add --node-os-upgrade-channel to az aks create and az aks update (#5788)

* add --node-os-upgrade-channel to create and update

* add exclusion

* fix linter

* order imports?

* remove instances of self._ensure_mc(mc)

* add help text

* cleanup help comment

* remove default comment

* add version bump

* switched to node_os_upgrade_channels

* remove whitespace

* rerun tests with current setup

* Update src/aks-preview/azext_aks_preview/_help.py

Co-authored-by: FumingZhang <[email protected]>

* Update src/aks-preview/azext_aks_preview/_help.py

Co-authored-by: FumingZhang <[email protected]>

* remove whitespace

Co-authored-by: Charlie McBride <[email protected]>
Co-authored-by: FumingZhang <[email protected]>

src/aks-preview/HISTORY.rst

@@ -13,6 +13,10 @@ Pending
 +++++++
 * Raise InvalidArgumentValueError for azure cni + pod_cidr without overlay.
 
+0.5.127
++++++++
+* Add `--node-os-upgrade-channel <node os upgrade channel>` option for specifying the manner in which the OS on your nodes is updated in `aks create` and `aks update`
+
 0.5.126
 +++++++
 * Add `--nrg-lockdown-restriction-level <restriction level>` option for chosing the node resource group restriction level in `aks create` and `aks update`

src/aks-preview/azext_aks_preview/_consts.py

@@ -84,6 +84,12 @@
 CONST_NODE_IMAGE_UPGRADE_CHANNEL = "node-image"
 CONST_NONE_UPGRADE_CHANNEL = "none"
 
+# consts for node os upgrade channel
+CONST_NODE_OS_CHANNEL_NODE_IMAGE = "NodeImage"
+CONST_NODE_OS_CHANNEL_NONE = "None"
+CONST_NODE_OS_CHANNEL_SECURITY_PATCH = "SecurityPatch"
+CONST_NODE_OS_CHANNEL_UNMANAGED = "Unmanaged"
+
 # consts for nrg-lockdown restriction level
 CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_READONLY = "ReadOnly"
 CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_UNRESTRICTED = "Unrestricted"

src/aks-preview/azext_aks_preview/_help.py

@@ -363,6 +363,9 @@
         - name: --auto-upgrade-channel
           type: string
           short-summary: Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.
+        - name: --node-os-upgrade-channel
+          type: string
+          short-summary: Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
         - name: --kubelet-config
           type: string
           short-summary: Kubelet configurations for agent nodes.
@@ -721,6 +724,9 @@
         - name: --auto-upgrade-channel
           type: string
           short-summary: Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.
+        - name: --node-os-upgrade-channel
+          type: string
+          short-summary: Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
         - name: --enable-managed-identity
           type: bool
           short-summary: Update current cluster to managed identity to manage cluster resource group.

src/aks-preview/azext_aks_preview/_params.py

@@ -44,6 +44,10 @@
     CONST_NODE_IMAGE_UPGRADE_CHANNEL,
     CONST_NODEPOOL_MODE_SYSTEM,
     CONST_NODEPOOL_MODE_USER,
+    CONST_NODE_OS_CHANNEL_NODE_IMAGE,
+    CONST_NODE_OS_CHANNEL_NONE,
+    CONST_NODE_OS_CHANNEL_SECURITY_PATCH,
+    CONST_NODE_OS_CHANNEL_UNMANAGED,
     CONST_NONE_UPGRADE_CHANNEL,
     CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_READONLY,
     CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_UNRESTRICTED,
@@ -191,6 +195,12 @@
     CONST_NODE_IMAGE_UPGRADE_CHANNEL,
     CONST_NONE_UPGRADE_CHANNEL,
 ]
+node_os_upgrade_channels = [
+    CONST_NODE_OS_CHANNEL_NODE_IMAGE,
+    CONST_NODE_OS_CHANNEL_NONE,
+    CONST_NODE_OS_CHANNEL_SECURITY_PATCH,
+    CONST_NODE_OS_CHANNEL_UNMANAGED,
+]
 nrg_lockdown_restriction_levels = [
     CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_READONLY,
     CONST_NRG_LOCKDOWN_RESTRICTION_LEVEL_UNRESTRICTED,
@@ -268,6 +278,7 @@ def load_arguments(self, _):
         c.argument('network_policy')
         c.argument('kube_proxy_config')
         c.argument('auto_upgrade_channel', arg_type=get_enum_type(auto_upgrade_channels))
+        c.argument('node_os_upgrade_channel', arg_type=get_enum_type(node_os_upgrade_channels))
         c.argument('cluster_autoscaler_profile', nargs='+', options_list=["--cluster-autoscaler-profile", "--ca-profile"],
                    help="Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.")
         c.argument('uptime_sla', action='store_true')
@@ -407,6 +418,7 @@ def load_arguments(self, _):
         c.argument('nat_gateway_idle_timeout', type=int, validator=validate_nat_gateway_idle_timeout)
         c.argument('kube_proxy_config')
         c.argument('auto_upgrade_channel', arg_type=get_enum_type(auto_upgrade_channels))
+        c.argument('node_os_upgrade_channel', arg_type=get_enum_type(node_os_upgrade_channels))
         c.argument('cluster_autoscaler_profile', nargs='+', options_list=["--cluster-autoscaler-profile", "--ca-profile"],
                    help="Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.")
         c.argument('uptime_sla', action='store_true')

src/aks-preview/azext_aks_preview/custom.py

@@ -598,6 +598,7 @@ def aks_create(
     network_policy=None,
     kube_proxy_config=None,
     auto_upgrade_channel=None,
+    node_os_upgrade_channel=None,
     cluster_autoscaler_profile=None,
     uptime_sla=False,
     fqdn_subdomain=None,
@@ -759,6 +760,7 @@ def aks_update(
     nat_gateway_idle_timeout=None,
     kube_proxy_config=None,
     auto_upgrade_channel=None,
+    node_os_upgrade_channel=None,
     cluster_autoscaler_profile=None,
     uptime_sla=False,
     no_uptime_sla=False,

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -595,6 +595,26 @@ def get_kube_proxy_config(self) -> Union[Dict, ContainerServiceNetworkProfileKub
         # this parameter does not need validation
         return kube_proxy_config
 
+    def get_node_os_upgrade_channel(self) -> Union[str, None]:
+        """Obtain the value of node_os_upgrade_channel.
+        :return: string or None
+        """
+        # read the original value passed by the command
+        node_os_upgrade_channel = self.raw_param.get("node_os_upgrade_channel")
+
+        # In create mode, try to read the property value corresponding to the parameter from the `mc` object.
+        if self.decorator_mode == DecoratorMode.CREATE:
+            if (
+                self.mc and
+                self.mc.auto_upgrade_profile and
+                self.mc.auto_upgrade_profile.node_os_upgrade_channel is not None
+            ):
+                node_os_upgrade_channel = self.mc.auto_upgrade_profile.node_os_upgrade_channel
+
+        # this parameter does not need dynamic completion
+        # this parameter does not need validation
+        return node_os_upgrade_channel
+
     def _get_enable_pod_security_policy(self, enable_validation: bool = False) -> bool:
         """Internal function to obtain the value of enable_pod_security_policy.
 
@@ -2228,6 +2248,19 @@ def set_up_node_resource_group_profile(self, mc: ManagedCluster) -> ManagedClust
         mc.node_resource_group_profile = node_resource_group_profile
         return mc
 
+    def set_up_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Set up auto upgrade profile for the ManagedCluster object.
+        :return: the ManagedCluster object
+        """
+        mc = super().set_up_auto_upgrade_profile(mc)
+
+        node_os_upgrade_channel = self.context.get_node_os_upgrade_channel()
+        if node_os_upgrade_channel:
+            if mc.auto_upgrade_profile is None:
+                mc.auto_upgrade_profile = self.models.ManagedClusterAutoUpgradeProfile()
+            mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
+        return mc
+
     def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) -> ManagedCluster:
         """The overall controller used to construct the default ManagedCluster profile.
 
@@ -2263,6 +2296,8 @@ def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) ->
         mc = self.set_up_custom_ca_trust_certificates(mc)
         # set up node resource group profile
         mc = self.set_up_node_resource_group_profile(mc)
+        # set up auto upgrade profile
+        mc = self.set_up_auto_upgrade_profile(mc)
 
         # DO NOT MOVE: keep this at the bottom, restore defaults
         mc = self._restore_defaults_in_mc(mc)
@@ -2781,6 +2816,19 @@ def update_node_resource_group_profile(self, mc: ManagedCluster) -> ManagedClust
             mc.node_resource_group_profile.restriction_level = nrg_lockdown_restriction_level
         return mc
 
+    def update_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update auto upgrade profile for the ManagedCluster object.
+        :return: the ManagedCluster object
+        """
+        mc = super().update_auto_upgrade_profile(mc)
+
+        node_os_upgrade_channel = self.context.get_node_os_upgrade_channel()
+        if node_os_upgrade_channel is not None:
+            if mc.auto_upgrade_profile is None:
+                mc.auto_upgrade_profile = self.models.ManagedClusterAutoUpgradeProfile()
+            mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
+        return mc
+
     def update_mc_profile_preview(self) -> ManagedCluster:
         """The overall controller used to update the preview ManagedCluster profile.
 
@@ -2820,5 +2868,7 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_custom_ca_trust_certificates(mc)
         # update node resource group profile
         mc = self.update_node_resource_group_profile(mc)
+        # update auto upgrade profile
+        mc = self.update_auto_upgrade_profile(mc)
 
         return mc