Clarify storage class requirement for crypto.encryptionClassName API (#…

…747)
vmware-tanzu · Oct 15, 2024 · ddd2c56 · ddd2c56
1 parent 8797c6d
commit ddd2c56
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 1 deletion.
diff --git a/api/v1alpha3/virtualmachine_types.go b/api/v1alpha3/virtualmachine_types.go
@@ -344,6 +344,9 @@ type VirtualMachineCryptoSpec struct {
 	// If the underlying vSphere platform does not have a default key provider,
 	// then this field is required when specifying an encryption storage class
 	// and/or a VM Class with a vTPM.
+	//
+	// If this field is set, spec.storageClass must use an encryption-enabled
+	// storage class.
 	EncryptionClassName string `json:"encryptionClassName,omitempty"`
 
 	// +optional

diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml
@@ -1034,6 +1034,9 @@ spec:
                               If the underlying vSphere platform does not have a default key provider,
                               then this field is required when specifying an encryption storage class
                               and/or a VM Class with a vTPM.
+
+                              If this field is set, spec.storageClass must use an encryption-enabled
+                              storage class.
                             type: string
                           useDefaultKeyProvider:
                             default: true

diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml
@@ -3818,6 +3818,9 @@ spec:
                       If the underlying vSphere platform does not have a default key provider,
                       then this field is required when specifying an encryption storage class
                       and/or a VM Class with a vTPM.
+
+                      If this field is set, spec.storageClass must use an encryption-enabled
+                      storage class.
                     type: string
                   useDefaultKeyProvider:
                     default: true

diff --git a/docs/ref/api/v1alpha3.md b/docs/ref/api/v1alpha3.md
@@ -826,7 +826,10 @@ minus any virtual disks, will be encrypted.
 
 If the underlying vSphere platform does not have a default key provider,
 then this field is required when specifying an encryption storage class
-and/or a VM Class with a vTPM. |
+and/or a VM Class with a vTPM.
+
+If this field is set, spec.storageClass must use an encryption-enabled
+storage class. |
 | `useDefaultKeyProvider` _boolean_ | UseDefaultKeyProvider describes the desired behavior for when an explicit
 EncryptionClass is not provided.
 

diff --git a/webhooks/virtualmachine/validation/virtualmachine_validator.go b/webhooks/virtualmachine/validation/virtualmachine_validator.go
@@ -514,6 +514,9 @@ func (v validator) validateCrypto(
 		allErrs = append(allErrs, field.InternalError(encClassNamePath, err))
 
 	} else if !ok {
+		// Return an error on the "vm.Spec.Crypto.EncryptionClassName" path
+		// instead of "vm.Spec.StorageClass" because the storage class is
+		// invalid due to the user's choice of encryption class name.
 		allErrs = append(allErrs, field.Invalid(
 			encClassNamePath,
 			vm.Spec.Crypto.EncryptionClassName,