feat(acns): Add mTLS as transit encryption type for ACNS #9668
nddq wants to merge 1 commit into Azure:main from
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | aks create | cmd `aks create` update parameter `acns_transit_encryption_type`: updated property `choices` from `['None', 'WireGuard']` to `['None', 'WireGuard', 'mTLS']` | |
| | aks update | cmd `aks update` update parameter `acns_transit_encryption_type`: updated property `choices` from `['None', 'WireGuard']` to `['None', 'WireGuard', 'mTLS']` | |

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Pull request overview
Adds support for mTLS as a new ACNS transit encryption type in the aks-preview extension, including CLI enum exposure and validation that prevents incompatible combinations with L7 advanced network policies and Istio service mesh during both create and update flows.
Changes:
- Add `mTLS` to `--acns-transit-encryption-type` allowed values and help text for `az aks create` and `az aks update`.
- Add validation blocking `mTLS` when L7 advanced network policies are requested or already enabled, and when Azure Service Mesh (Istio) is enabled or already present.
- Add/extend unit tests, scenario tests, and recordings for the new `mTLS` option.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/aks-preview/setup.py | Bumps extension version to 19.0.0b25. |
| src/aks-preview/HISTORY.rst | Documents the new mTLS transit encryption option in release notes. |
| src/aks-preview/azext_aks_preview/_consts.py | Adds CONST_TRANSIT_ENCRYPTION_TYPE_MTLS = "mTLS". |
| src/aks-preview/azext_aks_preview/_params.py | Adds mTLS to enum list and updates help text for create/update arguments. |
| src/aks-preview/azext_aks_preview/managed_cluster_decorator.py | Adds create/update validation to block mTLS with L7 policies or Istio service mesh. |
| src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py | Adds unit tests for mTLS value and mutual exclusion cases (create + update). |
| src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py | Adds scenario tests for mTLS in create/update flows. |
| src/aks-preview/azext_aks_preview/tests/latest/recordings/test_aks_create_with_transit_encryption_type_mtls.yaml | Adds recording for the new mTLS create scenario test. |
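
A sketch of the mutual-exclusion check the overview describes, evaluated on the merged requested-plus-existing state so that create and update share one path. It is an added example, not the PR's code: `ClusterState`, `Request`, `mtls_conflicts` and the `"L7"` value name are assumptions, and as a generalization it also flags enabling L7 or Istio on a cluster that already uses mTLS.

```python
from dataclasses import dataclass
from typing import List, Optional

# Choices for --acns-transit-encryption-type as listed on the page.
TRANSIT_ENCRYPTION_TYPES = ("None", "WireGuard", "mTLS")


@dataclass
class ClusterState:
    """Hypothetical snapshot of the settings the check depends on."""
    transit_encryption_type: str = "None"
    advanced_network_policies: str = "None"  # "L7" is an assumed value name
    istio_enabled: bool = False


@dataclass
class Request:
    """Hypothetical CLI request; None means the flag was not passed."""
    transit_encryption_type: Optional[str] = None
    advanced_network_policies: Optional[str] = None
    istio_enabled: Optional[bool] = None


def _pick(requested, existing):
    # A flag that was not passed leaves the existing value in place.
    return existing if requested is None else requested


def mtls_conflicts(req: Request, existing: Optional[ClusterState] = None) -> List[str]:
    """Return the reasons mTLS is rejected; an empty list means accepted.

    existing=None models create; a ClusterState models update.
    """
    existing = existing or ClusterState()
    enc = _pick(req.transit_encryption_type, existing.transit_encryption_type)
    if enc not in TRANSIT_ENCRYPTION_TYPES:
        raise ValueError(f"unsupported transit encryption type: {enc!r}")
    if enc != "mTLS":
        return []
    conflicts = []
    if _pick(req.advanced_network_policies, existing.advanced_network_policies) == "L7":
        conflicts.append("mTLS cannot be combined with L7 advanced network policies")
    if _pick(req.istio_enabled, existing.istio_enabled):
        conflicts.append("mTLS cannot be combined with Istio service mesh")
    return conflicts
```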

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

6b5c916 to 610dfbb

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

610dfbb to aae778c

Pull request overview
Copilot reviewed 8 out of 9 changed files in this pull request and generated 3 comments.

aae778c to 07fa159

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

07fa159 to def6faa

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

Please resolve merge conflicts, @nddq |
Remove explicit aks delete step from mTLS transit encryption test to avoid 409 EtagMismatch race condition. Resource cleanup is handled by AKSCustomResourceGroupPreparer. Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>

def6faa to e79acb5

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

Add 'mTLS' as a new option for --acns-transit-encryption-type in az aks create/update. Includes validation to prevent mTLS from being used with L7 advanced network policies or Istio service mesh, both for create and update scenarios.
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
General Guidelines
- azdev style <YOUR_EXT> locally? (pip install azdev required)
- python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)

For new extensions:
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.