feat: API for encryption at-rest

Author: supershal

api/v1alpha1/clusterconfig_types.go

@@ -190,6 +190,9 @@ type GenericClusterConfigSpec struct {
 
 	// +optional
 	Users []User `json:"users,omitempty"`
+
+	// +optional
+	Encryption *Encryption `json:"encryption,omitempty"`
 }
 
 type Image struct {
@@ -266,6 +269,18 @@ type User struct {
 	Sudo string `json:"sudo,omitempty"`
 }
 
+// Encryption defines the configuration to enable encryption at REST
+// This configuration is used by API server to encrypt data before storing it in ETCD.
+// Currently the encryption only enabled for secrets and configmaps.
+type Encryption struct {
+	// Encryption providers
+	// +kubebuilder:validation:UniqueItems=true
+	// +kubebuilder:validation:Enum=aescbc;aesgcm
+	// +kubebuilder:default=aescbc
+	// +optional
+	Providers []string `json:"providers"`
+}
+
 func init() {
 	SchemeBuilder.Register(
 		&AWSClusterConfig{},

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -298,6 +298,23 @@ spec:
                         type: string
                     type: object
                 type: object
+              encryption:
+                description: |-
+                  Encryption defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default: aescbc
+                    description: Encryption providers
+                    enum:
+                    - aescbc
+                    - aesgcm
+                    items:
+                      type: string
+                    type: array
+                    uniqueItems: true
+                type: object
               etcd:
                 properties:
                   image:

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -217,6 +217,23 @@ spec:
                 type: object
               docker:
                 type: object
+              encryption:
+                description: |-
+                  Encryption defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default: aescbc
+                    description: Encryption providers
+                    enum:
+                    - aescbc
+                    - aesgcm
+                    items:
+                      type: string
+                    type: array
+                    uniqueItems: true
+                type: object
               etcd:
                 properties:
                   image:

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -365,6 +365,23 @@ spec:
                     - machineDetails
                     type: object
                 type: object
+              encryption:
+                description: |-
+                  Encryption defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default: aescbc
+                    description: Encryption providers
+                    enum:
+                    - aescbc
+                    - aesgcm
+                    items:
+                      type: string
+                    type: array
+                    uniqueItems: true
+                type: object
               etcd:
                 properties:
                   image: