{AKS} move KMS to GA #5148

Merged
merged 1 commit into from
Jul 27, 2022
4 changes: 4 additions & 0 deletions src/aks-preview/HISTORY.rst
Expand Up @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
Pending
+++++++

0.5.92
++++++

* Move Azure KeyVault KMS to GA.
* Support disabling Azure KeyVault KMS.

0.5.91
18 changes: 9 additions & 9 deletions src/aks-preview/azext_aks_preview/_params.py
Expand Up @@ -298,10 +298,10 @@ def load_arguments(self, _):
c.argument('enable_pod_identity_with_kubenet', action='store_true')
c.argument('enable_workload_identity', arg_type=get_three_state_flag())
c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true')
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
c.argument('cluster_snapshot_id', validator=validate_cluster_snapshot_id, is_preview=True)
c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
c.argument('disable_disk_driver', action='store_true')
Expand Down Expand Up @@ -388,11 +388,11 @@ def load_arguments(self, _):
c.argument('disable_pod_identity', action='store_true')
c.argument('enable_workload_identity', arg_type=get_three_state_flag())
c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('disable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), is_preview=True)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true')
c.argument('disable_azure_keyvault_kms', action='store_true')
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types))
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
c.argument('enable_disk_driver', action='store_true')
c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
c.argument('disable_disk_driver', action='store_true')
62 changes: 20 additions & 42 deletions src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
Expand Up @@ -770,31 +770,15 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo
azure_keyvault_kms_key_vault_network_access = self.raw_param.get(
"azure_keyvault_kms_key_vault_network_access"
)
if self.decorator_mode == DecoratorMode.CREATE:
pass
# Do not read the property value corresponding to the parameter from the `mc` object in create mode,
# because keyVaultNetworkAccess has the default value "Public" in azure-rest-api-specs, to avoid
# accidentally overwriting user-specified values.
else:
# backfill from existing mc, temp fix before rp handles the backfill
if (
azure_keyvault_kms_key_vault_network_access is None and
self.mc and
self.mc.security_profile and
self.mc.security_profile.azure_key_vault_kms and
self.mc.security_profile.azure_key_vault_kms.key_vault_network_access is not None
):
azure_keyvault_kms_key_vault_network_access = (
self.mc.security_profile.azure_key_vault_kms.key_vault_network_access
)
# backfill to default value, temp fix before rp handles the backfill
if azure_keyvault_kms_key_vault_network_access is None:
azure_keyvault_kms_key_vault_network_access = CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC

# validation
if enable_validation:
enable_azure_keyvault_kms = self._get_enable_azure_keyvault_kms(
enable_validation=False)
if azure_keyvault_kms_key_vault_network_access is None:
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-network-access" is required.')

if (
azure_keyvault_kms_key_vault_network_access and
(
Expand All @@ -805,6 +789,16 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-network-access" requires "--enable-azure-keyvault-kms".')

if azure_keyvault_kms_key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE:
key_vault_resource_id = self._get_azure_keyvault_kms_key_vault_resource_id(
enable_validation=False)
if (
key_vault_resource_id is None or
key_vault_resource_id == ""
):
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-resource-id" is required when "--azure-keyvault-kms-key-vault-network-access" is Private.')

return azure_keyvault_kms_key_vault_network_access

def get_azure_keyvault_kms_key_vault_network_access(self) -> Union[str, None]:
Expand Down Expand Up @@ -839,17 +833,6 @@ def _get_azure_keyvault_kms_key_vault_resource_id(self, enable_validation: bool
azure_keyvault_kms_key_vault_resource_id = (
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id
)
else:
# backfill from existing mc, temp fix before rp handles the backfill
if (
azure_keyvault_kms_key_vault_resource_id is None and
self.mc.security_profile and
self.mc.security_profile.azure_key_vault_kms and
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id is not None
):
azure_keyvault_kms_key_vault_resource_id = (
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id
)

# validation
if enable_validation:
Expand Down Expand Up @@ -1983,17 +1966,12 @@ def update_azure_keyvault_kms(self, mc: ManagedCluster) -> ManagedCluster:
azure_key_vault_kms_profile.key_id = self.context.get_azure_keyvault_kms_key_id()
# set network access, should never be None for now, can be safely assigned, temp fix for rp
# the value is obtained from user input or backfilled from existing mc or to default value
azure_key_vault_kms_profile.key_vault_network_access = (
self.context.get_azure_keyvault_kms_key_vault_network_access()
)
# set key vault id
if (
azure_key_vault_kms_profile.key_vault_network_access ==
CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE
):
azure_key_vault_kms_profile.key_vault_resource_id = (
self.context.get_azure_keyvault_kms_key_vault_resource_id()
)
azure_key_vault_kms_profile.key_vault_network_access = self.context.get_azure_keyvault_kms_key_vault_network_access()
# set key vault resource id
if azure_key_vault_kms_profile.key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE:
azure_key_vault_kms_profile.key_vault_resource_id = self.context.get_azure_keyvault_kms_key_vault_resource_id()
else:
azure_key_vault_kms_profile.key_vault_resource_id = ""

if self.context.get_disable_azure_keyvault_kms():
# get kms profile
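Review bot: Dropping the backfill at the top of `_get_azure_keyvault_kms_key_vault_network_access` while adding the new `if azure_keyvault_kms_key_vault_network_access is None: raise RequiredArgumentMissingError(...)` means a key-rotation update (`--enable-azure-keyvault-kms --azure-keyvault-kms-key-id`) that previously reused the cluster's existing keyVaultNetworkAccess now fails unless the flag is repeated; the test changes confirm this, but HISTORY.rst does not mention the behaviour change. That check also runs whenever validation is enabled regardless of `enable_azure_keyvault_kms`, which is fetched just above it but only consulted by the later check; if this getter is reachable in update mode without `--enable-azure-keyvault-kms` (the caller is outside the hunk), an unrelated update would be rejected with this message, so guard it as `if enable_azure_keyvault_kms and azure_keyvault_kms_key_vault_network_access is None:`. The comment kept above the new assignment in `update_azure_keyvault_kms` ("... backfilled from existing mc or to default value") now describes removed behaviour; replace it with `# set network access; the context getter has already validated it is not None`. Both enclosing methods start and end outside the hunks.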
Expand Up @@ -4024,12 +4024,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group,

create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

key = self.cmd(create_key, checks=[
Expand All @@ -4043,13 +4044,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group,

# Rotate key
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

# delete
Expand Down Expand Up @@ -4117,11 +4118,13 @@ def test_aks_update_with_azurekeyvaultkms_public_key_vault(self, resource_group,
])

update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview -o json'
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

# delete
Expand Down Expand Up @@ -4201,7 +4204,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4236,7 +4238,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4330,7 +4331,6 @@ def test_aks_update_with_azurekeyvaultkms_private_key_vault(self, resource_group
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4417,7 +4417,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s
'--assign-identity {identity_id} --enable-private-cluster ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4453,7 +4452,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4521,16 +4519,17 @@ def test_aks_disable_azurekeyvaultkms(self, resource_group, resource_group_locat

create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', "Public")
])

update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--disable-azure-keyvault-kms --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--disable-azure-keyvault-kms ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
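Review bot: The rotation step in `test_aks_create_with_azurekeyvaultkms_public_key_vault` now repeats `--azure-keyvault-kms-key-vault-network-access=Public` on the update command, but no test covers the new failure path this commit introduces in the decorator, where that flag is omitted on an enable/rotate update; a negative test asserting `RequiredArgumentMissingError` for `aks update --enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id}` without it would pin the behaviour. Minor style: the new check in `test_aks_disable_azurekeyvaultkms` uses `"Public"` with double quotes while every other added check uses `'Public'`; use the single-quoted form for consistency. The test methods here start and end outside the hunks.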