mgmt, AKS, support disk encryption set (Azure#27768)

* support disk encryption set in AKS

* extract common test base for disk encryption set

* add test case

* modify TestBase to enable record/replace for vault/storage

* fix key/secret client version at 7.2

Author: weidongxu-microsoft

sdk/resourcemanager/azure-resourcemanager-containerservice/CHANGELOG.md

@@ -7,6 +7,7 @@
 - Supported disabling Kubernetes Role-Based Access Control for `KubernetesCluster` during create.
 - Supported enabling Azure AD integration for `KubernetesCluster`.
 - Supported disabling local accounts for `KubernetesCluster`.
+- Supported disk encryption set for `KubernetesCluster`.
 
 ### Other Changes
 

sdk/resourcemanager/azure-resourcemanager-containerservice/src/main/java/com/azure/resourcemanager/containerservice/implementation/KubernetesClusterImpl.java

@@ -262,6 +262,11 @@ public boolean isAzureRbacEnabled() {
             && ResourceManagerUtils.toPrimitiveBoolean(innerModel().aadProfile().enableAzureRbac());
     }
 
+    @Override
+    public String diskEncryptionSetId() {
+        return innerModel().diskEncryptionSetId();
+    }
+
     @Override
     public void start() {
         this.startAsync().block();
@@ -546,6 +551,12 @@ public KubernetesCluster.DefinitionStages.WithCreate disableKubernetesRbac() {
         return this;
     }
 
+    @Override
+    public KubernetesCluster.DefinitionStages.WithCreate withDiskEncryptionSet(String diskEncryptionSetId) {
+        this.innerModel().withDiskEncryptionSetId(diskEncryptionSetId);
+        return this;
+    }
+
     private static final class PrivateLinkResourceImpl implements PrivateLinkResource {
         private final PrivateLinkResourceInner innerModel;
 

sdk/resourcemanager/azure-resourcemanager-containerservice/src/main/java/com/azure/resourcemanager/containerservice/models/KubernetesCluster.java

@@ -110,6 +110,9 @@ public interface KubernetesCluster
     /** @return whether Azure Role-Based Access Control for Kubernetes authorization is enabled. */
     boolean isAzureRbacEnabled();
 
+    /** @return resource ID of the disk encryption set. */
+    String diskEncryptionSetId();
+
     // Actions
 
     /**
@@ -517,6 +520,17 @@ interface WithLocalAccounts {
             WithCreate disableLocalAccounts();
         }
 
+        /** The stage of the Kubernetes cluster definition allowing to specify disk encryption. */
+        interface WithDiskEncryption {
+            /**
+             * Specifies the disk encryption set for the disk in cluster.
+             *
+             * @param diskEncryptionSetId the ID of disk encryption set.
+             * @return the next stage of the definition
+             */
+            WithCreate withDiskEncryptionSet(String diskEncryptionSetId);;
+        }
+
         /**
          * The stage of the definition which contains all the minimum required inputs for the resource to be created,
          * but also allows for any other optional settings to be specified.
@@ -533,6 +547,7 @@ interface WithCreate
                 WithRBAC,
                 WithAAD,
                 WithLocalAccounts,
+                WithDiskEncryption,
                 Resource.DefinitionWithTags<WithCreate> {
         }
     }

sdk/resourcemanager/azure-resourcemanager-keyvault/src/main/java/com/azure/resourcemanager/keyvault/implementation/KeyImpl.java

@@ -12,6 +12,7 @@
 import com.azure.resourcemanager.resources.fluentcore.utils.ResourceManagerUtils;
 import com.azure.security.keyvault.keys.cryptography.CryptographyAsyncClient;
 import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
+import com.azure.security.keyvault.keys.cryptography.CryptographyServiceVersion;
 import com.azure.security.keyvault.keys.cryptography.models.DecryptResult;
 import com.azure.security.keyvault.keys.cryptography.models.EncryptResult;
 import com.azure.security.keyvault.keys.cryptography.models.EncryptionAlgorithm;
@@ -84,6 +85,7 @@ private void init(boolean createNewCryptographyClient) {
                     new CryptographyClientBuilder()
                         .keyIdentifier(innerModel().getId())
                         .pipeline(vault.vaultHttpPipeline())
+                        .serviceVersion(CryptographyServiceVersion.V7_2)
                         .buildAsyncClient();
             }
         }

sdk/resourcemanager/azure-resourcemanager-keyvault/src/main/java/com/azure/resourcemanager/keyvault/implementation/VaultImpl.java

@@ -39,8 +39,10 @@
 import com.azure.resourcemanager.resources.fluentcore.utils.ResourceManagerUtils;
 import com.azure.security.keyvault.keys.KeyAsyncClient;
 import com.azure.security.keyvault.keys.KeyClientBuilder;
+import com.azure.security.keyvault.keys.KeyServiceVersion;
 import com.azure.security.keyvault.secrets.SecretAsyncClient;
 import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.azure.security.keyvault.secrets.SecretServiceVersion;
 import reactor.core.publisher.Mono;
 
 import java.util.ArrayList;
@@ -89,11 +91,13 @@ private void init() {
                 new SecretClientBuilder()
                     .vaultUrl(vaultUrl)
                     .pipeline(vaultHttpPipeline)
+                    .serviceVersion(SecretServiceVersion.V7_2)
                     .buildAsyncClient();
             this.keyClient =
                 new KeyClientBuilder()
                     .vaultUrl(vaultUrl)
                     .pipeline(vaultHttpPipeline)
+                    .serviceVersion(KeyServiceVersion.V7_2)
                     .buildAsyncClient();
         }
     }

sdk/resourcemanager/azure-resourcemanager-test/src/main/java/com/azure/resourcemanager/test/ResourceManagerTestBase.java

@@ -55,6 +55,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 /**
@@ -288,8 +289,14 @@ protected void beforeTest() {
 
             textReplacementRules.put(testProfile.getSubscriptionId(), ZERO_SUBSCRIPTION);
             textReplacementRules.put(testProfile.getTenantId(), ZERO_TENANT);
-            textReplacementRules.put(AzureEnvironment.AZURE.getResourceManagerEndpoint(), PLAYBACK_URI + "/");
-            textReplacementRules.put(AzureEnvironment.AZURE.getMicrosoftGraphEndpoint(), PLAYBACK_URI + "/");
+            // ARM endpoint
+            textReplacementRules.put(Pattern.quote(AzureEnvironment.AZURE.getResourceManagerEndpoint()), PLAYBACK_URI + "/");
+            // MSGraph endpoint
+            textReplacementRules.put(Pattern.quote(AzureEnvironment.AZURE.getMicrosoftGraphEndpoint()), PLAYBACK_URI + "/");
+            // vault endpoint
+            textReplacementRules.put("https://[a-zA-Z0-9]+?" + AzureEnvironment.AZURE.getKeyVaultDnsSuffix().replace(".", "\\.") + "/", PLAYBACK_URI + "/");
+            // storage account endpoint
+            textReplacementRules.put("https://[a-zA-Z0-9]+?" + AzureEnvironment.AZURE.getStorageEndpointSuffix().replace(".", "\\.") + "/", PLAYBACK_URI + "/");
             addTextReplacementRules(textReplacementRules);
         }
         initializeClients(httpPipeline, testProfile);

sdk/resourcemanager/azure-resourcemanager/src/test/java/com/azure/resourcemanager/DiskEncryptionTestBase.java

@@ -0,0 +1,137 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.resourcemanager;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.http.HttpClient;
+import com.azure.core.http.HttpPipeline;
+import com.azure.core.http.policy.HttpLogOptions;
+import com.azure.core.http.policy.HttpPipelinePolicy;
+import com.azure.core.http.policy.RetryPolicy;
+import com.azure.core.management.Region;
+import com.azure.core.management.profile.AzureProfile;
+import com.azure.resourcemanager.authorization.models.BuiltInRole;
+import com.azure.resourcemanager.compute.fluent.models.DiskEncryptionSetInner;
+import com.azure.resourcemanager.compute.models.DiskEncryptionSetIdentityType;
+import com.azure.resourcemanager.compute.models.DiskEncryptionSetType;
+import com.azure.resourcemanager.compute.models.EncryptionSetIdentity;
+import com.azure.resourcemanager.compute.models.KeyForDiskEncryptionSet;
+import com.azure.resourcemanager.compute.models.SourceVault;
+import com.azure.resourcemanager.keyvault.models.Key;
+import com.azure.resourcemanager.keyvault.models.Vault;
+import com.azure.resourcemanager.resources.fluentcore.utils.HttpPipelineProvider;
+import com.azure.resourcemanager.resources.fluentcore.utils.ResourceManagerUtils;
+import com.azure.resourcemanager.test.ResourceManagerTestBase;
+import com.azure.resourcemanager.test.utils.TestDelayProvider;
+import com.azure.resourcemanager.test.utils.TestIdentifierProvider;
+import com.azure.security.keyvault.keys.models.KeyType;
+
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+import java.util.List;
+
+public class DiskEncryptionTestBase extends ResourceManagerTestBase {
+
+    protected AzureResourceManager azureResourceManager;
+
+    protected String rgName = "";
+    protected final Region region = Region.US_EAST;
+
+    @Override
+    protected HttpPipeline buildHttpPipeline(
+        TokenCredential credential,
+        AzureProfile profile,
+        HttpLogOptions httpLogOptions,
+        List<HttpPipelinePolicy> policies,
+        HttpClient httpClient) {
+        return HttpPipelineProvider.buildHttpPipeline(
+            credential,
+            profile,
+            null,
+            httpLogOptions,
+            null,
+            new RetryPolicy("Retry-After", ChronoUnit.SECONDS),
+            policies,
+            httpClient);
+    }
+
+    @Override
+    protected void initializeClients(HttpPipeline httpPipeline, AzureProfile profile) {
+        ResourceManagerUtils.InternalRuntimeContext.setDelayProvider(new TestDelayProvider(!isPlaybackMode()));
+        ResourceManagerUtils.InternalRuntimeContext internalContext = new ResourceManagerUtils.InternalRuntimeContext();
+        internalContext.setIdentifierFunction(name -> new TestIdentifierProvider(testResourceNamer));
+        azureResourceManager = buildManager(AzureResourceManager.class, httpPipeline, profile);
+        setInternalContext(internalContext, azureResourceManager);
+
+        rgName = generateRandomResourceName("javacsmrg", 15);
+    }
+
+    @Override
+    protected void cleanUpResources() {
+        try {
+            azureResourceManager.resourceGroups().beginDeleteByName(rgName);
+        } catch (Exception e) {
+        }
+    }
+
+    protected static final class VaultAndKey {
+        private final Vault vault;
+        private final Key key;
+
+        private VaultAndKey(Vault vault, Key key) {
+            this.vault = vault;
+            this.key = key;
+        }
+    }
+
+    protected VaultAndKey createVaultAndKey(String name, String clientId) {
+        // create vault
+        Vault vault = azureResourceManager.vaults().define(name)
+            .withRegion(region)
+            .withNewResourceGroup(rgName)
+            .withRoleBasedAccessControl()
+            .withPurgeProtectionEnabled()
+            .create();
+
+        // RBAC for this app
+        String rbacName = generateRandomUuid();
+        azureResourceManager.accessManagement().roleAssignments().define(rbacName)
+            .forServicePrincipal(clientId)
+            .withBuiltInRole(BuiltInRole.KEY_VAULT_ADMINISTRATOR)
+            .withResourceScope(vault)
+            .create();
+        // wait for propagation time
+        ResourceManagerUtils.sleep(Duration.ofMinutes(1));
+
+        // create key
+        Key key = vault.keys().define("key1")
+            .withKeyTypeToCreate(KeyType.RSA)
+            .withKeySize(4096)
+            .create();
+
+        return new VaultAndKey(vault, key);
+    }
+
+    protected DiskEncryptionSetInner createDiskEncryptionSet(String name, DiskEncryptionSetType type, VaultAndKey vaultAndKey) {
+        // create disk encryption set
+        DiskEncryptionSetInner diskEncryptionSet = azureResourceManager.disks().manager().serviceClient()
+            .getDiskEncryptionSets().createOrUpdate(rgName, name, new DiskEncryptionSetInner()
+                .withLocation(region.name())
+                .withEncryptionType(type)
+                .withIdentity(new EncryptionSetIdentity().withType(DiskEncryptionSetIdentityType.SYSTEM_ASSIGNED))
+                .withActiveKey(new KeyForDiskEncryptionSet()
+                    .withSourceVault(new SourceVault().withId(vaultAndKey.vault.id()))
+                    .withKeyUrl(vaultAndKey.key.id())));
+
+        // RBAC for disk encryption set
+        String rbacName = generateRandomUuid();
+        azureResourceManager.accessManagement().roleAssignments().define(rbacName)
+            .forObjectId(diskEncryptionSet.identity().principalId())
+            .withBuiltInRole(BuiltInRole.KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER)
+            .withResourceScope(vaultAndKey.vault)
+            .create();
+
+        return diskEncryptionSet;
+    }
+}

sdk/resourcemanager/azure-resourcemanager/src/test/java/com/azure/resourcemanager/KubernetesEncryptionTests.java

@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.resourcemanager;
+
+import com.azure.resourcemanager.compute.fluent.models.DiskEncryptionSetInner;
+import com.azure.resourcemanager.compute.models.DiskEncryptionSetType;
+import com.azure.resourcemanager.containerservice.models.AgentPoolMode;
+import com.azure.resourcemanager.containerservice.models.ContainerServiceVMSizeTypes;
+import com.azure.resourcemanager.containerservice.models.KubernetesCluster;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.util.Locale;
+
+public class KubernetesEncryptionTests extends DiskEncryptionTestBase {
+
+    @Test
+    public void canCreateClusterWithDiskEncryption() {
+        final String clientId = this.clientIdFromFile();
+
+        // create vault and key
+        final String vaultName = generateRandomResourceName("kv", 8);
+        VaultAndKey vaultAndKey = createVaultAndKey(vaultName, clientId);
+
+        // create disk encryption set
+        DiskEncryptionSetInner diskEncryptionSet = createDiskEncryptionSet("des1",
+            DiskEncryptionSetType.ENCRYPTION_AT_REST_WITH_PLATFORM_AND_CUSTOMER_KEYS, vaultAndKey);
+
+        final String aksName = generateRandomResourceName("aks", 15);
+        final String dnsPrefix = generateRandomResourceName("dns", 10);
+        final String agentPoolName = generateRandomResourceName("ap0", 10);
+
+        // create
+        KubernetesCluster kubernetesCluster = azureResourceManager
+            .kubernetesClusters()
+            .define(aksName)
+            .withRegion(region)
+            .withNewResourceGroup(rgName)
+            .withDefaultVersion()
+            .withSystemAssignedManagedServiceIdentity()
+            .disableLocalAccounts()
+            .withDiskEncryptionSet(diskEncryptionSet.id())
+            .defineAgentPool(agentPoolName)
+                .withVirtualMachineSize(ContainerServiceVMSizeTypes.STANDARD_D2_V3)
+                .withAgentPoolVirtualMachineCount(1)
+                .withAgentPoolMode(AgentPoolMode.SYSTEM)
+                .withOSDiskSizeInGB(30)
+                .attach()
+            .withDnsPrefix("mp1" + dnsPrefix)
+            .create();
+
+        Assertions.assertEquals(diskEncryptionSet.id().toLowerCase(Locale.ROOT), kubernetesCluster.diskEncryptionSetId().toLowerCase(Locale.ROOT));
+    }
+}