RKE2ControlPlane: v1beta1 support EncryptionConfig

This commit adds RKE2ControlPlane.spec.serverConfig.secretsEncryption property.

This allows to specify provider type (aescbc or secretbox) and load encryption key
from a secret.

Signed-off-by: Dinar Valeev <k0da@opensuse.org>

Author: k0da

controlplane/api/v1alpha1/rke2controlplane_types.go

@@ -132,6 +132,10 @@ type RKE2ServerConfig struct {
 	//+optional
 	Etcd EtcdConfig `json:"etcd,omitempty"`
 
+	// SecretsEncrytion defines encryption at rest configuration
+	//+optional
+	SecretsEncryptionProvider *SecretsEncryption `json:"secretsEncryption,omitempty"`
+
 	// KubeAPIServer defines optional custom configuration of the Kube API Server.
 	//+optional
 	KubeAPIServer *bootstrapv1alpha1.ComponentConfig `json:"kubeAPIServer,omitempty"`
@@ -202,6 +206,15 @@ type RKE2ControlPlaneStatus struct {
 	AvailableServerIPs []string `json:"availableServerIPs,omitempty"`
 }
 
+// SecretsEncryption defines encryption configuration.
+type SecretsEncryption struct {
+	// EncyptionKey secret reference
+	EncryptionKeySecret *corev1.ObjectReference `json:"encryptionKeySecret,omitempty"`
+	// Encryption provider
+	// +kubebuilder:validation:Enum=aescbc;secretbox
+	Provider string `json:"provider,omitempty"`
+}
+
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 

controlplane/api/v1alpha1/zz_generated.conversion.go

@@ -211,6 +211,10 @@ type RKE2ServerConfig struct {
 	//+optional
 	Etcd EtcdConfig `json:"etcd,omitempty"`
 
+	// SecretsEncrytion defines encryption at rest configuration
+	//+optional
+	SecretsEncryptionProvider *SecretsEncryption `json:"secretsEncryption,omitempty"`
+
 	// KubeAPIServer defines optional custom configuration of the Kube API Server.
 	//+optional
 	KubeAPIServer *bootstrapv1.ComponentConfig `json:"kubeAPIServer,omitempty"`
@@ -402,6 +406,15 @@ type EtcdS3 struct {
 	Folder string `json:"folder,omitempty"`
 }
 
+// SecretsEncryption defines encryption configuration.
+type SecretsEncryption struct {
+	// EncyptionKey secret reference
+	EncryptionKeySecret *corev1.ObjectReference `json:"encryptionKeySecret,omitempty"`
+	// Encryption provider
+	// +kubebuilder:validation:Enum=aescbc;secretbox
+	Provider string `json:"provider,omitempty"`
+}
+
 // CNI defines the Cni options for deploying RKE2.
 type CNI string
 

controlplane/api/v1alpha1/zz_generated.deepcopy.go

@@ -1113,6 +1113,59 @@ spec:
                   pauseImage:
                     description: PauseImage Override image to use for pause.
                     type: string
+                  secretsEncryption:
+                    description: SecretsEncrytion defines encryption at rest configuration
+                    properties:
+                      encryptionKeySecret:
+                        description: EncyptionKey secret reference
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          resourceVersion:
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                            type: string
+                          uid:
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      provider:
+                        description: Encryption provider
+                        enum:
+                        - aescbc
+                        - secretbox
+                        type: string
+                    type: object
                   serviceNodePortRange:
                     description: 'ServiceNodePortRange is the port range to reserve
                       for services with NodePort visibility (default: "30000-32767").'
@@ -2557,6 +2610,59 @@ spec:
                   pauseImage:
                     description: PauseImage Override image to use for pause.
                     type: string
+                  secretsEncryption:
+                    description: SecretsEncrytion defines encryption at rest configuration
+                    properties:
+                      encryptionKeySecret:
+                        description: EncyptionKey secret reference
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          resourceVersion:
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                            type: string
+                          uid:
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      provider:
+                        description: Encryption provider
+                        enum:
+                        - aescbc
+                        - secretbox
+                        type: string
+                    type: object
                   serviceNodePortRange:
                     description: 'ServiceNodePortRange is the port range to reserve
                       for services with NodePort visibility (default: "30000-32767").'

controlplane/api/v1beta1/rke2controlplane_types.go

@@ -1414,6 +1414,60 @@ spec:
                           pauseImage:
                             description: PauseImage Override image to use for pause.
                             type: string
+                          secretsEncryption:
+                            description: SecretsEncrytion defines encryption at rest
+                              configuration
+                            properties:
+                              encryptionKeySecret:
+                                description: EncyptionKey secret reference
+                                properties:
+                                  apiVersion:
+                                    description: API version of the referent.
+                                    type: string
+                                  fieldPath:
+                                    description: |-
+                                      If referring to a piece of an object instead of an entire object, this string
+                                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                      For example, if the object reference is to a container within a pod, this would take on a value like:
+                                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                                      the event) or if no container name is specified "spec.containers[2]" (container with
+                                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                                      referencing a part of an object.
+                                    type: string
+                                  kind:
+                                    description: |-
+                                      Kind of the referent.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                                    type: string
+                                  name:
+                                    description: |-
+                                      Name of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    type: string
+                                  namespace:
+                                    description: |-
+                                      Namespace of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                                    type: string
+                                  resourceVersion:
+                                    description: |-
+                                      Specific resourceVersion to which this reference is made, if any.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                                    type: string
+                                  uid:
+                                    description: |-
+                                      UID of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
+                              provider:
+                                description: Encryption provider
+                                enum:
+                                - aescbc
+                                - secretbox
+                                type: string
+                            type: object
                           serviceNodePortRange:
                             description: 'ServiceNodePortRange is the port range to
                               reserve for services with NodePort visibility (default: