Azure · yanzhudd · Mar 8, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 25, 2024
@@ -11,6 +11,13 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+
+2.0.0b3
++++++++
+* Add `--enable-vtpm` to `az aks create`, `az aks nodepool add` and `az aks nodepool update`.
+* Add `--disable-vtpm` to the `az aks nodepool update` command.
+* Add `--enable-secure-boot` to `az aks create`, `az aks nodepool add` and `az aks nodepool update`.
+* Add `--disable-secure-boot` to the `az aks nodepool update` command.
 * Add parameter to set revision `--revision` for the Azure Service Mesh addon while creating AKS cluster.
 
 2.0.0b2

@@ -49,6 +49,10 @@
         "ai toolchain operator, enabled in staging only": [
             "test_aks_create_with_enable_ai_toolchain_operator",
             "test_aks_update_with_enable_ai_toolchain_operator"
+        ],
+        "trusted launch, missing feature registration & toggle": [
+            "test_aks_create_update_secure_boot_flow",
+            "test_aks_create_update_vtpm_flow"
         ]
     }
 }
@@ -601,6 +601,12 @@
           long-summary: |
               Used together with the "azure" network plugin.
               Requires --pod-subnet-id.
+        - name: --enable-secure-boot
+          type: bool
+          short-summary: Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.
+        - name: --enable-vtpm
+          type: bool
+          short-summary: Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -1742,6 +1748,12 @@
           long-summary: |
               Used together with the "azure" network plugin.
               Requires --pod-subnet-id.
+        - name: --enable-secure-boot
+          type: bool
+          short-summary: Enable Secure Boot on agent node pool. Must use VMSS agent pool type.
+        - name: --enable-vtpm
+          type: bool
+          short-summary: Enable vTPM on agent node pool. Must use VMSS agent pool type.
     examples:
         - name: Create a nodepool in an existing AKS cluster with ephemeral os enabled.
           text: az aks nodepool add -g MyResourceGroup -n nodepool1 --cluster-name MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48
@@ -1865,6 +1877,18 @@
         - name: --ssh-access
           type: string
           short-summary: Update SSH setting for the node pool. Use "disabled" to disable SSH access, "localuser" to enable SSH access using private key.
+        - name: --enable-secure-boot
+          type: bool
+          short-summary: Enable Secure Boot on an existing Trusted Launch enabled agent node pool. Must use VMSS agent pool type.
+        - name: --disable-secure-boot
+          type: bool
+          short-summary: Disable Secure Boot on on an existing Trusted Launch enabled agent node pool.
+        - name: --enable-vtpm
+          type: bool
+          short-summary: Enable vTPM on an existing Trusted Launch enabled agent node pool. Must use VMSS agent pool type.
+        - name: --disable-vtpm
+          type: bool
+          short-summary: Disable vTPM on an existing Trusted Launch enabled agent node pool.
     examples:
       - name: Reconcile the nodepool back to its current state.
         text: az aks nodepool update -g MyResourceGroup -n nodepool1 --cluster-name MyManagedCluster

@@ -840,6 +840,17 @@ def load_arguments(self, _):
             default=CONST_SSH_ACCESS_LOCALUSER,
             is_preview=True,
         )
+        # trusted launch
+        c.argument(
+            "enable_secure_boot",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "enable_vtpm",
+            is_preview=True,
+            action="store_true"
+        )
 
     with self.argument_context("aks update") as c:
         # managed cluster paramerters
@@ -1381,6 +1392,17 @@ def load_arguments(self, _):
             default=CONST_SSH_ACCESS_LOCALUSER,
             is_preview=True,
         )
+        # trusted launch
+        c.argument(
+            "enable_secure_boot",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "enable_vtpm",
+            is_preview=True,
+            action="store_true"
+        )
 
     with self.argument_context("aks nodepool update") as c:
         c.argument(
@@ -1439,6 +1461,27 @@ def load_arguments(self, _):
         # In update scenario, use emtpy str as default.
         c.argument('ssh_access', arg_type=get_enum_type(ssh_accesses), is_preview=True)
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
+        # trusted launch
+        c.argument(
+            "enable_secure_boot",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "disable_secure_boot",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "enable_vtpm",
+            is_preview=True,
+            action="store_true"
+        )
+        c.argument(
+            "disable_vtpm",
+            is_preview=True,
+            action="store_true"
+        )
 
     with self.argument_context("aks nodepool upgrade") as c:
         c.argument("max_surge", validator=validate_max_surge)

@@ -53,6 +53,7 @@ class AKSPreviewAgentPoolModels(AKSAgentPoolModels):
     """
 
 
+# pylint: disable=too-many-public-methods
 class AKSPreviewAgentPoolContext(AKSAgentPoolContext):
     def __init__(
         self,
@@ -475,6 +476,66 @@ def get_skip_gpu_driver_install(self) -> bool:
 
         return skip_gpu_driver_install
 
+    def get_enable_secure_boot(self) -> bool:
+        """Obtain the value of enable_secure_boot.
+        :return: bool
+        """
+        # read the original value passed by the command
+        enable_secure_boot = self.raw_param.get("enable_secure_boot")
+
+        # In create mode, try and read the property value corresponding to the parameter from the `agentpool` object
+        if self.decorator_mode == DecoratorMode.CREATE:
+            if (
+                self.agentpool and
+                self.agentpool.security_profile is not None and
+                self.agentpool.security_profile.enable_secure_boot is not None
+            ):
+                enable_secure_boot = self.agentpool.security_profile.enable_secure_boot
+
+        if enable_secure_boot and self.get_disable_secure_boot():
+            raise MutuallyExclusiveArgumentError(
+                'Cannot specify "--enable-secure-boot" and "--disable-secure-boot" at the same time'
+            )
+
+        return enable_secure_boot
+
+    def get_disable_secure_boot(self) -> bool:
+        """Obtain the value of disable_secure_boot.
+        :return: bool
+        """
+
+        return self.raw_param.get("disable_secure_boot")
+
+    def get_enable_vtpm(self) -> bool:
+        """Obtain the value of enable_vtpm.
+        :return: bool
+        """
+        # read the original value passed by the command
+        enable_vtpm = self.raw_param.get("enable_vtpm")
+
+        # In create mode, try and read the property value corresponding to the parameter from the `agentpool` object
+        if self.decorator_mode == DecoratorMode.CREATE:
+            if (
+                self.agentpool and
+                self.agentpool.security_profile is not None and
+                self.agentpool.security_profile.enable_vtpm is not None
+            ):
+                enable_vtpm = self.agentpool.security_profile.enable_vtpm
+
+        if enable_vtpm and self.get_disable_vtpm():
+            raise MutuallyExclusiveArgumentError(
+                'Cannot specify "--enable-vtpm" and "--disable-vtpm" at the same time'
+            )
+
+        return enable_vtpm
+
+    def get_disable_vtpm(self) -> bool:
+        """Obtain the value of disable_vtpm.
+        :return: bool
+        """
+
+        return self.raw_param.get("disable_vtpm")
+
 
 class AKSPreviewAgentPoolAddDecorator(AKSAgentPoolAddDecorator):
     def __init__(
@@ -634,6 +695,32 @@ def set_up_pod_ip_allocation_mode(self, agentpool: AgentPool) -> AgentPool:
             agentpool.pod_ip_allocation_mode = pod_ip_allocation_mode
         return agentpool
 
+    def set_up_secure_boot(self, agentpool: AgentPool) -> AgentPool:
+        """Set up secure boot property for the AgentPool object."""
+        self._ensure_agentpool(agentpool)
+
+        if self.context.get_enable_secure_boot():
+            if agentpool.security_profile is None:
+                agentpool.security_profile = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+
+            agentpool.security_profile.enable_secure_boot = True
+
+        # Default is disabled so no need to worry about that here
+        return agentpool
+
+    def set_up_vtpm(self, agentpool: AgentPool) -> AgentPool:
+        """Set up vtpm property for the AgentPool object."""
+        self._ensure_agentpool(agentpool)
+
+        if self.context.get_enable_vtpm():
+            if agentpool.security_profile is None:
+                agentpool.security_profile = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+
+            agentpool.security_profile.enable_vtpm = True
+
+        # Default is disabled so no need to worry about that here
+        return agentpool
+
     def construct_agentpool_profile_preview(self) -> AgentPool:
         """The overall controller used to construct the preview AgentPool profile.
 
@@ -665,6 +752,10 @@ def construct_agentpool_profile_preview(self) -> AgentPool:
         agentpool = self.set_up_ssh_access(agentpool)
         # set up agentpool pod ip allocation mode
         agentpool = self.set_up_pod_ip_allocation_mode(agentpool)
+        # set up secure boot
+        agentpool = self.set_up_secure_boot(agentpool)
+        # set up vtpm
+        agentpool = self.set_up_vtpm(agentpool)
         # DO NOT MOVE: keep this at the bottom, restore defaults
         agentpool = self._restore_defaults_in_agentpool(agentpool)
         return agentpool
@@ -794,6 +885,42 @@ def update_ssh_access(self, agentpool: AgentPool) -> AgentPool:
             agentpool.security_profile.ssh_access = ssh_access
         return agentpool
 
+    def update_secure_boot(self, agentpool: AgentPool) -> AgentPool:
+        """Update secure boot property for the AgentPool object.
+        :return: the AgentPool object
+        """
+        self._ensure_agentpool(agentpool)
+
+        if self.context.get_enable_secure_boot():
+            if agentpool.security_profile is None:
+                agentpool.secure_boot = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+            agentpool.security_profile.enable_secure_boot = True
+
+        if self.context.get_disable_secure_boot():
+            if agentpool.security_profile is None:
+                agentpool.security_profile = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+            agentpool.security_profile.enable_secure_boot = False
+
+        return agentpool
+
+    def update_vtpm(self, agentpool: AgentPool) -> AgentPool:
+        """Update vtpm property for the AgentPool object.
+        :return: the AgentPool object
+        """
+        self._ensure_agentpool(agentpool)
+
+        if self.context.get_enable_vtpm():
+            if agentpool.security_profile is None:
+                agentpool.security_profile = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+            agentpool.security_profile.enable_vtpm = True
+
+        if self.context.get_disable_vtpm():
+            if agentpool.security_profile is None:
+                agentpool.security_profile = self.models.AgentPoolSecurityProfile()  # pylint: disable=no-member
+            agentpool.security_profile.enable_vtpm = False
+
+        return agentpool
+
     def update_agentpool_profile_preview(self, agentpools: List[AgentPool] = None) -> AgentPool:
         """The overall controller used to update the preview AgentPool profile.
 
@@ -814,6 +941,12 @@ def update_agentpool_profile_preview(self, agentpools: List[AgentPool] = None) -
         # update artifact streaming
         agentpool = self.update_artifact_streaming(agentpool)
 
+        # update secure boot
+        agentpool = self.update_secure_boot(agentpool)
+
+        # update vtpm
+        agentpool = self.update_vtpm(agentpool)
+
         # update os sku
         agentpool = self.update_os_sku(agentpool)
 

@@ -620,6 +620,9 @@ def aks_create(
     storage_pool_option=None,
     node_provisioning_mode=None,
     ssh_access=CONST_SSH_ACCESS_LOCALUSER,
+    # trusted launch
+    enable_secure_boot=False,
+    enable_vtpm=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
@@ -1190,6 +1193,9 @@ def aks_agentpool_add(
     enable_artifact_streaming=False,
     skip_gpu_driver_install=False,
     ssh_access=CONST_SSH_ACCESS_LOCALUSER,
+    # trusted launch
+    enable_secure_boot=False,
+    enable_vtpm=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()
@@ -1245,6 +1251,11 @@ def aks_agentpool_update(
     os_sku=None,
     ssh_access=None,
     yes=False,
+    # trusted launch
+    enable_secure_boot=False,
+    disable_secure_boot=False,
+    enable_vtpm=False,
+    disable_vtpm=False,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()