From f10d44bad21078703aeefeb6d3435cd87d5d2830 Mon Sep 17 00:00:00 2001
From: andyzhangx <xiazhang@microsoft.com>
Date: Thu, 31 Oct 2019 13:24:43 +0000
Subject: [PATCH] feat: add azure disk encryption(SSE+CMK) support

---
 pkg/volume/azure_dd/azure_provision.go        | 26 +++++++++++--------
 .../azure/azure_managedDiskController.go      |  9 +++++++
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/pkg/volume/azure_dd/azure_provision.go b/pkg/volume/azure_dd/azure_provision.go
index 1f6efb64a1e..6936e40428d 100644
--- a/pkg/volume/azure_dd/azure_provision.go
+++ b/pkg/volume/azure_dd/azure_provision.go
@@ -131,8 +131,9 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 		availabilityZones        sets.String
 		selectedAvailabilityZone string
 
-		diskIopsReadWrite string
-		diskMbpsReadWrite string
+		diskIopsReadWrite   string
+		diskMbpsReadWrite   string
+		diskEncryptionSetID string
 	)
 	// maxLength = 79 - (4 for ".vhd") = 75
 	name := util.GenerateVolumeName(p.options.ClusterName, p.options.PVName, 75)
@@ -175,6 +176,8 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 			diskIopsReadWrite = v
 		case "diskmbpsreadwrite":
 			diskMbpsReadWrite = v
+		case "diskencryptionsetid":
+			diskEncryptionSetID = v
 		default:
 			return nil, fmt.Errorf("AzureDisk - invalid option %s in storage class", k)
 		}
@@ -244,15 +247,16 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 		}
 
 		volumeOptions := &azure.ManagedDiskOptions{
-			DiskName:           name,
-			StorageAccountType: skuName,
-			ResourceGroup:      resourceGroup,
-			PVCName:            p.options.PVC.Name,
-			SizeGB:             requestGiB,
-			Tags:               tags,
-			AvailabilityZone:   selectedAvailabilityZone,
-			DiskIOPSReadWrite:  diskIopsReadWrite,
-			DiskMBpsReadWrite:  diskMbpsReadWrite,
+			DiskName:            name,
+			StorageAccountType:  skuName,
+			ResourceGroup:       resourceGroup,
+			PVCName:             p.options.PVC.Name,
+			SizeGB:              requestGiB,
+			Tags:                tags,
+			AvailabilityZone:    selectedAvailabilityZone,
+			DiskIOPSReadWrite:   diskIopsReadWrite,
+			DiskMBpsReadWrite:   diskMbpsReadWrite,
+			DiskEncryptionSetID: diskEncryptionSetID,
 		}
 		diskURI, err = diskController.CreateManagedDisk(volumeOptions)
 		if err != nil {
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
index ebbae1da8d0..6417519c706 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
@@ -67,6 +67,8 @@ type ManagedDiskOptions struct {
 	DiskIOPSReadWrite string
 	// Throughput Cap (MBps) for UltraSSD disk
 	DiskMBpsReadWrite string
+	// ResourceId of the disk encryption set to use for enabling encryption at rest.
+	DiskEncryptionSetID string
 }
 
 //CreateManagedDisk : create managed disk
@@ -129,6 +131,13 @@ func (c *ManagedDiskController) CreateManagedDisk(options *ManagedDiskOptions) (
 		}
 	}
 
+	if options.DiskEncryptionSetID != "" {
+		diskProperties.Encryption = &compute.Encryption{
+			DiskEncryptionSetID: &options.DiskEncryptionSetID,
+			Type:                compute.EncryptionAtRestWithCustomerKey,
+		}
+	}
+
 	model := compute.Disk{
 		Location: &c.common.location,
 		Tags:     newTags,