feat: add azure disk encryption(SSE+CMK) support

pkg/volume/azure_dd/azure_provision.go

@@ -133,6 +133,7 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 
 		diskIopsReadWrite   string
 		diskMbpsReadWrite   string
+		diskEncryptionSetID string
 	)
 	// maxLength = 79 - (4 for ".vhd") = 75
 	name := util.GenerateVolumeName(p.options.ClusterName, p.options.PVName, 75)
@@ -175,6 +176,8 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 			diskIopsReadWrite = v
 		case "diskmbpsreadwrite":
 			diskMbpsReadWrite = v
+		case "diskencryptionsetid":
+			diskEncryptionSetID = v
 		default:
 			return nil, fmt.Errorf("AzureDisk - invalid option %s in storage class", k)
 		}
@@ -253,6 +256,7 @@ func (p *azureDiskProvisioner) Provision(selectedNode *v1.Node, allowedTopologie
 			AvailabilityZone:    selectedAvailabilityZone,
 			DiskIOPSReadWrite:   diskIopsReadWrite,
 			DiskMBpsReadWrite:   diskMbpsReadWrite,
+			DiskEncryptionSetID: diskEncryptionSetID,
 		}
 		diskURI, err = diskController.CreateManagedDisk(volumeOptions)
 		if err != nil {

staging/src/k8s.io/legacy-cloud-providers/azure/azure_managedDiskController.go

@@ -67,6 +67,8 @@ type ManagedDiskOptions struct {
 	DiskIOPSReadWrite string
 	// Throughput Cap (MBps) for UltraSSD disk
 	DiskMBpsReadWrite string
+	// ResourceId of the disk encryption set to use for enabling encryption at rest.
+	DiskEncryptionSetID string
 }
 
 //CreateManagedDisk : create managed disk
@@ -129,6 +131,13 @@ func (c *ManagedDiskController) CreateManagedDisk(options *ManagedDiskOptions) (
 		}
 	}
 
+	if options.DiskEncryptionSetID != "" {
+		diskProperties.Encryption = &compute.Encryption{
+			DiskEncryptionSetID: &options.DiskEncryptionSetID,
+			Type:                compute.EncryptionAtRestWithCustomerKey,
+		}
+	}
+
 	model := compute.Disk{
 		Location: &c.common.location,
 		Tags:     newTags,