[AKS] az aks create/update: Add support for ACNS transit encryption#32988
[AKS] az aks create/update: Add support for ACNS transit encryption#32988
az aks create/update: Add support for ACNS transit encryption#32988Conversation
nddq
requested review from
FumingZhang,
NoriZC,
teresaritorto and
yanzhudd
as code owners
️✔️AzureCLI-FullTest
|
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| aks create | cmd aks create added parameter acns_transit_encryption_type |
||
| aks update | cmd aks update added parameter acns_transit_encryption_type |
microsoft-github-policy-service
bot
requested review from
yonzhan and
zhoxing-ms
microsoft-github-policy-service
bot
added
Auto-Assign
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
There was a problem hiding this comment.
Pull request overview
Adds a new AKS CLI surface for configuring ACNS transit encryption (None/WireGuard) on Cilium clusters, including SDK bump and test coverage.
Changes:
- Add
--acns-transit-encryption-typetoaz aks createandaz aks updateand plumb it into managed cluster network profile assembly. - Update mgmt SDK dependency to
azure-mgmt-containerservice~=41.0.0to consume new transit encryption models. - Add unit + scenario tests and recordings for the new parameter.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/azure-cli/setup.py | Bumps azure-mgmt-containerservice to pick up new transit encryption models/enums. |
| src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py | Adds param parsing/validation and writes transit encryption into advancedNetworking.security. |
| src/azure-cli/azure/cli/command_modules/acs/_params.py | Registers new CLI arg and constrains allowed values via enum type. |
| src/azure-cli/azure/cli/command_modules/acs/_help.py | Documents --acns-transit-encryption-type for create/update. |
| src/azure-cli/azure/cli/command_modules/acs/_consts.py | Adds constants for supported transit encryption types. |
| src/azure-cli/azure/cli/command_modules/acs/custom.py | Adds parameter to aks_create / aks_update function signatures. |
| src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml | Adds linter exclusions for the new long option name. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_managed_cluster_decorator.py | Adds unit tests for parsing/behavior and update decorator modeling. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_commands.py | Adds scenario tests for create/update with transit encryption. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/recordings/test_aks_create_with_acns_transit_encryption.yaml | Adds recording coverage for create scenario. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
Outdated
Show resolved
Hide resolved
src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
Show resolved
Hide resolved
nddq
force-pushed
the
nddq/acns-transit-encryption-cli
branch
from
3206ff8 to
9d73659
Compare
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
FumingZhang
left a comment
FumingZhang
left a comment
There was a problem hiding this comment.
Queued live test to validate the change.
- test_aks_create_with_acns_transit_encryption
- test_aks_update_with_acns_transit_encryption
|
Please commit new recording files to fix the mismatch issue
|
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
nddq
force-pushed
the
nddq/acns-transit-encryption-cli
branch
from
3373a92 to
e3dc8f5
Compare
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
Re-queued live test, test passed |
|
@FumingZhang @yanzhudd all CI green, please take a look, thanks! |
feat(acns) add transit encryption options for az create and update commands
Related command
az aks create --enable-acns --acns-transit-encryption-type <None|WireGuard>az aks update --enable-acns --acns-transit-encryption-type <None|WireGuard>Description
Adds
--acns-transit-encryption-typeparameter toaz aks createandaz aks updatecommands, allowing users to configure pod-to-pod transit encryption on Cilium-based AKS clusters. Once enabled, all traffic between Cilium managed pods will be encrypted when it leaves the node boundary.Also bumps
azure-mgmt-containerserviceSDK from40.0.0to41.0.0which includes theAdvancedNetworkingSecurityTransitEncryptionmodel andTransitEncryptionTypeenum.Testing Guide
Note: These commands will only be applicable for Cilium clusters
--enable-acns --acns-transit-encryption-type WireGuard- Enable ACNS with WireGuard transit encryption for pod-to-pod traffic.--enable-acns --acns-transit-encryption-type None- Enable ACNS without transit encryption (or disable transit encryption on an existing cluster).History Notes
[AKS]
az aks create/update: Add--acns-transit-encryption-typeparameter to support configuring pod-to-pod transit encryption (WireGuardorNone)This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.