Add Encryption Class to the vcsim test

Author: laozc

test/e2e/ownerrefs_finalizers_test.go

@@ -238,6 +238,7 @@ var (
 				"VirtualMachineClassBinding":      func(_ types.NamespacedName, _ []metav1.OwnerReference) error { return nil },
 				"VirtualMachineClass":             func(_ types.NamespacedName, _ []metav1.OwnerReference) error { return nil },
 				"VMOperatorDependencies":          func(_ types.NamespacedName, _ []metav1.OwnerReference) error { return nil },
+				"EncryptionClass":                 func(_ types.NamespacedName, _ []metav1.OwnerReference) error { return nil },
 			}
 		}
 

test/framework/vmoperator/vmoperator.go

@@ -38,6 +38,8 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -453,6 +455,65 @@ func ReconcileDependencies(ctx context.Context, c client.Client, dependenciesCon
 		}
 	}
 
+	// Create EncryptionClass in K8s
+	encryptionClassGVR := schema.GroupVersionResource{
+		Group:    "encryption.vmware.com",
+		Version:  "v1alpha1",
+		Resource: "encryptionclasses",
+	}
+	for _, ec := range config.Spec.EncryptionClasses {
+		metadata := map[string]interface{}{
+			"name":      ec.Name,
+			"namespace": config.Namespace,
+		}
+		// Add default label if this is the default EncryptionClass
+		if ec.Default {
+			metadata["labels"] = map[string]interface{}{
+				"encryption.vmware.com/default": "true",
+			}
+		}
+
+		spec := map[string]interface{}{}
+		spec["keyProvider"] = ec.KeyProvider
+		spec["keyID"] = ec.KeyID
+
+		encryptionClass := &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "encryption.vmware.com/v1alpha1",
+				"kind":       "EncryptionClass",
+				"metadata":   metadata,
+				"spec":       spec,
+			},
+		}
+		_ = wait.PollUntilContextTimeout(ctx, 250*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+			retryError = nil
+			existing := &unstructured.Unstructured{}
+			existing.SetGroupVersionKind(schema.GroupVersionKind{
+				Group:   encryptionClassGVR.Group,
+				Version: encryptionClassGVR.Version,
+				Kind:    "EncryptionClass",
+			})
+			if err := c.Get(ctx, client.ObjectKey{
+				Name:      ec.Name,
+				Namespace: config.Namespace,
+			}, existing); err != nil {
+				if !apierrors.IsNotFound(err) {
+					retryError = errors.Wrapf(err, "failed to get EncryptionClass %s", ec.Name)
+					return false, nil
+				}
+				if err := c.Create(ctx, encryptionClass); err != nil {
+					retryError = errors.Wrapf(err, "failed to create EncryptionClass %s", ec.Name)
+					return false, nil
+				}
+				log.Info("Created EncryptionClass", "EncryptionClass", klog.KRef(config.Namespace, ec.Name))
+			}
+			return true, nil
+		})
+		if retryError != nil {
+			return retryError
+		}
+	}
+
 	// Create a ContentLibrary in K8s and in vCenter,
 	// This requires a set of objects in vCenter(or vcsim) as well as their mapping in K8s
 	// - vCenter: a Library containing an Item

test/infrastructure/vcsim/api/v1alpha1/vmoperatordependencies_types.go

@@ -45,6 +45,9 @@ type VMOperatorDependenciesSpec struct {
 
 	// VirtualMachineClasses defines a list of VirtualMachineClasses to be bound to the namespace where this object is created.
 	VirtualMachineClasses []VirtualMachineClass `json:"virtualMachineClasses,omitempty"`
+
+	// EncryptionClasses defines a list of EncryptionClasses to be created in the namespace where this object is created.
+	EncryptionClasses []EncryptionClass `json:"encryptionClasses,omitempty"`
 }
 
 // VMOperatorRef provide a reference to the running instance of vm-operator.
@@ -80,6 +83,14 @@ type VirtualMachineClass struct {
 	Memory resource.Quantity `json:"memory,omitempty"`
 }
 
+type EncryptionClass struct {
+	Name        string `json:"name,omitempty"`
+	KeyProvider string `json:"keyProvider,omitempty"`
+	KeyID       string `json:"keyID,omitempty"`
+	// Default indicates if this EncryptionClass should be marked as default
+	Default bool `json:"default,omitempty"`
+}
+
 type ContentLibraryItemFilesConfig struct {
 	Name    string `json:"name,omitempty"`
 	Content []byte `json:"content,omitempty"`
@@ -179,7 +190,7 @@ func (d *VMOperatorDependencies) SetVCenterFromVCenterSimulator(vCenterSimulator
 		)
 	}
 
-	//  Add default storage and vm class for vcsim in not otherwise specified.
+	// Add default storage and vm class for vcsim if not otherwise specified.
 	if len(d.Spec.StorageClasses) == 0 {
 		d.Spec.StorageClasses = []StorageClass{
 			{
@@ -197,4 +208,15 @@ func (d *VMOperatorDependencies) SetVCenterFromVCenterSimulator(vCenterSimulator
 			},
 		}
 	}
+	// Add default encryption class for vcsim if not otherwise specified.
+	if len(d.Spec.EncryptionClasses) == 0 {
+		d.Spec.EncryptionClasses = []EncryptionClass{
+			{
+				Name:        "vcsim-default-encryption-class",
+				KeyProvider: "vcsim-key-provider",
+				KeyID:       "vcsim-key-id",
+				Default:     true,
+			},
+		}
+	}
 }

test/infrastructure/vcsim/api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,71 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: encryptionclasses.encryption.vmware.com
+spec:
+  group: encryption.vmware.com
+  names:
+    kind: EncryptionClass
+    listKind: EncryptionClassList
+    plural: encryptionclasses
+    shortNames:
+    - encclass
+    singular: encryptionclass
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.keyProvider
+      name: KeyProvider
+      type: string
+    - jsonPath: .spec.keyID
+      name: KeyID
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: EncryptionClass is the Schema for the encryptionclasses API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: EncryptionClassSpec defines the desired state of EncryptionClass.
+            properties:
+              keyID:
+                description: |-
+                  KeyID describes the key used to encrypt/recrypt/decrypt resources.
+                  When omitted, a key will be generated from the specified provider.
+                type: string
+              keyProvider:
+                description: |-
+                  KeyProvider describes the key provider used to encrypt/recrypt/decrypt
+                  resources.
+                type: string
+            required:
+            - keyProvider
+            type: object
+          status:
+            description: EncryptionClassStatus defines the observed state of EncryptionClass.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

test/infrastructure/vcsim/config/crd/bases/encryption.vmware.com_encryptionclasses.yaml

@@ -43,6 +43,23 @@ spec:
               VMOperatorDependenciesSpec defines the desired state of the VMOperatorDependencies in
               the namespace where this object is created.
             properties:
+              encryptionClasses:
+                description: EncryptionClasses defines a list of EncryptionClasses
+                  to be created in the namespace where this object is created.
+                items:
+                  properties:
+                    default:
+                      description: Default indicates if this EncryptionClass should
+                        be marked as default
+                      type: boolean
+                    keyID:
+                      type: string
+                    keyProvider:
+                      type: string
+                    name:
+                      type: string
+                  type: object
+                type: array
               operatorRef:
                 description: OperatorRef provides a reference to the running instance
                   of vm-operator.

test/infrastructure/vcsim/config/crd/bases/vcsim.infrastructure.cluster.x-k8s.io_vmoperatordependencies.yaml

@@ -11,6 +11,7 @@ resources:
   - bases/vcsim.infrastructure.cluster.x-k8s.io_controlplaneendpoints.yaml
   - bases/vcsim.infrastructure.cluster.x-k8s.io_envvars.yaml
   - bases/vcsim.infrastructure.cluster.x-k8s.io_vmoperatordependencies.yaml
+  - bases/encryption.vmware.com_encryptionclasses.yaml
 
 patchesStrategicMerge:
   # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.

test/infrastructure/vcsim/config/crd/kustomization.yaml

@@ -56,6 +56,16 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - encryption.vmware.com
+  resources:
+  - encryptionclasses
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:

test/infrastructure/vcsim/config/rbac/role.yaml

@@ -79,6 +79,7 @@ type VCenterSimulatorReconciler struct {
 // +kubebuilder:rbac:groups=vmoperator.vmware.com,resources=virtualmachineimages,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups=vmoperator.vmware.com,resources=virtualmachineimages/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;create
+// +kubebuilder:rbac:groups=encryption.vmware.com,resources=encryptionclasses,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create