EncryptionConfig: use standard method for parsing config file

[php-coder]

Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
/sig auth

What happened:
Currently encryption config parsing uses a non-standard parsing method that pays no attention to the version of the config:

kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go

Lines 67 to 79 in dce1b88

	var config EncryptionConfig
	err = yaml.Unmarshal(configFileContents, &config)
	if err != nil {
	return nil, fmt.Errorf("error while parsing file: %v", err)
	}
	if config.Kind == "" {
	return nil, fmt.Errorf("invalid configuration file, missing Kind")
	}
	if config.Kind != "EncryptionConfig" {
	return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
	}
	// TODO config.APIVersion is unchecked

What you expected to happen:

• the types must change to use standard methods for including kind/apiVersion (inlining metav1.TypeMeta like all other objects)
• define a versioned config (we can promote straight to v1beta1 if we don't require any structural changes)
• parsing must require well-formed config files

Anything else we need to know?:
Requested by @liggitt and extracted from #61592 (comment)

Steps to be done:

• fix type definition to actually be a runtime object, inline TypeMeta, etc
• define v1beta1 API types, generate conversions/defaults
• define scheme/codecs that have the external (v1beta1) and internal (existing) types registered
• use that scheme/codec to load the config (handles decoding the v1beta1 version, conversion to internal version)

CC @marrrvin

[php-coder]

@kubernetes/sig-auth-feature-requests

define v1beta1 API types, generate conversions/defaults

That's not so clear to me.. API types should belong to some API Group, correct? What API group should we use for that config?

Right now the config is:

apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
	- secrets
	providers:
	- identity: {}

How it will look like after this change?

apiVersion: apiserver.config.k8s.io/v1beta1
kind: EncryptionConfiguration
resources:
  - resources:
	- secrets
	providers:
	- identity: {}

[liggitt]

ah, didn't realize the documentation was already using v1. unfortunate the version is completely ignored by the loader.

we can discuss whether the config is ready to promote to v1. I don't see a particular reason it wouldn't be

yes, I'd expect the group to be apiserver.config.k8s.io

[php-coder]

The current state: @marrrvin is going to prepare PR for that.

Assigning to myself, because I can't assign it to Sergey directly.

/assign

[mikedanese]

cc @immutableT

[php-coder]

@marrrvin What is the current state of the issue? Do you need help on that?

[ericchiang]

bump @marrrvin

[php-coder]

@ericchiang I've submitted #63032 You may review it, if you're interested in it.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[php-coder]

/remove-lifecycle stale