Add supports to Crypto Spec in VMOp VirtualMachine and PVC

Author: laozc

apis/vmware/v1beta1/types.go

@@ -76,3 +76,67 @@ const (
 	// state within the configured timeout (default 5m).
 	VirtualMachinePowerOpModeTrySoft VirtualMachinePowerOpMode = "trySoft"
 )
+
+// VirtualMachineCryptoSpec defines the desired state of a VirtualMachine's
+// encryption state.
+type VirtualMachineCryptoSpec struct {
+	// +optional
+
+	// EncryptionClassName describes the name of the EncryptionClass resource
+	// used to encrypt this VM.
+	//
+	// Please note, this field is not required to encrypt the VM. If the
+	// underlying platform has a default key provider, the VM may still be fully
+	// or partially encrypted depending on the specified storage and VM classes.
+	//
+	// If there is a default key provider and an encryption storage class is
+	// selected, the files in the VM's home directory and non-PVC virtual disks
+	// will be encrypted
+	//
+	// If there is a default key provider and a VM Class with a virtual, trusted
+	// platform module (vTPM) is selected, the files in the VM's home directory,
+	// minus any virtual disks, will be encrypted.
+	//
+	// If the underlying vSphere platform does not have a default key provider,
+	// then this field is required when specifying an encryption storage class
+	// and/or a VM Class with a vTPM.
+	//
+	// If this field is set, spec.storageClass must use an encryption-enabled
+	// storage class.
+	EncryptionClassName string `json:"encryptionClassName,omitempty"`
+
+	// +optional
+	// +kubebuilder:default=true
+
+	// UseDefaultKeyProvider describes the desired behavior for when an explicit
+	// EncryptionClass is not provided.
+	//
+	// When an explicit EncryptionClass is not provided and this value is true:
+	//
+	// - Deploying a VirtualMachine with an encryption storage policy or vTPM
+	//   will be encrypted using the default key provider.
+	//
+	// - If a VirtualMachine is not encrypted, uses an encryption storage
+	//   policy or has a virtual, trusted platform module (vTPM), there is a
+	//   default key provider, the VM will be encrypted using the default key
+	//   provider.
+	//
+	// - If a VirtualMachine is encrypted with a provider other than the default
+	//   key provider, the VM will be rekeyed using the default key provider.
+	//
+	// When an explicit EncryptionClass is not provided and this value is false:
+	//
+	// - Deploying a VirtualMachine with an encryption storage policy or vTPM
+	//   will fail.
+	//
+	// - If a VirtualMachine is encrypted with a provider other than the default
+	//   key provider, the VM will be not be rekeyed.
+	//
+	//   Please note, this could result in a VirtualMachine that cannot be
+	//   powered on since it is encrypted using a provider or key that may have
+	//   been removed. Without the key, the VM cannot be decrypted and thus
+	//   cannot be powered on.
+	//
+	// Defaults to true if omitted.
+	UseDefaultKeyProvider *bool `json:"useDefaultKeyProvider,omitempty"`
+}

apis/vmware/v1beta1/vspheremachine_types.go

@@ -35,6 +35,14 @@ type VSphereMachineVolume struct {
 	// StorageClass defaults to VSphereMachineSpec.StorageClass
 	// +optional
 	StorageClass string `json:"storageClass,omitempty"`
+	// EncryptionClassName describes the name of the EncryptionClass resource
+	// used to encrypt this volume. Defaults to VSphereMachineSpec.Crypto.EncryptionClassName.
+	//
+	// Please note, this field is not required to encrypt the volume. If the
+	// underlying platform has a default key provider, the volume may still be fully
+	// or partially encrypted depending on the specified storage.
+	// +optional
+	EncryptionClassName string `json:"encryptionClassName,omitempty"`
 }
 
 // VSphereMachineSpec defines the desired state of VSphereMachine.
@@ -63,6 +71,10 @@ type VSphereMachineSpec struct {
 	// +optional
 	StorageClass string `json:"storageClass,omitempty"`
 
+	// Crypto describes the desired encryption state of the VirtualMachine.
+	// +optional
+	Crypto *VirtualMachineCryptoSpec `json:"crypto,omitempty"`
+
 	// Volumes is the set of PVCs to be created and attached to the VSphereMachine
 	// +optional
 	Volumes []VSphereMachineVolume `json:"volumes,omitempty"`

apis/vmware/v1beta1/zz_generated.deepcopy.go

@@ -59,6 +59,69 @@ spec:
                   ClassName is the name of the class used when specifying the underlying
                   virtual machine
                 type: string
+              crypto:
+                description: Crypto describes the desired encryption state of the
+                  VirtualMachine.
+                properties:
+                  encryptionClassName:
+                    description: |-
+                      EncryptionClassName describes the name of the EncryptionClass resource
+                      used to encrypt this VM.
+
+                      Please note, this field is not required to encrypt the VM. If the
+                      underlying platform has a default key provider, the VM may still be fully
+                      or partially encrypted depending on the specified storage and VM classes.
+
+                      If there is a default key provider and an encryption storage class is
+                      selected, the files in the VM's home directory and non-PVC virtual disks
+                      will be encrypted
+
+                      If there is a default key provider and a VM Class with a virtual, trusted
+                      platform module (vTPM) is selected, the files in the VM's home directory,
+                      minus any virtual disks, will be encrypted.
+
+                      If the underlying vSphere platform does not have a default key provider,
+                      then this field is required when specifying an encryption storage class
+                      and/or a VM Class with a vTPM.
+
+                      If this field is set, spec.storageClass must use an encryption-enabled
+                      storage class.
+                    type: string
+                  useDefaultKeyProvider:
+                    default: true
+                    description: |-
+                      UseDefaultKeyProvider describes the desired behavior for when an explicit
+                      EncryptionClass is not provided.
+
+                      When an explicit EncryptionClass is not provided and this value is true:
+
+                      - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                        will be encrypted using the default key provider.
+
+                      - If a VirtualMachine is not encrypted, uses an encryption storage
+                        policy or has a virtual, trusted platform module (vTPM), there is a
+                        default key provider, the VM will be encrypted using the default key
+                        provider.
+
+                      - If a VirtualMachine is encrypted with a provider other than the default
+                        key provider, the VM will be rekeyed using the default key provider.
+
+                      When an explicit EncryptionClass is not provided and this value is false:
+
+                      - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                        will fail.
+
+                      - If a VirtualMachine is encrypted with a provider other than the default
+                        key provider, the VM will be not be rekeyed.
+
+                        Please note, this could result in a VirtualMachine that cannot be
+                        powered on since it is encrypted using a provider or key that may have
+                        been removed. Without the key, the VM cannot be decrypted and thus
+                        cannot be powered on.
+
+                      Defaults to true if omitted.
+                    type: boolean
+                type: object
               failureDomain:
                 description: |-
                   FailureDomain is the failure domain the machine will be created in.
@@ -344,6 +407,15 @@ spec:
                         x-kubernetes-int-or-string: true
                       description: Capacity is the PVC capacity
                       type: object
+                    encryptionClassName:
+                      description: |-
+                        EncryptionClassName describes the name of the EncryptionClass resource
+                        used to encrypt this volume. Defaults to VSphereMachineSpec.Crypto.EncryptionClassName.
+
+                        Please note, this field is not required to encrypt the volume. If the
+                        underlying platform has a default key provider, the volume may still be fully
+                        or partially encrypted depending on the specified storage.
+                      type: string
                     name:
                       description: 'Name is suffix used to name this PVC as: VSphereMachine.Name
                         + "-" + Name'

config/supervisor/crd/bases/vmware.infrastructure.cluster.x-k8s.io_vspheremachines.yaml

@@ -55,6 +55,69 @@ spec:
                           ClassName is the name of the class used when specifying the underlying
                           virtual machine
                         type: string
+                      crypto:
+                        description: Crypto describes the desired encryption state
+                          of the VirtualMachine.
+                        properties:
+                          encryptionClassName:
+                            description: |-
+                              EncryptionClassName describes the name of the EncryptionClass resource
+                              used to encrypt this VM.
+
+                              Please note, this field is not required to encrypt the VM. If the
+                              underlying platform has a default key provider, the VM may still be fully
+                              or partially encrypted depending on the specified storage and VM classes.
+
+                              If there is a default key provider and an encryption storage class is
+                              selected, the files in the VM's home directory and non-PVC virtual disks
+                              will be encrypted
+
+                              If there is a default key provider and a VM Class with a virtual, trusted
+                              platform module (vTPM) is selected, the files in the VM's home directory,
+                              minus any virtual disks, will be encrypted.
+
+                              If the underlying vSphere platform does not have a default key provider,
+                              then this field is required when specifying an encryption storage class
+                              and/or a VM Class with a vTPM.
+
+                              If this field is set, spec.storageClass must use an encryption-enabled
+                              storage class.
+                            type: string
+                          useDefaultKeyProvider:
+                            default: true
+                            description: |-
+                              UseDefaultKeyProvider describes the desired behavior for when an explicit
+                              EncryptionClass is not provided.
+
+                              When an explicit EncryptionClass is not provided and this value is true:
+
+                              - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                                will be encrypted using the default key provider.
+
+                              - If a VirtualMachine is not encrypted, uses an encryption storage
+                                policy or has a virtual, trusted platform module (vTPM), there is a
+                                default key provider, the VM will be encrypted using the default key
+                                provider.
+
+                              - If a VirtualMachine is encrypted with a provider other than the default
+                                key provider, the VM will be rekeyed using the default key provider.
+
+                              When an explicit EncryptionClass is not provided and this value is false:
+
+                              - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                                will fail.
+
+                              - If a VirtualMachine is encrypted with a provider other than the default
+                                key provider, the VM will be not be rekeyed.
+
+                                Please note, this could result in a VirtualMachine that cannot be
+                                powered on since it is encrypted using a provider or key that may have
+                                been removed. Without the key, the VM cannot be decrypted and thus
+                                cannot be powered on.
+
+                              Defaults to true if omitted.
+                            type: boolean
+                        type: object
                       failureDomain:
                         description: |-
                           FailureDomain is the failure domain the machine will be created in.
@@ -341,6 +404,15 @@ spec:
                                 x-kubernetes-int-or-string: true
                               description: Capacity is the PVC capacity
                               type: object
+                            encryptionClassName:
+                              description: |-
+                                EncryptionClassName describes the name of the EncryptionClass resource
+                                used to encrypt this volume. Defaults to VSphereMachineSpec.Crypto.EncryptionClassName.
+
+                                Please note, this field is not required to encrypt the volume. If the
+                                underlying platform has a default key provider, the volume may still be fully
+                                or partially encrypted depending on the specified storage.
+                              type: string
                             name:
                               description: 'Name is suffix used to name this PVC as:
                                 VSphereMachine.Name + "-" + Name'

config/supervisor/crd/bases/vmware.infrastructure.cluster.x-k8s.io_vspheremachinetemplates.yaml

@@ -7,7 +7,7 @@ replace sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.12.0-beta.0
 replace github.com/vmware-tanzu/vm-operator/pkg/constants/testlabels => github.com/vmware-tanzu/vm-operator/pkg/constants/testlabels v0.0.0-20240404200847-de75746a9505
 
 // The version of vm-operator should be kept in sync with the manifests at: config/deployments/integration-tests
-replace github.com/vmware-tanzu/vm-operator/api => github.com/vmware-tanzu/vm-operator/api v1.8.6
+replace github.com/vmware-tanzu/vm-operator/api => github.com/vmware-tanzu/vm-operator/api v1.9.1-0.20251029150609-93918c59a719
 
 require (
 	github.com/vmware-tanzu/net-operator-api v0.0.0-20240326163340-1f32d6bf7f9d

go.mod

@@ -241,8 +241,8 @@ github.com/vmware-tanzu/net-operator-api v0.0.0-20240326163340-1f32d6bf7f9d h1:c
 github.com/vmware-tanzu/net-operator-api v0.0.0-20240326163340-1f32d6bf7f9d/go.mod h1:JbFOh22iDsT5BowJe0GgpMI5e2/S7cWaJlv9LdURVQM=
 github.com/vmware-tanzu/nsx-operator/pkg/apis v0.0.0-20241112044858-9da8637c1b0d h1:z9lrzKVtNlujduv9BilzPxuge/LE2F0N1ms3TP4JZvw=
 github.com/vmware-tanzu/nsx-operator/pkg/apis v0.0.0-20241112044858-9da8637c1b0d/go.mod h1:Q4JzNkNMvjo7pXtlB5/R3oME4Nhah7fAObWgghVmtxk=
-github.com/vmware-tanzu/vm-operator/api v1.8.6 h1:NIndORjcnSmIlQsCMIewpIwg/ocRVDh2lYjOroTVLrU=
-github.com/vmware-tanzu/vm-operator/api v1.8.6/go.mod h1:HHA2SNI9B5Yqtyp5t+Gt9WTWBi/fIkM6+MukDDSf11A=
+github.com/vmware-tanzu/vm-operator/api v1.9.1-0.20251029150609-93918c59a719 h1:nb/5ytRj7E/5eo9UzLfaR29JytMtbGpqMVs3hjaRwZ0=
+github.com/vmware-tanzu/vm-operator/api v1.9.1-0.20251029150609-93918c59a719/go.mod h1:nWTPpxfe4gHuuYuFcrs86+NMxfkqPk3a3IlvI8TCWak=
 github.com/vmware-tanzu/vm-operator/external/ncp v0.0.0-20240404200847-de75746a9505 h1:y4wXx1FUFqqSgJ/xUOEM1DLS2Uu0KaeLADWpzpioGTU=
 github.com/vmware-tanzu/vm-operator/external/ncp v0.0.0-20240404200847-de75746a9505/go.mod h1:5rqRJ9zGR+KnKbkGx373WgN8xJpvAj99kHnfoDYRO5I=
 github.com/vmware/govmomi v0.52.0 h1:JyxQ1IQdllrY7PJbv2am9mRsv3p9xWlIQ66bv+XnyLw=

go.sum

@@ -136,7 +136,7 @@ func (np *netopNetworkProvider) ConfigureVirtualMachine(ctx context.Context, clu
 	// Set the VM primary interface
 	vm.Spec.Network.Interfaces = append(vm.Spec.Network.Interfaces, vmoprv1.VirtualMachineNetworkInterfaceSpec{
 		Name: PrimaryInterfaceName,
-		Network: vmoprv1common.PartialObjectRef{
+		Network: &vmoprv1common.PartialObjectRef{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       NetworkGVKNetOperator.Kind,
 				APIVersion: NetworkGVKNetOperator.GroupVersion().String(),

pkg/services/network/netop_provider.go

@@ -223,7 +223,7 @@ func (np *nsxtNetworkProvider) ConfigureVirtualMachine(_ context.Context, cluste
 	}
 	vm.Spec.Network.Interfaces = append(vm.Spec.Network.Interfaces, vmoprv1.VirtualMachineNetworkInterfaceSpec{
 		Name: fmt.Sprintf("eth%d", len(vm.Spec.Network.Interfaces)),
-		Network: vmoprv1common.PartialObjectRef{
+		Network: &vmoprv1common.PartialObjectRef{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       NetworkGVKNSXT.Kind,
 				APIVersion: NetworkGVKNSXT.GroupVersion().String(),

pkg/services/network/nsxt_provider.go

@@ -224,7 +224,7 @@ func (vp *nsxtVPCNetworkProvider) ConfigureVirtualMachine(_ context.Context, clu
 		networkName := clusterCtx.VSphereCluster.Name
 		vm.Spec.Network.Interfaces = append(vm.Spec.Network.Interfaces, vmoprv1.VirtualMachineNetworkInterfaceSpec{
 			Name: PrimaryInterfaceName,
-			Network: vmoprv1common.PartialObjectRef{
+			Network: &vmoprv1common.PartialObjectRef{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       NetworkGVKNSXTVPCSubnetSet.Kind,
 					APIVersion: NetworkGVKNSXTVPCSubnetSet.GroupVersion().String(),
@@ -243,7 +243,7 @@ func (vp *nsxtVPCNetworkProvider) ConfigureVirtualMachine(_ context.Context, clu
 		}
 		vmInterface := vmoprv1.VirtualMachineNetworkInterfaceSpec{
 			Name: PrimaryInterfaceName,
-			Network: vmoprv1common.PartialObjectRef{
+			Network: &vmoprv1common.PartialObjectRef{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       primary.Network.Kind,
 					APIVersion: primary.Network.APIVersion,
@@ -281,7 +281,7 @@ func setVMSecondaryInterfaces(machine *vmwarev1.VSphereMachine, vm *vmoprv1.Virt
 		}
 		vmInterface := vmoprv1.VirtualMachineNetworkInterfaceSpec{
 			Name: secondaryInterface.Name,
-			Network: vmoprv1common.PartialObjectRef{
+			Network: &vmoprv1common.PartialObjectRef{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       secondaryInterface.Network.Kind,
 					APIVersion: secondaryInterface.Network.APIVersion,