feat(acns): Add advanced networking observability tls management for az aks create and update commands

src/aks-preview/HISTORY.rst

@@ -11,6 +11,7 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* Add `--advanced-networking-observability-tls-management` to `az aks create/update` command.
 * Vendor new SDK and bump API version to 2024-06-02-preview.
 
 7.0.0b3

src/aks-preview/azext_aks_preview/_consts.py

@@ -322,3 +322,7 @@
 # IMDS restriction consts
 CONST_IMDS_RESTRICTION_ENABLED = "None"
 CONST_IMDS_RESTRICTION_DISABLED = "IMDS"
+
+# TLS Management Consts
+CONST_TLS_MANAGEMENT_MANAGED = "Managed"
+CONST_TLS_MANAGEMENT_NONE = "None"

src/aks-preview/azext_aks_preview/_help.py

@@ -236,6 +236,9 @@
         - name: --enable-advanced-network-observability
           type: bool
           short-summary: Enable advanced network observability functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --advanced-networking-observability-tls-management
+          type: string
+          short-summary: Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. Valid values are "Managed" and "None". If not specified, the default is Managed.
         - name: --no-ssh-key -x
           type: string
           short-summary: Do not use or create a local SSH key.
@@ -1228,6 +1231,9 @@
         - name: --disable-advanced-network-observability
           type: bool
           short-summary: Disable advanced network observability functionalities on a cluster
+        - name: --advanced-networking-observability-tls-management
+          type: string
+          short-summary: Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. Valid values are "Managed" and "None". If not specified, the default is Managed.
         - name: --enable-cost-analysis
           type: bool
           short-summary: Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

src/aks-preview/azext_aks_preview/_params.py

@@ -122,6 +122,8 @@
     CONST_ARTIFACT_SOURCE_DIRECT,
     CONST_ARTIFACT_SOURCE_CACHE,
     CONST_OUTBOUND_TYPE_NONE,
+    CONST_TLS_MANAGEMENT_MANAGED,
+    CONST_TLS_MANAGEMENT_NONE,
 )
 from azext_aks_preview._validators import (
     validate_acr,
@@ -399,6 +401,11 @@
     CONST_ARTIFACT_SOURCE_CACHE,
 ]
 
+tls_management_types = [
+    CONST_TLS_MANAGEMENT_MANAGED,
+    CONST_TLS_MANAGEMENT_NONE,
+]
+
 
 def load_arguments(self, _):
     acr_arg_type = CLIArgumentType(metavar="ACR_NAME_OR_RESOURCE_ID")
@@ -814,6 +821,12 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "advanced_networking_observability_tls_management",
+            arg_type=get_enum_type(tls_management_types),
+            default=CONST_TLS_MANAGEMENT_MANAGED,
+            is_preview=True,
+        )
         c.argument(
             "custom_ca_trust_certificates",
             options_list=["--custom-ca-trust-certificates", "--ca-certs"],
@@ -1312,6 +1325,11 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "advanced_networking_observability_tls_management",
+            is_preview=True,
+            arg_type=get_enum_type(tls_management_types),
+        )
         c.argument("enable_cost_analysis", action="store_true")
         c.argument("disable_cost_analysis", action="store_true")
         c.argument('enable_ai_toolchain_operator', is_preview=True, action='store_true')

src/aks-preview/azext_aks_preview/custom.py

@@ -606,6 +606,7 @@ def aks_create(
     enable_cilium_dataplane=False,
     custom_ca_trust_certificates=None,
     enable_advanced_network_observability=None,
+    advanced_networking_observability_tls_management=None,
     # nodepool
     crg_id=None,
     message_of_the_day=None,
@@ -838,6 +839,7 @@ def aks_update(
     safeguards_excluded_ns=None,
     enable_advanced_network_observability=None,
     disable_advanced_network_observability=None,
+    advanced_networking_observability_tls_management=None,
     # metrics profile
     enable_cost_analysis=False,
     disable_cost_analysis=False,

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -728,6 +728,13 @@ def get_enable_advanced_network_observability(self) -> Optional[bool]:
             return not disable_advanced_network_observability
         return None
 
+    def get_advanced_networking_observability_tls_management(self) -> Union[str, None]:
+        """Obtain the value of advanced_networking_observability_tls_management.
+
+        :return str or None
+        """
+        return self.raw_param.get("advanced_networking_observability_tls_management")
+
     def get_load_balancer_managed_outbound_ip_count(self) -> Union[int, None]:
         """Obtain the value of load_balancer_managed_outbound_ip_count.
 
@@ -2984,10 +2991,12 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
 
         advanced_network_observability = self.context.get_enable_advanced_network_observability()
         if advanced_network_observability is not None:
-            network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
-                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
-                    enabled=advanced_network_observability
-                )
+            # Create an advanced networking model with an observability model if it does not exist.
+            if network_profile.advanced_networking is None:
+                network_profile.advanced_networking = self.models.AdvancedNetworking()  # pylint: disable=no-member
+            network_profile.advanced_networking.observability = self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
+                enabled=advanced_network_observability,
+                tls_management=self.context.get_advanced_networking_observability_tls_management(),
             )
         return mc
 
@@ -4060,11 +4069,27 @@ def update_enable_advanced_network_observability_in_network_profile(self, mc: Ma
 
         advanced_network_observability = self.context.get_enable_advanced_network_observability()
         if advanced_network_observability is not None:
-            mc.network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
-                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
-                    enabled=advanced_network_observability
-                )
-            )
+            if mc.network_profile.advanced_networking is None:
+                mc.network_profile.advanced_networking = self.models.AdvancedNetworking()  # pylint: disable=no-member
+            if mc.network_profile.advanced_networking.observability is None:
+                mc.network_profile.advanced_networking.observability = self.models.AdvancedNetworkingObservability()  # pylint: disable=no-member
+            mc.network_profile.advanced_networking.observability.enabled = advanced_network_observability
+        return mc
+
+    def update_advanced_networking_observability_tls_management(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update advanced network observability tls mangement of network profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        tls_management = self.context.get_advanced_networking_observability_tls_management()
+        if tls_management is not None:
+            if mc.network_profile.advanced_networking is not None:
+                if mc.network_profile.advanced_networking.observability is not None:
+                    if mc.network_profile.advanced_networking.observability.enabled:
+                        # set tls management only if advanced network observability is enabled
+                        mc.network_profile.advanced_networking.observability.tls_management = tls_management
         return mc
 
     # pylint: disable=too-many-statements,too-many-locals,too-many-branches
@@ -5341,6 +5366,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_nodepool_initialization_taints_mc(mc)
         # update advanced_network_observability in network_profile
         mc = self.update_enable_advanced_network_observability_in_network_profile(mc)
+        # update advanced_networking_observability_tls_management in network_profile
+        mc = self.update_advanced_networking_observability_tls_management(mc)
         # update kubernetes support plan
         mc = self.update_k8s_support_plan(mc)
         # update AI toolchain operator