From f10d44bad21078703aeefeb6d3435cd87d5d2830 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Thu, 31 Oct 2019 13:24:43 +0000
Subject: [PATCH] feat: add azure disk encryption(SSE+CMK) support
---
 pkg/volume/azure_dd/azure_provision.go | 26 +++++++++++--------
 .../azure/azure_managedDiskController.go | 9 +++++++
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/pkg/volume/azure_dd/azure_provision.go b/pkg/volume/azure_dd/azure_provision.go
index 1f6efb64a1e..6936e40428d 100644
--- a/pkg/volume/azure_dd/azure_provision.go
+++ b/pkg/volume/azure_dd/azure_provision.go
@@ -131,8 +131,9 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 availabilityZones sets.String
 selectedAvailabilityZone string
- diskIopsReadWrite string
- diskMbpsReadWrite string
+ diskIopsReadWrite string
+ diskMbpsReadWrite string
+ diskEncryptionSetID string
 )
 // maxLength = 79 - (4 for ".vhd") = 75
 name := util.GenerateVolumeName(p.options.ClusterName, p.options.PVName, 75)
@@ -175,6 +176,8 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 diskIopsReadWrite = v
 case "diskmbpsreadwrite":
 diskMbpsReadWrite = v
+ case "diskencryptionsetid":
+ diskEncryptionSetID = v
 default:
 return nil, fmt.Errorf("AzureDisk - invalid option %s in storage class", k)
 }
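Review bot: The value taken on the new `case "diskencryptionsetid":` line is stored into `diskEncryptionSetID` without any shape check, so a typo in the StorageClass parameter only surfaces later as an ARM error from CreateManagedDisk instead of the early `AzureDisk - ... in storage class` rejection this switch already uses for unknown keys. A disk encryption set is referenced by its ARM resource ID, which should begin with `/subscriptions/` and contain `/providers/Microsoft.Compute/diskEncryptionSets/` (confirm the exact form against the compute API spec), so a cheap guard before the assignment would be `if !strings.Contains(strings.ToLower(v), "/providers/microsoft.compute/diskencryptionsets/") { return nil, fmt.Errorf("AzureDisk - invalid diskEncryptionSetID %q in storage class", v) }`. `strings` would need to be imported if the file does not already use it. Provision starts and ends outside this hunk, and the lowercasing of `k` that the other cases rely on is not visible here.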
@@ -244,15 +247,16 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 }
 volumeOptions := &azure.ManagedDiskOptions{
- DiskName: name,
- StorageAccountType: skuName,
- ResourceGroup: resourceGroup,
- PVCName: p.options.PVC.Name,
- SizeGB: requestGiB,
- Tags: tags,
- AvailabilityZone: selectedAvailabilityZone,
- DiskIOPSReadWrite: diskIopsReadWrite,
- DiskMBpsReadWrite: diskMbpsReadWrite,
+ DiskName: name,
+ StorageAccountType: skuName,
+ ResourceGroup: resourceGroup,
+ PVCName: p.options.PVC.Name,
+ SizeGB: requestGiB,
+ Tags: tags,
+ AvailabilityZone: selectedAvailabilityZone,
+ DiskIOPSReadWrite: diskIopsReadWrite,
+ DiskMBpsReadWrite: diskMbpsReadWrite,
+ DiskEncryptionSetID: diskEncryptionSetID,
 }
 diskURI, err = diskController.CreateManagedDisk(volumeOptions)
 if err != nil {
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
index ebbae1da8d0..6417519c706 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go
@@ -67,6 +67,8 @@ type ManagedDiskOptions struct {
 DiskIOPSReadWrite string
 // Throughput Cap (MBps) for UltraSSD disk
 DiskMBpsReadWrite string
+ // ResourceId of the disk encryption set to use for enabling encryption at rest.
+ DiskEncryptionSetID string
 }
 //CreateManagedDisk : create managed disk
@@ -129,6 +131,13 @@ func (c *ManagedDiskController) CreateManagedDisk(options *ManagedDiskOptions) (
 }
 }
+ if options.DiskEncryptionSetID != "" {
+ diskProperties.Encryption = &compute.Encryption{
+ DiskEncryptionSetID: &options.DiskEncryptionSetID,
+ Type: compute.EncryptionAtRestWithCustomerKey,
+ }
+ }
 model := compute.Disk{
 Location: &c.common.location,
 Tags: newTags,
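Review bot: The new comment on `DiskEncryptionSetID` in ManagedDiskOptions says what the field is but not what leaving it empty means, which is the part an operator auditing at-rest encryption needs; from the CreateManagedDisk hunk, an empty value leaves the request's Encryption unset, so the disk presumably gets Azure's default server-side encryption with a platform-managed key rather than no encryption. I would extend it to `// DiskEncryptionSetID is the ARM resource ID of the disk encryption set used for encryption at rest with a customer-managed key (SSE+CMK). Empty selects the Azure default (platform-managed key). The set must be readable by the cloud provider's identity.` The same-subscription/same-region constraint that Azure places on disk encryption sets is worth a sentence too, once confirmed against the current DES documentation. The struct is cut off at both ends of this hunk, so the field's neighbours are not visible here.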
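Review bot: The `if options.DiskEncryptionSetID != ""` branch hard-codes `Type: compute.EncryptionAtRestWithCustomerKey`, and the implicit else path — Encryption left nil — carries no comment, so a reader cannot tell whether an unset DES was meant to yield an unencrypted disk or the Azure default. I would add above the if: `// No DES configured: leave Encryption nil so the disk gets Azure's default SSE with a platform-managed key; a DES always implies a customer-managed key.` (the default-key behaviour is my understanding of the compute API and should be confirmed). Note that a DES that exists but is not readable by the cloud provider identity, or whose key has been disabled, will only be reported by the subsequent CreateOrUpdate call, which along with the rest of CreateManagedDisk lies outside this hunk, so any earlier sanity check on the ID belongs in the caller. The function begins and ends outside the hunk.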