diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst index 32a1e19d520..eff788e1d6c 100644 --- a/src/aks-preview/HISTORY.rst +++ b/src/aks-preview/HISTORY.rst @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to Pending +++++++ +0.5.157 ++++++++ +* Add `--disable-workload-identity` to the `az aks update` command. + 0.5.156 +++++++ * Add `az aks copilot` command to start a chat with the Azure Kubernetes Service expert. API keys for OpenAI or Azure are required. diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py index 9804ff34e52..615c5250f59 100644 --- a/src/aks-preview/azext_aks_preview/_help.py +++ b/src/aks-preview/azext_aks_preview/_help.py @@ -829,6 +829,9 @@ - name: --enable-workload-identity type: bool short-summary: (PREVIEW) Enable Workload Identity addon for cluster. + - name: --disable-workload-identity + type: bool + short-summary: (PREVIEW) Disable Workload Identity addon for cluster. - name: --enable-secret-rotation type: bool short-summary: Enable secret rotation. Use with azure-keyvault-secrets-provider addon. diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py index ae91b8262cf..61474fe680b 100644 --- a/src/aks-preview/azext_aks_preview/_params.py +++ b/src/aks-preview/azext_aks_preview/_params.py 
@@ -409,7 +409,7 @@ def load_arguments(self, _): c.argument('enable_pod_security_policy', action='store_true', deprecate_info=c.deprecate(target='--enable-pod-security-policy', hide=True)) c.argument('enable_pod_identity', action='store_true') c.argument('enable_pod_identity_with_kubenet', action='store_true') - c.argument('enable_workload_identity', arg_type=get_three_state_flag(), is_preview=True) + c.argument('enable_workload_identity', action='store_true', is_preview=True) c.argument('enable_image_cleaner', action='store_true', is_preview=True) c.argument('enable_azure_service_mesh', options_list=["--enable-azure-service-mesh", "--enable-asm"], @@ -544,7 +544,8 @@ def load_arguments(self, _): c.argument('enable_pod_identity', action='store_true') c.argument('enable_pod_identity_with_kubenet', action='store_true') c.argument('disable_pod_identity', action='store_true') - c.argument('enable_workload_identity', arg_type=get_three_state_flag(), is_preview=True) + c.argument('enable_workload_identity', action='store_true', is_preview=True) + c.argument('disable_workload_identity', action='store_true', is_preview=True) c.argument('enable_image_cleaner', action='store_true', is_preview=True) c.argument('disable_image_cleaner', action='store_true', validator=validate_image_cleaner_enable_disable_mutually_exclusive, is_preview=True) c.argument('image_cleaner_interval_hours', type=int, is_preview=True) diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index caa042ef479..c119f641e6e 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py @@ -554,7 +554,7 @@ def aks_create( enable_pod_security_policy=False, enable_pod_identity=False, enable_pod_identity_with_kubenet=False, - enable_workload_identity=None, + enable_workload_identity=False, enable_image_cleaner=False, image_cleaner_interval_hours=None, cluster_snapshot_id=None, 
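Review bot: Replacing `get_three_state_flag()` with `action='store_true'` on `enable_workload_identity` changes the accepted command-line syntax for both `aks create` (this hunk) and `aks update` (the hunk at -544), but the HISTORY entry records only the new flag. The integration test in this same commit shows the old form `--enable-workload-identity False` was in real use; with `store_true` the trailing value is no longer consumed by the option, so existing scripts will most likely fail at parse time. That is the safer failure direction, but it should be announced, for example with `* [BREAKING CHANGE] --enable-workload-identity no longer accepts a value; use --disable-workload-identity on az aks update.` The matching default change from `None` to `False` in `aks_create` and `aks_update` in custom.py belongs under the same note.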
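Review bot: In the `aks update` hunk (-544), `disable_workload_identity` is registered without a validator, so the enable/disable conflict is only caught later inside `get_workload_identity_profile`. The neighbouring `disable_image_cleaner` argument attaches `validate_image_cleaner_enable_disable_mutually_exclusive`, which rejects the same kind of conflict while arguments are parsed. An analogous validator here would keep the two option pairs consistent and would fail before any cluster state is fetched. The in-decorator check can stay as a second line of defence.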
@@ -725,7 +725,8 @@ def aks_update( enable_pod_identity=False, enable_pod_identity_with_kubenet=False, disable_pod_identity=False, - enable_workload_identity=None, + enable_workload_identity=False, + disable_workload_identity=False, enable_image_cleaner=False, disable_image_cleaner=False, image_cleaner_interval_hours=None, diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py index f995e6d0b74..265b8b65be6 100644 --- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py @@ -985,11 +985,22 @@ def get_workload_identity_profile(self) -> Optional[ManagedClusterSecurityProfil # - False: sets by user, to disable the workload identity feature # - None: user unspecified, don't set the profile and let server side to backfill enable_workload_identity = self.raw_param.get("enable_workload_identity") + disable_workload_identity = self.raw_param.get("disable_workload_identity") - if enable_workload_identity is None: + if not enable_workload_identity and not disable_workload_identity: return None + if enable_workload_identity and disable_workload_identity: + raise MutuallyExclusiveArgumentError( + "Cannot specify --enable-workload-identity and " + "--disable-workload-identity at the same time." + ) + + if not hasattr(self.models, "ManagedClusterSecurityProfileWorkloadIdentity"): + raise UnknownError("Workload Identity's data model not found") + profile = self.models.ManagedClusterSecurityProfileWorkloadIdentity() + if self.decorator_mode == DecoratorMode.UPDATE: if self.mc.security_profile is not None and self.mc.security_profile.workload_identity is not None: # reuse previous profile is has been set 
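Review bot: In `get_workload_identity_profile`, the comment kept as context above `enable_workload_identity = self.raw_param.get(...)` still documents the old three-state contract (`False` set by the user to disable, `None` when unspecified). That no longer matches the code, where both inputs are `store_true` flags and an unset flag is simply falsy. Replace it with something like `# enable/disable are independent store_true flags: neither set -> return None (profile left untouched); both set -> MutuallyExclusiveArgumentError`. The function body continues past the end of this hunk, so the lines that derive `profile.enabled` from the two flags are not visible here and should be checked against the updated comment.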
@@ -2510,15 +2521,10 @@ def set_up_workload_identity_profile(self, mc: ManagedCluster) -> ManagedCluster self._ensure_mc(mc) profile = self.context.get_workload_identity_profile() - if profile is None: - if mc.security_profile is not None: - # set the value to None to let server side to fill in the default value - mc.security_profile.workload_identity = None - return mc - - if mc.security_profile is None: - mc.security_profile = self.models.ManagedClusterSecurityProfile() - mc.security_profile.workload_identity = profile + if profile: + if mc.security_profile is None: + mc.security_profile = self.models.ManagedClusterSecurityProfile() + mc.security_profile.workload_identity = profile return mc diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py index 33357887c86..0cf333e8d50 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py @@ -4981,7 +4981,7 @@ def test_aks_update_with_workload_identity(self, resource_group, resource_group_ disable_cmd = ' '.join([ 'aks', 'update', '--resource-group={resource_group}', '--name={name}', - '--enable-workload-identity', 'False', + '--disable-workload-identity', '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/EnableWorkloadIdentityPreview,AKSHTTPCustomFeatures=Microsoft.ContainerService/EnableOIDCIssuerPreview', ]) self.cmd(disable_cmd, checks=[ diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py index 35e716d16f7..696f407212e 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py 
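Review bot: In `set_up_workload_identity_profile`, `if profile:` tests the truthiness of a model object, while the getter is annotated as returning `Optional[...]`, so what is meant is a None check. `if profile is not None:` says that directly and cannot be affected by a model class that defines `__bool__` or `__len__`. Since this hunk also drops the branch that reset `workload_identity` to `None`, a short comment such as `# profile is None when neither flag was passed: leave security_profile unchanged` would make the new no-op path explicit for the next reader.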
@@ -1172,6 +1172,21 @@ def test_get_workload_identity_profile__update_not_set(self): ctx.attach_mc(self.models.ManagedCluster(location="test_location")) self.assertIsNone(ctx.get_workload_identity_profile()) + def test_get_workload_identity_profile__update_with_enable_and_disable(self): + ctx = AKSPreviewManagedClusterContext( + self.cmd, + AKSManagedClusterParamDict( + { + "enable_workload_identity": True, + "disable_workload_identity": True, + } + ), + self.models, decorator_mode=DecoratorMode.UPDATE + ) + ctx.attach_mc(self.models.ManagedCluster(location="test_location")) + with self.assertRaises(MutuallyExclusiveArgumentError): + ctx.get_workload_identity_profile() + def test_get_workload_identity_profile__update_with_enable_without_oidc_issuer(self): ctx = AKSPreviewManagedClusterContext( self.cmd, @@ -1227,7 +1242,7 @@ def test_get_workload_identity_profile__update_with_disable(self): self.cmd, AKSManagedClusterParamDict( { - "enable_workload_identity": False, + "disable_workload_identity": True, } ), self.models, @@ -5485,7 +5500,7 @@ def test_update_workload_identity_profile__disabled(self): self.cmd, self.client, { - "enable_workload_identity": False, + "disable_workload_identity": True, }, CUSTOM_MGMT_AKS_PREVIEW, ) diff --git a/src/aks-preview/linter_exclusions.yml b/src/aks-preview/linter_exclusions.yml index 7188c34b9b0..edbb9ed7ed6 100644 --- a/src/aks-preview/linter_exclusions.yml +++ b/src/aks-preview/linter_exclusions.yml @@ -80,6 +80,9 @@ aks update: enable_workload_identity: rule_exclusions: - option_length_too_long + disable_workload_identity: + rule_exclusions: + - option_length_too_long enable_snapshot_controller: rule_exclusions: - option_length_too_long diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index e7f2b628616..0dce79a9333 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py 
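Review bot: The added `test_get_workload_identity_profile__update_with_enable_and_disable` covers the conflict only in `DecoratorMode.UPDATE`, and nothing in the hunks shown exercises the new `UnknownError` branch taken when `ManagedClusterSecurityProfileWorkloadIdentity` is missing from `self.models`. There is also no case in these hunks for CREATE mode, where `disable_workload_identity` is absent from the parameter dict and `raw_param.get` returns `None`. Adding one test for the missing-model path and one CREATE-mode test with only `enable_workload_identity` set would pin the two code paths this commit introduces. The new test method would also benefit from a one-line docstring stating that both flags together must raise.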
@@ -9,7 +9,7 @@ from setuptools import setup, find_packages -VERSION = "0.5.156" +VERSION = "0.5.157" CLASSIFIERS = [ "Development Status :: 4 - Beta",