fix: use array type for encryption providers

Author: supershal

api/v1alpha1/clusterconfig_types.go

@@ -202,7 +202,7 @@ type GenericClusterConfigSpec struct {
 	Users []User `json:"users,omitempty"`
 
 	// +optional
-	Encryption *Encryption `json:"encryption,omitempty"`
+	EncryptionAtRest *EncryptionAtRest `json:"encryptionAtRest,omitempty"`
 }
 
 type Image struct {
@@ -282,14 +282,15 @@ type User struct {
 	Sudo string `json:"sudo,omitempty"`
 }
 
-// Encryption defines the configuration to enable encryption at REST
+// EncryptionAtRest defines the configuration to enable encryption at REST
 // This configuration is used by API server to encrypt data before storing it in ETCD.
 // Currently the encryption only enabled for secrets and configmaps.
-type Encryption struct {
+type EncryptionAtRest struct {
 	// Encryption providers
-	// +kubebuilder:default={aescbc:{}}
+	// +kubebuilder:default={{aescbc:{}}}
+	// +kubebuilder:validation:MaxItems=1
 	// +kubebuilder:validation:Optional
-	Providers *EncryptionProviders `json:"providers"`
+	Providers []EncryptionProviders `json:"providers"`
 }
 
 type EncryptionProviders struct {

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -322,22 +322,25 @@ spec:
                         type: string
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -239,22 +239,25 @@ spec:
                 type: object
               docker:
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml

@@ -233,22 +233,25 @@ spec:
                     - provider
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -410,22 +410,25 @@ spec:
                     - machineDetails
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

api/v1alpha1/zz_generated.deepcopy.go

@@ -77,7 +77,9 @@ func Test_encryptionConfigForSecretsAndConfigMaps(t *testing.T) {
 
 	for _, tt := range testcases {
 		t.Run(tt.name, func(t *testing.T) {
-			got, gErr := encryptionConfigForSecretsAndConfigMaps(tt.providers, testTokenGenerator)
+			got, gErr := encryptionConfigForSecretsAndConfigMaps(
+				tt.providers,
+				testTokenGenerator)
 			assert.Equal(t, tt.wantErr, gErr)
 			assert.Equal(t, tt.want, got)
 		})

pkg/handlers/generic/mutation/encryption/encryptionprovider_test.go

@@ -36,10 +36,10 @@ import (
 
 const (
 	// VariableName is the external patch variable name.
-	VariableName                        = "encryption"
+	VariableName                        = "encryptionAtRest"
 	SecretKeyForEtcdEncryption          = "config"
 	defaultEncryptionSecretNameTemplate = "%s-encryption-config" //nolint:gosec // Does not contain hard coded credentials.
-	encryptionConfigurationOnRemote     = "/etc/kubernetes/encryptionconfig.yaml"
+	encryptionConfigurationOnRemote     = "/etc/kubernetes/pki/encryptionconfig.yaml"
 	apiServerEncryptionConfigArg        = "encryption-provider-config"
 )
 
@@ -69,7 +69,7 @@ func (h *encryptionPatchHandler) Mutate(
 ) error {
 	log := ctrl.LoggerFrom(ctx, "holderRef", holderRef)
 
-	encryptionVariable, err := variables.Get[carenv1.Encryption](
+	encryptionVariable, err := variables.Get[carenv1.EncryptionAtRest](
 		vars,
 		h.variableName,
 		h.variableFieldPath...,
@@ -91,45 +91,39 @@ func (h *encryptionPatchHandler) Mutate(
 		encryptionVariable,
 	)
 
-	cluster, err := clusterGetter(ctx)
-	if err != nil {
-		log.Error(err, "failed to get cluster from encryption mutation handler")
-		return err
-	}
-
-	found, err := h.DefaultEncryptionSecretExists(ctx, cluster)
-	if err != nil {
-		log.WithValues(
-			"defaultEncryptionSecret", defaultEncryptionSecretName(cluster.Name),
-		).Error(err, "failed to find default encryption configuration secret")
-		return err
-	}
-	// we do not rotate or override the secret keys for encryption configuration
-	if found {
-		log.V(5).WithValues(
-			"defaultEncryptionSecret", defaultEncryptionSecretName(cluster.Name),
-		).Info(
-			"skip generating encryption configuration. Default encryption configuration secret exists",
-			defaultEncryptionSecretName(cluster.Name))
-		return nil
-	}
-
 	return patches.MutateIfApplicable(
 		obj, vars, &holderRef, selectors.ControlPlane(), log,
 		func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
-			log.WithValues(
-				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
-				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding encryption configuration files and API server extra args in control plane kubeadm config spec")
-			encConfig, err := h.generateEncryptionConfiguration(encryptionVariable.Providers)
+			cluster, err := clusterGetter(ctx)
 			if err != nil {
+				log.Error(err, "failed to get cluster from encryption mutation handler")
 				return err
 			}
 
-			if err := h.CreateEncryptionConfigurationSecret(ctx, encConfig, cluster); err != nil {
+			found, err := h.DefaultEncryptionSecretExists(ctx, cluster)
+			if err != nil {
+				log.WithValues(
+					"defaultEncryptionSecret", defaultEncryptionSecretName(cluster.Name),
+				).Error(err, "failed to find default encryption configuration secret")
 				return err
 			}
 
+			// we do not rotate or override the secret keys for encryption configuration
+			if !found {
+				encConfig, err := h.generateEncryptionConfiguration(encryptionVariable.Providers)
+				if err != nil {
+					return err
+				}
+				if err := h.CreateEncryptionConfigurationSecret(ctx, encConfig, cluster); err != nil {
+					return err
+				}
+			}
+
+			log.WithValues(
+				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
+				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
+			).Info("adding encryption configuration files and API server extra args in control plane kubeadm config spec")
+
 			// Create kubadm config file for encryption config
 			obj.Spec.Template.Spec.KubeadmConfigSpec.Files = append(
 				obj.Spec.Template.Spec.KubeadmConfigSpec.Files,
@@ -159,29 +153,33 @@ func generateEncryptionCredentialsFile(cluster *clusterv1.Cluster) cabpkv1.File
 				Key:  SecretKeyForEtcdEncryption,
 			},
 		},
-		Permissions: "0600",
+		Permissions: "0640",
 	}
 }
 
 func (h *encryptionPatchHandler) generateEncryptionConfiguration(
-	providers *carenv1.EncryptionProviders,
+	providers []carenv1.EncryptionProviders,
 ) (*apiserverv1.EncryptionConfiguration, error) {
-	// We only support encryption for "secrets" and "configmaps" using "aescbc" provider.
-	resourceConfig, err := encryptionConfigForSecretsAndConfigMaps(
-		providers,
-		h.keyGenerator,
-	)
-	if err != nil {
-		return nil, err
+	resourceConfigs := []apiserverv1.ResourceConfiguration{}
+	for _, encProvider := range providers {
+		provider := encProvider
+		resourceConfig, err := encryptionConfigForSecretsAndConfigMaps(
+			&provider,
+			h.keyGenerator,
+		)
+		if err != nil {
+			return nil, err
+		}
+		resourceConfigs = append(resourceConfigs, *resourceConfig)
 	}
+	// We only support encryption for "secrets" and "configmaps" using "aescbc" provider.
+
 	return &apiserverv1.EncryptionConfiguration{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: apiserverv1.SchemeGroupVersion.String(),
 			Kind:       "EncryptionConfiguration",
 		},
-		Resources: []apiserverv1.ResourceConfiguration{
-			*resourceConfig,
-		},
+		Resources: resourceConfigs,
 	}, nil
 }