[AKS] az aks create/update: Add support for ACNS transit encryption

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -267,6 +267,10 @@
 # consts for workloadruntime
 CONST_WORKLOAD_RUNTIME_KATA_VM_ISOLATION = "KataVmIsolation"
 
+# consts for acns transit encryption
+CONST_TRANSIT_ENCRYPTION_WIREGUARD = "WireGuard"
+CONST_TRANSIT_ENCRYPTION_NONE = "None"
+
 
 # consts for decorator pattern
 class DecoratorMode(Enum):

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -591,6 +591,10 @@
   - name: --enable-container-network-logs
     type: bool
     short-summary: Enable container network log collection functionalities on a cluster. Automatically enables --enable-high-log-scale-mode.
+  - name: --acns-transit-encryption-type
+    type: string
+    short-summary: Set transit encryption type for ACNS security.
+    long-summary: Configures pod-to-pod encryption for Cilium-based clusters. Once enabled, all traffic between Cilium managed pods will be encrypted when it leaves the node boundary. Valid values are "WireGuard" and "None". On cluster creation, this must be used together with "--enable-acns".
   - name: --nrg-lockdown-restriction-level
     type: string
     short-summary: Restriction level on the managed node resource group.
@@ -1098,6 +1102,10 @@
   - name: --disable-container-network-logs
     type: bool
     short-summary: Disable container network log collection functionalities on a cluster.
+  - name: --acns-transit-encryption-type
+    type: string
+    short-summary: Set transit encryption type for ACNS security.
+    long-summary: Configures pod-to-pod encryption for Cilium-based clusters. Once enabled, all traffic between Cilium managed pods will be encrypted when it leaves the node boundary. Valid values are "WireGuard" and "None". When creating a cluster, this option must be used together with "--enable-acns"; when updating a cluster, it can be used on its own to modify the transit encryption type for an existing ACNS-enabled cluster.
   - name: --nrg-lockdown-restriction-level
     type: string
     short-summary: Restriction level on the managed node resource group.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -75,7 +75,9 @@
     CONST_NODE_PROVISIONING_MODE_AUTO,
     CONST_NODE_PROVISIONING_DEFAULT_POOLS_NONE,
     CONST_NODE_PROVISIONING_DEFAULT_POOLS_AUTO,
-    CONST_WORKLOAD_RUNTIME_KATA_VM_ISOLATION)
+    CONST_WORKLOAD_RUNTIME_KATA_VM_ISOLATION,
+    CONST_TRANSIT_ENCRYPTION_WIREGUARD,
+    CONST_TRANSIT_ENCRYPTION_NONE)
 from azure.cli.command_modules.acs.azurecontainerstorage._consts import (
     CONST_ACSTOR_ALL,
     CONST_DISK_TYPE_EPHEMERAL_VOLUME_ONLY,
@@ -228,6 +230,11 @@
     CONST_NODE_PROVISIONING_DEFAULT_POOLS_AUTO,
 ]
 
+transit_encryption_types = [
+    CONST_TRANSIT_ENCRYPTION_WIREGUARD,
+    CONST_TRANSIT_ENCRYPTION_NONE,
+]
+
 dev_space_endpoint_types = ['Public', 'Private', 'None']
 
 keyvault_network_access_types = [CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE]
@@ -605,6 +612,7 @@ def load_arguments(self, _):
         c.argument('disable_acns_security', action='store_true')
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
         c.argument('enable_container_network_logs', action='store_true')
+        c.argument('acns_transit_encryption_type', arg_type=get_enum_type(transit_encryption_types))
         c.argument("if_match")
         c.argument("if_none_match")
         # node provisioning
@@ -664,6 +672,7 @@ def load_arguments(self, _):
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
         c.argument('enable_container_network_logs', action='store_true')
         c.argument('disable_container_network_logs', action='store_true')
+        c.argument('acns_transit_encryption_type', arg_type=get_enum_type(transit_encryption_types))
         # private cluster parameters
         c.argument('enable_apiserver_vnet_integration', action='store_true')
         c.argument('apiserver_subnet_id', validator=validate_apiserver_subnet_id)

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -935,6 +935,7 @@ def aks_create(
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
     enable_container_network_logs=None,
+    acns_transit_encryption_type=None,
     # network isoalted cluster
     bootstrap_artifact_source=CONST_ARTIFACT_SOURCE_DIRECT,
     bootstrap_container_registry_resource_id=None,
@@ -1164,6 +1165,7 @@ def aks_update(
     acns_advanced_networkpolicies=None,
     enable_container_network_logs=None,
     disable_container_network_logs=None,
+    acns_transit_encryption_type=None,
     # network isoalted cluster
     bootstrap_artifact_source=None,
     bootstrap_container_registry_resource_id=None,

src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml

@@ -76,6 +76,9 @@ aks create:
       acns_advanced_networkpolicies:
         rule_exclusions:
           - option_length_too_long
+      acns_transit_encryption_type:
+        rule_exclusions:
+        - option_length_too_long
       nrg_lockdown_restriction_level:
         rule_exclusions:
         - option_length_too_long
@@ -191,6 +194,9 @@ aks update:
       acns_advanced_networkpolicies:
         rule_exclusions:
           - option_length_too_long
+      acns_transit_encryption_type:
+        rule_exclusions:
+        - option_length_too_long
       nrg_lockdown_restriction_level:
         rule_exclusions:
         - option_length_too_long
@@ -205,7 +211,7 @@ aks update:
         - option_length_too_long
       disable_private_cluster:
         rule_exclusions:
-        - option_length_too_long 
+        - option_length_too_long
       enable_static_egress_gateway:
         rule_exclusions:
           - option_length_too_long

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

@@ -2676,6 +2676,32 @@ def get_enable_high_log_scale_mode(self) -> Union[bool, None]:
         # If container network logs are not being enabled, return the original value
         return enable_high_log_scale_mode
 
+    def get_acns_transit_encryption_type(self) -> Union[str, None]:
+        """Get the transit encryption type for acns security.
+
+        :return: str or None
+        """
+        acns_transit_encryption = self.raw_param.get("acns_transit_encryption_type")
+        if acns_transit_encryption is not None:
+            enable_acns = self.raw_param.get("enable_acns")
+            disable_acns = self.raw_param.get("disable_acns")
+            disable_acns_security = self.raw_param.get("disable_acns_security")
+            if disable_acns_security:
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot specify --acns-transit-encryption-type and "
+                    "--disable-acns-security at the same time."
+                )
+            if disable_acns:
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot specify --acns-transit-encryption-type and "
+                    "--disable-acns at the same time."
+                )
+            if self.decorator_mode == DecoratorMode.CREATE and not enable_acns:
+                raise MutuallyExclusiveArgumentError(
+                    "--acns-transit-encryption-type requires --enable-acns."
+                )
+        return acns_transit_encryption
+
     def _get_pod_cidr_and_service_cidr_and_dns_service_ip_and_docker_bridge_address_and_network_policy(
         self, enable_validation: bool = False
     ) -> Tuple[
@@ -6356,6 +6382,7 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
 
         (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
         acns_advanced_networkpolicies = self.context.get_acns_advanced_networkpolicies()
+        acns_transit_encryption = self.context.get_acns_transit_encryption_type()
         if acns_enabled is not None:
             acns = self.models.AdvancedNetworking(
                 enabled=acns_enabled,
@@ -6375,6 +6402,12 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
                     )
                 else:
                     acns.security.advanced_network_policies = acns_advanced_networkpolicies
+            if acns_transit_encryption is not None:
+                if acns.security is None:
+                    acns.security = self.models.AdvancedNetworkingSecurity()
+                acns.security.transit_encryption = self.models.AdvancedNetworkingSecurityTransitEncryption(
+                    type=acns_transit_encryption,
+                )
 
         if any(
             [
@@ -8281,6 +8314,7 @@ def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> Mana
         self._ensure_mc(mc)
         (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
         acns_advanced_networkpolicies = self.context.get_acns_advanced_networkpolicies()
+        acns_transit_encryption = self.context.get_acns_transit_encryption_type()
         if acns_enabled is not None:
             acns = self.models.AdvancedNetworking(
                 enabled=acns_enabled,
@@ -8300,8 +8334,27 @@ def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> Mana
                     )
                 else:
                     acns.security.advanced_network_policies = acns_advanced_networkpolicies
-        if acns_enabled is not None:
+            if acns_transit_encryption is not None:
+                if acns.security is None:
+                    acns.security = self.models.AdvancedNetworkingSecurity()
+                acns.security.transit_encryption = self.models.AdvancedNetworkingSecurityTransitEncryption(
+                    type=acns_transit_encryption,
+                )
             mc.network_profile.advanced_networking = acns
+        elif acns_transit_encryption is not None:
+            if (mc.network_profile.advanced_networking is None or
+                    not mc.network_profile.advanced_networking.enabled):
+                raise MutuallyExclusiveArgumentError(
+                    "--acns-transit-encryption-type requires ACNS to be enabled on the cluster. "
+                    "Use --enable-acns together with --acns-transit-encryption-type."
+                )
+            if mc.network_profile.advanced_networking.security is None:
+                mc.network_profile.advanced_networking.security = self.models.AdvancedNetworkingSecurity()
+            mc.network_profile.advanced_networking.security.transit_encryption = (
+                self.models.AdvancedNetworkingSecurityTransitEncryption(
+                    type=acns_transit_encryption,
+                )
+            )
         return mc
 
     def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedCluster: