_ca_trust_certificates()
if ca_certs:
# Check if the parameter was explicitly provided
if self.context.raw_param.get("custom_ca_trust_certificates") is not None:
ca_certs = self.context.get_custom_ca_trust_certificates()
Comment on lines +8719 to +8720
Member

I'm not sure it's a good idea to allow this option to accept an empty string as a value, as that would also remove the existing certificates. But there is a chance the user is doing so by mistake (compared to providing an empty file).

Contributor Author

Modified this to block when empty string is passed

if mc.security_profile is None:
mc.security_profile = self.models.ManagedClusterSecurityProfile() # pylint: disable=no-member

# Set certificates (this allows setting to empty list to remove certificates)
mc.security_profile.custom_ca_trust_certificates = ca_certs
UtheMan marked this conversation as resolved.

return mc
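Review bot: The update path in the second hunk reads `self.context.raw_param.get("custom_ca_trust_certificates")` directly to decide whether the option was passed, which duplicates the key string and the None check that `get_custom_ca_trust_certificates()` already performs in the first hunk. Calling the getter once and branching on its result keeps that decision in one place: `ca_certs = self.context.get_custom_ca_trust_certificates()` followed by `if ca_certs is not None:`. This assumes the getter returns a list (possibly empty) whenever a path is given, which cannot be confirmed here because the rest of its body is outside the hunk. With this change an empty file replaces the cluster's custom CA trust list with an empty one, so I would also emit a warning on that branch before the assignment, because dropping trust anchors is easy to do by accident and hard to notice afterwards. Tests covering the empty-file case and the option-omitted case would pin both behaviours.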