From c52f99bba55222ec831eef25e0fe60f25176b32d Mon Sep 17 00:00:00 2001 From: Bin Xia Date: Sat, 23 Jul 2022 12:08:49 +0000 Subject: [PATCH] Move KMS to GA --- src/aks-preview/HISTORY.rst | 4 + src/aks-preview/azext_aks_preview/_params.py | 18 +- .../managed_cluster_decorator.py | 62 ++---- .../tests/latest/test_aks_commands.py | 29 ++- .../latest/test_managed_cluster_decorator.py | 186 ++++++------------ src/aks-preview/setup.py | 2 +- 6 files changed, 104 insertions(+), 197 deletions(-) diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst index 0a72b6ba3c6..a4b99484d4a 100644 --- a/src/aks-preview/HISTORY.rst +++ b/src/aks-preview/HISTORY.rst @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to Pending +++++++ +0.5.92 +++++++ + +* Move Azure KeyVault KMS to GA. * Support disabling Azure KeyVault KMS. 0.5.91 diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py index bb9f97f5297..59433eeabf0 100644 --- a/src/aks-preview/azext_aks_preview/_params.py +++ b/src/aks-preview/azext_aks_preview/_params.py 
@@ -298,10 +298,10 @@ def load_arguments(self, _):
 c.argument('enable_pod_identity_with_kubenet', action='store_true')
 c.argument('enable_workload_identity', arg_type=get_three_state_flag())
 c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
- c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
- c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
- c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, is_preview=True)
- c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
+ c.argument('enable_azure_keyvault_kms', action='store_true')
+ c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
+ c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC)
+ c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
 c.argument('cluster_snapshot_id', validator=validate_cluster_snapshot_id, is_preview=True)
 c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
 c.argument('disable_disk_driver', action='store_true')
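Review bot: In this create block `azure_keyvault_kms_key_vault_network_access` keeps `default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC`, while the update block in the next hunk declares the same argument with no default and the getter changed in managed_cluster_decorator.py now raises when the value is None. After this commit the flag is therefore optional on `aks create`, where it silently resolves to Public, and required on `aks update` whenever the validating getter runs, which is easy to miss for a GA option that decides how the cluster reaches the key vault. I would add a comment above the create argument, `# create defaults to Public; update has no default and the getter rejects None`, and say the same in the argument help if one exists outside this hunk. load_arguments continues outside the hunk.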
@@ -388,11 +388,11 @@ def load_arguments(self, _):
 c.argument('disable_pod_identity', action='store_true')
 c.argument('enable_workload_identity', arg_type=get_three_state_flag())
 c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
- c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
- c.argument('disable_azure_keyvault_kms', action='store_true', is_preview=True)
- c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
- c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), is_preview=True)
- c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
+ c.argument('enable_azure_keyvault_kms', action='store_true')
+ c.argument('disable_azure_keyvault_kms', action='store_true')
+ c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
+ c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types))
+ c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
 c.argument('enable_disk_driver', action='store_true')
 c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
 c.argument('disable_disk_driver', action='store_true')
diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
index 1188827cf55..ff7f6cf4b54 100644
--- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -770,31 +770,15 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo azure_keyvault_kms_key_vault_network_access = self.raw_param.get( "azure_keyvault_kms_key_vault_network_access" ) - if self.decorator_mode == DecoratorMode.CREATE: - pass - # Do not read the property value corresponding to the parameter from the `mc` object in create mode, - # because keyVaultNetworkAccess has the default value "Public" in azure-rest-api-specs, to avoid - # accidentally overwriting user-specified values. - else: - # backfill from existing mc, temp fix before rp handles the backfill - if ( - azure_keyvault_kms_key_vault_network_access is None and - self.mc and - self.mc.security_profile and - self.mc.security_profile.azure_key_vault_kms and - self.mc.security_profile.azure_key_vault_kms.key_vault_network_access is not None - ): - azure_keyvault_kms_key_vault_network_access = ( - self.mc.security_profile.azure_key_vault_kms.key_vault_network_access - ) - # backfill to default value, temp fix before rp handles the backfill - if azure_keyvault_kms_key_vault_network_access is None: - azure_keyvault_kms_key_vault_network_access = CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC # validation if enable_validation: enable_azure_keyvault_kms = self._get_enable_azure_keyvault_kms( enable_validation=False) + if azure_keyvault_kms_key_vault_network_access is None: + raise RequiredArgumentMissingError( + '"--azure-keyvault-kms-key-vault-network-access" is required.') + if ( azure_keyvault_kms_key_vault_network_access and ( 
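Review bot: The new `is None` check runs before the `--enable-azure-keyvault-kms` test and does not look at `enable_azure_keyvault_kms`, so any validating call without the flag reports `"--azure-keyvault-kms-key-vault-network-access" is required.`; the ctx_0 unit case, which previously returned None, is now expected to raise. Together with the removed backfill, an update that only rotates the key has to restate network access, and the value already stored on the cluster is no longer consulted, so restating it wrongly changes how the vault is reached instead of producing an error. If the flag is meant to be required only when KMS is being enabled, the condition would read `if enable_azure_keyvault_kms and azure_keyvault_kms_key_vault_network_access is None:`, and the message could add that the existing cluster value is not reused. The function starts before and continues past this hunk, so callers that reach it without enabling KMS are not visible here.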
@@ -805,6 +789,16 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo raise RequiredArgumentMissingError( '"--azure-keyvault-kms-key-vault-network-access" requires "--enable-azure-keyvault-kms".') + if azure_keyvault_kms_key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE: + key_vault_resource_id = self._get_azure_keyvault_kms_key_vault_resource_id( + enable_validation=False) + if ( + key_vault_resource_id is None or + key_vault_resource_id == "" + ): + raise RequiredArgumentMissingError( + '"--azure-keyvault-kms-key-vault-resource-id" is required when "--azure-keyvault-kms-key-vault-network-access" is Private.') + return azure_keyvault_kms_key_vault_network_access def get_azure_keyvault_kms_key_vault_network_access(self) -> Union[str, None]: @@ -839,17 +833,6 @@ def _get_azure_keyvault_kms_key_vault_resource_id(self, enable_validation: bool azure_keyvault_kms_key_vault_resource_id = ( self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id ) - else: - # backfill from existing mc, temp fix before rp handles the backfill - if ( - azure_keyvault_kms_key_vault_resource_id is None and - self.mc.security_profile and - self.mc.security_profile.azure_key_vault_kms and - self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id is not None - ): - azure_keyvault_kms_key_vault_resource_id = ( - self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id - ) # validation if enable_validation: 
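Review bot: The Private branch only establishes that a resource id is present, and it does so with `key_vault_resource_id is None or key_vault_resource_id == ""`, which `if not key_vault_resource_id:` expresses in one clause. Because the id is fetched with `enable_validation=False`, nothing in this hunk ties it to the vault named by `--azure-keyvault-kms-key-id`; if no validator outside the hunk does, a comment such as `# presence check only; vault/key consistency is left to the service` would record that. The getter starts before this hunk.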
@@ -1983,17 +1966,12 @@ def update_azure_keyvault_kms(self, mc: ManagedCluster) -> ManagedCluster: azure_key_vault_kms_profile.key_id = self.context.get_azure_keyvault_kms_key_id() # set network access, should never be None for now, can be safely assigned, temp fix for rp # the value is obtained from user input or backfilled from existing mc or to default value - azure_key_vault_kms_profile.key_vault_network_access = ( - self.context.get_azure_keyvault_kms_key_vault_network_access() - ) - # set key vault id - if ( - azure_key_vault_kms_profile.key_vault_network_access == - CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE - ): - azure_key_vault_kms_profile.key_vault_resource_id = ( - self.context.get_azure_keyvault_kms_key_vault_resource_id() - ) + azure_key_vault_kms_profile.key_vault_network_access = self.context.get_azure_keyvault_kms_key_vault_network_access() + # set key vault resource id + if azure_key_vault_kms_profile.key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE: + azure_key_vault_kms_profile.key_vault_resource_id = self.context.get_azure_keyvault_kms_key_vault_resource_id() + else: + azure_key_vault_kms_profile.key_vault_resource_id = "" if self.context.get_disable_azure_keyvault_kms(): # get kms profile diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py index 82a780c5df4..9d2c21f522f 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py 
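Review bot: The two context comments above the assignment still call this a "temp fix for rp" and say the value is "backfilled from existing mc or to default value", but this commit removes both backfills, so they now describe behaviour that no longer exists. I would replace them with `# network access comes from user input only; the getter raises when it is missing`. The new `else` branch overwrites `key_vault_resource_id` with `""` for Public, which drops whatever id the profile held; a comment such as `# Public: clear any stored vault resource id` would make that intent explicit, and it is worth confirming that the service treats `""` as unset. update_azure_keyvault_kms starts before and continues after the hunk.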
@@ -4024,12 +4024,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group, create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \ '--assign-identity {identity_id} ' \ - '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ + '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \ '--ssh-key-value={ssh_key_value} -o json' self.cmd(create_cmd, checks=[ self.check('provisioningState', 'Succeeded'), self.check('securityProfile.azureKeyVaultKms.enabled', True), - self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0) + self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0), + self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public') ]) key = self.cmd(create_key, checks=[ @@ -4043,13 +4044,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group, # Rotate key update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ - '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ + '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \ '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), self.check('securityProfile.azureKeyVaultKms.enabled', True), - self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1) + self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1), + self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public') ]) # delete 
@@ -4117,11 +4118,13 @@ def test_aks_update_with_azurekeyvaultkms_public_key_vault(self, resource_group, ]) update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ - '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview -o json' + '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \ + '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), self.check('securityProfile.azureKeyVaultKms.enabled', True), - self.check('securityProfile.azureKeyVaultKms.keyId', key_id) + self.check('securityProfile.azureKeyVaultKms.keyId', key_id), + self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public') ]) # delete @@ -4201,7 +4204,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group '--assign-identity {identity_id} ' \ '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ '--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ '--ssh-key-value={ssh_key_value} -o json' self.cmd(create_cmd, checks=[ self.check('provisioningState', 'Succeeded'), @@ -4236,7 +4238,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ '--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), 
@@ -4330,7 +4331,6 @@ def test_aks_update_with_azurekeyvaultkms_private_key_vault(self, resource_group update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ '--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), @@ -4417,7 +4417,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s '--assign-identity {identity_id} --enable-private-cluster ' \ '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ '--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ '--ssh-key-value={ssh_key_value} -o json' self.cmd(create_cmd, checks=[ self.check('provisioningState', 'Succeeded'), @@ -4453,7 +4452,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \ '--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \ - '--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), 
@@ -4521,16 +4519,17 @@ def test_aks_disable_azurekeyvaultkms(self, resource_group, resource_group_locat create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \ '--assign-identity {identity_id} ' \ - '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ + '--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \ '--ssh-key-value={ssh_key_value} -o json' self.cmd(create_cmd, checks=[ self.check('provisioningState', 'Succeeded'), self.check('securityProfile.azureKeyVaultKms.enabled', True), - self.check('securityProfile.azureKeyVaultKms.keyId', key_id) + self.check('securityProfile.azureKeyVaultKms.keyId', key_id), + self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', "Public") ]) update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \ - '--disable-azure-keyvault-kms --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \ + '--disable-azure-keyvault-kms ' \ '-o json' self.cmd(update_cmd, checks=[ self.check('provisioningState', 'Succeeded'), diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py index d8df7507f2b..539c53596f2 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py 
@@ -1152,55 +1152,47 @@ def test_get_azure_keyvault_kms_key_vault_network_access(self): self.models, decorator_mode=DecoratorMode.CREATE, ) - self.assertIsNone(ctx_0.get_azure_keyvault_kms_key_vault_network_access()) + with self.assertRaises(RequiredArgumentMissingError): + ctx_0.get_azure_keyvault_kms_key_vault_network_access() ctx_1 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ - "enable_azure_keyvault_kms": True, "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_1, }), self.models, decorator_mode=DecoratorMode.CREATE, ) - self.assertEqual(ctx_1.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_1) + with self.assertRaises(RequiredArgumentMissingError): + ctx_1.get_azure_keyvault_kms_key_vault_network_access() ctx_2 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ - "enable_azure_keyvault_kms": True, - "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_2, + "enable_azure_keyvault_kms": False, + "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_1, }), self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - security_profile = self.models.ManagedClusterSecurityProfile() - security_profile.azure_key_vault_kms = self.models.AzureKeyVaultKms( - enabled=True, - key_vault_network_access=key_vault_network_access_1, - ) - mc = self.models.ManagedCluster( - location="test_location", - security_profile=security_profile, + decorator_mode=DecoratorMode.CREATE, ) - ctx_2.attach_mc(mc) - self.assertEqual(ctx_2.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_2) + with self.assertRaises(RequiredArgumentMissingError): + ctx_2.get_azure_keyvault_kms_key_vault_network_access() ctx_3 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ - "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_2, + "enable_azure_keyvault_kms": True, + 
"azure_keyvault_kms_key_vault_network_access": key_vault_network_access_1, }), self.models, decorator_mode=DecoratorMode.CREATE, ) - with self.assertRaises(RequiredArgumentMissingError): - ctx_3.get_azure_keyvault_kms_key_vault_network_access() + self.assertEqual(ctx_3.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_1) ctx_4 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ - "enable_azure_keyvault_kms": False, + "enable_azure_keyvault_kms": True, "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_2, }), self.models, 
@@ -1209,42 +1201,38 @@ def test_get_azure_keyvault_kms_key_vault_network_access(self): with self.assertRaises(RequiredArgumentMissingError): ctx_4.get_azure_keyvault_kms_key_vault_network_access() - # update scenario, backfill to default ctx_5 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ "enable_azure_keyvault_kms": True, + "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_2, + "azure_keyvault_kms_key_vault_resource_id": "fake-resource-id", }), self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - security_profile_5 = self.models.ManagedClusterSecurityProfile() - mc_5 = self.models.ManagedCluster( - location="test_location", - security_profile=security_profile_5, + decorator_mode=DecoratorMode.CREATE, ) - ctx_5.attach_mc(mc_5) - self.assertEqual(ctx_5.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_1) + self.assertEqual(ctx_5.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_2) - # update scenario, backfill from existing mc ctx_6 = AKSPreviewManagedClusterContext( self.cmd, AKSManagedClusterParamDict({ "enable_azure_keyvault_kms": True, + "azure_keyvault_kms_key_vault_network_access": key_vault_network_access_2, + "azure_keyvault_kms_key_vault_resource_id": "fake-resource-id", }), self.models, decorator_mode=DecoratorMode.UPDATE, ) - security_profile_6 = self.models.ManagedClusterSecurityProfile() - security_profile_6.azure_key_vault_kms = self.models.AzureKeyVaultKms( + security_profile = self.models.ManagedClusterSecurityProfile() + security_profile.azure_key_vault_kms = self.models.AzureKeyVaultKms( enabled=True, - key_vault_network_access=key_vault_network_access_2, + key_vault_network_access=key_vault_network_access_1, ) - mc_6 = self.models.ManagedCluster( + mc = self.models.ManagedCluster( location="test_location", - security_profile=security_profile_6, + security_profile=security_profile, ) - ctx_6.attach_mc(mc_6) + ctx_6.attach_mc(mc) 
self.assertEqual(ctx_6.get_azure_keyvault_kms_key_vault_network_access(), key_vault_network_access_2) def test_get_azure_keyvault_kms_key_vault_resource_id(self): @@ -1389,28 +1377,6 @@ def test_get_azure_keyvault_kms_key_vault_resource_id(self): with self.assertRaises(ArgumentUsageError): ctx_9.get_azure_keyvault_kms_key_vault_resource_id() - # update scenario, backfill from existing mc - ctx_10 = AKSPreviewManagedClusterContext( - self.cmd, - AKSManagedClusterParamDict({ - "enable_azure_keyvault_kms": True, - }), - self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - security_profile_10 = self.models.ManagedClusterSecurityProfile() - security_profile_10.azure_key_vault_kms = self.models.AzureKeyVaultKms( - enabled=True, - key_vault_network_access="Private", - key_vault_resource_id=key_vault_resource_id_1, - ) - mc_10 = self.models.ManagedCluster( - location="test_location", - security_profile=security_profile_10, - ) - ctx_10.attach_mc(mc_10) - self.assertEqual(ctx_10.get_azure_keyvault_kms_key_vault_resource_id(), key_vault_resource_id_1) - def test_get_cluster_snapshot_id(self): # default ctx_1 = AKSPreviewManagedClusterContext( 
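Review bot: None of the rewritten cases covers the path this commit changes most: UPDATE mode with `enable_azure_keyvault_kms` set, no `azure_keyvault_kms_key_vault_network_access`, and an attached cluster whose profile already holds a value. ctx_6 is the only UPDATE case and it passes the flag explicitly, so the removal of the backfill is not pinned by any assertion. I would add a case built like ctx_6 but without the network-access and resource-id parameters, ending in `with self.assertRaises(RequiredArgumentMissingError):` around the getter call. The test method starts before this hunk.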
@@ -3935,77 +3901,6 @@ def test_update_azure_keyvault_kms(self): ) self.assertEqual(dec_mc_2, ground_truth_mc_2) - # partial update, backfill default network access - dec_3 = AKSPreviewManagedClusterUpdateDecorator( - self.cmd, - self.client, - { - "enable_azure_keyvault_kms": True, - "azure_keyvault_kms_key_id": key_id_1, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - mc_3 = self.models.ManagedCluster( - location="test_location", - ) - dec_3.context.attach_mc(mc_3) - dec_mc_3 = dec_3.update_azure_keyvault_kms(mc_3) - - ground_truth_azure_keyvault_kms_profile_3 = self.models.AzureKeyVaultKms( - enabled=True, - key_id=key_id_1, - key_vault_network_access="Public", - ) - ground_truth_security_profile_3 = self.models.ManagedClusterSecurityProfile( - azure_key_vault_kms=ground_truth_azure_keyvault_kms_profile_3, - ) - ground_truth_mc_3 = self.models.ManagedCluster( - location="test_location", - security_profile=ground_truth_security_profile_3, - ) - self.assertEqual(dec_mc_3, ground_truth_mc_3) - - # partial update, backfill network access and key vault id from existing mc - dec_4 = AKSPreviewManagedClusterUpdateDecorator( - self.cmd, - self.client, - { - "enable_azure_keyvault_kms": True, - "azure_keyvault_kms_key_id": key_id_1, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - azure_keyvault_kms_profile_4 = self.models.AzureKeyVaultKms( - enabled=True, - key_id="test_key_id", - key_vault_network_access="Private", - key_vault_resource_id="/subscriptions/8ecadfc9-d1a3-4ea4-b844-0d9f87e4d7c8/resourceGroups/foo/providers/Microsoft.KeyVault/vaults/foo", - ) - security_profile_4 = self.models.ManagedClusterSecurityProfile( - azure_key_vault_kms=azure_keyvault_kms_profile_4, - ) - mc_4 = self.models.ManagedCluster( - location="test_location", - security_profile=security_profile_4, - ) - dec_4.context.attach_mc(mc_4) - dec_mc_4 = dec_4.update_azure_keyvault_kms(mc_4) - - ground_truth_azure_keyvault_kms_profile_4 = self.models.AzureKeyVaultKms( - enabled=True, - key_id=key_id_1, - 
key_vault_network_access="Private", - key_vault_resource_id="/subscriptions/8ecadfc9-d1a3-4ea4-b844-0d9f87e4d7c8/resourceGroups/foo/providers/Microsoft.KeyVault/vaults/foo", - ) - ground_truth_security_profile_4 = self.models.ManagedClusterSecurityProfile( - azure_key_vault_kms=ground_truth_azure_keyvault_kms_profile_4, - ) - ground_truth_mc_4 = self.models.ManagedCluster( - location="test_location", - security_profile=ground_truth_security_profile_4, - ) - self.assertEqual(dec_mc_4, ground_truth_mc_4) - dec_5 = AKSPreviewManagedClusterUpdateDecorator( self.cmd, self.client, @@ -4067,6 +3962,37 @@ def test_update_azure_keyvault_kms(self): ) self.assertEqual(dec_mc_6, ground_truth_mc_6) + dec_7 = AKSPreviewManagedClusterUpdateDecorator( + self.cmd, + self.client, + { + "enable_azure_keyvault_kms": True, + "azure_keyvault_kms_key_id": key_id_1, + "azure_keyvault_kms_key_vault_network_access": "Public", + }, + CUSTOM_MGMT_AKS_PREVIEW, + ) + mc_7 = self.models.ManagedCluster( + location="test_location", + ) + dec_7.context.attach_mc(mc_7) + dec_mc_7 = dec_7.update_azure_keyvault_kms(mc_7) + + ground_truth_azure_keyvault_kms_profile_7 = self.models.AzureKeyVaultKms( + enabled=True, + key_id=key_id_1, + key_vault_network_access="Public", + key_vault_resource_id="", + ) + ground_truth_security_profile_7 = self.models.ManagedClusterSecurityProfile( + azure_key_vault_kms=ground_truth_azure_keyvault_kms_profile_7, + ) + ground_truth_mc_7 = self.models.ManagedCluster( + location="test_location", + security_profile=ground_truth_security_profile_7, + ) + self.assertEqual(dec_mc_7, ground_truth_mc_7) + def test_update_storage_profile(self): dec_1 = AKSPreviewManagedClusterUpdateDecorator( diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index 7627d774874..74f806244ca 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py 
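Review bot: dec_7 exercises the new `else` branch only against a cluster with no security profile, so requesting Public on a profile that already holds Private and a vault resource id is untested, and that is the one situation in which clearing `key_vault_resource_id` changes stored state. A further case that attaches such a cluster and asserts the resulting network access and empty resource id would pin it. The sketch below reuses `key_id_1` and the constructor pattern of dec_7, and assumes the decorator returns the profile on `security_profile.azure_key_vault_kms`. test_update_azure_keyvault_kms starts before this hunk.

```python
        self.assertEqual(dec_mc_7, ground_truth_mc_7)

        # switching an existing Private profile to Public must clear the stored vault resource id
        dec_8 = AKSPreviewManagedClusterUpdateDecorator(
            self.cmd,
            self.client,
            {
                "enable_azure_keyvault_kms": True,
                "azure_keyvault_kms_key_id": key_id_1,
                "azure_keyvault_kms_key_vault_network_access": "Public",
            },
            CUSTOM_MGMT_AKS_PREVIEW,
        )
        mc_8 = self.models.ManagedCluster(
            location="test_location",
            security_profile=self.models.ManagedClusterSecurityProfile(
                azure_key_vault_kms=self.models.AzureKeyVaultKms(
                    enabled=True,
                    key_id="test_key_id",
                    key_vault_network_access="Private",
                    key_vault_resource_id="fake-resource-id",
                ),
            ),
        )
        dec_8.context.attach_mc(mc_8)
        dec_mc_8 = dec_8.update_azure_keyvault_kms(mc_8)
        kms_8 = dec_mc_8.security_profile.azure_key_vault_kms
        self.assertEqual(kms_8.key_vault_network_access, "Public")
        self.assertEqual(kms_8.key_vault_resource_id, "")
```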
@@ -9,7 +9,7 @@ from setuptools import setup, find_packages -VERSION = "0.5.91" +VERSION = "0.5.92" CLASSIFIERS = [ "Development Status :: 4 - Beta", "Intended Audience :: Developers",