Automate vSphere Native Key Providers
import os
import secrets
import sys
import time

import requests
import urllib3
from com.vmware.vapi.std.errors_client import AlreadyExists
from com.vmware.vcenter.crypto_manager import kms_client
from pyVim.connect import SmartConnect
from pyVmomi import vim
from vmware.vapi.vsphere.client import create_vsphere_client, VsphereClient
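# Name of the Native Key Provider this script creates, backs up, restores and deletes.
provider_name = "native_kms"
# Password protecting the exported PKCS#12 backup of the key provider.
# The backup only lives in memory between the export and the re-import below,
# so an ephemeral random value is enough; set NKP_BACKUP_PASSWORD to pin one
# (e.g. when the exported blob is kept for later restores). The previous
# hard-coded literal meant anyone who had read this script could open any
# backup it produced.
password = os.environ.get("NKP_BACKUP_PASSWORD") or secrets.token_urlsafe(32)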
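def connect(host: str, user: str, pwd: str, insecure: bool) -> "tuple[VsphereClient, vim.ServiceInstance]":
    """Open both vCenter sessions: the vAPI client and the pyVmomi service instance.

    Args:
        host: vCenter host name or address.
        user: SSO user name.
        pwd: password for ``user``.
        insecure: when True, TLS certificate verification is turned off for
            both sessions (``session.verify`` and ``disableSslCertValidation``).
            Acceptable for a lab vCenter only: with verification off the
            credentials and everything this script later exports travel over an
            unauthenticated channel.

    Returns:
        ``(vsphere_client, service_instance)``.
    """
    session = requests.session()
    session.verify = not insecure
    if insecure:
        # Silence urllib3's InsecureRequestWarning only when we really skip
        # verification; the original muted it unconditionally, which also hid
        # the warning for any other code in the process that disables verify.
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    si = SmartConnect(host=host, user=user, pwd=pwd, disableSslCertValidation=insecure)
    return create_vsphere_client(host, user, pwd, session=session), si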
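def get_kms_providers(client: "VsphereClient") -> "kms_client.Providers":
    """Return the Native Key Provider stub (``vcenter.crypto_manager.kms.Providers``) of ``client``.

    Reads the ``client`` argument instead of the module-level ``vsphere_client``
    the original body used, so the helper works for any client instance and no
    longer depends on a global that is assigned only after this definition.
    """
    return client.vcenter.crypto_manager.kms.Providers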
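# TLS verification switch for both sessions. VSPHERE_INSECURE="1"/"true"/"yes"
# disables certificate checks; the default stays on (the script always passed
# True) so existing lab setups keep working, but note that an unverified
# session lets an on-path attacker read the SSO credentials and the key
# provider backup. Set VSPHERE_INSECURE=0 once the vCenter certificate is trusted.
insecure = os.environ.get("VSPHERE_INSECURE", "true").strip().lower() in ("1", "true", "yes")
vsphere_client, si = connect(os.environ["VSPHERE_SERVER"],
                             os.environ["VSPHERE_USER"],
                             os.environ["VSPHERE_PASSWORD"],
                             insecure)
kmsProviders = get_kms_providers(vsphere_client)
cm = si.content.cryptoManager
# The default-provider swap further down calls Get/SetDefaultKmsCluster on cm;
# fail early with a clear error if vCenter handed back a different manager type.
if not isinstance(cm, vim.encryption.CryptoManagerKmip):
    raise TypeError("Expected CryptoManagerKmip")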
def print_kms_configurations(kmsProviders: "kms_client.Providers"):
    """Print every configured Native Key Provider: its list summary, then the full ``get`` record.

    Prints "No Native Key Providers" and returns when the provider list is empty.

    Args:
        kmsProviders: the ``vcenter.crypto_manager.kms.Providers`` stub to query.
    """
    summaries = kmsProviders.list()
    if not summaries:
        print("No Native Key Providers")
        return
    for summary in summaries:
        print(f"NKP summary: {summary}")
        details = kmsProviders.get(summary.provider)
        print(f"NKP details: {details}")
        # blank separator line between providers
        print()
print_kms_configurations(kmsProviders=kmsProviders)
print("Create native KMS.")
# tpm_required=False lets hosts without a usable TPM 2.0 join the provider.
# NOTE(review): the trade-off is that the provider's per-host key material is
# then not TPM-sealed; confirm against the vSphere docs for your version before
# using this constraint outside a lab.
spec = kmsProviders.CreateSpec(provider_name,
                               constraints=kmsProviders.ConstraintsSpec(tpm_required=False))
try:
    kmsProviders.create(spec)
except AlreadyExists as ex:
    # Re-running against an existing provider is fine; keep going with it.
    print(f"Nice KMS is already set up: {ex}")
print_kms_configurations(kmsProviders=kmsProviders)
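print('Backup KMS')
res = kmsProviders.export(kmsProviders.ExportSpec(provider=provider_name, password=password))
# res.location carries the bearer download token; log only the URL so the token
# does not end up in stdout / CI logs (the original printed the whole object).
print(f"Backup request posted. Download URL: {res.location.url}")
url = res.location.url
token = res.location.download_token
# Certificate verification for the download follows the same VSPHERE_INSECURE
# switch as the API sessions (default: off, as the script always used
# verify=False). Without verification the PKCS#12 backup and the bearer token
# are readable by an on-path attacker.
download_verify_tls = os.environ.get("VSPHERE_INSECURE", "true").strip().lower() not in ("1", "true", "yes")
response = requests.post(
    url,
    headers={'Authorization': 'Bearer %s' % token.token},
    verify=download_verify_tls,
    timeout=120)  # the original had no timeout and could hang forever on a stalled vCenter
if response.status_code != 200:
    print(f"Backup failed {response}")
    sys.exit(1)
# Raw PKCS#12 blob, kept in memory only; it is what import_provider consumes below.
p12data = response.content
print(f'Backup completed ok')
print_kms_configurations(kmsProviders=kmsProviders)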
print("Delete Native KMS")
kmsProviders.delete(provider=provider_name)
print_kms_configurations(kmsProviders=kmsProviders)
# Restore from the in-memory PKCS#12 blob produced by the export, using the same password.
import_spec = kmsProviders.ImportSpec(config=p12data,
                                      password=password,
                                      constraints=kmsProviders.ConstraintsSpec(tpm_required=False))
ir = kmsProviders.import_provider(import_spec)
print(f'Restored Key Provider: {ir}')
# vCenter needs respite to set all hosts. Immediate read shows warnings.
time.sleep(1)
print_kms_configurations(kmsProviders=kmsProviders)
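# Set default Key Native Provider via pyVMOMI CryptoManagerKmip
defaultProvider = cm.GetDefaultKmsCluster()
print(f"Default provider {defaultProvider}")
providerId = vim.encryption.KeyProviderId()
providerId.id = provider_name
try:
    cm.SetDefaultKmsCluster(clusterId=providerId)
    dp = cm.GetDefaultKmsCluster()
    print(f"Updated default provider {dp}")
finally:
    # Always put the previous default back, even if the switch or the read-back
    # raised; otherwise a failed run leaves vCenter defaulting to the provider
    # that is deleted right below.
    # NOTE(review): when no default existed, defaultProvider is None and this
    # passes None through, exactly as the original did — confirm vCenter accepts it.
    cm.SetDefaultKmsCluster(clusterId=defaultProvider)
    dp = cm.GetDefaultKmsCluster()
    print(f"Restored default provider {dp}")
print("Delete Native KMS")
kmsProviders.delete(provider=provider_name)
print("Done.")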