CNV-33847: KubeVirt: create the etcd encryption key secret, if missing

[nunnatsa]

What this PR does / why we need it:
To allow creating of KubeVirt hosted cluster using the hosted cluster API (rather than using the cli).

When creating the hosted cluster using the cli, the cli also creates the secret. But when creating the hosted cluster using the hosted cluster API, the secret is not created.

This PR changes hypershift so it now creates the etcd encryption key secret, if it is not already exist.

Which issue(s) this PR fixes:
Fixes #CNV-33847

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[nunnatsa]

/test e2e-aws
/test e2e-kubevirt-aws-ovn

[davidvossel]

I think much of this logic could be simplified using the createOrUpdate function. Below is a skeleton of how that might look along with some suggestions about things we should look out for when generating the secret

       if hc.Spec.SecretEncryption == nil ||
                     hc.Spec.SecretEncryption.Type == "" ||
                     (hc.Spec.SecretEncryption.Type == hyperv1.AESCBC && hc.Spec.SecretEncryption.AESCBC == nil) {

               ### Maybe add this function to hypershift-operator/controllers/manifests/manifests.go to be consistent with how other objects are created for hosted cluster?
               secret := manifests.GeneratedAESCBCSecret(hc.Namespace, hc.Name)

               ### use createOrUpdate function to handle the case where the secret was already created but we failed to apply the hostedCluster.spec change the first go around>
               if _, err := createOrUpdate(ctx, r.Client, secret, func() error {

                       ### don't override existing key just in case something weird happened >

                       _, exists := secret.Data[hyperv1.AESCBCKeySecretKey]
                       if exists {
                               return nil
                       }

                       ### If we generated the secret, then the secret needs to be cleaned up automatically when the HostedCluster is deleted>

                       ownerRef := config.OwnerRefFrom(hc)
                       ownerRef.ApplyTo(secret)

                       ### generate key and add to the secret's data
                 
                       return nil
               }); err != nil {
                       return fmt.Errorf("failed to generate ETCD SecretEncryption key for KubeVirt platform HostedCluster: %w", err)
               }

               ### apply new secret reference to hosted cluster
       }

[nunnatsa]

       if hc.Spec.SecretEncryption == nil ||
                     hc.Spec.SecretEncryption.Type == "" ||
                     (hc.Spec.SecretEncryption.Type == hyperv1.AESCBC && hc.Spec.SecretEncryption.AESCBC == nil) {

               ### Maybe add this function to hypershift-operator/controllers/manifests/manifests.go to be consistent with how other objects are created for hosted cluster?
               secret := manifests.GeneratedAESCBCSecret(hc.Namespace, hc.Name) // <<<< this is in a new etcd package, to be also used from api/fixtures. No code in api/fixtures uses manifests

               ### use createOrUpdate function to handle the case where the secret was already created but we failed to apply the hostedCluster.spec change the first go around>
               if _, err := createOrUpdate(ctx, r.Client, secret, func() error {

                       ### don't override existing key just in case something weird happened >

                       _, exists := secret.Data[hyperv1.AESCBCKeySecretKey] // not sure about this code. This is just created and we know the key was generated
                       if exists {
                               return nil
                       }

                       ### If we generated the secret, then the secret needs to be cleaned up automatically when the HostedCluster is deleted>

                       ownerRef := config.OwnerRefFrom(hc)
                       ownerRef.ApplyTo(secret)

                       ### generate key and add to the secret's data
                 
                       return nil
               }); err != nil {
                       return fmt.Errorf("failed to generate ETCD SecretEncryption key for KubeVirt platform HostedCluster: %w", err)
               }

               ### apply new secret reference to hosted cluster
       }

[openshift-ci]

@nunnatsa: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-ibmcloud-roks	180c1da	link	false	/test e2e-ibmcloud-roks
ci/prow/e2e-ibmcloud-iks	180c1da	link	false	/test e2e-ibmcloud-iks

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[davidvossel]

nice! I just had one really minor comment about that log object. other than that, this looks really good

[davidvossel]

is the log used?

also, you can get the logger from the ctx i believe

log := ctrl.LoggerFrom(ctx)

[davidvossel]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidvossel, nunnatsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [davidvossel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@nunnatsa: This pull request references CNV-33847 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

What this PR does / why we need it:
To allow creating of KubeVirt hosted cluster using the hosted cluster API (rather than using the cli).

When creating the hosted cluster using the cli, the cli also creates the secret. But when creating the hosted cluster using the hosted cluster API, the secret is not created.

This PR changes hypershift so it now creates the etcd encryption key secret, if it is not already exist.

Which issue(s) this PR fixes:
Fixes #CNV-33847

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.