Azure · Greedygre · May 7, 2024 · May 6, 2024 · May 6, 2024 · May 6, 2024
diff --git a/.github/workflows/VersionCalPRComment.yml b/.github/workflows/VersionCalPRComment.yml
@@ -15,10 +15,13 @@ permissions:
 
 jobs:
   version-cal:
-    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-cal-version') }}
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-cal-version') && (!contains(fromJSON('["labeled", "unlabeled"]'), github.event.action) || github.event.label.name != 'do-not-merge') }}
     runs-on: ubuntu-latest
     steps:
       - name: Set Init Version Message
+        env:
+           action: ${{ toJSON(github.event.action) }}
+           label: ${{ toJSON(github.event.label) }}
         run: |
           echo "message=$(echo 'Suggested init version: 1.0.0b1 for preview release and 1.0.0 for stable release')" >> $GITHUB_ENV
       - name: Set up Python 3.10
@@ -40,6 +43,7 @@ jobs:
           bash_sha: ${{ github.event.pull_request.base.sha }}
           base_branch: ${{ github.event.pull_request.base.ref }}
           base_branch_pre: "upstream"
+          diff_code_file: "diff_codes.txt"
           diff_sha: ${{ github.event.pull_request.head.sha }}
           diff_branch: ${{ github.event.pull_request.head.ref }}
           repo_full_name: ${{ github.event.pull_request.head.repo.full_name }}
@@ -57,13 +61,14 @@ jobs:
             cat changed_files
             cat changed_files | grep azext_ | awk -F"azext_" '{print $1}'| awk -F"/" '{print $2}' | sort | uniq > changed_modules
             echo "changed_module_list=$(cat changed_files | grep azext_ | awk -F"azext_" '{print $1}'| awk -F"/" '{print $2}' | sort | uniq | xargs)" >> $GITHUB_ENV
+            git --no-pager diff --diff-filter=ACMRT ${{ env.base_branch_pre }}/${{ env.base_branch }}...${{ env.diff_branch }} > ${{ env.diff_code_file }}
       - name: Display Diff Modules
         run: |
             for mod in ${{ env.changed_module_list }}
             do
               echo changed module: "${mod}"
             done
-      - name: Checkout CLI main repo 
+      - name: Checkout CLI main repo
         uses: actions/checkout@master
         with:
            repository: Azure/azure-cli
@@ -97,6 +102,7 @@ jobs:
           pr_label_list: ${{ toJson(github.event.pull_request.labels.*.name) }}
           base_branch: ${{ github.event.pull_request.base.ref }}
           base_branch_pre: "upstream"
+          diff_code_file: "diff_codes.txt"
           diff_branch: ${{ github.event.pull_request.head.ref }}
           base_meta_path: "./base_meta/"
           diff_meta_path: "./diff_meta/"
@@ -133,3 +139,12 @@ jobs:
             version_update.txt
            message-failure: |
             Please refer to [Extension version schema](https://github.com/Azure/azure-cli/blob/release/doc/extensions/versioning_guidelines.md) to update release versions.
+      - name: Check output
+        run: |
+           echo steps.get_comment_message.outputs.BlockPR
+           echo ${{ steps.get_comment_message.outputs.BlockPR }}
+      - name: add label
+        uses: actions-ecosystem/action-add-labels@v1
+        if: ${{ steps.get_comment_message.outputs.BlockPR == 1 }}
+        with:
+          labels: do-not-merge
@@ -124,6 +124,9 @@ aks create:
     enable_network_observability:
       rule_exclusions:
       - option_length_too_long
+    enable_advanced_network_observability:
+      rule_exclusions:
+      - option_length_too_long
     cluster_service_load_balancer_health_probe_mode:
       rule_exclusions:
       - option_length_too_long
@@ -207,6 +210,12 @@ aks update:
     disable_network_observability:
       rule_exclusions:
       - option_length_too_long
+    enable_advanced_network_observability:
+      rule_exclusions:
+      - option_length_too_long
+    disable_advanced_network_observability:
+      rule_exclusions:
+      - option_length_too_long
     cluster_service_load_balancer_health_probe_mode:
       rule_exclusions:
       - option_length_too_long

diff --git a/scripts/ci/release_version_cal.py b/scripts/ci/release_version_cal.py
@@ -11,9 +11,17 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* Add option `--enable-advanced-network-observability`, `--disable-advanced-network-observability` to `az aks create/update`
+
+3.0.0b12
+++++++++
+* Create three default role assignments for automatic sku clusters.
+    * "Azure Kubernetes Service RBAC Cluster Admin"
+    * "Azure Kubernetes Service RBAC Admin"
+    * "Azure Kubernetes Service Cluster User Role"
 
 3.0.0b11
-+++++++
+++++++++
 * Add `--enable-static-egress-gateway` to `az aks create` and `az aks update`.
 * Add `--disable-static-egress-gateway` to `az aks update` command.
 * Add `--gateway-prefix-size` to `az aks nodepool create` command.

@@ -1196,6 +1196,12 @@
         - name: --disable-network-observability
           type: bool
           short-summary: Disable network observability on a cluster
+        - name: --enable-advanced-network-observability
+          type: bool
+          short-summary: Enable advanced network observability functionalities on a cluster.
+        - name: --disable-advanced-network-observability
+          type: bool
+          short-summary: Disable advanced network observability functionalities on a cluster
         - name: --enable-cost-analysis
           type: bool
           short-summary: Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

@@ -796,6 +796,12 @@ def load_arguments(self, _):
             is_preview=True,
             help="enable network observability for cluster",
         )
+        c.argument(
+            "enable_advanced_network_observability",
+            action="store_true",
+            is_preview=True,
+            help="enable advanced network observability functionalities for cluster",
+        )
         c.argument(
             "custom_ca_trust_certificates",
             options_list=["--custom-ca-trust-certificates", "--ca-certs"],
@@ -1279,6 +1285,18 @@ def load_arguments(self, _):
             is_preview=True,
             help="disable network observability for cluster",
         )
+        c.argument(
+            "enable_advanced_network_observability",
+            action="store_true",
+            is_preview=True,
+            help="enable advanced network observability functionalities for cluster",
+        )
+        c.argument(
+            "disable_advanced_network_observability",
+            action="store_true",
+            is_preview=True,
+            help="disable advanced network observability functionalities for cluster",
+        )
         c.argument("enable_cost_analysis", is_preview=True, action="store_true")
         c.argument("disable_cost_analysis", is_preview=True, action="store_true")
         c.argument('enable_ai_toolchain_operator', is_preview=True, action='store_true')

@@ -603,6 +603,7 @@ def aks_create(
     enable_cilium_dataplane=False,
     custom_ca_trust_certificates=None,
     enable_network_observability=None,
+    enable_advanced_network_observability=None,
     # nodepool
     crg_id=None,
     message_of_the_day=None,
@@ -827,6 +828,8 @@ def aks_update(
     safeguards_excluded_ns=None,
     enable_network_observability=None,
     disable_network_observability=None,
+    enable_advanced_network_observability=None,
+    disable_advanced_network_observability=None,
     # metrics profile
     enable_cost_analysis=False,
     disable_cost_analysis=False,

@@ -55,7 +55,10 @@
     _is_pod_identity_addon_enabled,
     _update_addon_pod_identity,
 )
-from azext_aks_preview._roleassignments import add_role_assignment
+from azext_aks_preview._roleassignments import (
+    add_role_assignment,
+    _add_role_assignment_executor_new
+)
 from azext_aks_preview.agentpool_decorator import (
     AKSPreviewAgentPoolAddDecorator,
     AKSPreviewAgentPoolUpdateDecorator,
@@ -67,6 +70,7 @@
 from azext_aks_preview.azuremonitormetrics.azuremonitorprofile import (
     ensure_azure_monitor_profile_prerequisites,
 )
+from azure.cli.command_modules.acs._client_factory import get_graph_client
 from azure.cli.command_modules.acs._consts import (
     CONST_OUTBOUND_TYPE_LOAD_BALANCER,
     CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
@@ -188,6 +192,7 @@ def external_functions(self) -> SimpleNamespace:
             ] = ensure_azure_monitor_profile_prerequisites
             # temp workaround for the breaking change caused by default API version bump of the auth SDK
             external_functions["add_role_assignment"] = add_role_assignment
+            external_functions["_add_role_assignment_executor_new"] = _add_role_assignment_executor_new
             # azure container storage functions
             external_functions["perform_enable_azure_container_storage"] = perform_enable_azure_container_storage
             external_functions["perform_disable_azure_container_storage"] = perform_disable_azure_container_storage
@@ -682,6 +687,26 @@ def get_enable_network_observability(self) -> Optional[bool]:
             return not disable_network_observability
         return None
 
+    def get_enable_advanced_network_observability(self) -> Optional[bool]:
+        """Get the value of enable_advanced_network_observability
+
+        :return: bool or None
+        """
+        enable_advanced_network_observability = self.raw_param.get("enable_advanced_network_observability")
+        disable_advanced_network_observability = self.raw_param.get("disable_advanced_network_observability")
+        if enable_advanced_network_observability and disable_advanced_network_observability:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-advanced-network-observability and "
+                "--disable-advanced-network-observability at the same time."
+            )
+        if enable_advanced_network_observability is False and disable_advanced_network_observability is False:
+            return None
+        if enable_advanced_network_observability is not None:
+            return enable_advanced_network_observability
+        if disable_advanced_network_observability is not None:
+            return not disable_advanced_network_observability
+        return None
+
     def get_load_balancer_managed_outbound_ip_count(self) -> Union[int, None]:
         """Obtain the value of load_balancer_managed_outbound_ip_count.
 
@@ -2912,6 +2937,13 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
             network_profile.monitoring = self.models.NetworkMonitoring(  # pylint: disable=no-member
                 enabled=network_observability
             )
+        advanced_network_observability = self.context.get_enable_advanced_network_observability()
+        if advanced_network_observability is not None:
+            network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
+                    enabled=advanced_network_observability
+                )
+            )
         return mc
 
     def set_up_api_server_access_profile(self, mc: ManagedCluster) -> ManagedCluster:
@@ -3606,6 +3638,7 @@ def immediate_processing_after_request(self, mc: ManagedCluster) -> None:
                     "Could not create a role assignment for subnet. Are you an Owner on this subscription?"
                 )
 
+    # pylint: disable=too-many-locals
     def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
         """Postprocessing performed after the cluster is created.
 
@@ -3751,6 +3784,35 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
                 is_called_from_extension=True,
             )
 
+        # Add role assignments for automatic sku
+        if cluster.sku is not None and cluster.sku.name == "Automatic":
+            try:
+                user = get_graph_client(self.cmd.cli_ctx).signed_in_user_get()
+            except Exception as e:  # pylint: disable=broad-except
+                logger.warning("Could not get signed in user: %s", str(e))
+            else:
+                self.context.external_functions._add_role_assignment_executor_new(  # type: ignore # pylint: disable=protected-access
+                    self.cmd,
+                    "Azure Kubernetes Service RBAC Cluster Admin",
+                    user["id"],
+                    scope=cluster.id,
+                    resolve_assignee=False,
+                )
+                self.context.external_functions._add_role_assignment_executor_new(  # type: ignore # pylint: disable=protected-access
+                    self.cmd,
+                    "Azure Kubernetes Service RBAC Admin",
+                    user["id"],
+                    scope=cluster.id,
+                    resolve_assignee=False,
+                )
+                self.context.external_functions._add_role_assignment_executor_new(  # type: ignore # pylint: disable=protected-access
+                    self.cmd,
+                    "Azure Kubernetes Service Cluster User Role",
+                    user["id"],
+                    scope=cluster.id,
+                    resolve_assignee=False,
+                )
+
 
 class AKSPreviewManagedClusterUpdateDecorator(AKSManagedClusterUpdateDecorator):
     def __init__(
@@ -3905,6 +3967,22 @@ def update_enable_network_observability_in_network_profile(self, mc: ManagedClus
             )
         return mc
 
+    def update_enable_advanced_network_observability_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update enable advanced network observability of network profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        advanced_network_observability = self.context.get_enable_advanced_network_observability()
+        if advanced_network_observability is not None:
+            mc.network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
+                    enabled=advanced_network_observability
+                )
+            )
+        return mc
+
     # pylint: disable=too-many-statements,too-many-locals,too-many-branches
     def update_azure_container_storage(self, mc: ManagedCluster) -> ManagedCluster:
         """Update azure container storage for the Managed Cluster object
@@ -5121,6 +5199,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_nodepool_initialization_taints_mc(mc)
         # update network_observability in network_profile
         mc = self.update_enable_network_observability_in_network_profile(mc)
+        # update advanced_network_observability in network_profile
+        mc = self.update_enable_advanced_network_observability_in_network_profile(mc)
         # update kubernetes support plan
         mc = self.update_k8s_support_plan(mc)
         # update metrics profile