[AKS] Add mesh Istio CNI commands for az aks mesh

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -247,6 +247,8 @@
 CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK = "Rollback"
 CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE = "aks-istio-egress"
 CONST_AZURE_SERVICE_MESH_MAX_EGRESS_NAME_LENGTH = 63
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS = "InitContainers"
+CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING = "CNIChaining"
 
 # Dns zone contributor role
 CONST_PRIVATE_DNS_ZONE_CONTRIBUTOR_ROLE = "Private DNS Zone Contributor"

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -2850,6 +2850,31 @@
         text: az aks mesh upgrade rollback --resource-group MyResourceGroup --name MyManagedCluster
 """
 
+helps['aks mesh enable-istio-cni'] = """
+    type: command
+    short-summary: Enable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
+    long-summary: >
+      This command enables Istio CNI chaining as the proxy redirection mechanism
+      for Azure Service Mesh. CNI chaining provides better security and performance
+      compared to init containers by using CNI plugins to set up traffic redirection.
+    examples:
+      - name: Enable Istio CNI chaining for Azure Service Mesh.
+        text: az aks mesh enable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
+"""
+
+helps['aks mesh disable-istio-cni'] = """
+    type: command
+    short-summary: Disable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
+    long-summary: >
+      This command disables Istio CNI chaining and reverts to using init
+      containers as the proxy redirection mechanism for Azure Service Mesh. This
+      is the traditional method using privileged init containers to set up
+      iptables rules.
+    examples:
+      - name: Disable Istio CNI chaining for Azure Service Mesh.
+        text: az aks mesh disable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
+"""
+
 helps["aks approuting"] = """
     type: group
     short-summary: Commands to manage App Routing addon.

src/azure-cli/azure/cli/command_modules/acs/commands.py

@@ -299,6 +299,16 @@ def load_command_table(self, _):
             'get-upgrades',
             'aks_mesh_get_upgrades',
             table_transformer=aks_mesh_upgrades_table_format)
+        g.custom_command(
+            "enable-istio-cni",
+            "aks_mesh_enable_istio_cni",
+            supports_no_wait=True,
+        )
+        g.custom_command(
+            "disable-istio-cni",
+            "aks_mesh_disable_istio_cni",
+            supports_no_wait=True,
+        )
 
     # AKS mesh upgrade commands
     with self.command_group('aks mesh upgrade', managed_clusters_sdk, client_factory=cf_managed_clusters) as g:

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -3816,6 +3816,38 @@ def aks_mesh_upgrade_rollback(
         mesh_upgrade_command=CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK)
 
 
+def aks_mesh_enable_istio_cni(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+):
+    """Enable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
+    return _aks_mesh_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        enable_istio_cni=True,
+    )
+
+
+def aks_mesh_disable_istio_cni(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+):
+    """Disable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
+    return _aks_mesh_update(
+        cmd,
+        client,
+        resource_group_name,
+        name,
+        disable_istio_cni=True,
+    )
+
+
 def _aks_mesh_get_supported_revisions(
         cmd,
         client,
@@ -3849,6 +3881,8 @@ def _aks_mesh_update(
         revision=None,
         yes=False,
         mesh_upgrade_command=None,
+        enable_istio_cni=None,
+        disable_istio_cni=None,
 ):
     raw_parameters = locals()
 

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

@@ -42,6 +42,8 @@
     CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_COMPLETE,
     CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK,
     CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE,
+    CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING,
+    CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS,
     CONST_PRIVATE_DNS_ZONE_CONTRIBUTOR_ROLE,
     CONST_DNS_ZONE_CONTRIBUTOR_ROLE,
     CONST_ARTIFACT_SOURCE_CACHE,
@@ -4903,6 +4905,54 @@ def _handle_enable_disable_asm(self, new_profile: ServiceMeshProfile) -> Tuple[S
 
         return new_profile, updated
 
+    def _handle_istio_cni_asm(self, new_profile: ServiceMeshProfile) -> Tuple[ServiceMeshProfile, bool]:
+        """Handle enable/disable Istio CNI proxy redirection mechanism."""
+        updated = False
+        enable_istio_cni = self.raw_param.get("enable_istio_cni", False)
+        disable_istio_cni = self.raw_param.get("disable_istio_cni", False)
+
+        if enable_istio_cni and disable_istio_cni:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-istio-cni and "
+                "--disable-istio-cni at the same time."
+            )
+
+        # Check if service mesh is enabled before allowing CNI changes
+        if enable_istio_cni or disable_istio_cni:
+            if new_profile is None or new_profile.mode == CONST_AZURE_SERVICE_MESH_MODE_DISABLED:
+                raise ArgumentUsageError(
+                    "Istio has not been enabled for this cluster, please refer to https://aka.ms/asm-aks-addon-docs "
+                    "for more details on enabling Azure Service Mesh."
+                )
+
+            # Ensure istio profile exists
+            if new_profile.istio is None:
+                new_profile.istio = self.models.IstioServiceMesh()  # pylint: disable=no-member
+
+            # Ensure components exist
+            if new_profile.istio.components is None:
+                new_profile.istio.components = self.models.IstioComponents()  # pylint: disable=no-member
+
+            # Only update when the proxy redirection mechanism actually changes
+            current_mechanism = getattr(
+                new_profile.istio.components,
+                "proxy_redirection_mechanism",
+                None,
+            )
+
+            if enable_istio_cni:
+                if current_mechanism != CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING:
+                    new_profile.istio.components.proxy_redirection_mechanism = \
+                        CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING
+                    updated = True
+            elif disable_istio_cni:
+                if current_mechanism != CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS:
+                    new_profile.istio.components.proxy_redirection_mechanism = \
+                        CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS
+                    updated = True
+
+        return new_profile, updated
+
     # pylint: disable=too-many-branches,too-many-locals,too-many-statements
     def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         """ Update azure service mesh profile.
@@ -4937,6 +4987,9 @@ def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
         new_profile, updated_upgrade_asm = self._handle_upgrade_asm(new_profile)
         updated |= updated_upgrade_asm
 
+        new_profile, updated_istio_cni = self._handle_istio_cni_asm(new_profile)
+        updated |= updated_istio_cni
+
         if updated:
             return new_profile
         return self.mc.service_mesh_profile