Support Bring Your Own (Encryption) Key (BYOK)

This patch adds support for bringing your own encryption key used to encrypt/recrypt VMs.
vmware-tanzu · Sep 16, 2024 · e68a64a · e68a64a
1 parent 14b7303
commit e68a64a
Show file tree

Hide file tree

Showing 36 changed files with 4,063 additions and 19 deletions.
diff --git a/api/v1alpha1/virtualmachine_conversion.go b/api/v1alpha1/virtualmachine_conversion.go
@@ -822,6 +822,10 @@ func Convert_v1alpha3_VirtualMachineStatus_To_v1alpha1_VirtualMachineStatus(
 	return nil
 }
 
+func restore_v1alpha3_VirtualMachineEncryptionClass(dst, src *vmopv1.VirtualMachine) {
+	dst.Spec.Crypto.ClassName = src.Spec.Crypto.ClassName
+}
+
 func restore_v1alpha3_VirtualMachineImage(dst, src *vmopv1.VirtualMachine) {
 	dst.Spec.Image = src.Spec.Image
 	dst.Spec.ImageName = src.Spec.ImageName
@@ -1239,6 +1243,7 @@ func (src *VirtualMachine) ConvertTo(dstRaw ctrlconversion.Hub) error {
 	restore_v1alpha3_VirtualMachineInstanceUUID(dst, restored)
 	restore_v1alpha3_VirtualMachineGuestID(dst, restored)
 	restore_v1alpha3_VirtualMachineCdrom(dst, restored)
+	restore_v1alpha3_VirtualMachineEncryptionClass(dst, restored)
 
 	// END RESTORE
 

diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go
diff --git a/api/v1alpha2/virtualmachine_conversion.go b/api/v1alpha2/virtualmachine_conversion.go
@@ -142,6 +142,10 @@ func Convert_v1alpha3_VirtualMachine_To_v1alpha2_VirtualMachine(
 	return nil
 }
 
+func restore_v1alpha3_VirtualMachineEncryptionClass(dst, src *vmopv1.VirtualMachine) {
+	dst.Spec.Crypto.ClassName = src.Spec.Crypto.ClassName
+}
+
 func restore_v1alpha3_VirtualMachineImage(dst, src *vmopv1.VirtualMachine) {
 	dst.Spec.Image = src.Spec.Image
 	dst.Spec.ImageName = src.Spec.ImageName
@@ -293,6 +297,7 @@ func (src *VirtualMachine) ConvertTo(dstRaw ctrlconversion.Hub) error {
 	restore_v1alpha3_VirtualMachineSpecNetworkDomainName(dst, restored)
 	restore_v1alpha3_VirtualMachineGuestID(dst, restored)
 	restore_v1alpha3_VirtualMachineCdrom(dst, restored)
+	restore_v1alpha3_VirtualMachineEncryptionClass(dst, restored)
 
 	// END RESTORE
 

diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go
diff --git a/api/v1alpha3/virtualmachine_types.go b/api/v1alpha3/virtualmachine_types.go
@@ -41,6 +41,10 @@ const (
 	// VirtualMachineConditionPlacementReady indicates that the placement decision for the VM is ready.
 	VirtualMachineConditionPlacementReady = "VirtualMachineConditionPlacementReady"
 
+	// VirtualMachineEncryptionSynced indicates that the VirtualMachine's
+	// encryption state is synced to the desired encryption state.
+	VirtualMachineEncryptionSynced = "VirtualMachineEncryptionSynced"
+
 	// VirtualMachineConditionCreated indicates that the VM has been created.
 	VirtualMachineConditionCreated = "VirtualMachineCreated"
 
@@ -357,6 +361,65 @@ type VirtualMachineCdromSpec struct {
 	AllowGuestControl *bool `json:"allowGuestControl,omitempty"`
 }
 
+// VirtualMachineCryptoSpec defines the desired state of a VirtualMachine's
+// encryption state.
+type VirtualMachineCryptoSpec struct {
+	// +optional
+
+	// ClassName describes the name of the EncryptionClass resource
+	// used to encrypt this VM.
+	//
+	// Please note, this field is not required to encrypt the VM. If the
+	// underlying platform has a default key provider, the VM may still be fully
+	// or partially encrypted depending on the specified storage and VM classes.
+	//
+	// If there is a default key provider and an encryption storage class is
+	// selected, the VM's home files and non-PVC disks will be encrypted.
+	//
+	// If there is a default key provider and a and a VM Class with a virtual,
+	// trusted platform module (vTPM) is selected, the VM's home files will be
+	// encrypted.
+	//
+	// If the underlying vSphere platform does not have a default key provider,
+	// then this field is required when specifying an encryption storage class
+	// and/or a VM Class with a vTPM.
+	ClassName string `json:"className,omitempty"`
+
+	// +optional
+	// +kubebuilder:default=true
+
+	// UseDefaultKeyProvider describes the desired behavior for when an explicit
+	// EncryptionClass is not provided.
+	//
+	// When an explicit EncryptionClass is not provided and this value is true:
+	//
+	// - Deploying a VirtualMachine with an encryption storage policy or vTPM
+	//   will be encrypted using the default key provider.
+	//
+	// - If a VirtualMachine is not encrypted, uses an encryption storage
+	//   policy or has a virtual, trusted platform module (vTPM), there is a
+	//   default key provider, the VM will be encrypted using the default key
+	//   provider.
+	//
+	// - If a VirtualMachine is encrypted with a provider other than the default
+	//   key provider, the VM will be rekeyed using the default key provider.
+	//
+	// When an explicit EncryptionClass is not provided and this value is false:
+	//
+	// - Deploying a VirtualMachine with an encryption storage policy or vTPM
+	//   will fail.
+	//
+	// - If a VirtualMachine is encrypted with a provider other than the default
+	//   key provider, the VM will be not be rekeyed.
+	//
+	//   Please note, this could result in a VirtualMachine that cannot be
+	//   powered on since it is encrypted using a provider that may have been
+	//   removed.
+	//
+	// Defaults to true if omitted.
+	UseDefaultKeyProvider *bool `json:"useDefaultKeyProvider,omitempty"`
+}
+
 // VirtualMachineSpec defines the desired state of a VirtualMachine.
 type VirtualMachineSpec struct {
 	// +optional
@@ -439,6 +502,11 @@ type VirtualMachineSpec struct {
 
 	// +optional
 
+	// Crypto describes the desired encryption state of the VirtualMachine.
+	Crypto VirtualMachineCryptoSpec `json:"crypto,omitempty"`
+
+	// +optional
+
 	// StorageClass describes the name of a Kubernetes StorageClass resource
 	// used to configure this VM's storage-related attributes.
 	//

diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go
diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml
@@ -1007,6 +1007,64 @@ spec:
                           an existing VM on the underlying platform that was not deployed from a
                           VM class.
                         type: string
+                      crypto:
+                        description: Crypto describes the desired encryption state
+                          of the VirtualMachine.
+                        properties:
+                          className:
+                            description: |-
+                              ClassName describes the name of the EncryptionClass resource
+                              used to encrypt this VM.
+
+                              Please note, this field is not required to encrypt the VM. If the
+                              underlying platform has a default key provider, the VM may still be fully
+                              or partially encrypted depending on the specified storage and VM classes.
+
+                              If there is a default key provider and an encryption storage class is
+                              selected, the VM's home files and non-PVC disks will be encrypted.
+
+                              If there is a default key provider and a and a VM Class with a virtual,
+                              trusted platform module (vTPM) is selected, the VM's home files will be
+                              encrypted.
+
+                              If the underlying vSphere platform does not have a default key provider,
+                              then this field is required when specifying an encryption storage class
+                              and/or a VM Class with a vTPM.
+                            type: string
+                          useDefaultKeyProvider:
+                            default: true
+                            description: |-
+                              UseDefaultKeyProvider describes the desired behavior for when an explicit
+                              EncryptionClass is not provided.
+
+                              When an explicit EncryptionClass is not provided and this value is true:
+
+                              - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                                will be encrypted using the default key provider.
+
+                              - If a VirtualMachine is not encrypted, uses an encryption storage
+                                policy or has a virtual, trusted platform module (vTPM), there is a
+                                default key provider, the VM will be encrypted using the default key
+                                provider.
+
+                              - If a VirtualMachine is encrypted with a provider other than the default
+                                key provider, the VM will be rekeyed using the default key provider.
+
+                              When an explicit EncryptionClass is not provided and this value is false:
+
+                              - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                                will fail.
+
+                              - If a VirtualMachine is encrypted with a provider other than the default
+                                key provider, the VM will be not be rekeyed.
+
+                                Please note, this could result in a VirtualMachine that cannot be
+                                powered on since it is encrypted using a provider that may have been
+                                removed.
+
+                              Defaults to true if omitted.
+                            type: boolean
+                        type: object
                       guestID:
                         description: |-
                           GuestID describes the desired guest operating system identifier for a VM.

diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml
@@ -3791,6 +3791,64 @@ spec:
                   an existing VM on the underlying platform that was not deployed from a
                   VM class.
                 type: string
+              crypto:
+                description: Crypto describes the desired encryption state of the
+                  VirtualMachine.
+                properties:
+                  className:
+                    description: |-
+                      ClassName describes the name of the EncryptionClass resource
+                      used to encrypt this VM.
+
+                      Please note, this field is not required to encrypt the VM. If the
+                      underlying platform has a default key provider, the VM may still be fully
+                      or partially encrypted depending on the specified storage and VM classes.
+
+                      If there is a default key provider and an encryption storage class is
+                      selected, the VM's home files and non-PVC disks will be encrypted.
+
+                      If there is a default key provider and a and a VM Class with a virtual,
+                      trusted platform module (vTPM) is selected, the VM's home files will be
+                      encrypted.
+
+                      If the underlying vSphere platform does not have a default key provider,
+                      then this field is required when specifying an encryption storage class
+                      and/or a VM Class with a vTPM.
+                    type: string
+                  useDefaultKeyProvider:
+                    default: true
+                    description: |-
+                      UseDefaultKeyProvider describes the desired behavior for when an explicit
+                      EncryptionClass is not provided.
+
+                      When an explicit EncryptionClass is not provided and this value is true:
+
+                      - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                        will be encrypted using the default key provider.
+
+                      - If a VirtualMachine is not encrypted, uses an encryption storage
+                        policy or has a virtual, trusted platform module (vTPM), there is a
+                        default key provider, the VM will be encrypted using the default key
+                        provider.
+
+                      - If a VirtualMachine is encrypted with a provider other than the default
+                        key provider, the VM will be rekeyed using the default key provider.
+
+                      When an explicit EncryptionClass is not provided and this value is false:
+
+                      - Deploying a VirtualMachine with an encryption storage policy or vTPM
+                        will fail.
+
+                      - If a VirtualMachine is encrypted with a provider other than the default
+                        key provider, the VM will be not be rekeyed.
+
+                        Please note, this could result in a VirtualMachine that cannot be
+                        powered on since it is encrypted using a provider that may have been
+                        removed.
+
+                      Defaults to true if omitted.
+                    type: boolean
+                type: object
               guestID:
                 description: |-
                   GuestID describes the desired guest operating system identifier for a VM.

diff --git a/config/crd/external-crds/vmencryption.vmware.com_encryptionclasses.yaml b/config/crd/external-crds/vmencryption.vmware.com_encryptionclasses.yaml
@@ -49,16 +49,16 @@ spec:
             description: EncryptionClassSpec defines the desired state of EncryptionClass.
             properties:
               keyID:
-                description: KeyID describes the key used to encrypt/recrypt/decrypt
-                  resources.
+                description: |-
+                  KeyID describes the key used to encrypt/recrypt/decrypt resources.
+                  When omitted, a key will be generated from the specified provider.
                 type: string
               keyProvider:
                 description: |-
                   KeyProvider describes the key provider used to encrypt/recrypt/decrypt
                   resources.
                 type: string
             required:
-            - keyID
             - keyProvider
             type: object
           status: