From 51bde0dbbec2bf90a18ad3fda5bdf3b127c94c3a Mon Sep 17 00:00:00 2001
From: Andy Zhang
Date: Thu, 9 Apr 2020 08:38:03 +0800
Subject: [PATCH] feat: EncryptionAtHost support (#3041)

---
 pkg/api/converterfromapi.go |  2 ++
 pkg/api/convertertoapi.go   |  2 ++
 pkg/api/types.go            |  2 ++
 pkg/api/types_test.go       | 58 ++++++++++++++++++++++++++++++-------
 pkg/api/vlabs/types.go      |  2 ++
 pkg/api/vlabs/types_test.go | 14 +++++++--
 6 files changed, 67 insertions(+), 13 deletions(-)

diff --git a/pkg/api/converterfromapi.go b/pkg/api/converterfromapi.go
index 1c0ae575a..a0fd59f70 100644
--- a/pkg/api/converterfromapi.go
+++ b/pkg/api/converterfromapi.go
@@ -523,6 +523,7 @@ func convertMasterProfileToVLabs(api *MasterProfile, vlabsProfile *vlabs.MasterP
 	vlabsProfile.CosmosEtcd = api.CosmosEtcd
 	vlabsProfile.AuditDEnabled = api.AuditDEnabled
 	vlabsProfile.UltraSSDEnabled = api.UltraSSDEnabled
+	vlabsProfile.EncryptionAtHost = api.EncryptionAtHost
 	convertCustomFilesToVlabs(api, vlabsProfile)
 	vlabsProfile.SysctlDConfig = map[string]string{}
 	for key, val := range api.SysctlDConfig {
@@ -574,6 +575,7 @@ func convertAgentPoolProfileToVLabs(api *AgentPoolProfile, p *vlabs.AgentPoolPro
 	p.AuditDEnabled = api.AuditDEnabled
 	p.UltraSSDEnabled = api.UltraSSDEnabled
 	p.DiskEncryptionSetID = api.DiskEncryptionSetID
+	p.EncryptionAtHost = api.EncryptionAtHost
 
 	for k, v := range api.CustomNodeLabels {
 		p.CustomNodeLabels[k] = v
diff --git a/pkg/api/convertertoapi.go b/pkg/api/convertertoapi.go
index 0243f85e5..eb710ca90 100644
--- a/pkg/api/convertertoapi.go
+++ b/pkg/api/convertertoapi.go
@@ -579,6 +579,7 @@ func convertVLabsMasterProfile(vlabs *vlabs.MasterProfile, api *MasterProfile) {
 	api.SinglePlacementGroup = vlabs.SinglePlacementGroup
 	api.CosmosEtcd = vlabs.CosmosEtcd
 	api.UltraSSDEnabled = vlabs.UltraSSDEnabled
+	api.EncryptionAtHost = vlabs.EncryptionAtHost
 	api.AuditDEnabled = vlabs.AuditDEnabled
 	convertCustomFilesToAPI(vlabs, api)
 	api.SysctlDConfig = map[string]string{}
@@ -620,6 +621,7 @@ func convertVLabsAgentPoolProfile(vlabs *vlabs.AgentPoolProfile, api *AgentPoolP
 	api.AuditDEnabled = vlabs.AuditDEnabled
 	api.DiskEncryptionSetID = vlabs.DiskEncryptionSetID
 	api.UltraSSDEnabled = vlabs.UltraSSDEnabled
+	api.EncryptionAtHost = vlabs.EncryptionAtHost
 	api.CustomNodeLabels = map[string]string{}
 
 	for k, v := range vlabs.CustomNodeLabels {
diff --git a/pkg/api/types.go b/pkg/api/types.go
index 43486ba60..a7e40dd3c 100644
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -572,6 +572,7 @@ type MasterProfile struct {
 	SinglePlacementGroup *bool `json:"singlePlacementGroup,omitempty"`
 	AuditDEnabled *bool `json:"auditDEnabled,omitempty"`
 	UltraSSDEnabled *bool `json:"ultraSSDEnabled,omitempty"`
+	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
 	CustomVMTags map[string]string `json:"customVMTags,omitempty"`
 	// Master LB public endpoint/FQDN with port
 	// The format will be FQDN:2376
@@ -658,6 +659,7 @@ type AgentPoolProfile struct {
 	DiskEncryptionSetID string `json:"diskEncryptionSetID,omitempty"`
 	SysctlDConfig map[string]string `json:"sysctldConfig,omitempty"`
 	UltraSSDEnabled *bool `json:"ultraSSDEnabled,omitempty"`
+	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
 }
 
 // AgentPoolProfileRole represents an agent role
diff --git a/pkg/api/types_test.go b/pkg/api/types_test.go
index 47d14785c..7395db769 100644
--- a/pkg/api/types_test.go
+++ b/pkg/api/types_test.go
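Review bot: The new `EncryptionAtHost` fields on MasterProfile and AgentPoolProfile at @@ -572 and @@ -658 (and their vlabs counterparts in pkg/api/vlabs/types.go at @@ -438 and @@ -509) carry no doc comment, and per the diffstat no file outside pkg/api changes, so as committed the flag is parsed, converted and round-tripped but nothing generates or validates anything from it. A user who sets `encryptionAtHost: true` therefore gets neither the encryption they asked for nor an error, which is the worst outcome for a security setting. Until the template and validation wiring lands, I'd state that on the field: `// EncryptionAtHost requests encryption-at-host for the profile's VMs (presumably the Azure VM setting of that name); currently carried in the API model only and not yet applied to generated templates.` A matching comment belongs on the vlabs fields.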
@@ -684,17 +684,18 @@ func TestMasterProfileGetCosmosEndPointURI(t *testing.T) {
 
 func TestHasStorageProfile(t *testing.T) {
 	cases := []struct {
-		name string
-		p Properties
-		expectedHasMD bool
-		expectedHasSA bool
-		expectedMasterMD bool
-		expectedAgent0E bool
-		expectedAgent0MD bool
-		expectedPrivateJB bool
-		expectedHasDisks bool
-		expectedDesID string
-		expectedUltraSSDEnabled bool
+		name string
+		p Properties
+		expectedHasMD bool
+		expectedHasSA bool
+		expectedMasterMD bool
+		expectedAgent0E bool
+		expectedAgent0MD bool
+		expectedPrivateJB bool
+		expectedHasDisks bool
+		expectedDesID string
+		expectedUltraSSDEnabled bool
+		expectedEncryptionAtHost bool
 	}{
 		{
 			name: "Storage Account",
@@ -925,6 +926,35 @@ func TestHasStorageProfile(t *testing.T) {
 			expectedPrivateJB: false,
 			expectedUltraSSDEnabled: true,
 		},
+		{
+			name: "EncryptionAtHost setting",
+			p: Properties{
+				OrchestratorProfile: &OrchestratorProfile{
+					OrchestratorType: Kubernetes,
+				},
+				MasterProfile: &MasterProfile{
+					StorageProfile: ManagedDisks,
+					EncryptionAtHost: to.BoolPtr(true),
+				},
+				AgentPoolProfiles: []*AgentPoolProfile{
+					{
+						StorageProfile: ManagedDisks,
+						EncryptionAtHost: to.BoolPtr(true),
+					},
+					{
+						StorageProfile: ManagedDisks,
+						EncryptionAtHost: to.BoolPtr(true),
+					},
+				},
+			},
+			expectedHasMD: true,
+			expectedHasSA: false,
+			expectedMasterMD: true,
+			expectedAgent0MD: true,
+			expectedAgent0E: false,
+			expectedPrivateJB: false,
+			expectedEncryptionAtHost: true,
+		},
 	}
 
 	for _, c := range cases {
@@ -946,6 +976,9 @@ func TestHasStorageProfile(t *testing.T) {
 		if to.Bool(c.p.MasterProfile.UltraSSDEnabled) != c.expectedUltraSSDEnabled {
 			t.Fatalf("expected UltraSSDEnabled to return %v but instead returned %v", c.expectedUltraSSDEnabled, to.Bool(c.p.MasterProfile.UltraSSDEnabled))
 		}
+		if to.Bool(c.p.MasterProfile.EncryptionAtHost) != c.expectedEncryptionAtHost {
+			t.Fatalf("expected EncryptionAtHost to return %v but instead returned %v", c.expectedEncryptionAtHost, to.Bool(c.p.MasterProfile.EncryptionAtHost))
+		}
 		if c.p.AgentPoolProfiles[0].IsManagedDisks() != c.expectedAgent0MD {
 			t.Fatalf("expected IsManagedDisks() to return %t but instead returned %t", c.expectedAgent0MD, c.p.AgentPoolProfiles[0].IsManagedDisks())
 		}
@@ -968,6 +1001,9 @@ func TestHasStorageProfile(t *testing.T) {
 		if to.Bool(c.p.AgentPoolProfiles[0].UltraSSDEnabled) != c.expectedUltraSSDEnabled {
 			t.Fatalf("expected UltraSSDEnabled to return %v but instead returned %v", c.expectedUltraSSDEnabled, to.Bool(c.p.AgentPoolProfiles[0].UltraSSDEnabled))
 		}
+		if to.Bool(c.p.AgentPoolProfiles[0].EncryptionAtHost) != c.expectedEncryptionAtHost {
+			t.Fatalf("expected EncryptionAtHost to return %v but instead returned %v", c.expectedUltraSSDEnabled, to.Bool(c.p.AgentPoolProfiles[0].UltraSSDEnabled))
+		}
 		})
 	}
 }
diff --git a/pkg/api/vlabs/types.go b/pkg/api/vlabs/types.go
index ee4d64861..b83462ceb 100644
--- a/pkg/api/vlabs/types.go
+++ b/pkg/api/vlabs/types.go
@@ -438,6 +438,7 @@ type MasterProfile struct {
 	CustomVMTags map[string]string `json:"customVMTags,omitempty"`
 	SysctlDConfig map[string]string `json:"sysctldConfig,omitempty"`
 	UltraSSDEnabled *bool `json:"ultraSSDEnabled,omitempty"`
+	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
 
 	// subnet is internal
 	subnet string
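Review bot: The failure message in the agent-pool `EncryptionAtHost` check at @@ -968 prints the wrong values: the condition compares `EncryptionAtHost`, but the Fatalf arguments are `c.expectedUltraSSDEnabled` and `to.Bool(c.p.AgentPoolProfiles[0].UltraSSDEnabled)`, so a failing run would report the UltraSSD values and send whoever debugs it down the wrong path. The MasterProfile check at @@ -946 has it right; change the arguments to `c.expectedEncryptionAtHost, to.Bool(c.p.AgentPoolProfiles[0].EncryptionAtHost)`. Like the existing assertions, only `AgentPoolProfiles[0]` is checked, so the second pool in the new table case is never verified. The enclosing `t.Run` body starts outside this hunk.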
@@ -509,6 +510,7 @@ type AgentPoolProfile struct {
 	CustomVMTags map[string]string `json:"customVMTags,omitempty"`
 	DiskEncryptionSetID string `json:"diskEncryptionSetID,omitempty"`
 	UltraSSDEnabled *bool `json:"ultraSSDEnabled,omitempty"`
+	EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"`
 
 	// subnet is internal
 	subnet string
diff --git a/pkg/api/vlabs/types_test.go b/pkg/api/vlabs/types_test.go
index 2b31686ab..1504cf4cb 100644
--- a/pkg/api/vlabs/types_test.go
+++ b/pkg/api/vlabs/types_test.go
@@ -145,6 +145,10 @@ func TestAgentPoolProfile(t *testing.T) {
 		t.Fatalf("AgentPoolProfile.UltraSSDEnabled should be false by default")
 	}
 
+	if to.Bool(ap.EncryptionAtHost) {
+		t.Fatalf("AgentPoolProfile.EncryptionAtHost should be false by default")
+	}
+
 	// With osType Windows
 	AgentPoolProfileText = `{ "name": "linuxpool1", "osType" : "Windows", "count": 1, "vmSize": "Standard_D2_v2",
 "availabilityProfile": "AvailabilitySet", "storageProfile" : "ManagedDisks", "vnetSubnetID" : "12345" }`
@@ -167,7 +171,7 @@ func TestAgentPoolProfile(t *testing.T) {
 
 	// With osType Windows and Ephemeral disks
 	AgentPoolProfileText = `{ "name": "linuxpool1", "osType" : "Windows", "count": 1, "vmSize": "Standard_D2_v2",
-"availabilityProfile": "AvailabilitySet", "storageProfile" : "Ephemeral", "vnetSubnetID" : "12345", "diskEncryptionSetID": "diskEncryptionSetID", "ultraSSDEnabled": true }`
+"availabilityProfile": "AvailabilitySet", "storageProfile" : "Ephemeral", "vnetSubnetID" : "12345", "diskEncryptionSetID": "diskEncryptionSetID", "ultraSSDEnabled": true, "encryptionAtHost": true }`
 	ap = &AgentPoolProfile{}
 	if e := json.Unmarshal([]byte(AgentPoolProfileText), ap); e != nil {
 		t.Fatalf("unexpectedly detected unmarshal failure for AgentPoolProfile, %+v", e)
@@ -197,6 +201,9 @@ func TestAgentPoolProfile(t *testing.T) {
 		t.Fatalf("AgentPoolProfile.UltraSSDEnabled should be true after unmarshal")
 	}
 
+	if !to.Bool(ap.EncryptionAtHost) {
+		t.Fatalf("AgentPoolProfile.EncryptionAtHost should be true after unmarshal")
+	}
 	// With osType Linux and RHEL distro
 	AgentPoolProfileText = `{ "name": "linuxpool1", "osType" : "Linux", "distro" : "rhel", "count": 1, "vmSize": "Standard_D2_v2",
 "availabilityProfile": "AvailabilitySet", "storageProfile" : "ManagedDisks", "vnetSubnetID" : "12345", "diskEncryptionSetID": "diskEncryptionSetID" }`
@@ -231,7 +238,7 @@ func TestAgentPoolProfile(t *testing.T) {
 
 	// With VMSS and Spot VMs
 	AgentPoolProfileText = `{"name":"linuxpool1","osType":"Linux","distro":"rhel","count":1,"vmSize":"Standard_D2_v2",
-"availabilityProfile":"VirtualMachineScaleSets","scaleSetPriority":"Spot","ScaleSetEvictionPolicy":"Delete","SpotMaxPrice":88, "ultraSSDEnabled": true}`
+"availabilityProfile":"VirtualMachineScaleSets","scaleSetPriority":"Spot","ScaleSetEvictionPolicy":"Delete","SpotMaxPrice":88, "ultraSSDEnabled": true, "encryptionAtHost": true}`
 	ap = &AgentPoolProfile{}
 	if e := json.Unmarshal([]byte(AgentPoolProfileText), ap); e != nil {
 		t.Fatalf("unexpectedly detected unmarshal failure for AgentPoolProfile, %+v", e)
@@ -253,6 +260,9 @@ func TestAgentPoolProfile(t *testing.T) {
 		t.Fatalf("AgentPoolProfile.UltraSSDEnabled should be true after unmarshal")
 	}
 
+	if !to.Bool(ap.EncryptionAtHost) {
+		t.Fatalf("AgentPoolProfile.EncryptionAtHost should be true after unmarshal")
+	}
 	// With osType Linux and coreos distro
 	AgentPoolProfileText = `{ "name": "linuxpool1", "osType" : "Linux", "distro" : "coreos", "count": 1, "vmSize": "Standard_D2_v2",
 "availabilityProfile": "VirtualMachineScaleSets", "storageProfile" : "ManagedDisks", "diskSizesGB" : [750, 250, 600, 1000], "diskEncryptionSetID": "diskEncryptionSetID" }`
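Review bot: The new `EncryptionAtHost` blocks at @@ -197 and @@ -253 run straight into the following `// With osType Linux ...` comment with no separating blank line, whereas the one at @@ -145 in this file adds a `+` blank after its closing brace; add the blank after each `}` so the per-scenario sections stay visually separated as they are elsewhere in TestAgentPoolProfile. Separately, only AgentPoolProfile gets unmarshal coverage for `"encryptionAtHost"` here; the vlabs MasterProfile field added at @@ -438 has no equivalent check, so a mistyped json tag on it would go unnoticed by this test file. TestAgentPoolProfile begins and ends outside these hunks.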