diff --git a/api/v1alpha1/keyvault_types.go b/api/v1alpha1/keyvault_types.go
index cc2185af49b..3b21a2c1f67 100644
--- a/api/v1alpha1/keyvault_types.go
+++ b/api/v1alpha1/keyvault_types.go
@@ -14,6 +14,7 @@ type KeyVaultSpec struct {
 	EnableSoftDelete bool `json:"enableSoftDelete,omitempty"`
 	NetworkPolicies *NetworkRuleSet `json:"networkPolicies,omitempty"`
 	AccessPolicies *[]AccessPolicyEntry `json:"accessPolicies,omitempty"`
+	Sku KeyVaultSku `json:"sku,omitempty"`
 }
 
 type NetworkRuleSet struct {
@@ -38,6 +39,13 @@ type AccessPolicyEntry struct {
 	Permissions *Permissions `json:"permissions,omitempty"`
 }
 
+// KeyVaultSku the SKU of the Key Vault
+type KeyVaultSku struct {
+	// Name - The SKU name. Required for account creation; optional for update.
+	// Possible values include: 'Premium', `Standard`
+	Name string `json:"name,omitempty"`
+}
+
 type Permissions struct {
 	Keys *[]string `json:"keys,omitempty"`
 	Secrets *[]string `json:"secrets,omitempty"`
diff --git a/config/samples/azure_v1alpha1_keyvault.yaml b/config/samples/azure_v1alpha1_keyvault.yaml
index 0a45688bbe4..cc482ebacf9 100644
--- a/config/samples/azure_v1alpha1_keyvault.yaml
+++ b/config/samples/azure_v1alpha1_keyvault.yaml
@@ -9,6 +9,9 @@ spec:
   resourceGroup: resourcegroup-azure-operators
   location: westus
   enableSoftDelete: false
+  # possible values for sku.Name are "Standard" or "Premium"
+  sku:
+    name: standard
   networkPolicies:
     bypass: AzureServices # AzureServices or None
     defaultAction: Allow # Allow or Deny
diff --git a/config/samples/azure_v1alpha1_keyvault_simple.yaml b/config/samples/azure_v1alpha1_keyvault_simple.yaml
index 6cc965923fd..23c256f9ae1 100644
--- a/config/samples/azure_v1alpha1_keyvault_simple.yaml
+++ b/config/samples/azure_v1alpha1_keyvault_simple.yaml
@@ -9,3 +9,6 @@ spec:
   resourceGroup: resourcegroup-azure-operators
   location: westus
   enableSoftDelete: false
+  # Optional: possible values for sku.Name are "Standard" or "Premium". Default is "Standard"
+  #sku:
+  #  name: standard
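Review bot: The `omitempty` on the new `Sku KeyVaultSku` field has no effect, because encoding/json never treats a struct value as empty; an unset SKU will still serialize as `"sku":{}`, unlike the sibling `NetworkPolicies *NetworkRuleSet` and `AccessPolicies` fields, which are pointers and really are omitted. Either make it `Sku *KeyVaultSku `json:"sku,omitempty"`` for consistency with its siblings (the `Ensure` caller that passes `instance.Spec.Sku` by value would then need a nil check), or drop `omitempty` so the tag does not promise something it cannot deliver. The KeyVaultSpec definition starts before this hunk.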
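Review bot: `Name` accepts any string even though only `Standard` and `Premium` are meaningful, and the resource-manager side of this patch silently maps everything that is not a case-insensitive `premium` to Standard, so a typo such as `Premuim` would quietly provision a Standard vault instead of the Premium tier (the one that offers HSM-protected keys) the user asked for. If this project generates its CRDs with controller-gen, the cheapest guard is a validation marker on the field, e.g. `// +kubebuilder:validation:Enum=Standard;Premium`; note the sample manifest in this same patch uses lowercase `standard`, so pick one casing and use it in both the enum and the samples. The doc comment also reads as copied from another resource — "Required for account creation; optional for update." contradicts the field being optional with a Standard default — and I would replace it with `// Name - The SKU tier of the vault. Optional; defaults to Standard when unset. Possible values: 'Standard', 'Premium'.`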
diff --git a/pkg/resourcemanager/keyvaults/keyvault.go b/pkg/resourcemanager/keyvaults/keyvault.go
index bb6eb0a0e84..200fd19e707 100644
--- a/pkg/resourcemanager/keyvaults/keyvault.go
+++ b/pkg/resourcemanager/keyvaults/keyvault.go
@@ -6,6 +6,7 @@ package keyvaults
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	auth "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2018-02-14/keyvault"
@@ -247,7 +248,7 @@ func InstantiateVault(ctx context.Context, vaultName string, containsUpdate bool
 }
 
 // CreateVault creates a new key vault
-func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alpha1.KeyVault, tags map[string]*string) (keyvault.Vault, error) {
+func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alpha1.KeyVault, sku azurev1alpha1.KeyVaultSku, tags map[string]*string) (keyvault.Vault, error) {
 	vaultName := instance.Name
 	location := instance.Spec.Location
 	groupName := instance.Spec.ResourceGroup
@@ -278,14 +279,20 @@ func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alph
 		networkAcls = keyvault.NetworkRuleSet{}
 	}
 
+	keyVaultSku := keyvault.Sku{
+		Family: to.StringPtr("A"),
+		Name: keyvault.Standard,
+	}
+
+	if strings.ToLower(sku.Name) == "premium" {
+		keyVaultSku.Name = keyvault.Premium
+	}
+
 	params := keyvault.VaultCreateOrUpdateParameters{
 		Properties: &keyvault.VaultProperties{
-			TenantID: &id,
-			AccessPolicies: &accessPolicies,
-			Sku: &keyvault.Sku{
-				Family: to.StringPtr("A"),
-				Name: keyvault.Standard,
-			},
+			TenantID: &id,
+			AccessPolicies: &accessPolicies,
+			Sku: &keyVaultSku,
 			NetworkAcls: &networkAcls,
 			EnableSoftDelete: &enableSoftDelete,
 		},
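Review bot: The new `sku` parameter is redundant with `instance`: the only caller in this patch (`Ensure`) passes `instance.Spec.Sku`, so `CreateVault` could read `instance.Spec.Sku` itself and the `KeyVaultManager` interface would not need to widen, which would also remove the possibility of a caller handing in a `sku` that disagrees with `instance.Spec`. Separately, the signature now mixes two aliases that look like the same API package, `instance *v1alpha1.KeyVault` and `sku azurev1alpha1.KeyVaultSku`; unless keyvault.go deliberately imports the package twice, pick one alias (keyvault_manager.go uses `azurev1alpha1` throughout). CreateVault's body continues past this hunk.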
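Review bot: The SKU mapping has no rejection path: any `sku.Name` other than a case-insensitive `premium` — a typo like `Premiun`, or `premium ` with trailing whitespace — falls through to `keyvault.Standard`, so a vault requested at the Premium tier (the one that offers HSM-protected keys) would be silently created as Standard and the spec would never match what was provisioned. Validate the value and fail the create with an error rather than guessing; `fmt` is already imported and the `(keyvault.Vault, error)` return is visible in the preceding hunk. The rest of CreateVault (parameter assembly and the create call) is unchanged by this suggestion.
```go
	keyVaultSku := keyvault.Sku{Family: to.StringPtr("A")}
	// Empty means "not set in the spec" and keeps the pre-existing Standard default;
	// anything else must be one of the two documented tiers.
	switch strings.ToLower(strings.TrimSpace(sku.Name)) {
	case "", "standard":
		keyVaultSku.Name = keyvault.Standard
	case "premium":
		keyVaultSku.Name = keyvault.Premium
	default:
		return keyvault.Vault{}, fmt.Errorf("unsupported key vault sku %q: expected Standard or Premium", sku.Name)
	}
	// … unchanged: params := keyvault.VaultCreateOrUpdateParameters{ … } …
```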
@@ -298,7 +305,7 @@ func (k *azureKeyVaultManager) CreateVault(ctx context.Context, instance *v1alph
 	return future.Result(vaultsClient)
 }
 
-// CreateVaultWithAccessPolicies creates a new key vault and provides access policies to the specified user
+//CreateVaultWithAccessPolicies creates a new key vault and provides access policies to the specified user
 func (k *azureKeyVaultManager) CreateVaultWithAccessPolicies(ctx context.Context, groupName string, vaultName string, location string, clientID string) (keyvault.Vault, error) {
 	vaultsClient, id, err := InstantiateVault(ctx, vaultName, false)
 	if err != nil {
@@ -406,6 +413,7 @@ func (k *azureKeyVaultManager) Ensure(ctx context.Context, obj runtime.Object, o
 	keyvault, err = k.CreateVault(
 		ctx,
 		instance,
+		instance.Spec.Sku,
 		labels,
 	)
 
diff --git a/pkg/resourcemanager/keyvaults/keyvault_manager.go b/pkg/resourcemanager/keyvaults/keyvault_manager.go
index c1f23f948b5..b5681d395cb 100644
--- a/pkg/resourcemanager/keyvaults/keyvault_manager.go
+++ b/pkg/resourcemanager/keyvaults/keyvault_manager.go
@@ -16,7 +16,7 @@ import (
 var AzureKeyVaultManager KeyVaultManager = &azureKeyVaultManager{}
 
 type KeyVaultManager interface {
-	CreateVault(ctx context.Context, instance *azurev1alpha1.KeyVault, tags map[string]*string) (keyvault.Vault, error)
+	CreateVault(ctx context.Context, instance *azurev1alpha1.KeyVault, sku azurev1alpha1.KeyVaultSku, tags map[string]*string) (keyvault.Vault, error)
 	// CreateVault and grant access to the specific user ID
 	CreateVaultWithAccessPolicies(ctx context.Context, groupName string, vaultName string, location string, userID string) (keyvault.Vault, error)
 
diff --git a/pkg/resourcemanager/keyvaults/keyvault_test.go b/pkg/resourcemanager/keyvaults/keyvault_test.go
index 32475d76ceb..56b7be06ac1 100644
--- a/pkg/resourcemanager/keyvaults/keyvault_test.go
+++ b/pkg/resourcemanager/keyvaults/keyvault_test.go
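Review bot: The only change in this hunk drops the space after `//` in the doc comment of `CreateVaultWithAccessPolicies`, which looks accidental rather than intended: Go doc comments conventionally read `// Name ...`, golint flags the `//Name` form, and the neighbouring comments in this file (`// CreateVault creates a new key vault`) use the spaced form. Restore `// CreateVaultWithAccessPolicies creates a new key vault and provides access policies to the specified user`. The function's body continues past the hunk.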
@@ -60,11 +60,16 @@ var _ = Describe("KeyVault Resource Manager test", func() {
 		},
 	}
 
+	sku := v1alpha1.KeyVaultSku{
+		Name: "Standard",
+	}
+
 	// Create Key Vault instance
 	Eventually(func() bool {
 		_, err := keyVaultManager.CreateVault(
 			ctx,
 			&kv,
+			sku,
 			tags,
 		)
 		if err != nil {
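Review bot: The test only exercises `Name: "Standard"`, which is also what `CreateVault` falls back to for every unrecognised value, so the new Premium branch and the case-insensitive comparison are not covered and the test would still pass if the `sku` argument were ignored entirely. Because this suite appears to provision a real vault through `keyVaultManager.CreateVault` inside `Eventually`, adding a Premium case here would be slow and costly; the better split is to pull the name-to-SKU mapping in keyvault.go into a small pure function and unit-test it with `"Standard"`, `"premium"`, `""` and a misspelled value. The `Describe` block containing this test starts before the hunk and continues after it.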