Skip to content

CNTRLPLANE-3236: support deploying Vault mock KMS plugin#2146

Merged
openshift-merge-bot[bot] merged 3 commits into
openshift:mainfrom
bertinatto:kms-plugins-lifecycle-vault-mock
May 27, 2026
Merged

CNTRLPLANE-3236: support deploying Vault mock KMS plugin#2146
openshift-merge-bot[bot] merged 3 commits into
openshift:mainfrom
bertinatto:kms-plugins-lifecycle-vault-mock

Conversation

@bertinatto

@bertinatto bertinatto commented May 8, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Chores

    • Updated OpenShift API and client libraries to newer pinned versions.
    • Adjusted module replace overrides for external libraries.
  • Refactor

    • Controller now persists and uses secret access when mutating pod specs to add an encryption KMS plugin sidecar (behavioral change; no public API changes).

@openshift-ci

openshift-ci Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 8, 2026
@coderabbitai

coderabbitai Bot commented May 8, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Updated Go module pins. Added secretLister to TargetConfigController and initialized it. createTargetConfig/managePods now pass a Secrets client; KMS sidecar injection uses pluginlifecycle.AddKMSPluginSidecarToPodSpec(...) with the Secrets client and feature-gate checks.

Changes

Dependency and target config controller update

Layer / File(s) Summary
Module dependency pins
go.mod
Updated require entries for github.com/openshift/api, github.com/openshift/client-go, and github.com/openshift/library-go to newer commit pins. The existing replace for github.com/onsi/ginkgo/v2 remains pinned to github.com/openshift/onsi-ginkgo/v2.
Import path switch for KMS plugin lifecycle
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
Replaced previous encryptionkms import with the .../encryption/kms/pluginlifecycle package (import alias kmspluginlifecycle).
TargetConfigController struct and informer wiring
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
Added field secretLister corev1listers.SecretLister to TargetConfigController and initialized it from kubeInformersForNamespaces.SecretLister() in NewTargetConfigController.
Runtime wiring: Secrets client passed into managePods
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
createTargetConfig now passes c.kubeClient.CoreV1() (a coreclientv1.SecretsGetter) into managePods.
managePods signature and KMS injection change
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
managePods signature updated to accept secretClient coreclientv1.SecretsGetter. KMS mutation now uses kmspluginlifecycle.AddKMSPluginSidecarToPodSpec(..., secretClient) guarded by featureGateAccessor.AreInitialFeatureGatesObserved() / CurrentFeatureGates(), and returns an error if injection fails.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

jira/valid-reference

Suggested reviewers

  • dinhxuanvu
  • p0lyn0mial
🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Microshift Test Compatibility ⚠️ Warning New Ginkgo e2e tests added that use [OCPFeatureGate:KMSEncryption] without proper MicroShift skip protection via [Skipped:MicroShift] or [apigroup:...] labels. Add [Skipped:MicroShift] labels or replace [OCPFeatureGate:...] with [apigroup:config.openshift.io] to skip on MicroShift. Or guard tests with exutil.IsMicroShiftCluster() check.
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Ginkgo test names in the added test file are stable and deterministic with no dynamic values. Random operations only occur in test bodies, not titles.
Test Structure And Quality ✅ Passed This PR contains no Ginkgo test code. All test files use standard Go testing (func Test*), making the Ginkgo-specific check not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. It only modifies go.mod (dependency versions) and targetconfigcontroller.go (controller logic). The SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed No topology-breaking scheduling constraints added. KMS sidecar injection only adds containers/volumes, not affinity, anti-affinity, topology spread, nodeSelector, or replica modifications.
Ote Binary Stdout Contract ✅ Passed Tests-ext main uses klog.Fatal() outputting to stderr by default. TargetConfigController logging is in method bodies (not process-level). No fmt.Print* calls in process-level code to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. Changes are limited to go.mod dependency updates and targetconfigcontroller.go implementation. The check is not applicable.
Title check ✅ Passed The title accurately describes the main change: adding support for deploying a Vault mock KMS plugin via the KMS plugin sidecar mechanism, which is reflected in the code changes that replace encryptionkms with kmspluginlifecycle.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 140: Remove the personal fork replace directive currently replacing
github.com/openshift/library-go with github.com/bertinatto/library-go (the
replace line in go.mod); delete that replace entry and restore/point to the
official github.com/openshift/library-go module (use an appropriate released
version or remove the replace so the go tool resolves the upstream tag) so the
dependency no longer references your personal fork.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 87628888-2677-494d-aa8c-cf27c567efad

📥 Commits

Reviewing files that changed from the base of the PR and between ee66dc7 and a373de0.

⛔ Files ignored due to path filters (8)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/migration_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/state_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/plugins/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/sidecar.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • go.mod
  • pkg/operator/starter.go
  • pkg/operator/targetconfigcontroller/targetconfigcontroller.go
💤 Files with no reviewable changes (1)
  • pkg/operator/starter.go

Comment thread go.mod Outdated
Comment thread pkg/operator/targetconfigcontroller/targetconfigcontroller.go Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/targetconfigcontroller/targetconfigcontroller.go`:
- Line 230: managePods currently receives secretLister but never reads it, so
either wire it into the pod-rendering logic or remove it to avoid a no-op;
update the managePods declaration and its internal logic to use the passed
secretLister (e.g., call secretLister.Secrets(namespace).Get(secretName) where
pod templates or credentials are resolved) and handle not-found/errors, or if
secrets are not needed, remove the secretLister parameter from managePods and
all its call sites (including the call from targetconfigcontroller where
managePods is invoked) to keep the signature consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b328744a-15ff-4712-9324-cf6969c77150

📥 Commits

Reviewing files that changed from the base of the PR and between 06740d8 and 26bf24b.

⛔ Files ignored due to path filters (13)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • go.mod
  • pkg/operator/targetconfigcontroller/targetconfigcontroller.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Comment thread pkg/operator/targetconfigcontroller/targetconfigcontroller.go Outdated
@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from 26bf24b to a8a6f7f Compare May 12, 2026 20:27

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/targetconfigcontroller/targetconfigcontroller.go`:
- Around line 335-337: Move the proxy env var application so it runs after the
KMS sidecar is injected: call encryptionkms.AddKMSPluginSidecarToPodSpec(ctx,
&required.Spec, ...) first, then iterate required.Spec.Containers (and
InitContainers if applicable) to add HTTP_PROXY/HTTPS_PROXY/NO_PROXY so the
newly appended sidecar also receives them; update the code around the
AddKMSPluginSidecarToPodSpec invocation and the proxy-env application logic
accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e8403636-f71b-4d59-b494-868ddd3ea438

📥 Commits

Reviewing files that changed from the base of the PR and between 26bf24b and a8a6f7f.

⛔ Files ignored due to path filters (40)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexportercollectorsoftirqsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/migration_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/state_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • go.mod
  • pkg/operator/targetconfigcontroller/targetconfigcontroller.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

Comment thread pkg/operator/targetconfigcontroller/targetconfigcontroller.go Outdated
@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from a8a6f7f to 5f9e3a4 Compare May 13, 2026 13:21
@bertinatto bertinatto changed the title Proof https://github.com/openshift/library-go/pull/2209 CNTRLPLANE-3236: support deploying Vault mock KMS plugin May 13, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 13, 2026
@openshift-ci-robot

openshift-ci-robot commented May 13, 2026

Copy link
Copy Markdown

@bertinatto: This pull request references CNTRLPLANE-3236 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • Chores

  • Updated OpenShift API and client libraries to newer pinned versions.

  • Adjusted module replace overrides for external libraries.

  • Refactor

  • Controller now persists and uses secret access when mutating pod specs to add an encryption KMS plugin sidecar (behavioral change; no public API changes).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch 2 times, most recently from 0b3ee72 to 297c81b Compare May 13, 2026 14:13
@bertinatto bertinatto marked this pull request as ready for review May 13, 2026 14:15
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2026
@openshift-ci openshift-ci Bot requested review from ingvagabund and rh-roman May 13, 2026 14:16
@bertinatto

Copy link
Copy Markdown
Member Author

periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview

@bertinatto

Copy link
Copy Markdown
Member Author

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview-serial
/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview
/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview

@openshift-ci

openshift-ci Bot commented May 13, 2026

Copy link
Copy Markdown
Contributor

@bertinatto: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview-serial
  • periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview
  • periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f5ac7010-4ed7-11f1-9cb0-89c4ec005c5c-0

return nil, false, fmt.Errorf("failed to get feature gates: %w", err)
}
if featureGates.Enabled(features.FeatureGateKMSEncryption) {
err := kmspluginlifecycle.AddKMSPluginSidecarToPodSpec(ctx, &required.Spec, "kube-apiserver", "openshift-config-managed", "encryption-config-openshift-kube-apiserver", secretClient)

@p0lyn0mial p0lyn0mial May 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to check if the ns is correct, i think the ns should be openshift-kube-apiserver, no ?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do encryption controllers sync to openshift-config-managed and then we revision from that ns ?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xref:

operatorclient.TargetNamespace,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it seems that the revision controller is working against openshift-kube-apiserver"

WithRevisionedResources(operatorclient.TargetNamespace, "kube-apiserver", RevisionConfigMaps, RevisionSecrets).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also copy that secret to openshift-kube-apiserver and name it encryption-secret, which could be more appropriate

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that namespace should be openshift-kube-apiserver. Next question would be: Precondition validation will compare this with a secret under which namespace?

@bertinatto bertinatto May 13, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from 297c81b to 97bfb3e Compare May 13, 2026 15:56
Comment thread pkg/operator/targetconfigcontroller/targetconfigcontroller.go Outdated

if err := encryptionkms.AddKMSPluginVolumeAndMountToPodSpec(&required.Spec, "kube-apiserver", featureGateAccessor); err != nil {
return nil, false, fmt.Errorf("failed to add KMS encryption volumes: %w", err)
if featureGateAccessor.AreInitialFeatureGatesObserved() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is what we do in the other places in this operator, right ? we don't rety controller when FG hasn't been observed, right ?

@bertinatto bertinatto May 13, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

besides KMS, the accessors are currently only used by config observers in this operator. When feature gates haven't been observed yet, they just report an empty config.

if the feature gates haven't been observed yet, we should probably keep the current behavior of non-TP clusters unchanged (the function inside the if clause reflects that)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, thanks.

@bertinatto bertinatto marked this pull request as draft May 14, 2026 16:20
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2026
@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from 97bfb3e to ca69fff Compare May 14, 2026 16:21
@bertinatto

Copy link
Copy Markdown
Member Author

/test e2e-gcp-operator-encryption-kms

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 27, 2026
@openshift-ci

openshift-ci Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 27, 2026
@ardaguclu

Copy link
Copy Markdown
Member

/hold
we need openshift/library-go#2240

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 27, 2026
@ardaguclu

Copy link
Copy Markdown
Member

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 27, 2026
@ardaguclu

Copy link
Copy Markdown
Member

/hold
this PR will be updated

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 27, 2026
@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from 08d9005 to 99e50ec Compare May 27, 2026 15:44
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label May 27, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 27, 2026
@ardaguclu

Copy link
Copy Markdown
Member

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 27, 2026
@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-vault-mock branch from 99e50ec to d2f42de Compare May 27, 2026 15:48
@tjungblu

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 27, 2026
@tjungblu

Copy link
Copy Markdown
Contributor

/verified by ci

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 27, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@tjungblu: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

func TestPerfEncryption(tt *testing.T) {
operatorClient := operatorencryption.GetOperator(tt)
library.TestPerfEncryption(tt, library.PerfScenario{
library.TestPerfEncryption(tt.Context(), tt, library.PerfScenario{

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I recall tt.Context() is always empty. We should get ctx from TestPerfEncryption

librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage, librarykms.DefaultKMSPluginCount)
library.TestEncryptionProvidersMigration(t, library.ProvidersMigrationScenario{
func testKMSEncryptionProvidersMigration(ctx context.Context, t testing.TB) {
librarykms.DeployUpstreamMockKMSPlugin(ctx, t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage, librarykms.DefaultKMSPluginCount)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need this anymore. But this can/should be handled in a separate PR.

// file
func TestEncryptionRotation(t *testing.T) {
library.TestEncryptionRotation(t, library.RotationScenario{
library.TestEncryptionRotation(t.Context(), t, library.RotationScenario{

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same?

@ardaguclu

Copy link
Copy Markdown
Member

/lgtm

@openshift-merge-bot openshift-merge-bot Bot merged commit d0f9b3c into openshift:main May 27, 2026
23 of 26 checks passed
@openshift-ci

openshift-ci Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

@bertinatto: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-operator-encryption-perf-single-node d2f42de link false /test e2e-gcp-operator-encryption-perf-single-node
ci/prow/e2e-gcp-operator-encryption-single-node d2f42de link false /test e2e-gcp-operator-encryption-single-node

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants