Merge remote-tracking branch 'upstream/main' into jonathanhe/api-upgrade

.github/policies/resourceManagement.yml

@@ -5114,6 +5114,8 @@ configuration:
           reviewer: jsntcy
       - requestReview:
           reviewer: bebound
+      - requestReview:
+          reviewer: Pan-Qi
       - assignTo:
           users:
           - wangzelin007
@@ -6365,5 +6367,27 @@ configuration:
           - kairu-ms
           - AllyW
       description: '[PowerBI] Auto assign labels and reviewers based on PR title/description.'
+    - if:
+      - payloadType: Pull_Request
+      - isAction:
+          action: Opened
+      - or:
+        - titleContains:
+            pattern: 'k8s-runtime'
+            isRegex: True
+        - bodyContains:
+            pattern: 'k8s-runtime'
+            isRegex: True
+      then:
+      - addLabel:
+          label: Auto-Assign
+      - requestReview:
+          reviewer: yonzhan
+      - requestReview:
+          reviewer: ReaNAiveD
+      - assignTo:
+          users:
+          - ReaNAiveD
+      description: '[k8s-runtime] Auto assign labels and reviewers based on PR title/description.'
 onFailure: 
 onSuccess: 

src/aks-preview/HISTORY.rst

@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+5.0.0b3
+++++++++
+* Add support for mutable fips in agentpool update. (enable/disable flags)
+
 5.0.0b2
 ++++++++
 * Add option `--ephemeral-disk-volume-type` to `az aks create` and `az aks update` for Azure Container Storage operations.

src/aks-preview/azext_aks_preview/_help.py

@@ -2004,6 +2004,12 @@
         - name: --if-none-match
           type: string
           short-summary: Set to '*' to allow a new node pool to be created, but to prevent updating an existing node pool. Other values will be ignored.
+        - name: --enable-fips-image
+          type: bool
+          short-summary: Switch to use FIPS-enabled OS on agent nodes.
+        - name: --disable-fips-image
+          type: bool
+          short-summary: Switch to use non-FIPS-enabled OS on agent nodes.
     examples:
       - name: Reconcile the nodepool back to its current state.
         text: az aks nodepool update -g MyResourceGroup -n nodepool1 --cluster-name MyManagedCluster

src/aks-preview/azext_aks_preview/_params.py

@@ -1645,6 +1645,16 @@ def load_arguments(self, _):
         )
         c.argument("if_match")
         c.argument("if_none_match")
+        c.argument(
+            "enable_fips_image",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "disable_fips_image",
+            is_preview=True,
+            action="store_true"
+        )
 
     with self.argument_context("aks nodepool upgrade") as c:
         c.argument("max_surge", validator=validate_max_surge)

src/aks-preview/azext_aks_preview/agentpool_decorator.py

@@ -655,6 +655,39 @@ def get_vm_sizes(self) -> List[str]:
             vm_sizes = [self.get_node_vm_size()]
         return vm_sizes
 
+    # Overrides azure-cli command to allow changes after create
+    def get_enable_fips_image(self) -> bool:
+        """Obtain the value of enable_fips_image, default value is False.
+
+        :return: bool
+        """
+
+        # read the original value passed by the command
+        enable_fips_image = self.raw_param.get("enable_fips_image", False)
+        # In create mode, try and read the property value corresponding to the parameter from the `agentpool` object
+        if self.decorator_mode == DecoratorMode.CREATE:
+            if (
+                self.agentpool and
+                hasattr(self.agentpool, "enable_fips") and      # backward compatibility
+                self.agentpool.enable_fips is not None
+            ):
+                enable_fips_image = self.agentpool.enable_fips
+
+        # Verify both flags have not been set
+        if enable_fips_image and self.get_disable_fips_image():
+            raise MutuallyExclusiveArgumentError(
+                'Cannot specify "--enable-fips-image" and "--disable-fips-image" at the same time'
+            )
+
+        return enable_fips_image
+
+    def get_disable_fips_image(self) -> bool:
+        """Obtain the value of disable_fips_image.
+        :return: bool
+        """
+        # read the original value passed by the command
+        return self.raw_param.get("disable_fips_image")
+
 
 class AKSPreviewAgentPoolAddDecorator(AKSAgentPoolAddDecorator):
     def __init__(
@@ -1092,6 +1125,21 @@ def update_vtpm(self, agentpool: AgentPool) -> AgentPool:
 
         return agentpool
 
+    def update_fips_image(self, agentpool: AgentPool) -> AgentPool:
+        """Update fips image property for the AgentPool object.
+        :return: the AgentPool object
+        """
+        self._ensure_agentpool(agentpool)
+
+        # Updates enable_fips property allowing switching of fips mode
+        if self.context.get_enable_fips_image():
+            agentpool.enable_fips = True
+
+        if self.context.get_disable_fips_image():
+            agentpool.enable_fips = False
+
+        return agentpool
+
     def update_agentpool_profile_preview(self, agentpools: List[AgentPool] = None) -> AgentPool:
         """The overall controller used to update the preview AgentPool profile.
 
@@ -1121,6 +1169,9 @@ def update_agentpool_profile_preview(self, agentpools: List[AgentPool] = None) -
         # update os sku
         agentpool = self.update_os_sku(agentpool)
 
+        # update fips image
+        agentpool = self.update_fips_image(agentpool)
+
         # update ssh access
         agentpool = self.update_ssh_access(agentpool)
 

src/aks-preview/azext_aks_preview/custom.py

@@ -1387,6 +1387,8 @@ def aks_agentpool_update(
     disable_vtpm=False,
     if_match=None,
     if_none_match=None,
+    enable_fips_image=False,
+    disable_fips_image=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()