aks-preview: Support BYO VNet for --enable-hosted-system automatic clusters + --disable-hosted-system

src/aks-preview/HISTORY.rst

@@ -11,6 +11,7 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+* `az aks create`: Support BYO VNet for hosted-system automatic clusters via `--system-node-subnet-id` and `--node-subnet-id`; add `--disable-hosted-system` opt-out.
 
 20.0.0b4
 +++++++

src/aks-preview/azext_aks_preview/_help.py

@@ -715,6 +715,27 @@
         - name: --enable-hosted-system
           type: bool
           short-summary: Create a cluster with fully hosted system components. This applies only when creating a new automatic cluster.
+          long-summary: |
+              Deterministically opts the cluster into HOBO (Hosted Overlay System Pool). AKS hosts and manages the system node pool.
+              Cannot be used with `--disable-hosted-system`.
+        - name: --disable-hosted-system
+          type: bool
+          short-summary: Opt the automatic cluster out of hosted system components.
+          long-summary: |
+              Deterministically creates an automatic cluster WITHOUT HOBO, even in regions where HOBO is the default.
+              Only valid with `--sku automatic`. Mutually exclusive with `--enable-hosted-system`.
+        - name: --sys-node-subnet-id --system-node-subnet-id
+          type: string
+          short-summary: Resource ID of the subnet to be used by AKS-managed hosted system nodes (BYO VNet HOBO).
+          long-summary: |
+              Only valid with `--enable-hosted-system`. Must be provided together with `--node-subnet-id`
+              and `--apiserver-subnet-id`, and all three subnets must belong to the same VNet.
+        - name: --node-subnet-id
+          type: string
+          short-summary: Resource ID of the subnet joined by tenant worker nodes in BYO VNet HOBO clusters.
+          long-summary: |
+              Only valid with `--enable-hosted-system`. Must be provided together with `--system-node-subnet-id`
+              and `--apiserver-subnet-id`, and all three subnets must belong to the same VNet.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -808,6 +829,12 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-gateway-api
         - name: Create an automatic cluster with hosted system components enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system
+        - name: Create a hosted-system automatic cluster in a BYO VNet (NAT gateway outbound, the default).
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system --system-node-subnet-id <systemNodeSubnetID> --node-subnet-id <nodeSubnetID> --apiserver-subnet-id <apiserverSubnetID>
+        - name: Create a hosted-system automatic cluster in a BYO VNet with Load Balancer outbound.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --enable-hosted-system --system-node-subnet-id <systemNodeSubnetID> --node-subnet-id <nodeSubnetID> --apiserver-subnet-id <apiserverSubnetID> --outbound-type loadBalancer
+        - name: Create an automatic cluster and opt out of hosted system components.
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --sku automatic --disable-hosted-system
 
 """
 

src/aks-preview/azext_aks_preview/_params.py

@@ -237,6 +237,8 @@
     validate_utc_offset,
     validate_vm_set_type,
     validate_vnet_subnet_id,
+    validate_system_node_subnet_id,
+    validate_node_subnet_id,
     validate_force_upgrade_disable_and_enable_parameters,
     validate_azure_service_mesh_revision,
     validate_artifact_streaming,
@@ -1261,6 +1263,19 @@ def load_arguments(self, _):
             help="Enable Gateway API based ingress on App Routing via Istio"
         )
         c.argument("enable_hosted_system", action="store_true", is_preview=True)
+        c.argument("disable_hosted_system", action="store_true", is_preview=True)
+        c.argument(
+            "system_node_subnet_id",
+            options_list=["--system-node-subnet-id", "--sys-node-subnet-id"],
+            validator=validate_system_node_subnet_id,
+            is_preview=True,
+        )
+        c.argument(
+            "node_subnet_id",
+            options_list=["--node-subnet-id"],
+            validator=validate_node_subnet_id,
+            is_preview=True,
+        )
         c.argument(
             "enable_continuous_control_plane_and_addon_monitor",
             action="store_true",

src/aks-preview/azext_aks_preview/_validators.py

@@ -355,6 +355,14 @@ def validate_apiserver_subnet_id(namespace):
     _validate_subnet_id(namespace.apiserver_subnet_id, "--apiserver-subnet-id")
 
 
+def validate_system_node_subnet_id(namespace):
+    _validate_subnet_id(namespace.system_node_subnet_id, "--system-node-subnet-id")
+
+
+def validate_node_subnet_id(namespace):
+    _validate_subnet_id(namespace.node_subnet_id, "--node-subnet-id")
+
+
 def _validate_subnet_id(subnet_id, name):
     if subnet_id is None or subnet_id == '':
         return

src/aks-preview/azext_aks_preview/custom.py

@@ -1180,6 +1180,9 @@ def aks_create(
     # app routing istio
     enable_app_routing_istio=False,
     enable_hosted_system=False,
+    disable_hosted_system=False,
+    system_node_subnet_id=None,
+    node_subnet_id=None,
     # health monitor
     enable_continuous_control_plane_and_addon_monitor=False,
 ):