aks-engine/pkg/engine/keyvaults.go


// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT license.
package engine
import (
"fmt"
"strings"
"github.com/Azure/aks-engine/pkg/api"
"github.com/Azure/go-autorest/autorest/to"
)
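// CreateKeyVaultVMAS returns the ARM resource for the cluster key vault when
// the control plane is deployed as individual master VMs (availability set).
// The vault's dependsOn list and access policies are shaped by how the
// cluster authenticates to Azure: a user-assigned managed identity, one
// system-assigned identity per master VM, or the cluster service principal.
// Every access policy grants the same set of key operations.
func CreateKeyVaultVMAS(cs *api.ContainerService) map[string]interface{} {
	keyVaultMap := map[string]interface{}{
		"type":       "Microsoft.KeyVault/vaults",
		"name":       "[variables('clusterKeyVaultName')]",
		"apiVersion": "[variables('apiVersionKeyVault')]",
		"location":   "[variables('location')]",
	}

	kubernetesConfig := cs.Properties.OrchestratorProfile.KubernetesConfig
	useManagedIdentity := to.Bool(kubernetesConfig.UseManagedIdentity)
	userAssignedIDEnabled := kubernetesConfig.UserAssignedIDEnabled()
	creatingNewUserAssignedIdentity := kubernetesConfig.ShouldCreateNewUserAssignedIdentity()
	masterCount := cs.Properties.MasterProfile.Count

	// All access policies on this vault carry identical key permissions. One
	// constructor keeps the three identity variants from drifting apart; it
	// returns a fresh value per call so the policies do not alias each other.
	newAccessPolicy := func(objectID string) map[string]interface{} {
		return map[string]interface{}{
			"tenantId": "[variables('tenantID')]",
			"objectId": objectID,
			"permissions": map[string]interface{}{
				"keys": []string{"create", "encrypt", "decrypt", "get", "list"},
			},
		}
	}

	var accessPolicies []interface{}
	switch {
	case useManagedIdentity && userAssignedIDEnabled:
		// The vault references the identity's principalId, so when this
		// deployment also creates the identity the vault must wait for it.
		var dependencies []string
		if creatingNewUserAssignedIdentity {
			dependencies = append(dependencies, "[variables('userAssignedIDReference')]")
		}
		// NOTE(review): for a pre-existing identity, dependencies stays nil and
		// serializes as "dependsOn": null — confirm the template engine accepts
		// that, otherwise omit the key when the list is empty.
		keyVaultMap["dependsOn"] = dependencies
		accessPolicies = append(accessPolicies,
			newAccessPolicy("[reference(variables('userAssignedIDReference'), variables('apiVersionManagedIdentity')).principalId]"))
	case useManagedIdentity:
		// System-assigned identities: one access policy per master VM. The
		// vault depends on each VM and on its 'vmidentity' role assignment,
		// presumably so the principalId reference below can be resolved.
		var dependencies []string
		for i := 0; i < masterCount; i++ {
			dependencies = append(dependencies,
				fmt.Sprintf("[concat('Microsoft.Compute/virtualMachines/', variables('masterVMNamePrefix'), '%d')]", i),
				fmt.Sprintf("[concat('Microsoft.Authorization/roleAssignments/', guid(concat('Microsoft.Compute/virtualMachines/', variables('masterVMNamePrefix'), '%d', 'vmidentity')))]", i),
			)
			// The compute API version is pinned inline here rather than read
			// from a template variable like the other API versions in this file.
			accessPolicies = append(accessPolicies,
				newAccessPolicy(fmt.Sprintf("[reference(concat('Microsoft.Compute/virtualMachines/', variables('masterVMNamePrefix'), '%d'), '2017-03-30', 'Full').identity.principalId]", i)))
		}
		keyVaultMap["dependsOn"] = dependencies
	default:
		// No managed identity: the cluster service principal is the grantee.
		accessPolicies = append(accessPolicies, newAccessPolicy("[parameters('servicePrincipalObjectId')]"))
	}

	keyVaultMap["properties"] = map[string]interface{}{
		"enabledForDeployment":         "false",
		"enabledForDiskEncryption":     "false",
		"enabledForTemplateDeployment": "false",
		"tenantId":                     "[variables('tenantID')]",
		"sku": map[string]interface{}{
			"name":   "[parameters('clusterKeyVaultSku')]",
			"family": "A",
		},
		"accessPolicies": accessPolicies,
	}
	return keyVaultMap
}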
// CreateKeyVaultVMSS returns the ARM resource for the cluster key vault when
// the control plane runs in a virtual machine scale set. A single access
// policy is emitted: its objectId is the user-assigned identity's principal
// when one is enabled, and the cluster service principal otherwise. Note that
// with a system-assigned identity the policy still names the service
// principal; no scale-set principal is added to the vault by this function.
func CreateKeyVaultVMSS(cs *api.ContainerService) map[string]interface{} {
	kubernetesConfig := cs.Properties.OrchestratorProfile.KubernetesConfig
	useManagedIdentity := to.Bool(kubernetesConfig.UseManagedIdentity)
	userAssignedIDEnabled := kubernetesConfig.UserAssignedIDEnabled()
	creatingNewUserAssignedIdentity := kubernetesConfig.ShouldCreateNewUserAssignedIdentity()

	// The service principal is the default grantee; it is replaced only when a
	// user-assigned identity is in use.
	principalObjectID := "[parameters('servicePrincipalObjectId')]"

	// With a managed identity the vault must wait for the master scale set,
	// and additionally for the identity when this deployment creates it.
	var dependencies []string
	if useManagedIdentity {
		dependencies = append(dependencies,
			"[concat('Microsoft.Compute/virtualMachineScaleSets/', variables('masterVMNamePrefix'), 'vmss')]")
		if userAssignedIDEnabled {
			if creatingNewUserAssignedIdentity {
				dependencies = append(dependencies, "[variables('userAssignedIDReference')]")
			}
			principalObjectID = "[reference(variables('userAssignedIDReference'), variables('apiVersionManagedIdentity')).principalId]"
		}
	}

	resource := map[string]interface{}{
		"type":       "Microsoft.KeyVault/vaults",
		"name":       "[variables('clusterKeyVaultName')]",
		"apiVersion": "[variables('apiVersionKeyVault')]",
		"location":   "[variables('location')]",
		"properties": map[string]interface{}{
			"enabledForDeployment":         "false",
			"enabledForDiskEncryption":     "false",
			"enabledForTemplateDeployment": "false",
			"tenantId":                     "[variables('tenantID')]",
			"sku": map[string]interface{}{
				"name":   "[parameters('clusterKeyVaultSku')]",
				"family": "A",
			},
			"accessPolicies": []interface{}{
				map[string]interface{}{
					"tenantId": "[variables('tenantID')]",
					"objectId": principalObjectID,
					"permissions": map[string]interface{}{
						"keys": []string{"create", "encrypt", "decrypt", "get", "list"},
					},
				},
			},
		},
	}
	// dependencies is non-empty exactly when a managed identity is used, so
	// dependsOn is only emitted in that case.
	if len(dependencies) > 0 {
		resource["dependsOn"] = dependencies
	}
	return resource
}
// CreateKeyVaultKey returns the ARM resource for the 'k8s' key held in the
// cluster key vault. The key is a 2048-bit RSA key whose operations are
// restricted to encrypt and decrypt; it becomes an HSM-protected key
// ("RSA-HSM") when the configured vault SKU is "premium" (matched
// case-insensitively). The resource depends on the vault itself.
func CreateKeyVaultKey(cs *api.ContainerService) map[string]interface{} {
	// The HSM-backed key type is selected only for the premium SKU.
	kty := "RSA"
	if strings.EqualFold(cs.Properties.OrchestratorProfile.KubernetesConfig.KeyVaultSku, "premium") {
		kty = "RSA-HSM"
	}

	return map[string]interface{}{
		"type":       "Microsoft.KeyVault/vaults/keys",
		"name":       "[concat(variables('clusterKeyVaultName'), '/', 'k8s')]",
		"apiVersion": "[variables('apiVersionKeyVault')]",
		"location":   "[variables('location')]",
		"dependsOn": []string{
			"[resourceId('Microsoft.KeyVault/vaults', variables('clusterKeyVaultName'))]",
		},
		"properties": map[string]interface{}{
			"kty":     kty,
			"keyOps":  []string{"encrypt", "decrypt"},
			"keySize": 2048,
		},
	}
}