Move KMS to GA (#5148)
bingosummer authored Jul 27, 2022
1 parent 36dbe76 commit 2cc1404
Showing 6 changed files with 104 additions and 197 deletions.
4 changes: 4 additions & 0 deletions src/aks-preview/HISTORY.rst
Expand Up @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
Pending
+++++++

0.5.92
++++++

* Move Azure KeyVault KMS to GA.
* Support disabling Azure KeyVault KMS.

0.5.91
18 changes: 9 additions & 9 deletions src/aks-preview/azext_aks_preview/_params.py
Expand Up @@ -298,10 +298,10 @@ def load_arguments(self, _):
c.argument('enable_pod_identity_with_kubenet', action='store_true')
c.argument('enable_workload_identity', arg_type=get_three_state_flag())
c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true')
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), default=CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
c.argument('cluster_snapshot_id', validator=validate_cluster_snapshot_id, is_preview=True)
c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
c.argument('disable_disk_driver', action='store_true')
Expand Down Expand Up @@ -388,11 +388,11 @@ def load_arguments(self, _):
c.argument('disable_pod_identity', action='store_true')
c.argument('enable_workload_identity', arg_type=get_three_state_flag())
c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('disable_azure_keyvault_kms', action='store_true', is_preview=True)
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), is_preview=True)
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
c.argument('enable_azure_keyvault_kms', action='store_true')
c.argument('disable_azure_keyvault_kms', action='store_true')
c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types))
c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
c.argument('enable_disk_driver', action='store_true')
c.argument('disk_driver_version', arg_type=get_enum_type(disk_driver_versions))
c.argument('disable_disk_driver', action='store_true')
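Review bot: The update-mode registration of `azure_keyvault_kms_key_vault_network_access` in the second hunk has no default, while the create-mode registration in the first hunk defaults to CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, and nothing in the file explains the asymmetry. Since this commit also removes the backfill from the existing cluster in the decorator, an `aks update --enable-azure-keyvault-kms` that omits the flag presumably now fails validation instead of keeping the cluster's current setting, so the reason for leaving the default off deserves a comment next to the argument, e.g. `# no default on update: the decorator validates that the value is given explicitly when KMS is enabled`. If the intent is instead to preserve the existing cluster value, that would need to be restored in the decorator rather than here. Both hunks sit inside load_arguments, whose body extends beyond the section.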
62 changes: 20 additions & 42 deletions src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
Expand Up @@ -770,31 +770,15 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo
azure_keyvault_kms_key_vault_network_access = self.raw_param.get(
"azure_keyvault_kms_key_vault_network_access"
)
if self.decorator_mode == DecoratorMode.CREATE:
pass
# Do not read the property value corresponding to the parameter from the `mc` object in create mode,
# because keyVaultNetworkAccess has the default value "Public" in azure-rest-api-specs, to avoid
# accidentally overwriting user-specified values.
else:
# backfill from existing mc, temp fix before rp handles the backfill
if (
azure_keyvault_kms_key_vault_network_access is None and
self.mc and
self.mc.security_profile and
self.mc.security_profile.azure_key_vault_kms and
self.mc.security_profile.azure_key_vault_kms.key_vault_network_access is not None
):
azure_keyvault_kms_key_vault_network_access = (
self.mc.security_profile.azure_key_vault_kms.key_vault_network_access
)
# backfill to default value, temp fix before rp handles the backfill
if azure_keyvault_kms_key_vault_network_access is None:
azure_keyvault_kms_key_vault_network_access = CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC

# validation
if enable_validation:
enable_azure_keyvault_kms = self._get_enable_azure_keyvault_kms(
enable_validation=False)
if azure_keyvault_kms_key_vault_network_access is None:
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-network-access" is required.')

if (
azure_keyvault_kms_key_vault_network_access and
(
Expand All @@ -805,6 +789,16 @@ def _get_azure_keyvault_kms_key_vault_network_access(self, enable_validation: bo
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-network-access" requires "--enable-azure-keyvault-kms".')

if azure_keyvault_kms_key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE:
key_vault_resource_id = self._get_azure_keyvault_kms_key_vault_resource_id(
enable_validation=False)
if (
key_vault_resource_id is None or
key_vault_resource_id == ""
):
raise RequiredArgumentMissingError(
'"--azure-keyvault-kms-key-vault-resource-id" is required when "--azure-keyvault-kms-key-vault-network-access" is Private.')

return azure_keyvault_kms_key_vault_network_access

def get_azure_keyvault_kms_key_vault_network_access(self) -> Union[str, None]:
Expand Down Expand Up @@ -839,17 +833,6 @@ def _get_azure_keyvault_kms_key_vault_resource_id(self, enable_validation: bool
azure_keyvault_kms_key_vault_resource_id = (
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id
)
else:
# backfill from existing mc, temp fix before rp handles the backfill
if (
azure_keyvault_kms_key_vault_resource_id is None and
self.mc.security_profile and
self.mc.security_profile.azure_key_vault_kms and
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id is not None
):
azure_keyvault_kms_key_vault_resource_id = (
self.mc.security_profile.azure_key_vault_kms.key_vault_resource_id
)

# validation
if enable_validation:
Expand Down Expand Up @@ -1983,17 +1966,12 @@ def update_azure_keyvault_kms(self, mc: ManagedCluster) -> ManagedCluster:
azure_key_vault_kms_profile.key_id = self.context.get_azure_keyvault_kms_key_id()
# set network access, should never be None for now, can be safely assigned, temp fix for rp
# the value is obtained from user input or backfilled from existing mc or to default value
azure_key_vault_kms_profile.key_vault_network_access = (
self.context.get_azure_keyvault_kms_key_vault_network_access()
)
# set key vault id
if (
azure_key_vault_kms_profile.key_vault_network_access ==
CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE
):
azure_key_vault_kms_profile.key_vault_resource_id = (
self.context.get_azure_keyvault_kms_key_vault_resource_id()
)
azure_key_vault_kms_profile.key_vault_network_access = self.context.get_azure_keyvault_kms_key_vault_network_access()
# set key vault resource id
if azure_key_vault_kms_profile.key_vault_network_access == CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE:
azure_key_vault_kms_profile.key_vault_resource_id = self.context.get_azure_keyvault_kms_key_vault_resource_id()
else:
azure_key_vault_kms_profile.key_vault_resource_id = ""

if self.context.get_disable_azure_keyvault_kms():
# get kms profile
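Review bot: The context comment above the new assignment in update_azure_keyvault_kms (the two lines starting "set network access, should never be None for now ... backfilled from existing mc or to default value") is now wrong, because this commit deletes the backfill-from-mc and backfill-to-default branches from _get_azure_keyvault_kms_key_vault_network_access in the first hunk; the value now comes from user input (create-mode default) or the getter raises. I would replace those two lines with `# set network access; the getter raises RequiredArgumentMissingError when it is None, so it can be assigned directly`. In the first hunk the new `if azure_keyvault_kms_key_vault_network_access is None: raise RequiredArgumentMissingError(...)` runs before the "requires --enable-azure-keyvault-kms" check and has no decorator_mode branch, so if the public getter is reached on an update that does not enable KMS it is a hard error rather than a no-op; the call sites are outside the section, so this should be confirmed. The enclosing methods of the first, second and fourth hunks start before and continue past the visible lines.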
29 changes: 14 additions & 15 deletions src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py
Expand Up @@ -4024,12 +4024,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group,

create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_0),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

key = self.cmd(create_key, checks=[
Expand All @@ -4043,13 +4044,13 @@ def test_aks_create_with_azurekeyvaultkms_public_key_vault(self, resource_group,

# Rotate key
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id_1),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

# delete
Expand Down Expand Up @@ -4117,11 +4118,13 @@ def test_aks_update_with_azurekeyvaultkms_public_key_vault(self, resource_group,
])

update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview -o json'
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', 'Public')
])

# delete
Expand Down Expand Up @@ -4201,7 +4204,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4236,7 +4238,6 @@ def test_aks_create_with_azurekeyvaultkms_private_key_vault(self, resource_group
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4330,7 +4331,6 @@ def test_aks_update_with_azurekeyvaultkms_private_key_vault(self, resource_group
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4417,7 +4417,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s
'--assign-identity {identity_id} --enable-private-cluster ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4453,7 +4452,6 @@ def test_aks_create_with_azurekeyvaultkms_private_cluster_v1_private_key_vault(s
update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} ' \
'--azure-keyvault-kms-key-vault-network-access=Private --azure-keyvault-kms-key-vault-resource-id {kv_resource_id} ' \
'--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
Expand Down Expand Up @@ -4521,16 +4519,17 @@ def test_aks_disable_azurekeyvaultkms(self, resource_group, resource_group_locat

create_cmd = 'aks create --resource-group={resource_group} --name={name} ' \
'--assign-identity {identity_id} ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--enable-azure-keyvault-kms --azure-keyvault-kms-key-id={key_id} --azure-keyvault-kms-key-vault-network-access=Public ' \
'--ssh-key-value={ssh_key_value} -o json'
self.cmd(create_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
self.check('securityProfile.azureKeyVaultKms.enabled', True),
self.check('securityProfile.azureKeyVaultKms.keyId', key_id)
self.check('securityProfile.azureKeyVaultKms.keyId', key_id),
self.check('securityProfile.azureKeyVaultKms.keyVaultNetworkAccess', "Public")
])

update_cmd = 'aks update --resource-group={resource_group} --name={name} ' \
'--disable-azure-keyvault-kms --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureKeyVaultKmsPreview ' \
'--disable-azure-keyvault-kms ' \
'-o json'
self.cmd(update_cmd, checks=[
self.check('provisioningState', 'Succeeded'),
