nutanix-cloud-native · supershal · May 13, 2024 · May 14, 2024 · May 14, 2024
diff --git a/api/v1alpha1/clusterconfig_types.go b/api/v1alpha1/clusterconfig_types.go
@@ -202,7 +202,7 @@ type GenericClusterConfigSpec struct {
 	Users []User `json:"users,omitempty"`
 
 	// +optional
-	Encryption *Encryption `json:"encryption,omitempty"`
+	EncryptionAtRest *EncryptionAtRest `json:"encryptionAtRest,omitempty"`
 }
 
 type Image struct {
@@ -282,14 +282,15 @@ type User struct {
 	Sudo string `json:"sudo,omitempty"`
 }
 
-// Encryption defines the configuration to enable encryption at REST
+// EncryptionAtRest defines the configuration to enable encryption at REST
 // This configuration is used by API server to encrypt data before storing it in ETCD.
 // Currently the encryption only enabled for secrets and configmaps.
-type Encryption struct {
+type EncryptionAtRest struct {
 	// Encryption providers
-	// +kubebuilder:default={aescbc:{}}
+	// +kubebuilder:default={{aescbc:{}}}
+	// +kubebuilder:validation:MaxItems=1
 	// +kubebuilder:validation:Optional
-	Providers *EncryptionProviders `json:"providers"`
+	Providers []EncryptionProviders `json:"providers"`
 }
 
 type EncryptionProviders struct {

diff --git a/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml
@@ -322,22 +322,25 @@ spec:
                         type: string
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml
@@ -239,22 +239,25 @@ spec:
                 type: object
               docker:
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml
@@ -233,22 +233,25 @@ spec:
                     - provider
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

diff --git a/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml
@@ -410,22 +410,25 @@ spec:
                     - machineDetails
                     type: object
                 type: object
-              encryption:
+              encryptionAtRest:
                 description: |-
-                  Encryption defines the configuration to enable encryption at REST
+                  EncryptionAtRest defines the configuration to enable encryption at REST
                   This configuration is used by API server to encrypt data before storing it in ETCD.
                   Currently the encryption only enabled for secrets and configmaps.
                 properties:
                   providers:
                     default:
-                      aescbc: {}
+                    - aescbc: {}
                     description: Encryption providers
-                    properties:
-                      aescbc:
-                        type: object
-                      secretbox:
-                        type: object
-                    type: object
+                    items:
+                      properties:
+                        aescbc:
+                          type: object
+                        secretbox:
+                          type: object
+                      type: object
+                    maxItems: 1
+                    type: array
                 type: object
               etcd:
                 properties:

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/docs/content/customization/generic/encryption.md b/docs/content/customization/generic/encryption.md
@@ -0,0 +1,55 @@
++++
+title = "Encryption At REST"
++++
+
+`encryptionAtRest` variable enables encrypting kubernetes resources at REST using provided encryption provider.
+When this variable is set, kuberntetes secrets and configmaps are encrypted before writing them at `etcd`.
+
+If the `encryptionAtRest` property is not specified, then
+the customization will be skipped. The secrets and configmaps will not be stored as encrypted in `etcd`.
+
+We support following encryption providers
+- aescbc
+- secretbox
+
+More information about encryption at REST: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+
+## Example
+
+To encrypt configmaps and secrets for using `aescbc` and `secretbox` encryption providers:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          encryptionAtRest:
+            providers:
+              - aescbc: {}
+              - secretbox: {}
+```
+
+Applying this configuration will result in `<CLUSTER_NAME>-encryption-config` secret generated and following value being set:
+
+- `KubeadmControlPlaneTemplate`:
+
+  - ```yaml
+    spec:
+      kubeadmConfigSpec:
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              encryption-provider-config: /etc/kubernetes/pki/encryptionconfig.yaml
+      files:
+        - contentFrom:
+            secret:
+              key: config
+              name: my-cluster-encryption-config
+          path: /etc/kubernetes/pki/encryptionconfig.yaml
+          permissions: "0640"          
+    ```
diff --git a/examples/capi-quick-start/aws-cluster-calico-crs.yaml b/examples/capi-quick-start/aws-cluster-calico-crs.yaml
@@ -47,6 +47,9 @@ spec:
                 baseOS: ${AMI_LOOKUP_BASEOS}
                 format: ${AMI_LOOKUP_FORMAT}
                 org: "${AMI_LOOKUP_ORG}"
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value:
         aws:

diff --git a/examples/capi-quick-start/aws-cluster-calico-helm-addon.yaml b/examples/capi-quick-start/aws-cluster-calico-helm-addon.yaml
@@ -47,6 +47,9 @@ spec:
                 baseOS: ${AMI_LOOKUP_BASEOS}
                 format: ${AMI_LOOKUP_FORMAT}
                 org: "${AMI_LOOKUP_ORG}"
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value:
         aws:

diff --git a/examples/capi-quick-start/aws-cluster-cilium-crs.yaml b/examples/capi-quick-start/aws-cluster-cilium-crs.yaml
@@ -47,6 +47,9 @@ spec:
                 baseOS: ${AMI_LOOKUP_BASEOS}
                 format: ${AMI_LOOKUP_FORMAT}
                 org: "${AMI_LOOKUP_ORG}"
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value:
         aws:

diff --git a/examples/capi-quick-start/aws-cluster-cilium-helm-addon.yaml b/examples/capi-quick-start/aws-cluster-cilium-helm-addon.yaml
@@ -47,6 +47,9 @@ spec:
                 baseOS: ${AMI_LOOKUP_BASEOS}
                 format: ${AMI_LOOKUP_FORMAT}
                 org: "${AMI_LOOKUP_ORG}"
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value:
         aws:

diff --git a/examples/capi-quick-start/docker-cluster-calico-crs.yaml b/examples/capi-quick-start/docker-cluster-calico-crs.yaml
@@ -29,6 +29,9 @@ spec:
             strategy: ClusterResourceSet
           nfd:
             strategy: ClusterResourceSet
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value: {}
     version: ${KUBERNETES_VERSION}

diff --git a/examples/capi-quick-start/docker-cluster-calico-helm-addon.yaml b/examples/capi-quick-start/docker-cluster-calico-helm-addon.yaml
@@ -29,6 +29,9 @@ spec:
             strategy: HelmAddon
           nfd:
             strategy: HelmAddon
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value: {}
     version: ${KUBERNETES_VERSION}

diff --git a/examples/capi-quick-start/docker-cluster-cilium-crs.yaml b/examples/capi-quick-start/docker-cluster-cilium-crs.yaml
@@ -29,6 +29,9 @@ spec:
             strategy: ClusterResourceSet
           nfd:
             strategy: ClusterResourceSet
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value: {}
     version: ${KUBERNETES_VERSION}

diff --git a/examples/capi-quick-start/docker-cluster-cilium-helm-addon.yaml b/examples/capi-quick-start/docker-cluster-cilium-helm-addon.yaml
@@ -29,6 +29,9 @@ spec:
             strategy: HelmAddon
           nfd:
             strategy: HelmAddon
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
     - name: workerConfig
       value: {}
     version: ${KUBERNETES_VERSION}

diff --git a/examples/capi-quick-start/nutanix-cluster-calico-crs.yaml b/examples/capi-quick-start/nutanix-cluster-calico-crs.yaml
@@ -103,6 +103,9 @@ spec:
               systemDiskSize: 40Gi
               vcpuSockets: 2
               vcpusPerSocket: 1
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
         imageRegistries:
         - credentials:
             secretRef:

diff --git a/examples/capi-quick-start/nutanix-cluster-calico-helm-addon.yaml b/examples/capi-quick-start/nutanix-cluster-calico-helm-addon.yaml
@@ -103,6 +103,9 @@ spec:
               systemDiskSize: 40Gi
               vcpuSockets: 2
               vcpusPerSocket: 1
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
         imageRegistries:
         - credentials:
             secretRef:

diff --git a/examples/capi-quick-start/nutanix-cluster-cilium-crs.yaml b/examples/capi-quick-start/nutanix-cluster-cilium-crs.yaml
@@ -103,6 +103,9 @@ spec:
               systemDiskSize: 40Gi
               vcpuSockets: 2
               vcpusPerSocket: 1
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
         imageRegistries:
         - credentials:
             secretRef:

diff --git a/examples/capi-quick-start/nutanix-cluster-cilium-helm-addon.yaml b/examples/capi-quick-start/nutanix-cluster-cilium-helm-addon.yaml
@@ -103,6 +103,9 @@ spec:
               systemDiskSize: 40Gi
               vcpuSockets: 2
               vcpusPerSocket: 1
+        encryptionAtRest:
+          providers:
+          - aescbc: {}
         imageRegistries:
         - credentials:
             secretRef:

diff --git a/hack/examples/bases/aws/cluster/kustomization.yaml.tmpl b/hack/examples/bases/aws/cluster/kustomization.yaml.tmpl
@@ -45,6 +45,9 @@ patches:
 - target:
     kind: Cluster
   path: ../../../patches/aws/config-var.yaml
+- target:
+    kind: Cluster
+  path: ../../../patches/encryption.yaml
 
 # Delete the clusterclass-specific resources.
 - target: