Support Bring Your Own (Encryption) Key (BYOK)

This patch adds support for bringing your own encryption key used
to encrypt/recrypt VMs.

api/v1alpha1/virtualmachine_conversion.go

@@ -822,6 +822,10 @@ func Convert_v1alpha3_VirtualMachineStatus_To_v1alpha1_VirtualMachineStatus(
 	return nil
 }
 
+func restore_v1alpha3_VirtualMachineEncryptionClass(dst, src *vmopv1.VirtualMachine) {
+	dst.Spec.Crypto.ClassName = src.Spec.Crypto.ClassName
+}
+
 func restore_v1alpha3_VirtualMachineImage(dst, src *vmopv1.VirtualMachine) {
 	dst.Spec.Image = src.Spec.Image
 	dst.Spec.ImageName = src.Spec.ImageName
@@ -1239,6 +1243,7 @@ func (src *VirtualMachine) ConvertTo(dstRaw ctrlconversion.Hub) error {
 	restore_v1alpha3_VirtualMachineInstanceUUID(dst, restored)
 	restore_v1alpha3_VirtualMachineGuestID(dst, restored)
 	restore_v1alpha3_VirtualMachineCdrom(dst, restored)
+	restore_v1alpha3_VirtualMachineEncryptionClass(dst, restored)
 
 	// END RESTORE
 

api/v1alpha2/virtualmachine_conversion.go

@@ -142,6 +142,10 @@ func Convert_v1alpha3_VirtualMachine_To_v1alpha2_VirtualMachine(
 	return nil
 }
 
+func restore_v1alpha3_VirtualMachineEncryptionClass(dst, src *vmopv1.VirtualMachine) {
+	dst.Spec.Crypto.ClassName = src.Spec.Crypto.ClassName
+}
+
 func restore_v1alpha3_VirtualMachineImage(dst, src *vmopv1.VirtualMachine) {
 	dst.Spec.Image = src.Spec.Image
 	dst.Spec.ImageName = src.Spec.ImageName
@@ -293,6 +297,7 @@ func (src *VirtualMachine) ConvertTo(dstRaw ctrlconversion.Hub) error {
 	restore_v1alpha3_VirtualMachineSpecNetworkDomainName(dst, restored)
 	restore_v1alpha3_VirtualMachineGuestID(dst, restored)
 	restore_v1alpha3_VirtualMachineCdrom(dst, restored)
+	restore_v1alpha3_VirtualMachineEncryptionClass(dst, restored)
 
 	// END RESTORE
 

api/v1alpha3/virtualmachine_types.go

@@ -41,6 +41,14 @@ const (
 	// VirtualMachineConditionPlacementReady indicates that the placement decision for the VM is ready.
 	VirtualMachineConditionPlacementReady = "VirtualMachineConditionPlacementReady"
 
+	// VirtualMachineEncryptionClassReady indicates that a referenced
+	// EncryptionClass is ready.
+	VirtualMachineEncryptionClassReady = "VirtualMachineEncryptionClassReady"
+
+	// VirtualMachineEncryptionSynced indicates that the VirtualMachine's
+	// encryption state is synced to the desired encryption state.
+	VirtualMachineEncryptionSynced = "VirtualMachineEncryptionSynced"
+
 	// VirtualMachineConditionCreated indicates that the VM has been created.
 	VirtualMachineConditionCreated = "VirtualMachineCreated"
 
@@ -357,6 +365,84 @@ type VirtualMachineCdromSpec struct {
 	AllowGuestControl *bool `json:"allowGuestControl,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=NoOp;DefaultKeyProvider
+
+// VirtualMachineCryptoFallbackMode represents the various fallback modes for
+// when an encrypted VirtualMachine does not specify an encryption class.
+type VirtualMachineCryptoFallbackMode string
+
+const (
+	// VirtualMachinePowerOpModeHard indicates to halt a VM when powering it
+	// off or when suspending a VM to not involve the guest.
+	VirtualMachineCryptoFallbackModeNoOp VirtualMachineCryptoFallbackMode = "NoOp"
+
+	// VirtualMachinePowerOpModeSoft indicates to ask VM Tools running
+	// inside of a VM's guest to shutdown the guest gracefully when powering
+	// off a VM or when suspending a VM to allow the guest to participate.
+	//
+	// If this mode is set on a VM whose guest does not have VM Tools or if
+	// VM Tools is present but the operation fails, the VM may never realize
+	// the desired power state. This can prevent a VM from being deleted as well
+	// as many other unexpected issues. It is recommended to use trySoft
+	// instead.
+	VirtualMachineCryptoFallbackModeDefaultKeyProvider VirtualMachineCryptoFallbackMode = "DefaultKeyProvider"
+)
+
+// VirtualMachineCryptoSpec defines the desired state of a VirtualMachine's
+// encryption state.
+type VirtualMachineCryptoSpec struct {
+	// +optional
+
+	// ClassName describes the name of the EncryptionClass resource
+	// used to encrypt this VM.
+	//
+	// Please note, this field is not required to encrypt the VM. If the
+	// underlying platform has a default key provider, the VM may still be fully
+	// or partially encrypted depending on the specified storage and VM classes.
+	//
+	// If there is a default key provider and an encryption storage class is
+	// selected, the VM's home files and non-PVC disks will be encrypted.
+	//
+	// If there is a default key provider and a and a VM Class with a virtual,
+	// trusted platform module (vTPM) is selected, the VM's home files will be
+	// encrypted.
+	//
+	// If the underlying vSphere platform does not have a default key provider,
+	// then this field is required when specifying an encryption storage class
+	// and/or a VM Class with a vTPM.
+	ClassName string `json:"className,omitempty"`
+
+	// +optional
+	// +kubebuilder:default=true
+
+	// UseDefaultKeyProvider describes the desired behavior for when an explicit
+	// EncryptionClass is not provided.
+	//
+	// When this value is true:
+	//
+	// - If a VirtualMachine is not encrypted, uses an encryption storage
+	//   policy or has a virtual, trusted platform module (vTPM), there is a
+	//   default key provider, and an EncryptionClass is not provided, the VM
+	//   will be encrypted using the default key provider.
+	//
+	// - If a VirtualMachine was encrypted using an EncryptionClass and the
+	//   the field spec.crypto.className is set to an empty value, the VM will
+	//   be rekeyed using the default key provider.
+	//
+	// When this value is false:
+	//
+	// - If a VirtualMachine was encrypted using an EncryptionClass and the
+	//   the field spec.crypto.className is set to an empty value, the VM will
+	//   remain encrypted using its current provider and key ID.
+	//
+	//   Please note, this could result in a VirtualMachine that cannot be
+	//   powered on if the EncryptionClass was removed and its referenced,
+	//   underlying key provider no longer exists.
+	//
+	// Defaults to true if omitted.
+	UseDefaultKeyProvider *bool `json:"useDefaultKeyProvider,omitempty"`
+}
+
 // VirtualMachineSpec defines the desired state of a VirtualMachine.
 type VirtualMachineSpec struct {
 	// +optional
@@ -439,6 +525,11 @@ type VirtualMachineSpec struct {
 
 	// +optional
 
+	// Crypto describes the desired encryption state of the VirtualMachine.
+	Crypto VirtualMachineCryptoSpec `json:"crypto,omitempty"`
+
+	// +optional
+
 	// StorageClass describes the name of a Kubernetes StorageClass resource
 	// used to configure this VM's storage-related attributes.
 	//

config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml

@@ -1007,6 +1007,60 @@ spec:
                           an existing VM on the underlying platform that was not deployed from a
                           VM class.
                         type: string
+                      crypto:
+                        description: Crypto describes the desired encryption state
+                          of the VirtualMachine.
+                        properties:
+                          className:
+                            description: |-
+                              ClassName describes the name of the EncryptionClass resource
+                              used to encrypt this VM.
+
+                              Please note, this field is not required to encrypt the VM. If the
+                              underlying platform has a default key provider, the VM may still be fully
+                              or partially encrypted depending on the specified storage and VM classes.
+
+                              If there is a default key provider and an encryption storage class is
+                              selected, the VM's home files and non-PVC disks will be encrypted.
+
+                              If there is a default key provider and a and a VM Class with a virtual,
+                              trusted platform module (vTPM) is selected, the VM's home files will be
+                              encrypted.
+
+                              If the underlying vSphere platform does not have a default key provider,
+                              then this field is required when specifying an encryption storage class
+                              and/or a VM Class with a vTPM.
+                            type: string
+                          useDefaultKeyProvider:
+                            default: true
+                            description: |-
+                              UseDefaultKeyProvider describes the desired behavior for when an explicit
+                              EncryptionClass is not provided.
+
+                              When this value is true:
+
+                              - If a VirtualMachine is not encrypted, uses an encryption storage
+                                policy or has a virtual, trusted platform module (vTPM), there is a
+                                default key provider, and an EncryptionClass is not provided, the VM
+                                will be encrypted using the default key provider.
+
+                              - If a VirtualMachine was encrypted using an EncryptionClass and the
+                                the field spec.crypto.className is set to an empty value, the VM will
+                                be rekeyed using the default key provider.
+
+                              When this value is false:
+
+                              - If a VirtualMachine was encrypted using an EncryptionClass and the
+                                the field spec.crypto.className is set to an empty value, the VM will
+                                remain encrypted using its current provider and key ID.
+
+                                Please note, this could result in a VirtualMachine that cannot be
+                                powered on if the EncryptionClass was removed and its referenced,
+                                underlying key provider no longer exists.
+
+                              Defaults to true if omitted.
+                            type: boolean
+                        type: object
                       guestID:
                         description: |-
                           GuestID describes the desired guest operating system identifier for a VM.

config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml

@@ -3791,6 +3791,60 @@ spec:
                   an existing VM on the underlying platform that was not deployed from a
                   VM class.
                 type: string
+              crypto:
+                description: Crypto describes the desired encryption state of the
+                  VirtualMachine.
+                properties:
+                  className:
+                    description: |-
+                      ClassName describes the name of the EncryptionClass resource
+                      used to encrypt this VM.
+
+                      Please note, this field is not required to encrypt the VM. If the
+                      underlying platform has a default key provider, the VM may still be fully
+                      or partially encrypted depending on the specified storage and VM classes.
+
+                      If there is a default key provider and an encryption storage class is
+                      selected, the VM's home files and non-PVC disks will be encrypted.
+
+                      If there is a default key provider and a and a VM Class with a virtual,
+                      trusted platform module (vTPM) is selected, the VM's home files will be
+                      encrypted.
+
+                      If the underlying vSphere platform does not have a default key provider,
+                      then this field is required when specifying an encryption storage class
+                      and/or a VM Class with a vTPM.
+                    type: string
+                  useDefaultKeyProvider:
+                    default: true
+                    description: |-
+                      UseDefaultKeyProvider describes the desired behavior for when an explicit
+                      EncryptionClass is not provided.
+
+                      When this value is true:
+
+                      - If a VirtualMachine is not encrypted, uses an encryption storage
+                        policy or has a virtual, trusted platform module (vTPM), there is a
+                        default key provider, and an EncryptionClass is not provided, the VM
+                        will be encrypted using the default key provider.
+
+                      - If a VirtualMachine was encrypted using an EncryptionClass and the
+                        the field spec.crypto.className is set to an empty value, the VM will
+                        be rekeyed using the default key provider.
+
+                      When this value is false:
+
+                      - If a VirtualMachine was encrypted using an EncryptionClass and the
+                        the field spec.crypto.className is set to an empty value, the VM will
+                        remain encrypted using its current provider and key ID.
+
+                        Please note, this could result in a VirtualMachine that cannot be
+                        powered on if the EncryptionClass was removed and its referenced,
+                        underlying key provider no longer exists.
+
+                      Defaults to true if omitted.
+                    type: boolean
+                type: object
               guestID:
                 description: |-
                   GuestID describes the desired guest operating system identifier for a VM.