feat(acns): Add mTLS as transit encryption type for ACNS #9668
yanzhudd merged 3 commits into Azure:main from
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | aks create | cmd aks create update parameter acns_transit_encryption_type: updated property choices from ['None', 'WireGuard'] to ['None', 'WireGuard', 'mTLS'] | |
| | aks update | cmd aks update update parameter acns_transit_encryption_type: updated property choices from ['None', 'WireGuard'] to ['None', 'WireGuard', 'mTLS'] | |
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
Pull request overview
Adds support for mTLS as a new ACNS transit encryption type in the aks-preview extension, including CLI enum exposure and validation that prevents incompatible combinations with L7 advanced network policies and Istio service mesh during both create and update flows.
Changes:
- Add mTLS to --acns-transit-encryption-type allowed values and help text for az aks create and az aks update.
- Add validation blocking mTLS when L7 advanced network policies are requested or already enabled, and when Azure Service Mesh (Istio) is enabled or already present.
- Add/extend unit tests, scenario tests, and recordings for the new mTLS option.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/aks-preview/setup.py | Bumps extension version to 19.0.0b25. |
| src/aks-preview/HISTORY.rst | Documents the new mTLS transit encryption option in release notes. |
| src/aks-preview/azext_aks_preview/_consts.py | Adds CONST_TRANSIT_ENCRYPTION_TYPE_MTLS = "mTLS". |
| src/aks-preview/azext_aks_preview/_params.py | Adds mTLS to enum list and updates help text for create/update arguments. |
| src/aks-preview/azext_aks_preview/managed_cluster_decorator.py | Adds create/update validation to block mTLS with L7 policies or Istio service mesh. |
| src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py | Adds unit tests for mTLS value and mutual exclusion cases (create + update). |
| src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py | Adds scenario tests for mTLS in create/update flows. |
| src/aks-preview/azext_aks_preview/tests/latest/recordings/test_aks_create_with_transit_encryption_type_mtls.yaml | Adds recording for the new mTLS create scenario test. |
|
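A sketch of the mutual-exclusion check summarized in the review overview above, added here as an illustration; it is not the PR's code. The choice list and CONST_TRANSIT_ENCRYPTION_TYPE_MTLS come from the page, while ClusterState, MutuallyExclusiveError, validate_transit_encryption and its parameters are hypothetical names.

```python
from dataclasses import dataclass

# Values taken from the PR: the CLI choices for --acns-transit-encryption-type.
TRANSIT_ENCRYPTION_CHOICES = ("None", "WireGuard", "mTLS")
CONST_TRANSIT_ENCRYPTION_TYPE_MTLS = "mTLS"


@dataclass(frozen=True)
class ClusterState:
    """Hypothetical snapshot of an existing cluster (update flow only)."""
    l7_policies_enabled: bool = False
    istio_enabled: bool = False


class MutuallyExclusiveError(ValueError):
    """Hypothetical error type for incompatible option combinations."""


def validate_transit_encryption(requested_type, request_l7=False,
                                request_istio=False, existing=None):
    """Return the accepted type, or raise if the combination is blocked.

    existing is None for a create call; for an update it carries what the
    cluster already has, so a conflict is caught even when the current
    command line does not mention L7 policies or Istio.
    Only the mTLS restrictions described in this PR are modelled.
    """
    if requested_type is None:
        return None  # option not passed: nothing to validate
    if requested_type not in TRANSIT_ENCRYPTION_CHOICES:
        raise ValueError(f"unsupported transit encryption type: {requested_type!r}")
    if requested_type != CONST_TRANSIT_ENCRYPTION_TYPE_MTLS:
        return requested_type

    existing = existing or ClusterState()
    conflicts = []
    if request_l7 or existing.l7_policies_enabled:
        conflicts.append("L7 advanced network policies")
    if request_istio or existing.istio_enabled:
        conflicts.append("Istio service mesh")
    if conflicts:
        raise MutuallyExclusiveError(
            "mTLS transit encryption cannot be combined with "
            + " or ".join(conflicts))
    return requested_type
```
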
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
6b5c916 to 610dfbb
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
610dfbb to aae778c
|
Please resolve merge conflicts, @nddq |
def6faa to e79acb5
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
@FumingZhang can you help merge this? Thanks! |
|
@yanzhudd can you help me with this? Thanks! |
|
There are two history notes under the pending session. Could you please pull the latest code and include those two history notes into the newly released version.
Remove explicit aks delete step from mTLS transit encryption test to avoid 409 EtagMismatch race condition. Resource cleanup is handled by AKSCustomResourceGroupPreparer. Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
e79acb5 to a4e2852
|
@yanzhudd done |
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
Co-authored-by: Yan Zhu <105691024+yanzhudd@users.noreply.github.com>
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
[Release] Update index.json for extension [ aks-preview-19.0.0b26 ] : https://dev.azure.com/msazure/One/_build/results?buildId=157184247&view=results |
Add 'mTLS' as a new option for --acns-transit-encryption-type in az aks create/update. Includes validation to prevent mTLS from being used with L7 advanced network policies or Istio service mesh, both for create and update scenarios.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
General Guidelines
azdev style <YOUR_EXT> locally? (pip install azdev required)
python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.