feat: mutation handler for EncryptionConfig

Author: supershal

api/v1alpha1/clusterconfig_types.go

@@ -12,6 +12,11 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/variables"
 )
 
+const (
+	AESCBC    EncryptionProvider = "aescbc"
+	SecretBox EncryptionProvider = "secretbox"
+)
+
 var (
 	DefaultDockerCertSANs = []string{
 		"localhost",

api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml

@@ -233,6 +233,23 @@ spec:
                     - provider
                     type: object
                 type: object
+              encryption:
+                description: |-
+                  Encryption defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default: aescbc
+                    description: Encryption providers
+                    enum:
+                    - aescbc
+                    items:
+                      type: string
+                    maxItems: 1
+                    type: array
+                    uniqueItems: true
+                type: object
               etcd:
                 properties:
                   image:

common/pkg/k8s/client/create.go

@@ -0,0 +1,30 @@
+// Copyright 2024 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package client
+
+import (
+	"context"
+	"fmt"
+
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func Create(
+	ctx context.Context,
+	c ctrlclient.Client,
+	obj ctrlclient.Object,
+	opts ...ctrlclient.CreateOption,
+) error {
+	options := []ctrlclient.CreateOption{ctrlclient.FieldOwner(FieldOwner)}
+	options = append(options, opts...)
+	err := c.Create(
+		ctx,
+		obj,
+		options...,
+	)
+	if err != nil {
+		return fmt.Errorf("create object failed: %w", err)
+	}
+	return nil
+}

pkg/handlers/generic/mutation/encryption/encryptionprovider_test.go

@@ -0,0 +1,67 @@
+// Copyright 2024 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package encryption
+
+import (
+	"encoding/base64"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/config/v1"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+)
+
+func Test_encryptionConfigForSecretsAndConfigMaps(t *testing.T) {
+	testcases := []struct {
+		name      string
+		providers []carenv1.EncryptionProvider
+		wantErr   error
+		want      *apiserverv1.ResourceConfiguration
+	}{
+		{
+			name:      "encryption configuration using aescbc and secretbox providers",
+			providers: []carenv1.EncryptionProvider{carenv1.AESCBC, carenv1.SecretBox},
+			wantErr:   nil,
+			want: &apiserverv1.ResourceConfiguration{
+				Resources: []string{"secrets", "configmaps"},
+				Providers: []apiserverv1.ProviderConfiguration{
+					{
+						AESCBC: &apiserverv1.AESConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+						Secretbox: &apiserverv1.SecretboxConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:      "unsupported encryption provider",
+			providers: []carenv1.EncryptionProvider{carenv1.EncryptionProvider("kmsv2")},
+			wantErr:   errors.New("unknown encryption provider: kmsv2"),
+			want:      nil,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			got, gErr := encryptionConfigForSecretsAndConfigMaps(tt.providers, testTokenGenerator)
+			assert.Equal(t, tt.wantErr, gErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}