[AKS] add AKS CMK argument in cluster creation (Azure#14688)

andyzhangx · web-flow · commit ee5b00e94d9f · 2020-08-14T10:27:15.000+08:00
diff --git a/linter_exclusions.yml b/linter_exclusions.yml
@@ -253,6 +253,9 @@ aks create:
     workspace_resource_id:
       rule_exclusions:
       - option_length_too_long
+    node_osdisk_diskencryptionset_id:
+      rule_exclusions:
+      - option_length_too_long
 aks enable-addons:
   parameters:
     workspace_resource_id:
diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py
@@ -356,6 +356,9 @@
   - name: --enable-managed-identity
     type: bool
     short-summary: Using a system assigned managed identity to manage cluster resource group.
+  - name: --node-osdisk-diskencryptionset-id -d
+    type: string
+    short-summary: ResourceId of the disk encryption set to use for enabling encryption at rest on agent node os disk.
 examples:
   - name: Create a Kubernetes cluster with an existing SSH public key.
     text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -387,6 +390,8 @@
     text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$'
   - name: Create a kubernetes cluster with managed AAD enabled.
     text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
+  - name: Create a kubernetes cluster with server side encryption using your owned key.
+    text: az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>
 """
 
 helps['aks update'] = """
diff --git a/src/azure-cli/azure/cli/command_modules/acs/_params.py b/src/azure-cli/azure/cli/command_modules/acs/_params.py
@@ -210,6 +210,7 @@ def load_arguments(self, _):
         c.argument('enable_node_public_ip', action='store_true', is_preview=True)
         c.argument('windows_admin_username', options_list=['--windows-admin-username'])
         c.argument('windows_admin_password', options_list=['--windows-admin-password'])
+        c.argument('node_osdisk_diskencryptionset_id', type=str, options_list=['--node-osdisk-diskencryptionset-id', '-d'])
 
     with self.argument_context('aks update') as c:
         c.argument('attach_acr', acr_arg_type, validator=validate_acr)
diff --git a/src/azure-cli/azure/cli/command_modules/acs/custom.py b/src/azure-cli/azure/cli/command_modules/acs/custom.py
@@ -1748,6 +1748,7 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
                kubernetes_version='',
                node_vm_size="Standard_DS2_v2",
                node_osdisk_size=0,
+               node_osdisk_diskencryptionset_id='',
                node_count=3,
                nodepool_name="nodepool1",
                nodepool_tags=None,
@@ -2007,7 +2008,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
         addon_profiles=addon_profiles,
         aad_profile=aad_profile,
         api_server_access_profile=api_server_access_profile,
-        identity=identity
+        identity=identity,
+        disk_encryption_set_id=node_osdisk_diskencryptionset_id
     )
 
     if uptime_sla:
