Add encryptionType: kms and kmsConfig in apiserver.config

* feature gated by TechPreviewNoUpgrade and KMSv2

Signed-off-by: Swarup Ghosh <[email protected]>

Author: swghosh

config/v1/types_apiserver.go

@@ -173,6 +173,9 @@ type APIServerNamedServingCert struct {
 	ServingCertificate SecretNameReference `json:"servingCertificate"`
 }
 
+// APIServerEncryption is used to encrypt sensitive resources on the cluster.
+//
+// +union
 type APIServerEncryption struct {
 	// type defines what encryption type should be used to encrypt resources at the datastore layer.
 	// When this field is unset (i.e. when it is set to the empty string), identity is implied.
@@ -191,9 +194,23 @@ type APIServerEncryption struct {
 	// +unionDiscriminator
 	// +optional
 	Type EncryptionType `json:"type,omitempty"`
+
+	// kms defines the configuration for the external KMS instance that manages the encryption keys,
+	// when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
+	// externally configured KMS instance.
+	//
+	// The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
+	// managing the lifecyle of the encryption keys outside of the control plane.
+	// This allows integration with an external provider to manage the data encryption keys securely.
+	//
+	// +openshift:enable:FeatureGate=KMSv2
+	// +unionMember
+	// +optional
+	KMS *KMSConfig `json:"kms,omitempty"`
 }
 
-// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm
+// +openshift:validation:FeatureSetAwareEnum:featureSet=Default,enum="";identity;aescbc;aesgcm
+// +openshift:validation:FeatureSetAwareEnum:featureSet=TechPreviewNoUpgrade,enum="";identity;aescbc;aesgcm;kms
 type EncryptionType string
 
 const (
@@ -208,6 +225,13 @@ const (
 	// aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key
 	// is used to perform encryption at the datastore layer.
 	EncryptionTypeAESGCM EncryptionType = "aesgcm"
+
+	// kms refers to a type of encryption where the encryption keys are managed
+	// outside the control plane in a Key Management Service instance,
+	// encryption is still performed at the datastore layer.
+	//
+	// +openshift:enable:FeatureGate=KMSv2
+	EncryptionTypeKMS EncryptionType = "kms"
 )
 
 type APIServerStatus struct {

config/v1/types_kmsencryption.go

@@ -0,0 +1,28 @@
+package v1
+
+// KMSConfig defines the configuration for the KMS instance
+// that will be used with KMSv2 encryption
+//
+// +openshift:enable:FeatureGate=KMSv2
+type KMSConfig struct {
+	// aws defines the key config for using an AWS KMS instance
+	// for the encryption. The AWS KMS instance is managed
+	// by the user outside the purview of the control plane.
+	//
+	// +optional
+	AWS *AWSKMSConfig `json:"aws,omitempty"`
+}
+
+// AWSKMSConfig defines the KMS config specific to AWS KMS provider
+//
+// +openshift:enable:FeatureGate=KMSv2
+type AWSKMSConfig struct {
+	// keyARN is the AWS ARN for the symmetric encryption KMS key
+	//
+	// +kubebuilder:validation:Pattern=`^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$`
+	KeyARN string `json:"keyARN"`
+	// region is the AWS region where the KMS instance exists
+	//
+	// +kubebuilder:validation:Pattern=`^[a-z]{2}-[a-z]+-\d{1,2}$`
+	Region string `json:"region"`
+}