nutanix-cloud-native · jimmidyson · May 15, 2024 · May 3, 2024 · May 7, 2024 · May 7, 2024
diff --git a/api/v1alpha1/clusterconfig_types.go b/api/v1alpha1/clusterconfig_types.go
@@ -200,6 +200,9 @@ type GenericClusterConfigSpec struct {
 
 	// +kubebuilder:validation:Optional
 	Users []User `json:"users,omitempty"`
+
+	// +optional
+	EncryptionAtRest *EncryptionAtRest `json:"encryptionAtRest,omitempty"`
 }
 
 type Image struct {
@@ -279,6 +282,28 @@ type User struct {
 	Sudo string `json:"sudo,omitempty"`
 }
 
+// EncryptionAtRest defines the configuration to enable encryption at REST
+// This configuration is used by API server to encrypt data before storing it in ETCD.
+// Currently the encryption only enabled for secrets and configmaps.
+type EncryptionAtRest struct {
+	// Encryption providers
+	// +kubebuilder:default={{aescbc:{}}}
+	// +kubebuilder:validation:MaxItems=1
+	// +kubebuilder:validation:Optional
+	Providers []EncryptionProviders `json:"providers,omitempty"`
+}
+
+type EncryptionProviders struct {
+	// +kubebuilder:validation:Optional
+	AESCBC *AESConfiguration `json:"aescbc,omitempty"`
+	// +kubebuilder:validation:Optional
+	Secretbox *SecretboxConfiguration `json:"secretbox,omitempty"`
+}
+
+type AESConfiguration struct{}
+
+type SecretboxConfiguration struct{}
+
 func init() {
 	SchemeBuilder.Register(
 		&AWSClusterConfig{},

diff --git a/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml
@@ -322,6 +322,26 @@ spec:
                         type: string
                     type: object
                 type: object
+              encryptionAtRest:
+                description: |-
+                  EncryptionAtRest defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default:
+                    - aescbc: {}
+                    description: Encryption providers
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
+                type: object
               etcd:
                 properties:
                   image:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml
@@ -239,6 +239,26 @@ spec:
                 type: object
               docker:
                 type: object
+              encryptionAtRest:
+                description: |-
+                  EncryptionAtRest defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default:
+                    - aescbc: {}
+                    description: Encryption providers
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
+                type: object
               etcd:
                 properties:
                   image:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml
@@ -233,6 +233,26 @@ spec:
                     - provider
                     type: object
                 type: object
+              encryptionAtRest:
+                description: |-
+                  EncryptionAtRest defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default:
+                    - aescbc: {}
+                    description: Encryption providers
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
+                type: object
               etcd:
                 properties:
                   image:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml
@@ -410,6 +410,26 @@ spec:
                     - machineDetails
                     type: object
                 type: object
+              encryptionAtRest:
+                description: |-
+                  EncryptionAtRest defines the configuration to enable encryption at REST
+                  This configuration is used by API server to encrypt data before storing it in ETCD.
+                  Currently the encryption only enabled for secrets and configmaps.
+                properties:
+                  providers:
+                    default:
+                    - aescbc: {}
+                    description: Encryption providers
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
+                type: object
               etcd:
                 properties:
                   image:

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/common/pkg/k8s/client/create.go b/common/pkg/k8s/client/create.go
@@ -0,0 +1,30 @@
+// Copyright 2024 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package client
+
+import (
+	"context"
+	"fmt"
+
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func Create(
+	ctx context.Context,
+	c ctrlclient.Client,
+	obj ctrlclient.Object,
+	opts ...ctrlclient.CreateOption,
+) error {
+	options := []ctrlclient.CreateOption{ctrlclient.FieldOwner(FieldOwner)}
+	options = append(options, opts...)
+	err := c.Create(
+		ctx,
+		obj,
+		options...,
+	)
+	if err != nil {
+		return fmt.Errorf("create object failed: %w", err)
+	}
+	return nil
+}
diff --git a/pkg/handlers/generic/mutation/encryptionatrest/encryptionprovider_test.go b/pkg/handlers/generic/mutation/encryptionatrest/encryptionprovider_test.go
@@ -0,0 +1,87 @@
+// Copyright 2024 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package encryptionatrest
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	apiserverv1 "k8s.io/apiserver/pkg/apis/config/v1"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+)
+
+func Test_encryptionConfigForSecretsAndConfigMaps(t *testing.T) {
+	testcases := []struct {
+		name      string
+		providers *carenv1.EncryptionProviders
+		wantErr   error
+		want      *apiserverv1.ResourceConfiguration
+	}{
+		{
+			name: "encryption configuration using all providers",
+			providers: &carenv1.EncryptionProviders{
+				AESCBC:    &carenv1.AESConfiguration{},
+				Secretbox: &carenv1.SecretboxConfiguration{},
+			},
+			wantErr: nil,
+			want: &apiserverv1.ResourceConfiguration{
+				Resources: []string{"secrets", "configmaps"},
+				Providers: []apiserverv1.ProviderConfiguration{
+					{
+						AESCBC: &apiserverv1.AESConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+						Secretbox: &apiserverv1.SecretboxConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "encryption configuration using single provider",
+			providers: &carenv1.EncryptionProviders{
+				AESCBC: &carenv1.AESConfiguration{},
+			},
+			wantErr: nil,
+			want: &apiserverv1.ResourceConfiguration{
+				Resources: []string{"secrets", "configmaps"},
+				Providers: []apiserverv1.ProviderConfiguration{
+					{
+						AESCBC: &apiserverv1.AESConfiguration{
+							Keys: []apiserverv1.Key{
+								{
+									Name:   "key1",
+									Secret: base64.StdEncoding.EncodeToString([]byte(testToken)),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) {
+			got, gErr := defaultEncryptionConfiguration(
+				tt.providers,
+				testTokenGenerator)
+			assert.Equal(t, tt.wantErr, gErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}