feat: [container] add several fields to manage state of database encr…

…yption update (#5184)

* feat: add several fields to manage state of database encryption update

PiperOrigin-RevId: 619273826

Source-Link: googleapis/googleapis@cf1b61c

Source-Link: googleapis/googleapis-gen@6a32e3c
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNvbnRhaW5lci8uT3dsQm90LnlhbWwiLCJoIjoiNmEzMmUzY2ViNmVkZGE0OTQxNmI3OGE3MGRlNzhjNTUzYmNhN2EzYiJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* feat: add several fields to manage state of database encryption update

PiperOrigin-RevId: 619289281

Source-Link: googleapis/googleapis@3a7c334

Source-Link: googleapis/googleapis-gen@6a8c733
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNvbnRhaW5lci8uT3dsQm90LnlhbWwiLCJoIjoiNmE4YzczMzA2MmQ4MzNkMTFjNTI0NWVkYTUwZjUxMDhlMGU1NTMyNCJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

packages/google-container/protos/google/container/v1/cluster_service.proto

@@ -4719,12 +4719,68 @@ message DatabaseEncryption {
     DECRYPTED = 2;
   }
 
+  // Current State of etcd encryption.
+  enum CurrentState {
+    // Should never be set
+    CURRENT_STATE_UNSPECIFIED = 0;
+
+    // Secrets in etcd are encrypted.
+    CURRENT_STATE_ENCRYPTED = 7;
+
+    // Secrets in etcd are stored in plain text (at etcd level) - this is
+    // unrelated to Compute Engine level full disk encryption.
+    CURRENT_STATE_DECRYPTED = 2;
+
+    // Encryption (or re-encryption with a different CloudKMS key)
+    // of Secrets is in progress.
+    CURRENT_STATE_ENCRYPTION_PENDING = 3;
+
+    // Encryption (or re-encryption with a different CloudKMS key) of Secrets in
+    // etcd encountered an error.
+    CURRENT_STATE_ENCRYPTION_ERROR = 4;
+
+    // De-crypting Secrets to plain text in etcd is in progress.
+    CURRENT_STATE_DECRYPTION_PENDING = 5;
+
+    // De-crypting Secrets to plain text in etcd encountered an error.
+    CURRENT_STATE_DECRYPTION_ERROR = 6;
+  }
+
+  // OperationError records errors seen from CloudKMS keys
+  // encountered during updates to DatabaseEncryption configuration.
+  message OperationError {
+    // CloudKMS key resource that had the error.
+    string key_name = 1;
+
+    // Description of the error seen during the operation.
+    string error_message = 2;
+
+    // Time when the CloudKMS error was seen.
+    google.protobuf.Timestamp timestamp = 3;
+  }
+
   // Name of CloudKMS key to use for the encryption of secrets in etcd.
   // Ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key
   string key_name = 1;
 
   // The desired state of etcd encryption.
   State state = 2;
+
+  // Output only. The current state of etcd encryption.
+  optional CurrentState current_state = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Keys in use by the cluster for decrypting
+  // existing objects, in addition to the key in `key_name`.
+  //
+  // Each item is a CloudKMS key resource.
+  repeated string decryption_keys = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Records errors seen during DatabaseEncryption update
+  // operations.
+  repeated OperationError last_operation_errors = 5
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // ListUsableSubnetworksRequest requests the list of usable subnetworks

packages/google-container/protos/google/container/v1beta1/cluster_service.proto

@@ -5265,12 +5265,68 @@ message DatabaseEncryption {
     DECRYPTED = 2;
   }
 
+  // Current State of etcd encryption.
+  enum CurrentState {
+    // Should never be set
+    CURRENT_STATE_UNSPECIFIED = 0;
+
+    // Secrets in etcd are encrypted.
+    CURRENT_STATE_ENCRYPTED = 7;
+
+    // Secrets in etcd are stored in plain text (at etcd level) - this is
+    // unrelated to Compute Engine level full disk encryption.
+    CURRENT_STATE_DECRYPTED = 2;
+
+    // Encryption (or re-encryption with a different CloudKMS key)
+    // of Secrets is in progress.
+    CURRENT_STATE_ENCRYPTION_PENDING = 3;
+
+    // Encryption (or re-encryption with a different CloudKMS key) of Secrets in
+    // etcd encountered an error.
+    CURRENT_STATE_ENCRYPTION_ERROR = 4;
+
+    // De-crypting Secrets to plain text in etcd is in progress.
+    CURRENT_STATE_DECRYPTION_PENDING = 5;
+
+    // De-crypting Secrets to plain text in etcd encountered an error.
+    CURRENT_STATE_DECRYPTION_ERROR = 6;
+  }
+
+  // OperationError records errors seen from CloudKMS keys
+  // encountered during updates to DatabaseEncryption configuration.
+  message OperationError {
+    // CloudKMS key resource that had the error.
+    string key_name = 1;
+
+    // Description of the error seen during the operation.
+    string error_message = 2;
+
+    // Time when the CloudKMS error was seen.
+    google.protobuf.Timestamp timestamp = 3;
+  }
+
   // Name of CloudKMS key to use for the encryption of secrets in etcd.
   // Ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key
   string key_name = 1;
 
   // The desired state of etcd encryption.
   State state = 2;
+
+  // Output only. The current state of etcd encryption.
+  optional CurrentState current_state = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Keys in use by the cluster for decrypting
+  // existing objects, in addition to the key in `key_name`.
+  //
+  // Each item is a CloudKMS key resource.
+  repeated string decryption_keys = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Records errors seen during DatabaseEncryption update
+  // operations.
+  repeated OperationError last_operation_errors = 5
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Configuration for exporting cluster resource usages.