feat: mutation handler for encryption configuration

supershal · supershal · commit 9babd103be63 · 2024-05-13T20:53:54.000-07:00
diff --git a/api/v1alpha1/clusterconfig_types.go b/api/v1alpha1/clusterconfig_types.go
@@ -287,8 +287,7 @@ type User struct {
 // Currently the encryption only enabled for secrets and configmaps.
 type Encryption struct {
 	// Encryption providers
-	// +kubebuilder:validation:Enum=aescbc;secretbox
-	// +kubebuilder:default=aescbc
+	// +kubebuilder:default={aescbc:{}}
 	// +kubebuilder:validation:Optional
 	Providers *EncryptionProviders `json:"providers"`
 }
diff --git a/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml
@@ -329,11 +329,9 @@ spec:
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
-                    default: aescbc
+                    default:
+                      aescbc: {}
                     description: Encryption providers
-                    enum:
-                    - aescbc
-                    - secretbox
                     properties:
                       aescbc:
                         type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml
@@ -246,11 +246,9 @@ spec:
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
-                    default: aescbc
+                    default:
+                      aescbc: {}
                     description: Encryption providers
-                    enum:
-                    - aescbc
-                    - secretbox
                     properties:
                       aescbc:
                         type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml
@@ -240,11 +240,9 @@ spec:
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
-                    default: aescbc
+                    default:
+                      aescbc: {}
                     description: Encryption providers
-                    enum:
-                    - aescbc
-                    - secretbox
                     properties:
                       aescbc:
                         type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml
@@ -417,11 +417,9 @@ spec:
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
-                    default: aescbc
+                    default:
+                      aescbc: {}
                     description: Encryption providers
-                    enum:
-                    - aescbc
-                    - secretbox
                     properties:
                       aescbc:
                         type: object
diff --git a/pkg/handlers/generic/mutation/encryption/encryptionprovider_test.go b/pkg/handlers/generic/mutation/encryption/encryptionprovider_test.go
@@ -5,7 +5,6 @@ package encryption
 
 import (
 	"encoding/base64"
-	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -17,14 +16,17 @@ import (
 func Test_encryptionConfigForSecretsAndConfigMaps(t *testing.T) {
 	testcases := []struct {
 		name      string
-		providers []carenv1.EncryptionProvider
+		providers *carenv1.EncryptionProviders
 		wantErr   error
 		want      *apiserverv1.ResourceConfiguration
 	}{
 		{
-			name:      "encryption configuration using aescbc and secretbox providers",
-			providers: []carenv1.EncryptionProvider{carenv1.AESCBC, carenv1.SecretBox},
-			wantErr:   nil,
+			name: "encryption configuration using all providers",
+			providers: &carenv1.EncryptionProviders{
+				AESCBC:    &carenv1.AESConfiguration{},
+				Secretbox: &carenv1.SecretboxConfiguration{},
+			},
+			wantErr: nil,
 			want: &apiserverv1.ResourceConfiguration{
 				Resources: []string{"secrets", "configmaps"},
 				Providers: []apiserverv1.ProviderConfiguration{
@@ -50,10 +52,26 @@ func Test_encryptionConfigForSecretsAndConfigMaps(t *testing.T) {
 			},
 		},
 		{
-			name:      "unsupported encryption provider",
-			providers: []carenv1.EncryptionProvider{carenv1.EncryptionProvider("kmsv2")},
-			wantErr:   errors.New("unknown encryption provider: kmsv2"),
-			want:      nil,
+			name: "encryption configuration using single provider",
+			providers: &carenv1.EncryptionProviders{
+				AESCBC: &carenv1.AESConfiguration{},
+			},
+			wantErr: nil,
+			want: &apiserverv1.ResourceConfiguration{
+				Resources: []string{"secrets", "configmaps"},
+				Providers: []apiserverv1.ProviderConfiguration{
+					{
+						AESCBC: &apiserverv1.AESConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+					},
+				},
+			},
 		},
 	}
 
diff --git a/pkg/handlers/generic/mutation/encryption/inject.go b/pkg/handlers/generic/mutation/encryption/inject.go
@@ -150,7 +150,7 @@ func generateEncryptionCredentialsFile(secretName string) cabpkv1.File {
 }
 
 func (h *encryptionPatchHandler) generateEncryptionConfiguration(
-	providers []carenv1.EncryptionProvider,
+	providers *carenv1.EncryptionProviders,
 ) (*apiserverv1.EncryptionConfiguration, error) {
 	// We only support encryption for "secrets" and "configmaps" using "aescbc" provider.
 	resourceConfig, err := encryptionConfigForSecretsAndConfigMaps(
@@ -182,7 +182,6 @@ func (h *encryptionPatchHandler) CreateEncryptionConfigurationSecret(
 	}
 
 	secretData := map[string]string{
-		// creating a Secret with newlines at the end fails
 		SecretKeyForEtcdEncryption: strings.TrimSpace(string(dataYaml)),
 	}
 	secretName := defaultEncryptionSecretName(clusterKey.Name)
@@ -201,59 +200,53 @@ func (h *encryptionPatchHandler) CreateEncryptionConfigurationSecret(
 	}
 
 	// We only support creating encryption config in BeforeClusterCreate hook and ensure that the keys are immutable.
-	// Rotation of the keys can be implemented by cloning existing secret and adding new rotation key.
 	if err := client.Create(ctx, h.config.Client, encryptionConfigSecret); err != nil {
-		return "", fmt.Errorf("failed to create Encryption Configuration Secret: %w", err)
+		return "", fmt.Errorf("failed to create encryption configuration secret: %w", err)
 	}
 	return secretName, nil
 }
 
 // We only support encryption for "secrets" and "configmaps".
 func encryptionConfigForSecretsAndConfigMaps(
-	providers []carenv1.EncryptionProvider,
+	providers *carenv1.EncryptionProviders,
 	secretGenerator TokenGenerator,
 ) (*apiserverv1.ResourceConfiguration, error) {
 	providerConfig := apiserverv1.ProviderConfiguration{}
-	for _, providerType := range providers {
-		// We only support "aescbc", "secretbox" for now.
-		// "aesgcm" is another AESConfiguration. "aesgcm" requires secret key rotation before 200k write calls.
-		// It should not be supported until secret key's rotation is implemented.
-		switch providerType {
-		case carenv1.AESCBC:
-			token, err := secretGenerator()
-			if err != nil {
-				return nil, fmt.Errorf(
-					"could not create random encryption token for aescbc provider: %w",
-					err,
-				)
-			}
-			providerConfig.AESCBC = &apiserverv1.AESConfiguration{
-				Keys: []apiserverv1.Key{
-					{
-						Name:   "key1", // we only support one key during cluster creation.
-						Secret: base64.StdEncoding.EncodeToString(token),
-					},
+	// We only support "aescbc", "secretbox" for now.
+	// "aesgcm" is another AESConfiguration. "aesgcm" requires secret key rotation before 200k write calls.
+	// "aesgcm" should not be supported until secret key's rotation is implemented.
+	if providers.AESCBC != nil {
+		token, err := secretGenerator()
+		if err != nil {
+			return nil, fmt.Errorf(
+				"could not create random encryption token for aescbc provider: %w",
+				err,
+			)
+		}
+		providerConfig.AESCBC = &apiserverv1.AESConfiguration{
+			Keys: []apiserverv1.Key{
+				{
+					Name:   "key1", // we only support one key during cluster creation.
+					Secret: base64.StdEncoding.EncodeToString(token),
 				},
-			}
-		case carenv1.SecretBox:
-			token, err := secretGenerator()
-			if err != nil {
-				return nil, fmt.Errorf(
-					"could not create random encryption token for secretbox provider: %w",
-					err,
-				)
-			}
-			providerConfig.Secretbox = &apiserverv1.SecretboxConfiguration{
-				Keys: []apiserverv1.Key{
-					{
-						Name:   "key1", // we only support one key during cluster creation.
-						Secret: base64.StdEncoding.EncodeToString(token),
-					},
+			},
+		}
+	}
+	if providers.Secretbox != nil {
+		token, err := secretGenerator()
+		if err != nil {
+			return nil, fmt.Errorf(
+				"could not create random encryption token for secretbox provider: %w",
+				err,
+			)
+		}
+		providerConfig.Secretbox = &apiserverv1.SecretboxConfiguration{
+			Keys: []apiserverv1.Key{
+				{
+					Name:   "key1", // we only support one key during cluster creation.
+					Secret: base64.StdEncoding.EncodeToString(token),
 				},
-			}
-		default:
-			// Schema validation should fail earlier upon providing name outside defined Enum
-			return nil, fmt.Errorf("unknown encryption provider: %s", providerType)
+			},
 		}
 	}
 
diff --git a/pkg/handlers/generic/mutation/encryption/inject_test.go b/pkg/handlers/generic/mutation/encryption/inject_test.go
@@ -69,9 +69,9 @@ var _ = Describe("Generate Encryption configuration patches", func() {
 				capitest.VariableWithValue(
 					clusterconfig.MetaVariableName,
 					carenv1.Encryption{
-						Providers: []carenv1.EncryptionProvider{
-							carenv1.AESCBC,
-							carenv1.SecretBox,
+						Providers: &carenv1.EncryptionProviders{
+							AESCBC:    &carenv1.AESConfiguration{},
+							Secretbox: &carenv1.SecretboxConfiguration{},
 						},
 					},
 					VariableName,
diff --git a/pkg/handlers/generic/mutation/handlers.go b/pkg/handlers/generic/mutation/handlers.go
@@ -11,6 +11,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/auditpolicy"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/containerdapplypatchesandrestart"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/containerdmetrics"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/encryption"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/etcd"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/extraapiservercertsans"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/httpproxy"
@@ -33,6 +34,10 @@ func MetaMutators(mgr manager.Manager) []mutation.MetaMutator {
 		calico.NewPatch(),
 		users.NewPatch(),
 		containerdmetrics.NewPatch(),
+		encryption.NewPatch(&encryption.Config{
+			Client:                mgr.GetClient(),
+			AESSecretKeyGenerator: encryption.RandomTokenGenerator,
+		}),
 
 		// Some patches may have changed containerd configuration.
 		// We write the configuration changes to disk, and must run a command
