[AKS] Add mesh Istio CNI commands for az aks mesh#32992
Open
german1608 wants to merge 3 commits intoAzure:devfrom
Open
[AKS] Add mesh Istio CNI commands for az aks mesh#32992german1608 wants to merge 3 commits intoAzure:devfrom
german1608 wants to merge 3 commits intoAzure:devfrom
Conversation
Add enable-istio-cni and disable-istio-cni commands under az aks mesh. These commands allow users to toggle the proxy redirection mechanism for Azure Service Mesh between CNI chaining (better security and performance) and init containers (traditional method). Changes: - _consts.py: Add CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS and CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING constants - _help.py: Add help text for enable-istio-cni and disable-istio-cni commands - commands.py: Register the two new commands under aks mesh group - custom.py: Add aks_mesh_enable_istio_cni() and aks_mesh_disable_istio_cni() functions and update _aks_mesh_update() signature - managed_cluster_decorator.py: Add _handle_istio_cni_asm() method and wire it into update_azure_service_mesh_profile() - test_managed_cluster_decorator.py: Add unit tests for _handle_istio_cni_asm - test_aks_commands.py: Add live test for enable/disable Istio CNI
️✔️AzureCLI-FullTest
|
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| aks mesh disable-istio-cni | cmd aks mesh disable-istio-cni added |
||
| aks mesh enable-istio-cni | cmd aks mesh enable-istio-cni added |
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
bot
requested review from
FumingZhang,
yanzhudd,
yonzhan and
zhoxing-ms
microsoft-github-policy-service
bot
added
Auto-Assign
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds first-class CLI support for toggling Istio CNI proxy redirection for the AKS Azure Service Mesh (Istio) add-on via new az aks mesh subcommands.
Changes:
- Adds
az aks mesh enable-istio-cniandaz aks mesh disable-istio-cnicommands wired throughacs/custom.pyand command table registration. - Implements service mesh profile mutation logic in
managed_cluster_decorator.pyto setproxy_redirection_mechanismtoCNIChainingorInitContainers. - Adds unit + scenario coverage, updates help text, introduces constants, and records the feature in
HISTORY.rst.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py | Adds _handle_istio_cni_asm and wires it into service mesh profile updates. |
| src/azure-cli/azure/cli/command_modules/acs/custom.py | Adds aks_mesh_enable_istio_cni / aks_mesh_disable_istio_cni wrappers and threads new params into _aks_mesh_update. |
| src/azure-cli/azure/cli/command_modules/acs/commands.py | Registers the two new aks mesh custom commands. |
| src/azure-cli/azure/cli/command_modules/acs/_help.py | Adds help entries and examples for the new commands. |
| src/azure-cli/azure/cli/command_modules/acs/_consts.py | Introduces constants for proxy redirection mechanism values. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_managed_cluster_decorator.py | Adds unit tests for _handle_istio_cni_asm behavior and error cases. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_commands.py | Adds scenario test coverage for enable/disable Istio CNI end-to-end. |
| src/azure-cli/HISTORY.rst | Adds release notes entries for the new commands. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+4936
to
+4943
| if enable_istio_cni: | ||
| new_profile.istio.components.proxy_redirection_mechanism = \ | ||
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING | ||
| updated = True | ||
| elif disable_istio_cni: | ||
| new_profile.istio.components.proxy_redirection_mechanism = \ | ||
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS | ||
| updated = True |
There was a problem hiding this comment.
_handle_istio_cni_asm always sets updated = True when enable_istio_cni/disable_istio_cni is passed, even if proxy_redirection_mechanism is already at the requested value. This causes an unnecessary update_mc call (and likely an ARM PUT / LRO) for a no-op. Consider checking the current value first and only marking updated when the mechanism actually changes (or alternatively raising an ArgumentUsageError when the cluster is already in the desired state, similar to _handle_enable_disable_asm).
Suggested change
| if enable_istio_cni: | |
| new_profile.istio.components.proxy_redirection_mechanism = \ | |
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING | |
| updated = True | |
| elif disable_istio_cni: | |
| new_profile.istio.components.proxy_redirection_mechanism = \ | |
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS | |
| updated = True | |
| # Only update when the proxy redirection mechanism actually changes | |
| current_mechanism = getattr( | |
| new_profile.istio.components, | |
| "proxy_redirection_mechanism", | |
| None, | |
| ) | |
| if enable_istio_cni: | |
| if current_mechanism != CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING: | |
| new_profile.istio.components.proxy_redirection_mechanism = \ | |
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING | |
| updated = True | |
| elif disable_istio_cni: | |
| if current_mechanism != CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS: | |
| new_profile.istio.components.proxy_redirection_mechanism = \ | |
| CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS | |
| updated = True |
FumingZhang
reviewed
Mar 20, 2026
Member
FumingZhang
left a comment
FumingZhang
left a comment
There was a problem hiding this comment.
Queued live test to validate the change.
src/azure-cli/HISTORY.rst
Outdated
Comment on lines
+11
to
+12
| * `az aks mesh enable-istio-cni`: Add command to enable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism | ||
| * `az aks mesh disable-istio-cni`: Add command to disable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism |
Member
There was a problem hiding this comment.
There’s no need to manually update the history note for changes to azure-cli. Please follow the instructions to update your PR title or description, as these will be used as release history notes.
Member
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
…st entries - managed_cluster_decorator.py: Check current proxy_redirection_mechanism before marking updated to avoid unnecessary ARM PUT calls (per Copilot review) - HISTORY.rst: Remove manual history entries per @FumingZhang — PR title/description is used automatically for release notes - test_managed_cluster_decorator.py: Add idempotency test cases for enable/disable when already at desired state
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related command
az aks mesh enable-istio-cniaz aks mesh disable-istio-cniDescription
This PR adds
az aks mesh enable-istio-cniandaz aks mesh disable-istio-cnito enable and disable Istio CNI for the Istio-based service mesh add-on for AKSTesting Guide
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.