Merge pull request #853 from melonrush13/keyvaultsku

Tier Options to KeyVault
Azure · Apr 1, 2020 · c5fb4e8 · c5fb4e8
2 parents cc0ee06 + 0cbf956
commit c5fb4e8
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 9 deletions.
diff --git a/api/v1alpha1/keyvault_types.go b/api/v1alpha1/keyvault_types.go
@@ -14,6 +14,7 @@ type KeyVaultSpec struct {
 	EnableSoftDelete bool                 `json:"enableSoftDelete,omitempty"`
 	NetworkPolicies  *NetworkRuleSet      `json:"networkPolicies,omitempty"`
 	AccessPolicies   *[]AccessPolicyEntry `json:"accessPolicies,omitempty"`
+	Sku              KeyVaultSku          `json:"sku,omitempty"`
 }
 
 type NetworkRuleSet struct {
@@ -38,6 +39,13 @@ type AccessPolicyEntry struct {
 	Permissions *Permissions `json:"permissions,omitempty"`
 }
 
+// KeyVaultSku the SKU of the Key Vault
+type KeyVaultSku struct {
+	// Name - The SKU name. Required for account creation; optional for update.
+	// Possible values include: 'Premium', `Standard`
+	Name string `json:"name,omitempty"`
+}
+
 type Permissions struct {
 	Keys         *[]string `json:"keys,omitempty"`
 	Secrets      *[]string `json:"secrets,omitempty"`

diff --git a/config/samples/azure_v1alpha1_keyvault.yaml b/config/samples/azure_v1alpha1_keyvault.yaml
@@ -9,6 +9,9 @@ spec:
   resourceGroup: resourcegroup-azure-operators
   location: westus
   enableSoftDelete: false
+  # possible values for sku.Name are "Standard" or "Premium"  
+  sku:
+    name: standard
   networkPolicies: 
     bypass: AzureServices # AzureServices or None
     defaultAction: Allow # Allow or Deny

diff --git a/config/samples/azure_v1alpha1_keyvault_simple.yaml b/config/samples/azure_v1alpha1_keyvault_simple.yaml
@@ -9,3 +9,6 @@ spec:
   resourceGroup: resourcegroup-azure-operators
   location: westus
   enableSoftDelete: false
+  # Optional: possible values for sku.Name are "Standard" or "Premium". Default is "Standard"  
+  #sku:
+  #  name: standard
diff --git a/pkg/resourcemanager/keyvaults/keyvault.go b/pkg/resourcemanager/keyvaults/keyvault.go
@@ -6,6 +6,7 @@ package keyvaults
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	auth "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2018-02-14/keyvault"
@@ -247,7 +248,7 @@ func InstantiateVault(ctx context.Context, vaultName string, containsUpdate bool
 }
 
 // CreateVault creates a new key vault
-func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alpha1.KeyVault, tags map[string]*string) (keyvault.Vault, error) {
+func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alpha1.KeyVault, sku azurev1alpha1.KeyVaultSku, tags map[string]*string) (keyvault.Vault, error) {
 	vaultName := instance.Name
 	location := instance.Spec.Location
 	groupName := instance.Spec.ResourceGroup
@@ -278,14 +279,20 @@ func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alph
 		networkAcls = keyvault.NetworkRuleSet{}
 	}
 
+	keyVaultSku := keyvault.Sku{
+		Family: to.StringPtr("A"),
+		Name:   keyvault.Standard,
+	}
+
+	if strings.ToLower(sku.Name) == "premium" {
+		keyVaultSku.Name = keyvault.Premium
+	}
+
 	params := keyvault.VaultCreateOrUpdateParameters{
 		Properties: &keyvault.VaultProperties{
-			TenantID:       &id,
-			AccessPolicies: &accessPolicies,
-			Sku: &keyvault.Sku{
-				Family: to.StringPtr("A"),
-				Name:   keyvault.Standard,
-			},
+			TenantID:         &id,
+			AccessPolicies:   &accessPolicies,
+			Sku:              &keyVaultSku,
 			NetworkAcls:      &networkAcls,
 			EnableSoftDelete: &enableSoftDelete,
 		},
@@ -298,7 +305,7 @@ func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alph
 	return future.Result(vaultsClient)
 }
 
-// CreateVaultWithAccessPolicies creates a new key vault and provides access policies to the specified user
+//CreateVaultWithAccessPolicies creates a new key vault and provides access policies to the specified user
 func (k *azureKeyVaultManager) CreateVaultWithAccessPolicies(ctx context.Context, groupName string, vaultName string, location string, clientID string) (keyvault.Vault, error) {
 	vaultsClient, id, err := InstantiateVault(ctx, vaultName, false)
 	if err != nil {
@@ -406,6 +413,7 @@ func (k *azureKeyVaultManager) Ensure(ctx context.Context, obj runtime.Object, o
 	keyvault, err = k.CreateVault(
 		ctx,
 		instance,
+		instance.Spec.Sku,
 		labels,
 	)
 

diff --git a/pkg/resourcemanager/keyvaults/keyvault_manager.go b/pkg/resourcemanager/keyvaults/keyvault_manager.go
@@ -16,7 +16,7 @@ import (
 var AzureKeyVaultManager KeyVaultManager = &azureKeyVaultManager{}
 
 type KeyVaultManager interface {
-	CreateVault(ctx context.Context, instance *azurev1alpha1.KeyVault, tags map[string]*string) (keyvault.Vault, error)
+	CreateVault(ctx context.Context, instance *azurev1alpha1.KeyVault, sku azurev1alpha1.KeyVaultSku, tags map[string]*string) (keyvault.Vault, error)
 
 	// CreateVault and grant access to the specific user ID
 	CreateVaultWithAccessPolicies(ctx context.Context, groupName string, vaultName string, location string, userID string) (keyvault.Vault, error)

diff --git a/pkg/resourcemanager/keyvaults/keyvault_test.go b/pkg/resourcemanager/keyvaults/keyvault_test.go
@@ -60,11 +60,16 @@ var _ = Describe("KeyVault Resource Manager test", func() {
 				},
 			}
 
+			sku := v1alpha1.KeyVaultSku{
+				Name: "Standard",
+			}
+
 			// Create Key Vault instance
 			Eventually(func() bool {
 				_, err := keyVaultManager.CreateVault(
 					ctx,
 					&kv,
+					sku,
 					tags,
 				)
 				if err != nil {