Support PVCs with BYOK

This patch allows PVCs to be attached to VMs encrypted with BYOK.
vmware-tanzu · Oct 17, 2024 · 0bad8f4 · 0bad8f4
1 parent 8c5e06c
commit 0bad8f4
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 72 deletions.
diff --git a/webhooks/virtualmachine/validation/virtualmachine_validator.go b/webhooks/virtualmachine/validation/virtualmachine_validator.go
@@ -827,40 +827,29 @@ func (v validator) validateVolumes(ctx *pkgctx.WebhookRequestContext, vm *vmopv1
 		if vol.PersistentVolumeClaim == nil {
 			allErrs = append(allErrs, field.Required(volPath.Child("persistentVolumeClaim"), ""))
 		} else {
-			allErrs = append(allErrs, v.validateVolumeWithPVC(ctx, vm, vol, volPath)...)
+			allErrs = append(allErrs, v.validateVolumeWithPVC(vol, volPath)...)
 		}
 	}
 
 	return allErrs
 }
 
 func (v validator) validateVolumeWithPVC(
-	ctx *pkgctx.WebhookRequestContext,
-	vm *vmopv1.VirtualMachine,
 	vol vmopv1.VirtualMachineVolume,
 	volPath *field.Path) field.ErrorList {
 
 	var (
-		allErrs      field.ErrorList
-		encClassName string
-		pvcPath      = volPath.Child("persistentVolumeClaim")
-		claimName    = vol.PersistentVolumeClaim.ClaimName
+		allErrs   field.ErrorList
+		pvcPath   = volPath.Child("persistentVolumeClaim")
+		claimName = vol.PersistentVolumeClaim.ClaimName
 	)
 
-	if vm.Spec.Crypto != nil {
-		encClassName = vm.Spec.Crypto.EncryptionClassName
-	}
-
 	if claimName == "" {
 		allErrs = append(
 			allErrs,
 			field.Required(pvcPath.Child("claimName"), ""))
-	} else if encClassName != "" && pkgcfg.FromContext(ctx).Features.BringYourOwnEncryptionKey {
-		allErrs = append(allErrs, field.Invalid(
-			pvcPath.Child("claimName"),
-			claimName,
-			fmt.Sprintf(invalidPVCBYOKFmt, encClassName)))
 	}
+
 	if vol.PersistentVolumeClaim.ReadOnly {
 		allErrs = append(allErrs, field.NotSupported(pvcPath.Child("readOnly"), true, []string{"false"}))
 	}

diff --git a/webhooks/virtualmachine/validation/virtualmachine_validator_unit_test.go b/webhooks/virtualmachine/validation/virtualmachine_validator_unit_test.go
@@ -860,7 +860,7 @@ func unitTestsValidateCreate() {
 					`spec.crypto.encryptionClassName: Invalid value: "fake": requires spec.storageClass specify an encryption storage class`),
 			},
 		),
-		Entry("disallow volume when spec.crypto.encryptionClassName is non-empty when FSS_WCP_VMSERVICE_BYOK is enabled",
+		Entry("allow volume when spec.crypto.encryptionClassName is non-empty when FSS_WCP_VMSERVICE_BYOK is enabled",
 			testParams{
 				setup: func(ctx *unitValidatingWebhookContext) {
 					storageClass1 := builder.DummyStorageClass()
@@ -902,61 +902,6 @@ func unitTestsValidateCreate() {
 						config.Features.BringYourOwnEncryptionKey = true
 					})
 				},
-				validate: doValidateWithMsg(
-					`spec.volumes[0].persistentVolumeClaim.claimName: Invalid value: "dummyPVCName": cannot attach volume to vm with spec.crypto.encryptionClassName="fake"`),
-			},
-		),
-		Entry("allow volume when spec.crypto.encryptionClassName is empty when FSS_WCP_VMSERVICE_BYOK is enabled",
-			testParams{
-				setup: func(ctx *unitValidatingWebhookContext) {
-					storageClass1 := builder.DummyStorageClass()
-					Expect(ctx.Client.Create(ctx, storageClass1)).To(Succeed())
-
-					storageClass2 := builder.DummyStorageClass()
-					storageClass2.Name += "2"
-					Expect(ctx.Client.Create(ctx, storageClass2)).To(Succeed())
-
-					resourceQuota := builder.DummyResourceQuota(
-						ctx.vm.Namespace,
-						storageClass1.Name+".storageclass.storage.k8s.io/persistentvolumeclaims",
-						storageClass2.Name+".storageclass.storage.k8s.io/persistentvolumeclaims")
-					Expect(ctx.Client.Create(ctx, resourceQuota)).To(Succeed())
-
-					pvc := builder.DummyPersistentVolumeClaim()
-					pvc.Name = builder.DummyPVCName
-					pvc.Namespace = ctx.vm.Namespace
-					pvc.Spec.StorageClassName = ptr.To(storageClass2.Name)
-					Expect(ctx.Client.Create(ctx, pvc)).To(Succeed())
-
-					ctx.vm.Spec.StorageClass = storageClass1.Name
-					ctx.vm.Spec.Crypto = &vmopv1.VirtualMachineCryptoSpec{}
-
-					var vmStorageClass storagev1.StorageClass
-					Expect(ctx.Client.Get(
-						ctx,
-						client.ObjectKey{Name: ctx.vm.Spec.StorageClass},
-						&vmStorageClass)).To(Succeed())
-					Expect(kubeutil.MarkEncryptedStorageClass(
-						ctx,
-						ctx.Client,
-						vmStorageClass,
-						false)).To(Succeed())
-
-					var pvcStorageClass storagev1.StorageClass
-					Expect(ctx.Client.Get(
-						ctx,
-						client.ObjectKey{Name: *pvc.Spec.StorageClassName},
-						&pvcStorageClass)).To(Succeed())
-					Expect(kubeutil.MarkEncryptedStorageClass(
-						ctx,
-						ctx.Client,
-						pvcStorageClass,
-						false)).To(Succeed())
-
-					pkgcfg.SetContext(ctx, func(config *pkgcfg.Config) {
-						config.Features.BringYourOwnEncryptionKey = true
-					})
-				},
 				expectAllowed: true,
 			},
 		),