[Container app] az containerapp env create/update: Support peer-to-peer traffic encryption with --enable-peer-to-peer-encryption (Azure#7464)

* Support p2p traffic encryption.

* fix style.

* fix linter error.

* Add param validation.

* Add test case.

Author: LGDoor

linter_exclusions.yml

@@ -377,6 +377,14 @@ containerapp env create:
     platform_reserved_dns_ip:
       rule_exclusions:
       - option_length_too_long
+    p2p_encryption_enabled:
+      rule_exclusions:
+      - option_length_too_long
+containerapp env update:
+  parameters:
+    p2p_encryption_enabled:
+      rule_exclusions:
+      - option_length_too_long
 containerapp github-action add:
   parameters:
     service_principal_client_id:

src/containerapp/HISTORY.rst

@@ -9,6 +9,7 @@ upcoming
 * 'az containerapp env java-component eureka-server-for-spring': Support create/update/show/delete Spring Cloud Eureka; deprecation of 'az containerapp env java-component spring-cloud-eureka'
 * 'az containerapp up': Fix InvalidResourceType error when cloud is not AzureCloud
 * 'az containerapp create/update': Support enable or disable Java metrics with --runtime and --enable-java-metrics
+* 'az containerapp env create/update': Support peer-to-peer traffic encryption with --enable-peer-to-peer-encryption
 * 'az containerapp update': Fix --scale-rule-tcp-concurrency for TCP scale rule
 * 'az containerapp compose create': Fix an issue where the environment's location is not resolved from --location
 * 'az containerapp up': Fix an issue about creating resource group automatically

src/containerapp/azext_containerapp/_params.py

@@ -344,3 +344,6 @@ def load_arguments(self, _):
         c.argument('environment_name', options_list=['--environment'], help="The environment name.")
         c.argument('resource_group_name', arg_type=resource_group_name_type, id_part=None)
         c.argument('configuration', nargs="*", help="Java component configuration. Configuration must be in format \"<propertyName>=<value> <propertyName>=<value> ...\".")
+
+    with self.argument_context('containerapp env', arg_group='Peer Traffic Configuration') as c:
+        c.argument('p2p_encryption_enabled', arg_type=get_three_state_flag(), options_list=['--enable-peer-to-peer-encryption'], is_preview=True, help='Boolean indicating whether the peer-to-peer traffic encryption is enabled for the environment.')

src/containerapp/azext_containerapp/containerapp_env_decorator.py

@@ -36,10 +36,9 @@ def construct_payload(self):
         # Vnet
         self.set_up_vnet_configuration()
 
-        if self.get_argument_mtls_enabled() is not None:
-            safe_set(self.managed_env_def, "properties", "peerAuthentication", "mtls", "enabled", value=self.get_argument_mtls_enabled())
+        self.set_up_peer_to_peer_encryption()
         ### copy end
-            
+
         ### overwrite custom_domain_configuration
         self.set_up_custom_domain_configuration()
 
@@ -58,13 +57,17 @@ def validate_arguments(self):
             if not self.get_argument_enable_workload_profiles():
                 raise RequiredArgumentMissingError("Cannot use --infrastructure-resource-group/-i without "
                                                    "--enable-workload-profiles/-w")
-        
+
         # validate custom domain configuration
         if self.get_argument_hostname():
             if self.get_argument_certificate_file() and self.get_argument_certificate_key_vault_url():
                 raise ValidationError("Cannot use --certificate-file with --certificate-akv-url at the same time")
             if (not self.get_argument_certificate_file()) and (not self.get_argument_certificate_key_vault_url()):
                 raise ValidationError("Either --certificate-file or --certificate-akv-url should be set when --dns-suffix is set")
+            
+        # validate mtls and p2p traffic encryption
+        if self.get_argument_p2p_encryption_enabled() is False and self.get_argument_mtls_enabled() is True:
+            raise ValidationError("Cannot use '--enable-mtls' with '--enable-peer-to-peer-encryption False'")
 
     def set_up_dynamic_json_columns(self):
         if self.get_argument_logs_destination() == "log-analytics" and self.get_argument_logs_dynamic_json_columns() is not None:
@@ -73,7 +76,7 @@ def set_up_dynamic_json_columns(self):
     def set_up_infrastructure_resource_group(self):
         if self.get_argument_enable_workload_profiles() and self.get_argument_infrastructure_subnet_resource_id() is not None:
             self.managed_env_def["properties"]["infrastructureResourceGroup"] = self.get_argument_infrastructure_resource_group()
-    
+
     def set_up_managed_identity(self):
         identity_def = ManagedServiceIdentity
         identity_def["type"] = "None"
@@ -149,6 +152,16 @@ def set_up_custom_domain_configuration(self):
                 }
             self.managed_env_def["properties"]["customDomainConfiguration"] = custom_domain
 
+    def set_up_peer_to_peer_encryption(self):
+        is_p2p_encryption_enabled = self.get_argument_p2p_encryption_enabled()
+        is_mtls_enabled = self.get_argument_mtls_enabled()
+
+        if is_p2p_encryption_enabled is not None:
+            safe_set(self.managed_env_def, "properties", "peerTrafficConfiguration", "encryption", "enabled", value=is_p2p_encryption_enabled)
+
+        if is_mtls_enabled is not None:
+            safe_set(self.managed_env_def, "properties", "peerAuthentication", "mtls", "enabled", value=is_mtls_enabled)
+
     def get_argument_enable_workload_profiles(self):
         return self.get_param("enable_workload_profiles")
 
@@ -163,13 +176,16 @@ def get_argument_system_assigned(self):
 
     def get_argument_user_assigned(self):
         return self.get_param("user_assigned")
-    
+
     def get_argument_certificate_identity(self):
         return self.get_param("certificate_identity")
-    
+
     def get_argument_certificate_key_vault_url(self):
         return self.get_param("certificate_key_vault_url")
 
+    def get_argument_p2p_encryption_enabled(self):
+        return self.get_param("p2p_encryption_enabled")
+
 
 class ContainerappEnvPreviewUpdateDecorator(ContainerAppEnvUpdateDecorator):
     def validate_arguments(self):
@@ -178,6 +194,15 @@ def validate_arguments(self):
         # validate custom domain configuration
         if self.get_argument_certificate_file() and self.get_argument_certificate_key_vault_url():
             raise ValidationError("Cannot use certificate --certificate-file with --certificate-akv-url at the same time")
+        
+        # validate mtls and p2p traffic encryption
+        if self.get_argument_p2p_encryption_enabled() is False and self.get_argument_mtls_enabled() is True:
+            raise ValidationError("Cannot use '--enable-mtls' with '--enable-peer-to-peer-encryption False'")
+
+    def construct_payload(self):
+        super().construct_payload()
+
+        self.set_up_peer_to_peer_encryption()
 
     def set_up_app_log_configuration(self):
         logs_destination = self.get_argument_logs_destination()
@@ -217,12 +242,24 @@ def set_up_custom_domain_configuration(self):
             safe_set(self.managed_env_def, "properties", "customDomainConfiguration", "certificateValue", value="")
             safe_set(self.managed_env_def, "properties", "customDomainConfiguration", "certificatePassword", value="")
 
+    def set_up_peer_to_peer_encryption(self):
+        is_p2p_encryption_enabled = self.get_argument_p2p_encryption_enabled()
+        is_mtls_enabled = self.get_argument_mtls_enabled()
+
+        if is_p2p_encryption_enabled is not None:
+            safe_set(self.managed_env_def, "properties", "peerTrafficConfiguration", "encryption", "enabled", value=is_p2p_encryption_enabled)
+
+        if is_mtls_enabled is not None:
+            safe_set(self.managed_env_def, "properties", "peerAuthentication", "mtls", "enabled", value=is_mtls_enabled)
+
     def get_argument_logs_dynamic_json_columns(self):
         return self.get_param("logs_dynamic_json_columns")
-    
+
     def get_argument_certificate_identity(self):
         return self.get_param("certificate_identity")
-    
+
     def get_argument_certificate_key_vault_url(self):
         return self.get_param("certificate_key_vault_url")
-    
+
+    def get_argument_p2p_encryption_enabled(self):
+        return self.get_param("p2p_encryption_enabled")

src/containerapp/azext_containerapp/custom.py

@@ -717,6 +717,7 @@ def create_managed_environment(cmd,
                                certificate_key_vault_url=None,
                                enable_workload_profiles=True,
                                mtls_enabled=None,
+                               p2p_encryption_enabled=None,
                                enable_dedicated_gpu=False,
                                no_wait=False,
                                logs_dynamic_json_columns=False,
@@ -757,6 +758,7 @@ def update_managed_environment(cmd,
                                min_nodes=None,
                                max_nodes=None,
                                mtls_enabled=None,
+                               p2p_encryption_enabled=None,
                                no_wait=False,
                                logs_dynamic_json_columns=None):
     raw_parameters = locals()