Merge pull request #56655 from lpettyjo/OSDOCS-5223

OSDOCS-5223: vSphere encryption

Author: lpettyjo

modules/persistent-storage-csi-vsphere-encryption-datastore-url.adoc

@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-vsphere.adoc
+//
+
+:content-type: PROCEDURE
+[id="persistent-storage-csi-vsphere-encryption-datastore-url_{context}"]
+= Using datastore URL
+
+.Procedure
+
+To encrypt using the datastore URL:
+
+. Find out the name of the default storage policy in your datastore that supports encryption. 
++
+This is same policy that was used for encrypting your VMs. 
+
+. Create a storage class that uses this storage policy:
++
+[source, yaml]
+----
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: encryption
+provisioner: csi.vsphere.vmware.com
+parameters:
+ storagePolicyName: <storage-policy-name> <1>
+ datastoreurl: "ds:///vmfs/volumes/vsan:522e875627d-b090c96b526bb79c/"
+----
+<1> Name of default storage policy in your datastore that supports encryption

modules/persistent-storage-csi-vsphere-encryption-tag-based.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// storage/container_storage_interface/persistent-storage-csi-vsphere.adoc
+//
+
+:content-type: PROCEDURE
+[id="persistent-storage-csi-vsphere-encryption-tag-based_{context}"]
+= Using tag-based placement
+
+.Procedure
+
+To encrypt using tag-based placement:
+
+. In vCenter create a category for tagging datastores that will be made available to this storage class. Also, ensure that *StoragePod(Datastore clusters)*, *Datastore*, and *Folder* are selected as Associable Entities for the created category.
+
+. In vCenter, create a tag that uses the category created earlier.
+
+. Assign the previously created tag to each datastore that will be made available to the storage class. Make sure that datastores are shared with hosts participating in the {product-title} cluster.
+
+. In vCenter, from the main menu, click *Policies and Profiles*.
+
+. On the *Policies and Profiles* page, in the navigation pane, click *VM Storage Policies*.
+
+. Click *CREATE*.
+
+. Type a name for the storage policy.
+
+. Select *Enable host based rules* and *Enable tag based placement rules*.
+
+. In the *Next* tab:
+
+.. Select *Encryption* and *Default Encryption Properties*.
+
+.. Select the tag category created earlier, and select tag selected. Verify that the policy is selecting matching datastores.
+
+. Create the storage policy.
+
+. Create a storage class that uses the storage policy:
++
+[source, yaml]
+----
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name:  csi-encrypted  
+provisioner: csi.vsphere.vmware.com
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+parameters:
+ storagePolicyName: <storage-policy-name> <1>
+----
+<1> Name of the storage policy that you created for encryption

storage/container_storage_interface/persistent-storage-csi-vsphere.adoc

@@ -51,7 +51,38 @@ include::modules/persistent-storage-csi-vsphere-install-issues.adoc[leveloffset=
 include::modules/persistent-storage-csi-vsphere-top-aware.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
-* https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vcenter-esxi-management/GUID-16422FF7-235B-4A44-92E2-532F6AED0923.html?hWord=N4IghgNiBcIC5gOYgL5A[VMware vSphere tag documenation]
+* https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vcenter-esxi-management/GUID-16422FF7-235B-4A44-92E2-532F6AED0923.html?hWord=N4IghgNiBcIC5gOYgL5A[VMware vSphere tag documentation]
 
+[id="vsphere-pv-encryption"]
+== vSphere persistent disks encryption
+
+You can encrypt virtual machines (VMs) and dynamically provisioned persistent volumes (PVs) on {product-title} running on top of vSphere. 
+
+[NOTE]
+====
+{product-title} does not support RWX-encrypted PVs. You cannot request RWX PVs out of a storage class that uses an encrypted storage policy.
+====
+
+You must encrypt VMs before you can encrypt PVs, which you can do during installation or post-installation. 
+
+For information about encrypting VMs, see:
+
+* xref:../../installing/installing_vsphere/installing-vsphere.adoc#installation-vsphere-encrypted-vms_installing-vsphere[Requirements for encrypting virtual machines]
+
+* xref:../../installing/installing_vsphere/installing-vsphere.adoc#installation-vsphere-machines_installing-vsphere[During installation: Step 7 of Installing RHCOS and starting the {product-title} bootstrap process]
+
+* xref:../../post_installation_configuration/vsphere-post-installation-encryption.adoc[Post-installation enabling encryption on a vSphere cluster]
+
+After encrypting VMs, you can configure a storage class that supports dynamic encryption volume provisioning using the vSphere Container Storage Interface (CSI) driver. This can be accomplished in one of two ways using:
+
+* xref:../../storage/container_storage_interface/persistent-storage-csi-vsphere.adoc#persistent-storage-csi-vsphere-encryption-datastore-url_persistent-storage-csi-vsphere[Datastore URL]: This approach is not very flexible, and forces you to use a single datastore. It also does not support topology-aware provisioning. 
+
+* xref:../../storage/container_storage_interface/persistent-storage-csi-vsphere.adoc#persistent-storage-csi-vsphere-encryption-tag-based_persistent-storage-csi-vsphere[Tag-based placement]: Encrypts the provisioned volumes and uses tag-based placement to target specific datastores. 
+
+include::modules/persistent-storage-csi-vsphere-encryption-datastore-url.adoc[leveloffset=+2]
+
+include::modules/persistent-storage-csi-vsphere-encryption-tag-based.adoc[leveloffset=+2]
+
+[id="additional-resources"]
 == Additional resources
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]