From d4258d7b0bc05c7556d743599134345fdbab65bc Mon Sep 17 00:00:00 2001
From: Lia Kazakova <liakaz@microsoft.com>
Date: Sat, 24 Apr 2021 21:56:56 -0700
Subject: [PATCH 1/4] cli validation starter

---
 .../partner_extensions/AzureMLKubernetes.py   | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index 34aac58e017..d56b3c377c8 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -177,6 +177,36 @@ def __validate_config(self, configuration_settings, configuration_protected_sett
         configuration_protected_settings.pop(self.ENABLE_TRAINING, None)
         configuration_protected_settings.pop(self.ENABLE_INFERENCE, None)
 
+    def __validate_scoring_fe_settings(self, configuration_settings, configuration_protected_settings):
+        clusterPurpose = _get_value_from_config_protected_config(
+            'clusterPurpose', configuration_settings, configuration_protected_settings)
+        if clusterPurpose and clusterPurpose not in ["DevTest", "FastProd"]:
+            raise InvalidArgumentValueError(
+                "Accepted values for '--configuration-settings clusterPurpose' "
+                "are 'DevTest' and 'FastProd'")
+
+        feSslCert = _get_value_from_config_protected_config(
+            'scoringFe.sslCert', configuration_settings, configuration_protected_settings)
+        sslKey = _get_value_from_config_protected_config(
+            'scoringFe.sslKey', configuration_settings, configuration_protected_settings)
+        allowInsecureConnections = _get_value_from_config_protected_config(
+            'allowInsecureConnections', configuration_settings, configuration_protected_settings)
+        allowInsecureConnections = str(allowInsecureConnections).lower() == 'true'
+        if (not feSslCert or not sslKey) and not allowInsecureConnections:
+            raise InvalidArgumentValueError(
+                "Provide ssl certificate and key. "
+                "Otherwise explicitly allow insecure connection by specifying "
+                "'--configuration-settings allowInsecureConnections=true'")
+
+        feIsNodeport = _get_value_from_config_protected_config(
+            'scoringFe.serviceType.nodePort', configuration_settings, configuration_protected_settings)
+        feIsInternalLoadBalancer = _get_value_from_config_protected_config(
+            'scoringFe.serviceType.internalLoadBalancer', configuration_settings, configuration_protected_settings)
+        feIsInternalLoadBalancer = str(feIsInternalLoadBalancer).lower() == 'true'
+        if feIsInternalLoadBalancer:
+            logger.warn(
+                'Internal load balancer only supported on AKS and AKS Engine Clusters.')
+
     def __create_required_resource(
             self, cmd, configuration_settings, configuration_protected_settings, subscription_id, resource_group_name,
             cluster_name, cluster_location):

From 6c6e55e86ee75e8eb1b62c3c2a9a64f1457a06bb Mon Sep 17 00:00:00 2001
From: Lia Kazakova <liakaz@microsoft.com>
Date: Mon, 26 Apr 2021 10:47:00 -0700
Subject: [PATCH 2/4] added the call to the fe validation function

---
 .../azext_k8s_extension/partner_extensions/AzureMLKubernetes.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index d56b3c377c8..76a80df2dfc 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -171,6 +171,8 @@ def __validate_config(self, configuration_settings, configuration_protected_sett
                 "for Machine Learning training or inference by specifying "
                 f"'--configuration-settings {self.ENABLE_TRAINING}=true' or '--configuration-settings {self.ENABLE_INFERENCE}=true'")
 
+        self.__validate_scoring_fe_settings(configuration_settings, configuration_protected_settings)
+
         configuration_settings[self.ENABLE_TRAINING] = configuration_settings.get(self.ENABLE_TRAINING, enable_training)
         configuration_settings[self.ENABLE_INFERENCE] = configuration_settings.get(
             self.ENABLE_INFERENCE, enable_inference)

From cb43c84785ce8aee634db29a9dc270f530255778 Mon Sep 17 00:00:00 2001
From: Lia Kazakova <liakaz@microsoft.com>
Date: Mon, 26 Apr 2021 13:23:53 -0700
Subject: [PATCH 3/4] nodeport validation not required

---
 .../azext_k8s_extension/partner_extensions/AzureMLKubernetes.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index 76a80df2dfc..1338765bab2 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -200,8 +200,6 @@ def __validate_scoring_fe_settings(self, configuration_settings, configuration_p
                 "Otherwise explicitly allow insecure connection by specifying "
                 "'--configuration-settings allowInsecureConnections=true'")
 
-        feIsNodeport = _get_value_from_config_protected_config(
-            'scoringFe.serviceType.nodePort', configuration_settings, configuration_protected_settings)
         feIsInternalLoadBalancer = _get_value_from_config_protected_config(
             'scoringFe.serviceType.internalLoadBalancer', configuration_settings, configuration_protected_settings)
         feIsInternalLoadBalancer = str(feIsInternalLoadBalancer).lower() == 'true'

From 1b6a1fe94574a9de9cc953dd79369603b00db52b Mon Sep 17 00:00:00 2001
From: Lia Kazakova <liakaz@microsoft.com>
Date: Mon, 26 Apr 2021 14:27:48 -0700
Subject: [PATCH 4/4] test fix

---
 testing/test/extensions/public/AzureMLKubernetes.Tests.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1 b/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
index 344e36a296c..a434544da12 100644
--- a/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
+++ b/testing/test/extensions/public/AzureMLKubernetes.Tests.ps1
@@ -10,7 +10,7 @@ Describe 'AzureML Kubernetes Testing' {
     }
 
     It 'Creates the extension and checks that it onboards correctly' {
-        $output = az k8s-extension create -c $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup --cluster-type connectedClusters --extension-type $extensionType --name $extensionName --release-train preview --config enableTraining=true
+        $output = az k8s-extension create -c $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup --cluster-type connectedClusters --extension-type $extensionType --name $extensionName --release-train preview --config enableTraining=true allowInsecureConnections=true
         $? | Should -BeTrue
 
         $output = az k8s-extension show -c $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup --cluster-type connectedClusters --name $extensionName