govc: add native kms provider support

govc/USAGE.md

@@ -220,6 +220,7 @@ but appear via `govc $cmd -h`:
  - [import.vmdk](#importvmdk)
  - [kms.add](#kmsadd)
  - [kms.default](#kmsdefault)
+ - [kms.export](#kmsexport)
  - [kms.ls](#kmsls)
  - [kms.rm](#kmsrm)
  - [kms.trust](#kmstrust)
@@ -3597,12 +3598,15 @@ Add KMS cluster.
 Server name and address are required, port defaults to 5696.
 
 Examples:
+  govc kms.add -N knp
   govc kms.add -n my-server -a kms.example.com my-kp
 
 Options:
+  -N=false               Add native key provider
   -a=                    Server address
   -n=                    Server name
   -p=5696                Server port
+  -tpm=true              Use only with TPM protected ESXi hosts (native only)
 ```
 
 ## kms.default
@@ -3622,6 +3626,22 @@ Options:
   -e=                    Set entity default KMS cluster (cluster or host folder)
 ```
 
+## kms.export
+
+```
+Usage: govc kms.export [OPTIONS] NAME
+
+Export KMS cluster for backup.
+
+Examples:
+  govc kms.export my-kp
+  govc kms.export -f my-backup.p12 my-kp
+
+Options:
+  -f=                    File name
+  -p=                    Password
+```
+
 ## kms.ls
 
 ```

govc/kms/add.go

@@ -23,13 +23,16 @@ import (
 	"github.com/vmware/govmomi/crypto"
 	"github.com/vmware/govmomi/govc/cli"
 	"github.com/vmware/govmomi/govc/flags"
+	vapicrypto "github.com/vmware/govmomi/vapi/crypto"
 	"github.com/vmware/govmomi/vim25/types"
 )
 
 type add struct {
 	*flags.ClientFlag
 
 	types.KmipServerSpec
+	native vapicrypto.KmsProviderCreateSpec
+	nkp    bool
 }
 
 func init() {
@@ -44,6 +47,9 @@ func (cmd *add) Register(ctx context.Context, f *flag.FlagSet) {
 	f.StringVar(&cmd.Info.Address, "a", "", "Server address")
 	cmd.Info.Port = 5696 // default
 	f.Var(flags.NewInt32(&cmd.Info.Port), "p", "Server port")
+
+	f.BoolVar(&cmd.nkp, "N", false, "Add native key provider")
+	f.BoolVar(&cmd.native.Constraints.TpmRequired, "tpm", true, "Use only with TPM protected ESXi hosts (native only)")
 }
 
 func (cmd *add) Usage() string {
@@ -56,6 +62,7 @@ func (cmd *add) Description() string {
 Server name and address are required, port defaults to 5696.
 
 Examples:
+  govc kms.add -N knp
   govc kms.add -n my-server -a kms.example.com my-kp`
 }
 
@@ -65,6 +72,15 @@ func (cmd *add) Run(ctx context.Context, f *flag.FlagSet) error {
 		return flag.ErrHelp
 	}
 
+	if cmd.nkp {
+		rc, err := cmd.RestClient()
+		if err != nil {
+			return err
+		}
+		cmd.native.Provider = id
+		return vapicrypto.NewManager(rc).KmsProviderCreate(ctx, cmd.native)
+	}
+
 	c, err := cmd.Client()
 	if err != nil {
 		return err

govc/kms/export.go

@@ -0,0 +1,89 @@
+/*
+Copyright (c) 2024-2024 VMware, Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kms
+
+import (
+	"context"
+	"flag"
+	"fmt"
+
+	"github.com/vmware/govmomi/govc/cli"
+	"github.com/vmware/govmomi/govc/flags"
+	"github.com/vmware/govmomi/vapi/crypto"
+)
+
+type export struct {
+	*flags.ClientFlag
+
+	spec crypto.KmsProviderExportSpec
+	file string
+}
+
+func init() {
+	cli.Register("kms.export", &export{})
+}
+
+func (cmd *export) Register(ctx context.Context, f *flag.FlagSet) {
+	cmd.ClientFlag, ctx = flags.NewClientFlag(ctx)
+	cmd.ClientFlag.Register(ctx, f)
+
+	f.StringVar(&cmd.file, "f", "", "File name")
+	f.StringVar(&cmd.spec.Password, "p", "", "Password")
+}
+
+func (cmd *export) Usage() string {
+	return "NAME"
+}
+
+func (cmd *export) Description() string {
+	return `Export KMS cluster for backup.
+
+Examples:
+  govc kms.export my-kp
+  govc kms.export -f my-backup.p12 my-kp`
+}
+
+func (cmd *export) Run(ctx context.Context, f *flag.FlagSet) error {
+	id := f.Arg(0)
+	if id == "" {
+		return flag.ErrHelp
+	}
+
+	rc, err := cmd.RestClient()
+	if err != nil {
+		return err
+	}
+
+	m := crypto.NewManager(rc)
+
+	cmd.spec.Provider = id
+	export, err := m.KmsProviderExport(ctx, cmd.spec)
+	if err != nil {
+		return err
+	}
+
+	if export.Type != "LOCATION" {
+		return fmt.Errorf("unsupported export type: %s", export.Type)
+	}
+
+	req, err := m.KmsProviderExportRequest(ctx, export.Location)
+	if err != nil {
+		return err
+	}
+
+	return rc.DownloadAttachment(ctx, req, cmd.file)
+}

govc/kms/rm.go

@@ -23,6 +23,7 @@ import (
 	"github.com/vmware/govmomi/crypto"
 	"github.com/vmware/govmomi/govc/cli"
 	"github.com/vmware/govmomi/govc/flags"
+	vapicrypto "github.com/vmware/govmomi/vapi/crypto"
 )
 
 type rm struct {
@@ -70,6 +71,18 @@ func (cmd *rm) Run(ctx context.Context, f *flag.FlagSet) error {
 		return err
 	}
 
+	native, err := m.IsNativeProvider(ctx, id)
+	if err != nil {
+		return err
+	}
+	if native {
+		rc, err := cmd.RestClient()
+		if err != nil {
+			return err
+		}
+		return vapicrypto.NewManager(rc).KmsProviderDelete(ctx, id)
+	}
+
 	if cmd.server != "" {
 		return m.RemoveKmipServer(ctx, id, cmd.server)
 	}

govc/test/kms.bats

@@ -2,7 +2,7 @@
 
 load test_helper
 
-@test "kms" {
+@test "kms standard" {
   vcsim_env
 
   run govc kms.ls
@@ -47,9 +47,36 @@ load test_helper
   run govc kms.add -n my-server -a "$host" vcsim-kp
   assert_success
 
+  run govc kms.export vcsim-kp
+  assert_failure # export is only supported for native
+  assert_matches "400 Bad Request"
+
+  run govc session.login -r -X DELETE "/api/vcenter/crypto-manager/kms/providers/vcsim-kp"
+  assert_failure # vapi can only delete native providers
+  assert_matches "400 Bad Request"
+
   run govc kms.rm vcsim-kp
   assert_success
 
   run govc kms.rm vcsim-kp
   assert_failure # does not exist
 }
+
+@test "kms native" {
+  vcsim_env
+
+  run govc kms.add -N nkp
+  assert_success
+
+  run govc kms.ls nkp
+  assert_success
+
+  run govc kms.export -f /dev/null nkp
+  assert_success
+
+  run govc kms.default nkp
+  assert_success
+
+  run govc kms.rm nkp
+  assert_success
+}