Azure · zhoxing-ms · Aug 15, 2024 · Jul 30, 2024 · Jul 30, 2024 · Jul 31, 2024
@@ -9,6 +9,10 @@ If there is no rush to release a new version, please just add a description of t
 
 To release a new version, please select a new version number (usually plus 1 to last patch version, X.Y.Z -> Major.Minor.Patch, more details in `\doc <https://semver.org/>`_), and then add a new section named as the new version number in this file, the content should include the new modifications and everything from the *Pending* section. Finally, update the `VERSION` variable in `setup.py` with this new version number.
 
+7.0.0b6
++++++++
+* Add `--advanced-networking-observability-tls-management` to `az aks create/update` command.
+
 7.0.0b5
 +++++++
 * Add option `--enable-acns`, `--disable-acns` to `az aks create/update`

@@ -326,3 +326,7 @@
 # IMDS restriction consts
 CONST_IMDS_RESTRICTION_ENABLED = "None"
 CONST_IMDS_RESTRICTION_DISABLED = "IMDS"
+
+# TLS Management Consts
+CONST_TLS_MANAGEMENT_MANAGED = "Managed"
+CONST_TLS_MANAGEMENT_NONE = "None"
@@ -242,6 +242,9 @@
         - name: --enable-acns
           type: bool
           short-summary: Enable advanced network functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --advanced-networking-observability-tls-management
+          type: string
+          short-summary: Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. Valid values are "Managed" and "None". If not specified, the default is Managed.
         - name: --no-ssh-key -x
           type: string
           short-summary: Do not use or create a local SSH key.
@@ -1237,6 +1240,9 @@
         - name: --disable-advanced-network-observability
           type: bool
           short-summary: Disable advanced network observability functionalities on a cluster
+        - name: --advanced-networking-observability-tls-management
+          type: string
+          short-summary: Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. Valid values are "Managed" and "None". If not specified, the default is Managed.
         - name: --enable-fqdn-policy
           type: bool
           short-summary: Enable advanced network security FQDN functionalities on a cluster. Note that enabling this will incur additional costs.

@@ -126,6 +126,8 @@
     CONST_APP_ROUTING_EXTERNAL_NGINX,
     CONST_APP_ROUTING_INTERNAL_NGINX,
     CONST_APP_ROUTING_NONE_NGINX,
+    CONST_TLS_MANAGEMENT_MANAGED,
+    CONST_TLS_MANAGEMENT_NONE,
 )
 from azext_aks_preview._validators import (
     validate_acr,
@@ -411,6 +413,11 @@
     CONST_APP_ROUTING_NONE_NGINX
 ]
 
+tls_management_types = [
+    CONST_TLS_MANAGEMENT_MANAGED,
+    CONST_TLS_MANAGEMENT_NONE,
+]
+
 
 def load_arguments(self, _):
     acr_arg_type = CLIArgumentType(metavar="ACR_NAME_OR_RESOURCE_ID")
@@ -831,6 +838,12 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "advanced_networking_observability_tls_management",
+            arg_type=get_enum_type(tls_management_types),
+            default=CONST_TLS_MANAGEMENT_MANAGED,
+            is_preview=True,
+        )
         c.argument(
             "enable_fqdn_policy",
             action="store_true",
@@ -1339,6 +1352,11 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "advanced_networking_observability_tls_management",
+            arg_type=get_enum_type(tls_management_types),
+            is_preview=True,
+        )
         c.argument(
             "enable_fqdn_policy",
             action="store_true",

@@ -607,6 +607,7 @@ def aks_create(
     enable_cilium_dataplane=False,
     custom_ca_trust_certificates=None,
     enable_advanced_network_observability=None,
+    advanced_networking_observability_tls_management=None,
     enable_fqdn_policy=None,
     enable_acns=None,
     # nodepool
@@ -841,6 +842,7 @@ def aks_update(
     safeguards_excluded_ns=None,
     enable_advanced_network_observability=None,
     disable_advanced_network_observability=None,
+    advanced_networking_observability_tls_management=None,
     enable_fqdn_policy=None,
     disable_fqdn_policy=None,
     enable_acns=None,

@@ -729,6 +729,31 @@ def get_enable_advanced_network_observability(self) -> Optional[bool]:
             return not disable_advanced_network_observability
         return None
 
+    def get_advanced_networking_observability_tls_management(self) -> Union[str, None]:
+        """Obtain the value of advanced_networking_observability_tls_management.
+
+        :return str or None
+        """
+        tls_management = self.raw_param.get("advanced_networking_observability_tls_management")
+        enable_advanced_network_observability = self.raw_param.get("enable_advanced_network_observability")
+        enable_acns = self.raw_param.get("enable_acns")
+        if tls_management is not None:
+            if (
+                self.mc and
+                self.mc.network_profile is not None and
+                self.mc.network_profile.advanced_networking is not None and
+                self.mc.network_profile.advanced_networking.observability is not None and
+                self.mc.network_profile.advanced_networking.observability.enabled
+            ):
+                return tls_management
+            if enable_advanced_network_observability or enable_acns:
+                return tls_management
+            raise ArgumentUsageError(
+                "Cannot set --tls-management without enabling advanced network observability"
+                "(--enable-advanced-network-observability or --enable-acns)."
+            )
+        return tls_management
+
     def get_enable_fqdn_policy(self) -> Optional[bool]:
         """Get the value of enable_fqdn_policy
 
@@ -3064,6 +3089,9 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
                     )
                 )
             )
+            tls_management = self.context.get_advanced_networking_observability_tls_management()
+            if tls_management is not None:
+                network_profile.advanced_networking.observability.tls_management = tls_management
 
         advanced_network_observability = self.context.get_enable_advanced_network_observability()
         if advanced_network_observability is not None:
@@ -3073,6 +3101,9 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
             network_profile.advanced_networking.observability = self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
                 enabled=advanced_network_observability
             )
+            tls_management = self.context.get_advanced_networking_observability_tls_management()
+            if tls_management is not None:
+                network_profile.advanced_networking.observability.tls_management = tls_management
 
         fqdn_policy = self.context.get_enable_fqdn_policy()
         if fqdn_policy is not None:
@@ -4157,20 +4188,27 @@ def update_network_plugin_settings(self, mc: ManagedCluster) -> ManagedCluster:
 
         return mc
 
-    def update_enable_advanced_network_observability_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
-        """Update enable advanced network observability of network profile for the ManagedCluster object.
+    def update_advanced_networking_observability_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update the advanced network observability model of network profile for the ManagedCluster object.
 
         :return: the ManagedCluster object
         """
         self._ensure_mc(mc)
 
         advanced_network_observability = self.context.get_enable_advanced_network_observability()
         if advanced_network_observability is not None:
-            mc.network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
-                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
-                    enabled=advanced_network_observability
-                )
-            )
+            if mc.network_profile.advanced_networking is None:
+                mc.network_profile.advanced_networking = self.models.AdvancedNetworking()  # pylint: disable=no-member
+            if mc.network_profile.advanced_networking.observability is None:
+                mc.network_profile.advanced_networking.observability = self.models.AdvancedNetworkingObservability()  # pylint: disable=no-member
+            mc.network_profile.advanced_networking.observability.enabled = advanced_network_observability
+        tls_management = self.context.get_advanced_networking_observability_tls_management()
+        if (
+            mc.network_profile.advanced_networking is not None and
+            mc.network_profile.advanced_networking.observability is not None and
+            tls_management is not None
+        ):
+            mc.network_profile.advanced_networking.observability.tls_management = tls_management
         return mc
 
     def update_enable_fqdn_policy_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
@@ -4212,6 +4250,13 @@ def update_enable_acns_in_network_profile(self, mc: ManagedCluster) -> ManagedCl
                     )
                 )
             )
+            tls_management = self.context.get_advanced_networking_observability_tls_management()
+            if (
+                mc.network_profile.advanced_networking is not None and
+                mc.network_profile.advanced_networking.observability is not None and
+                tls_management is not None
+            ):
+                mc.network_profile.advanced_networking.observability.tls_management = tls_management
         return mc
 
     # pylint: disable=too-many-statements,too-many-locals,too-many-branches
@@ -5504,8 +5549,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_nodepool_taints_mc(mc)
         # update nodepool initialization taints
         mc = self.update_nodepool_initialization_taints_mc(mc)
-        # update advanced_network_observability in network_profile
-        mc = self.update_enable_advanced_network_observability_in_network_profile(mc)
+        # update advanced_networking_observability in network_profile
+        mc = self.update_advanced_networking_observability_in_network_profile(mc)
         # update fqdn policy in network_profile
         mc = self.update_enable_fqdn_policy_in_network_profile(mc)
         # update acns in network_profile