Remove all references to WCP_VMService_BYOK FSS

nikolay-andreev · nikolay-andreev · commit 81280e3b9f30 · 2025-08-01T13:40:33.000+03:00
Signed-off-by: Nikolay Andreev &lt;nikolay.andreev@broadcom.com&gt;
diff --git a/cmd/syncer/main.go b/cmd/syncer/main.go
@@ -378,8 +378,7 @@ func initSyncerComponents(ctx context.Context, clusterFlavor cnstypes.CnsCluster
 			}
 		}()
 
-		if clusterFlavor == cnstypes.CnsClusterFlavorWorkload &&
-			commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK) {
+		if clusterFlavor == cnstypes.CnsClusterFlavorWorkload {
 			// Start BYOK Operator for Supervisor clusters.
 			go func() {
 				defer func() {
diff --git a/manifests/supervisorcluster/1.28/cns-csi.yaml b/manifests/supervisorcluster/1.28/cns-csi.yaml
@@ -505,7 +505,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
 kind: ConfigMap
 metadata:
   name: csi-feature-states
diff --git a/manifests/supervisorcluster/1.29/cns-csi.yaml b/manifests/supervisorcluster/1.29/cns-csi.yaml
@@ -563,7 +563,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"
   "linked-clone-support": "false"
diff --git a/manifests/supervisorcluster/1.30/cns-csi.yaml b/manifests/supervisorcluster/1.30/cns-csi.yaml
@@ -567,7 +567,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"
diff --git a/manifests/supervisorcluster/1.31/cns-csi.yaml b/manifests/supervisorcluster/1.31/cns-csi.yaml
@@ -567,7 +567,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"
diff --git a/manifests/supervisorcluster/1.32/cns-csi.yaml b/manifests/supervisorcluster/1.32/cns-csi.yaml
@@ -566,7 +566,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "linked-clone-support": "false"
diff --git a/pkg/csi/service/common/constants.go b/pkg/csi/service/common/constants.go
@@ -440,8 +440,6 @@ const (
 	MultipleClustersPerVsphereZone = "supports_multiple_clusters_per_zone"
 	// VPCCapabilitySupervisor is a supervisor capability indicating if VPC FSS is enabled
 	VPCCapabilitySupervisor = "VPC_Supported"
-	// WCP_VMService_BYOK_FSS enables Bring Your Own Key (BYOK) capabilities.
-	WCP_VMService_BYOK = "WCP_VMService_BYOK"
 	// SVPVCSnapshotProtectionFinalizer is FSS that controls add/remove
 	// CNS finalizer on supervisor PVC/Snapshots from PVCSI
 	SVPVCSnapshotProtectionFinalizer = "sv-pvc-snapshot-protection-finalizer"
diff --git a/pkg/csi/service/common/vsphereutil.go b/pkg/csi/service/common/vsphereutil.go
@@ -58,7 +58,6 @@ type CreateBlockVolumeOptions struct {
 	FilterSuspendedDatastores,
 	UseSupervisorId,
 	IsVdppOnStretchedSvFssEnabled bool
-	IsByokEnabled                  bool
 	IsCSITransactionSupportEnabled bool
 	VolFromSnapshotOnTargetDs      bool
 }
@@ -371,31 +370,28 @@ func CreateBlockVolumeUtil(
 				log.Infof("VolFromSnapshotOnTargetDs is enabled, skip the compatible datastore check")
 			}
 		}
-		if opts.IsByokEnabled {
-			// Retrieve the encryption key ID from the source volume
-			snapshotVolumeCryptoKeyID, err = QueryVolumeCryptoKeyByID(ctx, manager.VolumeManager, cnsVolumeID)
-			if err != nil {
-				return nil, csifault.CSIInternalFault, logger.LogNewErrorf(log,
-					"failed to query volume crypto key for the snapshot %s with error %+v",
-					spec.ContentSourceSnapshotID, err)
-			}
+
+		// Retrieve the encryption key ID from the source volume
+		snapshotVolumeCryptoKeyID, err = QueryVolumeCryptoKeyByID(ctx, manager.VolumeManager, cnsVolumeID)
+		if err != nil {
+			return nil, csifault.CSIInternalFault, logger.LogNewErrorf(log,
+				"failed to query volume crypto key for the snapshot %s with error %+v",
+				spec.ContentSourceSnapshotID, err)
 		}
 	}
 
-	if opts.IsByokEnabled {
-		// Build crypto spec for the new volume.
-		var cryptoKeyID *vim25types.CryptoKeyId
-		if spec.CryptoKeyID != nil {
-			cryptoKeyID = &vim25types.CryptoKeyId{
-				KeyId:      spec.CryptoKeyID.KeyID,
-				ProviderId: &vim25types.KeyProviderId{Id: spec.CryptoKeyID.KeyProvider},
-			}
+	// Build crypto spec for the new volume.
+	var cryptoKeyID *vim25types.CryptoKeyId
+	if spec.CryptoKeyID != nil {
+		cryptoKeyID = &vim25types.CryptoKeyId{
+			KeyId:      spec.CryptoKeyID.KeyID,
+			ProviderId: &vim25types.KeyProviderId{Id: spec.CryptoKeyID.KeyProvider},
 		}
+	}
 
-		cryptoSpec := createCryptoSpec(snapshotVolumeCryptoKeyID, cryptoKeyID)
-		if cryptoSpec != nil {
-			createSpec.CreateSpec = &cnstypes.CnsBlockCreateSpec{CryptoSpec: cryptoSpec}
-		}
+	cryptoSpec := createCryptoSpec(snapshotVolumeCryptoKeyID, cryptoKeyID)
+	if cryptoSpec != nil {
+		createSpec.CreateSpec = &cnstypes.CnsBlockCreateSpec{CryptoSpec: cryptoSpec}
 	}
 
 	log.Debugf("vSphere CSI driver creating volume %s with create spec %+v", spec.Name, spew.Sdump(createSpec))
diff --git a/pkg/csi/service/wcp/controller.go b/pkg/csi/service/wcp/controller.go
@@ -179,13 +179,9 @@ func (c *controller) Init(config *cnsconfig.Config, version string) error {
 		return logger.LogNewErrorf(log, "failed to create an instance of volume manager. err=%v", err)
 	}
 
-	var cryptoClient crypto.Client
-
-	if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK) {
-		var err error
-		if cryptoClient, err = crypto.NewClientWithDefaultConfig(ctx); err != nil {
-			return logger.LogNewErrorf(log, "failed to create an instance of crypto client. err=%v", err)
-		}
+	cryptoClient, err := crypto.NewClientWithDefaultConfig(ctx)
+	if err != nil {
+		return logger.LogNewErrorf(log, "failed to create an instance of crypto client. err=%v", err)
 	}
 
 	c.manager = &common.Manager{
@@ -770,20 +766,17 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 	}
 
 	var cryptoKeyID *common.CryptoKeyID
-	isByokEnabled := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK)
-	if isByokEnabled {
-		if encClass, err := c.manager.CryptoClient.GetEncryptionClassForPVC(
-			ctx,
-			pvcName,
-			pvcNamespace); err != nil {
+	if encClass, err := c.manager.CryptoClient.GetEncryptionClassForPVC(
+		ctx,
+		pvcName,
+		pvcNamespace); err != nil {
 
-			return nil, csifault.CSIInternalFault, logger.LogNewErrorCodef(log, codes.Internal,
-				"failed to get encryption class for PVC. Error: %+v", err)
-		} else if encClass != nil {
-			cryptoKeyID = &common.CryptoKeyID{
-				KeyID:       encClass.Spec.KeyID,
-				KeyProvider: encClass.Spec.KeyProvider,
-			}
+		return nil, csifault.CSIInternalFault, logger.LogNewErrorCodef(log, codes.Internal,
+			"failed to get encryption class for PVC. Error: %+v", err)
+	} else if encClass != nil {
+		cryptoKeyID = &common.CryptoKeyID{
+			KeyID:       encClass.Spec.KeyID,
+			KeyProvider: encClass.Spec.KeyProvider,
 		}
 	}
 
@@ -807,7 +800,6 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 		FilterSuspendedDatastores:      filterSuspendedDatastores,
 		UseSupervisorId:                isTKGSHAEnabled,
 		IsVdppOnStretchedSvFssEnabled:  isVdppOnStretchedSVEnabled,
-		IsByokEnabled:                  isByokEnabled,
 		IsCSITransactionSupportEnabled: isCSITransactionSupportEnabled,
 		VolFromSnapshotOnTargetDs:      volFromSnapshotOnTargetDs,
 	}
diff --git a/pkg/syncer/admissionhandler/admissionhandler.go b/pkg/syncer/admissionhandler/admissionhandler.go
@@ -59,7 +59,6 @@ var (
 	featureGateBlockVolumeSnapshotEnabled     bool
 	featureGateTKGSHaEnabled                  bool
 	featureGateTopologyAwareFileVolumeEnabled bool
-	featureGateByokEnabled                    bool
 	featureFileVolumesWithVmServiceEnabled    bool
 	featureIsSharedDiskEnabled                bool
 	featureIsLinkedCloneSupportEnabled        bool
@@ -146,7 +145,6 @@ func StartWebhookServer(ctx context.Context, enableWebhookClientCertVerification
 	if clusterFlavor == cnstypes.CnsClusterFlavorWorkload {
 		featureGateTKGSHaEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.TKGsHA)
 		featureGateBlockVolumeSnapshotEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.BlockVolumeSnapshot)
-		featureGateByokEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK)
 		featureIsSharedDiskEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.SharedDiskFss)
 		featureFileVolumesWithVmServiceEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx,
 			common.FileVolumesWithVmService)
diff --git a/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go b/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go
@@ -107,20 +107,20 @@ func startCNSCSIWebhookManager(ctx context.Context, enableWebhookClientCertVerif
 			ClientCAName: clientCAName,
 		})}
 
-	if featureGateByokEnabled {
-		var err error
-		if mgrOpts.Scheme, err = crypto.NewK8sScheme(); err != nil {
-			return err
-		}
+	schema, err := crypto.NewK8sScheme()
+	if err != nil {
+		return err
+	}
+
+	mgrOpts.Scheme = schema
 
-		mgrOpts.Client = client.Options{
-			Cache: &client.CacheOptions{
-				DisableFor: []client.Object{
-					&corev1.ConfigMap{},
-					&corev1.Secret{},
-				},
+	mgrOpts.Client = client.Options{
+		Cache: &client.CacheOptions{
+			DisableFor: []client.Object{
+				&corev1.ConfigMap{},
+				&corev1.Secret{},
 			},
-		}
+		},
 	}
 
 	mgr, err := manager.New(crConfig.GetConfigOrDie(), mgrOpts)
@@ -172,12 +172,11 @@ func (h *CSISupervisorWebhook) Handle(ctx context.Context, req admission.Request
 
 	resp = admission.Allowed("")
 	if req.Kind.Kind == "PersistentVolumeClaim" {
-		if featureGateByokEnabled {
-			resp = validatePVCRequestForCrypto(ctx, h.CryptoClient, req)
-			if !resp.Allowed {
-				return
-			}
+		resp = validatePVCRequestForCrypto(ctx, h.CryptoClient, req)
+		if !resp.Allowed {
+			return
 		}
+
 		if featureGateTKGSHaEnabled {
 			resp = validatePVCAnnotationForTKGSHA(ctx, req)
 			if !resp.Allowed {
@@ -289,12 +288,10 @@ func (h *CSISupervisorMutationWebhook) mutateNewPVC(ctx context.Context, req adm
 
 	var wasMutated bool
 
-	if featureGateByokEnabled {
-		if ok, err := setDefaultEncryptionClass(ctx, h.CryptoClient, newPVC); err != nil {
-			return admission.Denied(err.Error())
-		} else if ok {
-			wasMutated = true
-		}
+	if ok, err := setDefaultEncryptionClass(ctx, h.CryptoClient, newPVC); err != nil {
+		return admission.Denied(err.Error())
+	} else if ok {
+		wasMutated = true
 	}
 
 	if featureIsLinkedCloneSupportEnabled &&

Original file line number	Diff line number	Diff line change
`@@ -378,8 +378,7 @@ func initSyncerComponents(ctx context.Context, clusterFlavor cnstypes.CnsCluster`
`378`	`378`	`}`
`379`	`379`	`}()`
`380`	`380`
`381`		`- if clusterFlavor == cnstypes.CnsClusterFlavorWorkload &&`
`382`		`- commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK) {`
	`381`	`+ if clusterFlavor == cnstypes.CnsClusterFlavorWorkload {`
`383`	`382`	`// Start BYOK Operator for Supervisor clusters.`
`384`	`383`	`go func() {`
`385`	`384`	`defer func() {`