Closed Kun483 closed 4 weeks ago
This should be possible already with the new ASO-based API by applying a patch like this (filling in the details to point to your KeyVault) to the AKS ASO flavor template at https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/ca18c2c818db69d8c2314ea3c68a8e5c3e00b968/templates/cluster-template-aks-aso.yaml.
You'll also need to invoke clusterctl init when installing CAPZ with the ADDITIONAL_ASO_CRDS environment variable set to include compute.azure.com/DiskEncryptionSet.
diff --git a/templates/cluster-template-aks-aso.yaml b/templates/cluster-template-aks-aso.yaml
index 29f77594e..7f86dbd61 100644
--- a/templates/cluster-template-aks-aso.yaml
+++ b/templates/cluster-template-aks-aso.yaml
@@ -37,6 +37,29 @@ spec:
name: ${CLUSTER_NAME}
servicePrincipalProfile:
clientId: msi
+ diskEncryptionSetReference:
+ group: compute.azure.com
+ kind: DiskEncryptionSet
+ name: ${CLUSTER_NAME}
+ - apiVersion: compute.azure.com/v1api20220702
+ kind: DiskEncryptionSet
+ metadata:
+ name: ${CLUSTER_NAME}
+ spec:
+ activeKey:
+ keyUrl: https://aso-sample-kv.vault.azure.net/keys/testkey/{version}
+ sourceVault:
+ reference:
+ armId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}
+ encryptionType: EncryptionAtRestWithCustomerKey
+ identity:
+ type: SystemAssigned
+ location: ${AZURE_LOCATION}
+ owner:
+ name: ${CLUSTER_NAME}
version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
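Review bot: the DiskEncryptionSet spec in this hunk still carries unfilled `{version}`, `{subscriptionId}`, `{resourceGroupName}` and `{vaultName}` placeholders plus a hard-coded vault host (`aso-sample-kv.vault.azure.net`), so the template will not apply as written; consider expressing them as clusterctl variables in the same style as the surrounding `${CLUSTER_NAME}` and `${AZURE_LOCATION}`. Also, with `identity: type: SystemAssigned` the DiskEncryptionSet's managed identity has to be granted key access (get, wrapKey, unwrapKey, or the equivalent Key Vault RBAC role) on the referenced vault before AKS can use the set, and nothing in the patch or the accompanying comment covers that step. Finally, the indentation is lost as rendered here, so it is not possible to confirm that `diskEncryptionSetReference` sits at the ManagedCluster `spec` level rather than under `servicePrincipalProfile`; worth double-checking in the actual file.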
/close
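A pre-flight check for the two steps in the comment above (an added example, not CAPZ's own tooling): it verifies that ADDITIONAL_ASO_CRDS lists the DiskEncryptionSet CRD and that no `{...}` placeholders from the sample patch are left unfilled in the template. It assumes ADDITIONAL_ASO_CRDS separates entries with `;` or `,`, and that `${VAR}` tokens are clusterctl variables that are meant to stay in the template.

```shell
#!/bin/sh
# Pre-flight checks before applying the patched AKS ASO template.
# Added example; not CAPZ's own tooling. Assumptions: ADDITIONAL_ASO_CRDS
# holds "group/Kind" entries separated by ";" or ",", and "${VAR}" tokens are
# clusterctl variables that are meant to stay in the template.

# Succeed (exit 0) when the CRD entry $2 is listed in the value $1.
aso_crds_include() {
    printf '%s\n' "$1" | tr ';,' '\n\n' | grep -qxF "$2"
}

# Print each distinct {placeholder} token that is not a ${VAR} template
# variable, e.g. {version} or {subscriptionId}, found in the file $1.
unfilled_placeholders() {
    grep -oE '\$?[{][A-Za-z][A-Za-z0-9]*[}]' "$1" | grep -v '^[$]' | sort -u
}

# Count those tokens; 0 means the template is fully filled in.
placeholder_count() {
    unfilled_placeholders "$1" | wc -l | tr -d ' '
}

# Run both checks; print findings and return 1 if anything is wrong.
preflight() {
    crds=$1 template=$2 ok=0
    if ! aso_crds_include "$crds" compute.azure.com/DiskEncryptionSet; then
        echo "ADDITIONAL_ASO_CRDS does not list compute.azure.com/DiskEncryptionSet"
        ok=1
    fi
    if [ "$(placeholder_count "$template")" -ne 0 ]; then
        echo "unfilled placeholders in $template:"
        unfilled_placeholders "$template" | sed 's/^/  /'
        ok=1
    fi
    return $ok
}

# Demo on a constructed excerpt of the DiskEncryptionSet from the patch above.
DEMO=$(mktemp)
cat >"$DEMO" <<'EOF'
    name: ${CLUSTER_NAME}
    keyUrl: https://aso-sample-kv.vault.azure.net/keys/testkey/{version}
    armId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}
EOF
preflight "${ADDITIONAL_ASO_CRDS:-compute.azure.com/DiskEncryptionSet}" "$DEMO"
rm -f "$DEMO"
```

Run it against the real template path and your exported ADDITIONAL_ASO_CRDS value before clusterctl init; the demo excerpt reports four unfilled placeholders.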
@nojnhuh: Closing this issue.
/kind feature
Describe the solution you'd like: We can implement a diskEncryptionSets field in the AKS cluster just like we did in Azure IaaS. In this case, we can make the AKS encryption type Encryption at rest with customer-managed key. Customer-managed key is supported in AKS when creating it using the Azure CLI.
Anything else you would like to add:
Environment:
kubectl version (e.g. kubectl version): 1.29.9
OS (e.g. from /etc/os-release):