
Add support for Disk Encryption Sets (DES) #1042

Open
xinWeiWei24 wants to merge 24 commits into main from xinwei/diskencription

@xinWeiWei24
Collaborator

This PR adds support for Disk Encryption Sets (DES), enabling customers to create AKS clusters with a specified DES.

@xinWeiWei24 xinWeiWei24 marked this pull request as ready for review February 3, 2026 05:51
Copilot AI review requested due to automatic review settings February 3, 2026 05:51
Contributor

Copilot AI left a comment

Pull request overview

Adds Disk Encryption Set (DES) support to the Azure Terraform modules so AKS clusters can be created with customer-managed key (CMK) disk encryption, and updates the nap-complex perf scenario to exercise the new configuration.

Changes:

  • Introduces a new disk-encryption-set Terraform submodule and new input variables to define DES resources.
  • Wires DES into AKS provisioning paths (Terraform AKS resource + az aks create CLI path), including DES-related RBAC.
  • Updates the nap-complex scenario inputs to provision a DES and reference it from AKS.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| scenarios/perf-eval/nap-complex/terraform-inputs/azure.tfvars | Adds DES + key config to the scenario and sets disk_encryption_set_name for AKS CLI usage (also removes firewall/UDR config). |
| modules/terraform/azure/variables.tf | Adds disk_encryption_set_name to AKS configs and introduces disk_encryption_set_config_list. |
| modules/terraform/azure/main.tf | Creates DES modules and passes DES map into aks-cli (and computes DES locals). |
| modules/terraform/azure/key-vault/main.tf | Adjusts Key Vault settings to support CMK/DES requirements (purge protection/soft delete retention). |
| modules/terraform/azure/disk-encryption-set/variables.tf | Defines inputs for DES creation and validation rules. |
| modules/terraform/azure/disk-encryption-set/main.tf | Implements DES creation and Key Vault RBAC assignments for DES identity. |
| modules/terraform/azure/disk-encryption-set/outputs.tf | Exposes DES ID for downstream AKS usage. |
| modules/terraform/azure/disk-encryption-set/README.md | Documents how to use the DES module and its inputs/outputs. |
| modules/terraform/azure/aks/variables.tf | Adds DES inputs (disk_encryption_sets, disk_encryption_set_name) to the AKS module interface. |
| modules/terraform/azure/aks/main.tf | Sets disk_encryption_set_id on the azurerm_kubernetes_cluster resource when configured. |
| modules/terraform/azure/aks-cli/variables.tf | Adds DES inputs (disk_encryption_sets, disk_encryption_set_name) for CLI-driven AKS creation. |
| modules/terraform/azure/aks-cli/main.tf | Adds DES CLI flag generation and DES RBAC assignments (plus cluster lookup for kubelet identity). |
| jobs/competitive-test.yml | Comments out the cleanup step in the pipeline job. |

@xinWeiWei24 xinWeiWei24 force-pushed the xinwei/diskencription branch from de66a48 to 70d0f35 Compare February 6, 2026 07:00