[AKS] Add Key Management Service feature for AKS to encrypt the Kubernetes data in etcd using Azure Key Vault with KMS plugin

linter_exclusions.yml

@@ -321,6 +321,18 @@ aks create:
     assign_kubelet_identity:
       rule_exclusions:
       - option_length_too_long
+    enable_azure_keyvault_kms:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_id:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_vault_network_access:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_vault_resource_id:
+      rule_exclusions:
+        - option_length_too_long
 aks enable-addons:
   parameters:
     workspace_resource_id:
@@ -371,6 +383,21 @@ aks update:
     enable_managed_identity:
       rule_exclusions:
       - option_length_too_long
+    enable_azure_keyvault_kms:
+      rule_exclusions:
+        - option_length_too_long
+    disable_azure_keyvault_kms:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_id:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_vault_network_access:
+      rule_exclusions:
+        - option_length_too_long
+    azure_keyvault_kms_key_vault_resource_id:
+      rule_exclusions:
+        - option_length_too_long
 aks update-credentials:
   parameters:
     aad_server_app_secret:

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -113,6 +113,10 @@
 CONST_SECRET_ROTATION_ENABLED = "enableSecretRotation"
 CONST_ROTATION_POLL_INTERVAL = "rotationPollInterval"
 
+# azure keyvault kms
+CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC = "Public"
+CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE = "Private"
+
 # all supported addons
 ADDONS = {
     'http_application_routing': CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME,

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -531,6 +531,20 @@
   - name: --host-group-id
     type: string
     short-summary: The fully qualified dedicated host group id used to provision agent node pool.
+  - name: --enable-azure-keyvault-kms
+    type: bool
+    short-summary: Enable Azure KeyVault Key Management Service.
+  - name: --azure-keyvault-kms-key-id
+    type: string
+    short-summary: Identifier of Azure Key Vault key.
+  - name: --azure-keyvault-kms-key-vault-network-access
+    type: string
+    short-summary: Network Access of Azure Key Vault.
+    long-summary: Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
+  - name: --azure-keyvault-kms-key-vault-resource-id
+    type: string
+    short-summary: Resource ID of Azure Key Vault.
+
 examples:
   - name: Create a Kubernetes cluster with an existing SSH public key.
     text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -758,6 +772,22 @@
   - name: --defender-config
     type: string
     short-summary: Path to JSON file containing Microsoft Defender profile configurations.
+  - name: --enable-azure-keyvault-kms
+    type: bool
+    short-summary: Enable Azure KeyVault Key Management Service.
+  - name: --disable-azure-keyvault-kms
+    type: bool
+    short-summary: Disable Azure KeyVault Key Management Service.
+  - name: --azure-keyvault-kms-key-id
+    type: string
+    short-summary: Identifier of Azure Key Vault key.
+  - name: --azure-keyvault-kms-key-vault-network-access
+    type: string
+    short-summary: Network Access of Azure Key Vault.
+    long-summary: Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
+  - name: --azure-keyvault-kms-key-vault-resource-id
+    type: string
+    short-summary: Resource ID of Azure Key Vault.
 
 examples:
   - name: Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -23,7 +23,8 @@
     CONST_RAPID_UPGRADE_CHANNEL, CONST_SCALE_DOWN_MODE_DEALLOCATE,
     CONST_SCALE_DOWN_MODE_DELETE, CONST_SCALE_SET_PRIORITY_REGULAR,
     CONST_SCALE_SET_PRIORITY_SPOT, CONST_SPOT_EVICTION_POLICY_DEALLOCATE,
-    CONST_SPOT_EVICTION_POLICY_DELETE, CONST_STABLE_UPGRADE_CHANNEL)
+    CONST_SPOT_EVICTION_POLICY_DELETE, CONST_STABLE_UPGRADE_CHANNEL,
+    CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE)
 from azure.cli.command_modules.acs._validators import (
     validate_acr, validate_assign_identity, validate_assign_kubelet_identity,
     validate_create_parameters, validate_credential_format,
@@ -43,7 +44,8 @@
     validate_vm_set_type, validate_vnet_subnet_id,
     validate_keyvault_secrets_provider_disable_and_enable_parameters,
     validate_defender_disable_and_enable_parameters, validate_defender_config_parameter,
-    validate_host_group_id)
+    validate_host_group_id,
+    validate_azure_keyvault_kms_key_id, validate_azure_keyvault_kms_key_vault_resource_id)
 from azure.cli.core.commands.parameters import (
     edge_zone_type, file_type, get_enum_type,
     get_resource_name_completion_list, get_three_state_flag, name_type,
@@ -111,6 +113,8 @@
 
 dev_space_endpoint_types = ['Public', 'Private', 'None']
 
+keyvault_network_access_types = [CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE]
+
 
 def load_arguments(self, _):
 
@@ -274,6 +278,10 @@ def load_arguments(self, _):
         c.argument('node_resource_group')
         c.argument('enable_defender', action='store_true')
         c.argument('defender_config', validator=validate_defender_config_parameter)
+        c.argument('enable_azure_keyvault_kms', action='store_true')
+        c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
+        c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types))
+        c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
         # addons
         c.argument('enable_addons', options_list=['--enable-addons', '-a'])
         c.argument('workspace_resource_id')
@@ -356,6 +364,11 @@ def load_arguments(self, _):
         c.argument('disable_defender', action='store_true', validator=validate_defender_disable_and_enable_parameters)
         c.argument('enable_defender', action='store_true')
         c.argument('defender_config', validator=validate_defender_config_parameter)
+        c.argument('enable_azure_keyvault_kms', action='store_true')
+        c.argument('disable_azure_keyvault_kms', action='store_true')
+        c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id)
+        c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types))
+        c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id)
         # addons
         c.argument('enable_secret_rotation', action='store_true')
         c.argument('disable_secret_rotation', action='store_true', validator=validate_keyvault_secrets_provider_disable_and_enable_parameters)

src/azure-cli/azure/cli/command_modules/acs/_validators.py

@@ -537,3 +537,27 @@ def validate_defender_config_parameter(namespace):
 def validate_defender_disable_and_enable_parameters(namespace):
     if namespace.disable_defender and namespace.enable_defender:
         raise ArgumentUsageError('Providing both --disable-defender and --enable-defender flags is invalid')
+
+
+def validate_azure_keyvault_kms_key_id(namespace):
+    key_id = namespace.azure_keyvault_kms_key_id
+    if key_id:
+        # pylint:disable=line-too-long
+        err_msg = '--azure-keyvault-kms-key-id is not a valid Key Vault key ID. See https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name'
+
+        https_prefix = "https://"
+        if not key_id.startswith(https_prefix):
+            raise InvalidArgumentValueError(err_msg)
+
+        segments = key_id[len(https_prefix):].split("/")
+        if len(segments) != 4 or segments[1] != "keys":
+            raise InvalidArgumentValueError(err_msg)
+
+
+def validate_azure_keyvault_kms_key_vault_resource_id(namespace):
+    key_vault_resource_id = namespace.azure_keyvault_kms_key_vault_resource_id
+    if key_vault_resource_id is None or key_vault_resource_id == '':
+        return
+    from msrestazure.tools import is_valid_resource_id
+    if not is_valid_resource_id(key_vault_resource_id):
+        raise InvalidArgumentValueError("--azure-keyvault-kms-key-vault-resource-id is not a valid Azure resource ID.")

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -1533,6 +1533,10 @@ def aks_create(
     node_resource_group=None,
     enable_defender=False,
     defender_config=None,
+    enable_azure_keyvault_kms=False,
+    azure_keyvault_kms_key_id=None,
+    azure_keyvault_kms_key_vault_network_access=None,
+    azure_keyvault_kms_key_vault_resource_id=None,
     # addons
     enable_addons=None,
     workspace_resource_id=None,
@@ -1639,6 +1643,11 @@ def aks_update(
     enable_defender=False,
     disable_defender=False,
     defender_config=None,
+    enable_azure_keyvault_kms=False,
+    disable_azure_keyvault_kms=False,
+    azure_keyvault_kms_key_id=None,
+    azure_keyvault_kms_key_vault_network_access=None,
+    azure_keyvault_kms_key_vault_resource_id=None,
     # addons
     enable_secret_rotation=False,
     disable_secret_rotation=False,