docs: API docs for encryptionAtRest

Author: supershal

docs/content/customization/generic/encryption-at-rest.md

@@ -0,0 +1,60 @@
++++
+title = "Encryption At REST"
++++
+
+`encryptionAtRest` variable enables encrypting kubernetes resources at REST using provided encryption provider.
+When this variable is set, kuberntetes secrets and configmaps are encrypted before writing them at `etcd`.
+
+If the `encryptionAtRest` property is not specified, then
+the customization will be skipped. The secrets and configmaps will not be stored as encrypted in `etcd`.
+
+We support following encryption providers
+
+- aescbc
+- secretbox
+
+More information about encryption at REST: [Encrypting Confidential Data at Rest
+](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
+
+## Example
+
+To encrypt configmaps and secrets for using `aescbc` and `secretbox` encryption providers:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          encryptionAtRest:
+            providers:
+              - aescbc: {}
+              - secretbox: {}
+```
+
+Applying this configuration will result in
+
+1. `<CLUSTER_NAME>-encryption-config` secret generated
+1. following value being set:
+
+- `KubeadmControlPlaneTemplate`:
+
+  - ```yaml
+    spec:
+      kubeadmConfigSpec:
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              encryption-provider-config: /etc/kubernetes/pki/encryptionconfig.yaml
+      files:
+        - contentFrom:
+            secret:
+              key: config
+              name: my-cluster-encryption-config
+          path: /etc/kubernetes/pki/encryptionconfig.yaml
+          permissions: "0640"
+    ```