[AKS] az aks create/update: Add new parameters --enable-gateway-api and --disable-gateway-api to manage Gateway API installation#33238
Open
meecethereese wants to merge 11 commits intoAzure:devfrom
Open
Conversation
meecethereese
requested review from
DanielMicrosoft,
FumingZhang,
NoriZC,
ReaNAiveD,
bebound,
jiasli,
necusjz,
teresaritorto,
yanzhudd and
yonzhan
as code owners
❌AzureCLI-FullTest
|
|
Hi @meecethereese, |
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| aks create | cmd aks create added parameter enable_gateway_api |
||
| aks update | cmd aks update added parameter disable_gateway_api |
||
| aks update | cmd aks update added parameter enable_gateway_api |
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
Bot
requested review from
jsntcy,
wangzelin007 and
zhoxing-ms
microsoft-github-policy-service
Bot
added
Auto-Assign
meecethereese
changed the title
az aks create/update: Add new parameters --enable-gateway-api and --disable-gateway-api to manage Gateway API installationaz aks create/update: Add new parameters --enable-gateway-api and --disable-gateway-api to manage Gateway API installation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR promotes the managed Kubernetes Gateway API installation controls from aks-preview into Azure CLI GA by adding new flags to az aks create/az aks update and wiring them to ingressProfile.gatewayApi.installation via the mgmt-containerservice SDK.
Changes:
- Add
--enable-gateway-api(create/update) and--disable-gateway-api(update) flags and plumb them into managed cluster ingress profile updates. - Introduce constants for Gateway API installation state and add unit/live scenario coverage for the new behavior.
- Bump
azure-mgmt-containerserviceinsetup.pyto expose the GA SDK model needed for gateway API configuration.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| src/azure-cli/setup.py | Bumps azure-mgmt-containerservice SDK range used by the CLI package metadata. |
| src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py | Adds context getters and create/update decorator logic to set ingress_profile.gateway_api.installation. |
| src/azure-cli/azure/cli/command_modules/acs/custom.py | Adds new keyword parameters to aks_create/aks_update entry points. |
| src/azure-cli/azure/cli/command_modules/acs/_params.py | Registers the new CLI arguments for aks create and aks update. |
| src/azure-cli/azure/cli/command_modules/acs/_help.py | Documents the new flags and adds examples. |
| src/azure-cli/azure/cli/command_modules/acs/_consts.py | Adds constants for Gateway API installation enum strings. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_managed_cluster_decorator.py | Adds unit tests for the new context getters and decorator update/create methods. |
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_commands.py | Adds live scenario tests for enabling/disabling managed Gateway API and for the provider prerequisite. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+15075
to
+15115
| # Test successful creation with Gateway API and Azure Service Mesh addon | ||
| create_cmd = ( | ||
| "aks create --resource-group={resource_group} --name={name} " | ||
| "--enable-azure-service-mesh " | ||
| "--enable-gateway-api " | ||
| "--ssh-key-value={ssh_key_value} -o json " | ||
| ) | ||
| self.cmd( | ||
| create_cmd, | ||
| checks=[ | ||
| self.check("provisioningState", "Succeeded"), | ||
| self.check("serviceMeshProfile.mode", "Istio"), | ||
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | ||
| ], | ||
| ) | ||
|
|
||
| # Test disabling Gateway API | ||
| update_cmd = ( | ||
| "aks update --resource-group={resource_group} --name={name} " | ||
| "--disable-gateway-api " | ||
| ) | ||
| self.cmd( | ||
| update_cmd, | ||
| checks=[ | ||
| self.check("provisioningState", "Succeeded"), | ||
| self.check("ingressProfile.gatewayApi.installation", "Disabled"), | ||
| ], | ||
| ) | ||
|
|
||
| # Test re-enabling Gateway API | ||
| update_cmd = ( | ||
| "aks update --resource-group={resource_group} --name={name} " | ||
| "--enable-gateway-api " | ||
| ) | ||
| self.cmd( | ||
| update_cmd, | ||
| checks=[ | ||
| self.check("provisioningState", "Succeeded"), | ||
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | ||
| ], | ||
| ) |
There was a problem hiding this comment.
test_aks_create_with_gateway_api_and_azureservicemesh creates a cluster but never deletes it. This will leak live-test resources (and can cause subsequent test failures/cost). Please add cleanup at the end (ideally aks delete ... --yes --no-wait like other tests in this file).
Suggested change
| # Test successful creation with Gateway API and Azure Service Mesh addon | |
| create_cmd = ( | |
| "aks create --resource-group={resource_group} --name={name} " | |
| "--enable-azure-service-mesh " | |
| "--enable-gateway-api " | |
| "--ssh-key-value={ssh_key_value} -o json " | |
| ) | |
| self.cmd( | |
| create_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("serviceMeshProfile.mode", "Istio"), | |
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | |
| ], | |
| ) | |
| # Test disabling Gateway API | |
| update_cmd = ( | |
| "aks update --resource-group={resource_group} --name={name} " | |
| "--disable-gateway-api " | |
| ) | |
| self.cmd( | |
| update_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("ingressProfile.gatewayApi.installation", "Disabled"), | |
| ], | |
| ) | |
| # Test re-enabling Gateway API | |
| update_cmd = ( | |
| "aks update --resource-group={resource_group} --name={name} " | |
| "--enable-gateway-api " | |
| ) | |
| self.cmd( | |
| update_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | |
| ], | |
| ) | |
| try: | |
| # Test successful creation with Gateway API and Azure Service Mesh addon | |
| create_cmd = ( | |
| "aks create --resource-group={resource_group} --name={name} " | |
| "--enable-azure-service-mesh " | |
| "--enable-gateway-api " | |
| "--ssh-key-value={ssh_key_value} -o json " | |
| ) | |
| self.cmd( | |
| create_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("serviceMeshProfile.mode", "Istio"), | |
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | |
| ], | |
| ) | |
| # Test disabling Gateway API | |
| update_cmd = ( | |
| "aks update --resource-group={resource_group} --name={name} " | |
| "--disable-gateway-api " | |
| ) | |
| self.cmd( | |
| update_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("ingressProfile.gatewayApi.installation", "Disabled"), | |
| ], | |
| ) | |
| # Test re-enabling Gateway API | |
| update_cmd = ( | |
| "aks update --resource-group={resource_group} --name={name} " | |
| "--enable-gateway-api " | |
| ) | |
| self.cmd( | |
| update_cmd, | |
| checks=[ | |
| self.check("provisioningState", "Succeeded"), | |
| self.check("ingressProfile.gatewayApi.installation", "Standard"), | |
| ], | |
| ) | |
| finally: | |
| self.cmd( | |
| "aks delete --resource-group={resource_group} --name={name} --yes --no-wait" | |
| ) |
Comment on lines
+82
to
83
| 'azure-mgmt-containerservice~=41.1.0', | ||
| 'azure-mgmt-cosmosdb==9.9.0', |
There was a problem hiding this comment.
setup.py bumps azure-mgmt-containerservice to ~=41.1.0, but the platform-specific requirement pins still reference azure-mgmt-containerservice==41.0.0 (requirements.py3.{Linux,Darwin,windows}.txt). This can lead to release builds/installers using the older SDK and missing ManagedClusterIngressProfileGatewayConfiguration. Please update the pinned versions in those requirements files as well (or document why setup.py alone is sufficient).
| c.argument( | ||
| "enable_gateway_api", | ||
| action="store_true", | ||
| help="Enable managed installation of Gateway API CRDs from the standard release channel." |
There was a problem hiding this comment.
The help text for enable_gateway_api here doesn't mention the documented prerequisite (a managed Gateway API ingress provider such as Azure Service Mesh/Istio). In _help.py the same flag states this requirement. Please align the argparse help with the command help so users see the prerequisite consistently (including in -h output).
Suggested change
| help="Enable managed installation of Gateway API CRDs from the standard release channel." | |
| help=( | |
| "Enable managed installation of Gateway API CRDs from the standard release channel. " | |
| "Requires a managed Gateway API ingress provider such as Azure Service Mesh/Istio." | |
| ) |
Comment on lines
+884
to
+889
| help="Enable managed installation of Gateway API CRDs from the standard release channel." | ||
| ) | ||
| c.argument( | ||
| "disable_gateway_api", | ||
| action="store_true", | ||
| help="Disable managed installation of Gateway API CRDs." |
There was a problem hiding this comment.
Same as aks create: the argparse help for --enable-gateway-api/--disable-gateway-api doesn't reflect the prerequisite described in _help.py (requires a managed Gateway API ingress provider). Please update these help strings to match the public help/documentation so az aks update -h is accurate.
Suggested change
| help="Enable managed installation of Gateway API CRDs from the standard release channel." | |
| ) | |
| c.argument( | |
| "disable_gateway_api", | |
| action="store_true", | |
| help="Disable managed installation of Gateway API CRDs." | |
| help=( | |
| "Enable managed installation of Gateway API CRDs from the standard release channel. " | |
| "Requires a managed Gateway API ingress provider." | |
| ) | |
| ) | |
| c.argument( | |
| "disable_gateway_api", | |
| action="store_true", | |
| help=( | |
| "Disable managed installation of Gateway API CRDs. " | |
| "Requires a managed Gateway API ingress provider." | |
| ) |
Author
There was a problem hiding this comment.
It makes sense to add it for enable but not for disable
Comment on lines
+7381
to
+7392
| def set_up_ingress_profile_gateway_api(self, mc: ManagedCluster) -> ManagedCluster: | ||
| self._ensure_mc(mc) | ||
| if self.context.get_enable_gateway_api(): | ||
| if mc.ingress_profile is None: | ||
| mc.ingress_profile = self.models.ManagedClusterIngressProfile() | ||
| if mc.ingress_profile.gateway_api is None: | ||
| mc.ingress_profile.gateway_api = ( | ||
| self.models.ManagedClusterIngressProfileGatewayConfiguration( | ||
| installation=CONST_MANAGED_GATEWAY_INSTALLATION_STANDARD | ||
| ) | ||
| ) | ||
| return mc |
There was a problem hiding this comment.
--enable-gateway-api is documented as requiring an ingress provider (e.g., Azure Service Mesh/Istio), but this create-path setup unconditionally sets ingress_profile.gateway_api when the flag is present and does not validate the prerequisite. This means users may get a late RP-side failure or end up with an invalid configuration depending on RP behavior. Consider adding an explicit validation here (or in the context getter) that checks the relevant provider flags (e.g., enable_azure_service_mesh / other managed providers) and raises a clear CLI error before sending the PUT.
Comment on lines
+9045
to
+9068
| def update_ingress_profile_gateway_api(self, mc: ManagedCluster) -> ManagedCluster: | ||
| """Update gateway api installation in the ingress profile for the ManagedCluster object. | ||
|
|
||
| :return: the ManagedCluster object | ||
| """ | ||
| self._ensure_mc(mc) | ||
| enable_gateway_api = self.context.get_enable_gateway_api() | ||
| disable_gateway_api = self.context.get_disable_gateway_api() | ||
| if enable_gateway_api and disable_gateway_api: | ||
| raise MutuallyExclusiveArgumentError( | ||
| "Cannot specify --enable-gateway-api and --disable-gateway-api at the same time." | ||
| ) | ||
| if enable_gateway_api or disable_gateway_api: | ||
| if mc.ingress_profile is None: | ||
| mc.ingress_profile = self.models.ManagedClusterIngressProfile() # pylint: disable=no-member | ||
| if mc.ingress_profile.gateway_api is None: | ||
| mc.ingress_profile.gateway_api = ( | ||
| self.models.ManagedClusterIngressProfileGatewayConfiguration() # pylint: disable=no-member | ||
| ) | ||
| if enable_gateway_api: | ||
| mc.ingress_profile.gateway_api.installation = CONST_MANAGED_GATEWAY_INSTALLATION_STANDARD | ||
| elif disable_gateway_api: | ||
| mc.ingress_profile.gateway_api.installation = CONST_MANAGED_GATEWAY_INSTALLATION_DISABLED | ||
| return mc |
There was a problem hiding this comment.
This update-path method sets/clears gateway_api.installation but does not validate the documented prerequisite that a managed Gateway API ingress provider is enabled on the cluster. Please add a precondition check (e.g., when enabling, verify service_mesh_profile.mode != Disabled or other supported providers are enabled) and raise a clear RequiredArgumentMissingError/InvalidArgumentValueError, instead of relying on an RP-side failure.
Member
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
FumingZhang
reviewed
Apr 23, 2026
Member
There was a problem hiding this comment.
Could you remove these unrelated changes from the updates to feature support?
| @AKSCustomResourceGroupPreparer( | ||
| random_name_length=17, name_prefix="clitest", location="centraluseuap" | ||
| ) | ||
| def test_aks_create_with_gateway_api_and_azureservicemesh( |
Member
There was a problem hiding this comment.
Please commit recording files to pass built-in CI checks.
Member
There was a problem hiding this comment.
The live test failed with error
E azure.cli.core.azclierror.BadRequestError: (PreviewFeatureNotRegistered) Preview feature Microsoft.ContainerService/ManagedGatewayAPIPreview not registered.
E Code: PreviewFeatureNotRegistered
E Message: Preview feature Microsoft.ContainerService/ManagedGatewayAPIPreview not registered.
- Remove the feature flag validation for features published to the stable API.
- For now, you can test it with a subscription where the feature is registered to confirm it works as intended.
Please also resolve merge conflict.
@meecethereese
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related command
az aks create
az aks update
Description
Promote the Managed Gateway API feature from the
aks-previewextension to the GA Azure CLI.Adds two new mutually-exclusive flags to
az aks create(enable only) andaz aks update(enable and disable):--enable-gateway-api: install the managed Kubernetes Gateway API on the cluster (setsingressProfile.gatewayApi.installationtoStandard).--disable-gateway-api: uninstall it (sets the value toDisabled).The feature requires a gateway implementation, such as Azure Service Mesh (Istio), to be enabled on the cluster. This change
ports the implementation from Azure/azure-cli-extensions#9077 and
bumps
azure-mgmt-containerserviceto~=41.1.0so the GA SDK exposesManagedClusterIngressProfileGatewayConfiguration(see changelog here).Testing Guide
History Notes
[AKS]
az aks create: Add--enable-gateway-apito install the managed Kubernetes GatewayAPI.
[AKS]
az aks update: Add--enable-gateway-apiand--disable-gateway-apito manageinstallation of the managed Kubernetes Gateway API.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.