Commit

config: add aesgcm to encryption config
Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
dgrisonnet committed Feb 22, 2023
1 parent 42edf4f commit ae90cb1
Showing 2 changed files with 6 additions and 5 deletions.
4 changes: 0 additions & 4 deletions config/v1/0000_10_config-operator_01_apiserver.crd.yaml
Expand Up @@ -97,10 +97,6 @@ spec:
type:
description: "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices. \n When encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is: \n 1. secrets 2. configmaps 3. routes.route.openshift.io 4. oauthaccesstokens.oauth.openshift.io 5. oauthauthorizetokens.oauth.openshift.io"
type: string
enum:
- ""
- identity
- aescbc
servingCerts:
description: servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates will be used for serving secure traffic.
type: object
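Review bot: Dropping the `enum` block (`""`, `identity`, `aescbc`) from the `type` property in the base CRD removes schema-level validation of the encryption type from this manifest, so whether an unknown value like `aesgcm` on a Default cluster is rejected now depends entirely on the feature-set-aware CRD variants being generated and installed; please confirm the generated Default and TechPreviewNoUpgrade manifests carry the enum, and consider keeping the `description` in sync by stating that the accepted values depend on the enabled feature set.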
7 changes: 6 additions & 1 deletion config/v1/types_apiserver.go
Expand Up @@ -184,7 +184,8 @@ type APIServerEncryption struct {
Type EncryptionType `json:"type,omitempty"`
}

// +kubebuilder:validation:Enum="";identity;aescbc
// +openshift:validation:FeatureSetAwareEnum:featureSet=Default,enum="";identity;aescbc
// +openshift:validation:FeatureSetAwareEnum:featureSet=TechPreviewNoUpgrade,enum="";identity;aescbc;aesgcm
type EncryptionType string

const (
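Review bot: Replacing the single `+kubebuilder:validation:Enum` marker with two `+openshift:validation:FeatureSetAwareEnum` markers means `aesgcm` is only accepted under `TechPreviewNoUpgrade`, but nothing in the hunk documents that gating; a short comment above `type EncryptionType string` saying that `aesgcm` is tech-preview only would save readers from assuming the constant added below is usable on Default clusters.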
Expand All @@ -195,6 +196,10 @@ const (
// aescbc refers to a type where AES-CBC with PKCS#7 padding and a 32-byte key
// is used to perform encryption at the datastore layer.
EncryptionTypeAESCBC EncryptionType = "aescbc"

// aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key
// is used to perform encryption at the datastore layer.
EncryptionTypeAESGCM EncryptionType = "aesgcm"
)

type APIServerStatus struct {
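Review bot: The doc comment on `EncryptionTypeAESGCM` says "AES-GCM with random nonce and a 32-byte key" but stops there; since repeating a nonce under the same GCM key breaks both confidentiality and integrity, and random 96-bit nonces have a collision bound that makes key rotation after a bounded number of encryptions necessary, the comment should state that operational constraint (and that the value is currently gated to `TechPreviewNoUpgrade` by the markers above) rather than presenting it as a drop-in alternative to `aescbc`.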

0 comments on commit ae90cb1
