[connectedk8s] Update Connectedk8s extension CLI to v1.10.12 (Azure#9416)

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update python version to 3.13 (#12)

* changes to support gateway association/disassociation for api version '2025-08-01-preview' (#17)

* [Azure RBAC] Deprecate 3P mode flags, fix Azure RBAC enablement bug, add E2E coverage and improve logging (#20)

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* Parameterize for airgapped clouds (#5)

* Add parameterization for the airgapped clouds

* Fix azdev style

* MCR path function

* azdev, ruff, and mypy

---------

Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>

* Oras client fix to work with different MCRs (#6)

Co-authored-by: mmcneal <[email protected]>

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* Update cluster diagnostics image to 1.29.3 (#7)

* Update cluster diagnostics helm chart to 1.29.3

* Fix lint issues

---------

Co-authored-by: bgriddaluru <[email protected]>

* RBAC deprecation & fix the issue

* typo

* fix comments

* update tests

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* rebase

* fix tests

* fix version

* fix mypy, lint

* fix test

* fix test

* fix test

* fix test

* fix test

* rename test

* deprecate flags

* rebase

* rebase

* bump version for release

---------

Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Atchut Kumar Barli <[email protected]>
Co-authored-by: mcnealm13 <[email protected]>
Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>
Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: vithumma <[email protected]>

* remove hardcoded public ARM endpoint url for fairfax and mooncake (#24)

* Bug Fix for FFX mcr url  (#22)

* [connectedk8s] update release notes and version (#26)

* Add Helm Overrides for AGC (#23)

* add agc overrides

* update gns endpoint

* add indentation

* fix linter error

* fix ruff formatting

* move overrides to it's own method

* update method

* update ruff formatting

* [Azure RBAC] Remove deprecated flags (#16)

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* Parameterize for airgapped clouds (#5)

* Add parameterization for the airgapped clouds

* Fix azdev style

* MCR path function

* azdev, ruff, and mypy

---------

Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>

* Oras client fix to work with different MCRs (#6)

Co-authored-by: mmcneal <[email protected]>

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* Update cluster diagnostics image to 1.29.3 (#7)

* Update cluster diagnostics helm chart to 1.29.3

* Fix lint issues

---------

Co-authored-by: bgriddaluru <[email protected]>

* RBAC deprecation & fix the issue

* typo

* fix comments

* update tests

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* rebase

* fix tests

* fix version

* fix mypy, lint

* fix test

* fix test

* fix test

* fix test

* fix test

* rename test

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update python version to 3.13 (#12)

* changes to support gateway association/disassociation for api version '2025-08-01-preview' (#17)

* [Azure RBAC] Deprecate 3P mode flags, fix Azure RBAC enablement bug, add E2E coverage and improve logging (#20)

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* Parameterize for airgapped clouds (#5)

* Add parameterization for the airgapped clouds

* Fix azdev style

* MCR path function

* azdev, ruff, and mypy

---------

Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>

* Oras client fix to work with different MCRs (#6)

Co-authored-by: mmcneal <[email protected]>

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* Update cluster diagnostics image to 1.29.3 (#7)

* Update cluster diagnostics helm chart to 1.29.3

* Fix lint issues

---------

Co-authored-by: bgriddaluru <[email protected]>

* RBAC deprecation & fix the issue

* typo

* fix comments

* update tests

* add pester tests for connectedk8s cli extension

* Pass the force delete param to the API call (#4)

* forcedelete

* format

* add code owner

* mypy

* fix CI testcases for nodepool image issues (#8)

* update errors for the config and connectivity issues (#11)

* update errors

* format

* style

* update python version to 3.13 (#12)

* rebase

* fix tests

* fix version

* fix mypy, lint

* fix test

* fix test

* fix test

* fix test

* fix test

* rename test

* deprecate flags

* rebase

* rebase

* bump version for release

---------

Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Atchut Kumar Barli <[email protected]>
Co-authored-by: mcnealm13 <[email protected]>
Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>
Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: vithumma <[email protected]>

* remove breaking change announcement for removed flags

---------

Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Atchut Kumar Barli <[email protected]>
Co-authored-by: mcnealm13 <[email protected]>
Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>
Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: vithumma <[email protected]>

* update prediag version (#27)

* Updating the proxy version constant (#28)

* Update relesae notes

* dropping 3.9

* dropping testing folder

* fixed code review comments

* updateversion

* Update src/connectedk8s/HISTORY.rst

Co-authored-by: Xing Zhou <[email protected]>

---------

Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Bavneet Singh <[email protected]>
Co-authored-by: Vineeth Thumma <[email protected]>
Co-authored-by: mcnealm13 <[email protected]>
Co-authored-by: Matthew McNeal (from Dev Box) <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: bgriddaluru <[email protected]>
Co-authored-by: vithumma <[email protected]>
Co-authored-by: hapate <[email protected]>
Co-authored-by: junw98 <[email protected]>
Co-authored-by: gabemousa <[email protected]>
Co-authored-by: Xing Zhou <[email protected]>

Author: 13 people

src/connectedk8s/HISTORY.rst

@@ -2,6 +2,13 @@
 
 Release History
 ===============
+1.11.0
++++++
+* [Breaking Change] Removed deprecated '--app-id' and '--app-secret' RBAC parameters from the extension.
+* Update cluster diagnostics image to comply with Pod Security Standards-Restricted level( Updated image version:1.31.2).
+* Add endpoint overrides for Azure Government cloud environments
+* Update Proxy Image to 1.3.032281
+
 1.10.11
 +++++++
 * Removed hardcoded public ARM endpoint URL for Government clouds.

src/connectedk8s/azext_connectedk8s/_breaking_change.py

@@ -418,7 +418,7 @@
 
 # Connect Precheck Diagnoser constants
 Cluster_Diagnostic_Checks_Job_Registry_Path = (
-    "azurearck8s/helmchart/stable/clusterdiagnosticchecks:1.29.3"
+    "azurearck8s/helmchart/stable/clusterdiagnosticchecks:1.31.2"
 )
 Cluster_Diagnostic_Checks_Helm_Install_Failed_Fault_Type = (
     "Error while installing cluster diagnostic checks helm release"
@@ -476,7 +476,7 @@
 )
 DNS_Check_Result_String = "DNS Result:"
 AZ_CLI_ADAL_TO_MSAL_MIGRATE_VERSION = "2.30.0"
-CLIENT_PROXY_VERSION = "1.3.029301"
+CLIENT_PROXY_VERSION = "1.3.032281"
 CLIENT_PROXY_FOLDER = ".clientproxy"
 API_SERVER_PORT = 47011
 CLIENT_PROXY_PORT = 47010

src/connectedk8s/azext_connectedk8s/_constants.py

@@ -440,20 +440,6 @@ def load_arguments(self: Connectedk8sCommandsLoader, _: CLICommand) -> None:
             options_list=["--features"],
             help="Space-separated list of features you want to enable.",
         )
-        c.argument(
-            "azrbac_client_id",
-            options_list=["--app-id"],
-            arg_group="Azure RBAC",
-            help="Application ID for enabling Azure RBAC.",
-            deprecate_info=c.deprecate(hide=True),
-        )
-        c.argument(
-            "azrbac_client_secret",
-            options_list=["--app-secret"],
-            arg_group="Azure RBAC",
-            help="Application secret for enabling Azure RBAC.",
-            deprecate_info=c.deprecate(hide=True),
-        )
         c.argument(
             "azrbac_skip_authz_check",
             options_list=["--skip-azure-rbac-list"],

src/connectedk8s/azext_connectedk8s/_params.py

@@ -1315,6 +1315,7 @@ def helm_install_release(
     ]
 
     # Special configurations from 2022-09-01 ARM metadata.
+    # "dataplaneEndpoints" property does not appear in arm_metadata structure for public and AGC clouds.
     if "dataplaneEndpoints" in arm_metadata:
         if "arcConfigEndpoint" in arm_metadata["dataplaneEndpoints"]:
             notification_endpoint = arm_metadata["dataplaneEndpoints"][
@@ -1364,6 +1365,10 @@ def helm_install_release(
                 "'arcConfigEndpoint' doesn't exist under 'dataplaneEndpoints' in the ARM metadata."
             )
 
+    # Add overrides for AGC Scenario
+    if cloud_name.lower() == "ussec" or cloud_name.lower() == "usnat":
+        add_agc_endpoint_overrides(location, cloud_name, arm_metadata, cmd_helm_install)
+
     # Add helmValues content response from DP
     cmd_helm_install = parse_helm_values(helm_content_values, cmd_helm=cmd_helm_install)
 
@@ -1839,3 +1844,51 @@ def helm_update_agent(
     logger.info(str.format(consts.Update_Agent_Success, cluster_name))
     with contextlib.suppress(OSError):
         os.remove(user_values_location)
+
+
+def add_agc_endpoint_overrides(
+    location: str,
+    cloud_name: str,
+    arm_metadata: dict[str, Any],
+    cmd_helm_install: list[str],
+) -> None:
+    logger.debug("Adding AGC scenario overrides.")
+
+    arm_metadata_endpoint_array = (
+        arm_metadata["authentication"]["loginEndpoint"].strip("/").split(".")
+    )
+    if len(arm_metadata_endpoint_array) < 4:
+        raise CLIInternalError("Unexpected loginEndpoint format for AGC")
+
+    cloud_suffix = arm_metadata_endpoint_array[3]
+    endpoint_suffix = (
+        arm_metadata_endpoint_array[2] + "." + arm_metadata_endpoint_array[3]
+    )
+    if cloud_name.lower() == "usnat":
+        cloud_suffix = (
+            arm_metadata_endpoint_array[2]
+            + "."
+            + arm_metadata_endpoint_array[3]
+            + "."
+            + arm_metadata_endpoint_array[4]
+        )
+        endpoint_suffix = cloud_suffix
+
+    cmd_helm_install.extend(
+        [
+            "--set",
+            f"global.microsoftArtifactRepository=mcr.microsoft.{cloud_suffix}",
+            "--set",
+            f"systemDefaultValues.activeDirectoryEndpoint=https://login.microsoftonline.{endpoint_suffix}",
+            "--set",
+            f"systemDefaultValues.azureArcAgents.config_dp_endpoint_override=https://{location}.dp.kubernetesconfiguration.azure.{endpoint_suffix}",
+            "--set",
+            f"systemDefaultValues.clusterconnect-agent.notification_dp_endpoint_override=https://guestnotificationservice.azure.{endpoint_suffix}",
+            "--set",
+            f"systemDefaultValues.clusterconnect-agent.relay_endpoint_suffix_override=.servicebus.cloudapi.{endpoint_suffix}",
+            "--set",
+            f"systemDefaultValues.clusteridentityoperator.his_endpoint_override=https://gbl.his.arc.azure.{endpoint_suffix}/discovery?location={location}&api-version=1.1-preview",
+            "--set",
+            f"systemDefaultValues.image.repository=mcr.microsoft.{cloud_suffix}",
+        ]
+    )

src/connectedk8s/azext_connectedk8s/_utils.py

@@ -2975,8 +2975,6 @@ def enable_features(
     features: list[str],
     kube_config: str | None = None,
     kube_context: str | None = None,
-    azrbac_client_id: str | None = None,
-    azrbac_client_secret: str | None = None,
     azrbac_skip_authz_check: str | None = None,
     skip_ssl_verification: bool = False,
     cl_oid: str | None = None,

src/connectedk8s/azext_connectedk8s/custom.py

@@ -13,7 +13,7 @@
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
 
-VERSION = "1.10.11"
+VERSION = "1.11.0"
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

src/connectedk8s/setup.py

@@ -763,7 +763,7 @@ def install_helm_client(cmd: CLICommand) -> str:
             "Downloading helm client for first time. This can take few minutes..."
         )
 
-        mcr_url = utils.get_mcr_path(cmd)
+        mcr_url = utils.get_mcr_path(cmd.cli_ctx.cloud.endpoints.active_directory)
 
         client = oras.client.OrasClient(hostname=mcr_url)
         retry_count = 3

src/k8s-extension/azext_k8s_extension/custom.py

@@ -361,11 +361,15 @@ def create_folder_diagnosticlogs(folder_name: str, base_folder_name: str) -> tup
         )
         return "", False
 
-def get_mcr_path(cmd: CLICommand) -> str:
-    active_directory_array = cmd.cli_ctx.cloud.endpoints.active_directory.split(".")
+def get_mcr_path(active_directory_endpoint: str) -> str:
+    active_directory_array = active_directory_endpoint.split(".")
 
-    # default for public, mc, ff clouds
-    mcr_postfix = active_directory_array[2]
+    # For US Government and China clouds, use public mcr
+    if active_directory_endpoint.endswith((".us", ".cn")):
+        return "mcr.microsoft.com"
+
+    # Default MCR postfix
+    mcr_postfix = "com"
     # special cases for USSec, exclude part of suffix
     if len(active_directory_array) == 4 and active_directory_array[2] == "microsoft":
         mcr_postfix = active_directory_array[3]