🐛 Do not attempt to encrypt VMs erroneously (vmware-tanzu#1396)

aruneshpa · web-flow · commit e3c04309d733 · 2025-12-26T10:41:56.000-08:00
We have a bug where if a native key provider is configured, VM
operator will attempt to encrypt that VM.  This is incorrect.  The
only scenarios where a VM should be encrypted is:
- if it specifies an encryption storage class
- uses a vTPM (existing, or new device being added)
(and a native key provider, or a custom one is specified via BYOK).

This results in the VM reporting the following Condition erroneously:
```
k get vm -n parunesh-ns parunesh-vm -o=json | jq -r '.status.conditions[] | select(.type == "VirtualMachineEncryptionSynced")'
{
  "lastTransitionTime": "2025-12-15T21:31:37Z",
  "message": "Must use encryption storage class or have vTPM when encrypting vm",
  "reason": "InvalidState",
  "status": "False",
  "type": "VirtualMachineEncryptionSynced"
}
```

This change fixes this bug.
diff --git a/pkg/vmconfig/crypto/crypto_reconciler_pre.go b/pkg/vmconfig/crypto/crypto_reconciler_pre.go
@@ -352,8 +352,15 @@ func (r reconciler) reconcileUpdateDefaultKeyProvider(
 			// There is a default key provider.
 			//
 
-			// Encrypt the existing VM.
-			return true, doOp(ctx, args, doEncrypt)
+			if args.hasVTPM || args.addVTPM || args.isEncStorClass {
+
+				//
+				// The existing VM meets the requirements to be encrypted.
+				//
+
+				// Encrypt the existing VM.
+				return true, doOp(ctx, args, doEncrypt)
+			}
 		}
 
 	} else {
diff --git a/pkg/vmconfig/crypto/crypto_reconciler_pre_test.go b/pkg/vmconfig/crypto/crypto_reconciler_pre_test.go
@@ -614,15 +614,13 @@ var _ = Describe("Reconcile", Label(testlabels.Crypto), func() {
 					When("the vm is not already encrypted", func() {
 						BeforeEach(func() {
 							moVM.Config.KeyId = nil
+							vm.Spec.StorageClass = storageClass1.Name
 						})
-						It("should encrypt the vm", func() {
+						It("should not encrypt the vm", func() {
 							Expect(err).ToNot(HaveOccurred())
 							c := conditions.Get(vm, vmopv1.VirtualMachineEncryptionSynced)
 							Expect(c).To(BeNil())
-							cryptoSpec, ok := configSpec.Crypto.(*vimtypes.CryptoSpecEncrypt)
-							Expect(ok).To(BeTrue())
-							Expect(cryptoSpec.CryptoKeyId.KeyId).To(BeEmpty())
-							Expect(cryptoSpec.CryptoKeyId.ProviderId.Id).To(Equal(provider1ID))
+							Expect(configSpec.Crypto).To(BeNil())
 						})
 						When("the vm has a vtpm but not encrypted storage class", func() {
 							BeforeEach(func() {
