feat: add several fields to manage state of database encryption update

Google APIs · copybara-github · commit cf1b61cc1a2f · 2024-03-26T12:23:57.000-07:00
PiperOrigin-RevId: 619273826
diff --git a/google/container/v1beta1/cluster_service.proto b/google/container/v1beta1/cluster_service.proto
@@ -5265,12 +5265,68 @@ message DatabaseEncryption {
     DECRYPTED = 2;
   }
 
+  // Current State of etcd encryption.
+  enum CurrentState {
+    // Should never be set
+    CURRENT_STATE_UNSPECIFIED = 0;
+
+    // Secrets in etcd are encrypted.
+    CURRENT_STATE_ENCRYPTED = 7;
+
+    // Secrets in etcd are stored in plain text (at etcd level) - this is
+    // unrelated to Compute Engine level full disk encryption.
+    CURRENT_STATE_DECRYPTED = 2;
+
+    // Encryption (or re-encryption with a different CloudKMS key)
+    // of Secrets is in progress.
+    CURRENT_STATE_ENCRYPTION_PENDING = 3;
+
+    // Encryption (or re-encryption with a different CloudKMS key) of Secrets in
+    // etcd encountered an error.
+    CURRENT_STATE_ENCRYPTION_ERROR = 4;
+
+    // De-crypting Secrets to plain text in etcd is in progress.
+    CURRENT_STATE_DECRYPTION_PENDING = 5;
+
+    // De-crypting Secrets to plain text in etcd encountered an error.
+    CURRENT_STATE_DECRYPTION_ERROR = 6;
+  }
+
+  // OperationError records errors seen from CloudKMS keys
+  // encountered during updates to DatabaseEncryption configuration.
+  message OperationError {
+    // CloudKMS key resource that had the error.
+    string key_name = 1;
+
+    // Description of the error seen during the operation.
+    string error_message = 2;
+
+    // Time when the CloudKMS error was seen.
+    google.protobuf.Timestamp timestamp = 3;
+  }
+
   // Name of CloudKMS key to use for the encryption of secrets in etcd.
   // Ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key
   string key_name = 1;
 
   // The desired state of etcd encryption.
   State state = 2;
+
+  // Output only. The current state of etcd encryption.
+  optional CurrentState current_state = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Keys in use by the cluster for decrypting
+  // existing objects, in addition to the key in `key_name`.
+  //
+  // Each item is a CloudKMS key resource.
+  repeated string decryption_keys = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Records errors seen during DatabaseEncryption update
+  // operations.
+  repeated OperationError last_operation_errors = 5
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Configuration for exporting cluster resource usages.
