
CNTRLPLANE-3070: Support KMS on self-managed Azure without affecting ARO HCP #8088

Open

bryan-cox wants to merge 7 commits into openshift:main from bryan-cox:CNTRLPLANE-3070

Conversation


@bryan-cox bryan-cox commented Mar 26, 2026

What this PR does / why we need it:

Enables Azure Key Vault KMS encryption (etcd encryption at rest) for self-managed Azure HyperShift clusters using workload identity federation, without breaking the existing ARO HCP (managed Azure) KMS path that uses managed identities with CSI secret store volumes.

Key Changes

API: Added SelfManagedKMS field (type SelfManagedAzureKMS) to AzureKMSSpec with a ClientID for the workload identity that has Key Vault Crypto User role on the Key Vault. CEL validation rules enforce mutual exclusivity between kms (managed) and selfManagedKMS (self-managed), and immutability once set.

Control Plane Operator:

  • Azure KMS provider now supports both ARO HCP and self-managed paths
  • ARO HCP: CSI secret store volume for managed identity (unchanged)
  • Self-managed: token-minter sidecar + emptyDir cloud token volume for workload identity federation
  • KMS cloud config secret sets federated identity fields (UseWorkloadIdentityExtension) for self-managed

HyperShift Operator:

  • KMS config secret reconciliation branches on managed vs self-managed, returning an error when neither credential is configured
  • Credential reconciliation for self-managed Azure workload identities

CLI:

  • create cluster azure: Only sets ManagedIdentity KMS creds for managed Azure; self-managed uses AzureKMSSpec.SelfManagedKMS
  • create iam azure: Creates KMS workload identity with federated credential for kms-provider service account

E2E: Updated TestCreateClusterCustomConfig to handle self-managed Azure KMS assertions. Added envtest coverage for CEL validation rules (mutual exclusivity, immutability).

Documentation: Added KMS encryption section to self-managed Azure cluster guide with Key Vault setup and workload identity federation instructions.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3070

Special notes for your reviewer:

The self-managed Azure KMS authentication pattern follows the same approach used by Cloud Controller Manager (CCM) and Azure CSI storage drivers, which already support self-managed Azure with workload identity federation.

The token-minter sidecar mints OIDC tokens for the kms-provider service account in kube-system namespace, matching the pattern used by AWS KMS.

kms and selfManagedKMS are mutually exclusive and immutable once set — switching between managed and self-managed KMS auth after cluster creation is not supported.

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.
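To make the validation and credential-path selection described above concrete, here is an added Go sketch (not HyperShift's code and not part of the PR): stand-in types named after the PR's fields, a validator enforcing the same exclusivity and immutability the CEL rules enforce, and a renderer that picks the Secret Store CSI volume for ARO HCP or the token-minter sidecar with an emptyDir and AZURE_* environment for self-managed. The CloudTokenMountPath value, the tenant ID parameter, the volume and sidecar names and the reduced KMSPodConfig shape are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// AzureKMSManagedIdentity is the ARO HCP path: a managed identity whose credentials
// reach the kms-provider through a Secret Store CSI volume (illustrative stand-in).
type AzureKMSManagedIdentity struct {
	CredentialsSecretName string
}

// SelfManagedAzureKMS is the self-managed path: the client ID of the workload identity
// holding Key Vault Crypto User on the Key Vault (illustrative stand-in).
type SelfManagedAzureKMS struct {
	ClientID string
}

// AzureKMSSpec carries at most one credential path; pointers keep "unset" distinct.
type AzureKMSSpec struct {
	KMS            *AzureKMSManagedIdentity // managed (ARO HCP)
	SelfManagedKMS *SelfManagedAzureKMS     // self-managed (workload identity federation)
}

// CloudTokenMountPath is where the token-minter writes the token (value assumed; the PR only names the constant).
const CloudTokenMountPath = "/var/run/secrets/openshift/serviceaccount"

// ValidateAzureKMSSpec mirrors the CRD's CEL rules: exactly one of kms / selfManagedKMS is
// set, and neither the mode nor the client ID changes after creation (old is nil on create).
func ValidateAzureKMSSpec(old, cur *AzureKMSSpec) error {
	managed, self := cur.KMS != nil, cur.SelfManagedKMS != nil
	switch {
	case managed && self:
		return errors.New("kms and selfManagedKMS are mutually exclusive")
	case !managed && !self:
		return errors.New("one of kms or selfManagedKMS must be set")
	case self && cur.SelfManagedKMS.ClientID == "":
		return errors.New("selfManagedKMS.clientID must not be empty")
	}
	if old == nil {
		return nil
	}
	// Immutability: no mode switch and no repointing of the federated identity post-creation.
	if (old.KMS != nil) != managed || (old.SelfManagedKMS != nil) != self {
		return errors.New("switching between kms and selfManagedKMS after creation is not supported")
	}
	if self && old.SelfManagedKMS.ClientID != cur.SelfManagedKMS.ClientID {
		return errors.New("selfManagedKMS.clientID is immutable")
	}
	return nil
}

// KMSPodConfig is a reduced view of what the control plane operator renders for the
// kms-provider (assumed names; the real output is a full PodSpec).
type KMSPodConfig struct {
	Sidecars []string          // extra containers, e.g. the token-minter
	Volumes  map[string]string // volume name -> volume source
	Env      map[string]string // environment of the kms-provider container
}

// RenderKMSPodConfig picks the credential wiring; tenantID and tokenMinterImage are caller-supplied (assumption).
func RenderKMSPodConfig(spec *AzureKMSSpec, tenantID, tokenMinterImage string) (*KMSPodConfig, error) {
	if err := ValidateAzureKMSSpec(nil, spec); err != nil {
		return nil, err
	}
	cfg := &KMSPodConfig{Volumes: map[string]string{}, Env: map[string]string{}}
	if spec.KMS != nil {
		// ARO HCP: managed identity credentials via Secret Store CSI, unchanged by the PR.
		cfg.Volumes["kms-credentials"] = "csi:secrets-store.csi.k8s.io:" + spec.KMS.CredentialsSecretName
		return cfg, nil
	}
	// Self-managed: fail fast rather than render a sidecar with an empty image.
	if tokenMinterImage == "" {
		return nil, errors.New("tokenMinterImage is required for self-managed Azure KMS")
	}
	cfg.Sidecars = append(cfg.Sidecars, "token-minter="+tokenMinterImage)
	cfg.Volumes["cloud-token"] = "emptyDir"
	// The Azure SDK workload identity credential reads exactly these three variables.
	cfg.Env["AZURE_CLIENT_ID"] = spec.SelfManagedKMS.ClientID
	cfg.Env["AZURE_TENANT_ID"] = tenantID
	cfg.Env["AZURE_FEDERATED_TOKEN_FILE"] = path.Join(CloudTokenMountPath, "token")
	return cfg, nil
}

func main() {
	self := &AzureKMSSpec{SelfManagedKMS: &SelfManagedAzureKMS{ClientID: "11111111-2222-3333-4444-555555555555"}} // constructed sample
	cfg, err := RenderKMSPodConfig(self, "tenant-00000000", "registry.example/token-minter:dev")
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Printf("sidecars=%v volumes=%v env=%v\n", cfg.Sidecars, cfg.Volumes, cfg.Env)
	managed := &AzureKMSSpec{KMS: &AzureKMSManagedIdentity{CredentialsSecretName: "kms-creds"}}
	fmt.Println("update rejected:", ValidateAzureKMSSpec(self, managed))
}
```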

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 26, 2026
@openshift-ci

openshift-ci Bot commented Mar 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Mar 26, 2026

@bryan-cox: This pull request references CNTRLPLANE-3070 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

What this PR does / why we need it:

Enables Azure Key Vault KMS encryption (etcd encryption at rest) for self-managed Azure HyperShift clusters using workload identity federation, without breaking the existing ARO HCP (managed Azure) KMS path that uses managed identities with CSI secret store volumes.

Key Changes

API: Added optional KMS field to AzureWorkloadIdentities for specifying a workload identity client ID that has Key Vault Crypto User role on the Key Vault.

Control Plane Operator:

  • Azure KMS provider now supports both ARO HCP and self-managed paths
  • ARO HCP: CSI secret store volume for managed identity (unchanged)
  • Self-managed: token-minter sidecar + emptyDir cloud token volume for workload identity federation
  • KMS cloud config secret sets federated identity fields (UseFederatedWorkloadIdentityExtension, AADClientID, AADFederatedTokenFile) for self-managed

HyperShift Operator:

  • KMS config secret reconciliation branches on managed vs self-managed
  • HCP controller validates KMS config for self-managed (sets condition True with runtime validation note since CPO lacks KMS identity credentials)

CLI:

  • create cluster azure: Only sets ManagedIdentity KMS creds for managed Azure; self-managed uses WorkloadIdentities.KMS
  • create iam azure: Creates KMS workload identity with federated credential for kms-provider service account

E2E: Updated TestCreateClusterCustomConfig to handle self-managed Azure KMS assertions.

Documentation: Added KMS encryption section to self-managed Azure cluster guide with Key Vault setup instructions.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3070

Special notes for your reviewer:

The self-managed Azure KMS authentication pattern follows the same approach used by Cloud Controller Manager (CCM) and Azure CSI storage drivers, which already support self-managed Azure with workload identity federation.

The token-minter sidecar mints OIDC tokens for the kms-provider service account in kube-system namespace, matching the pattern used by AWS KMS.

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve [CNTRLPLANE-3070](https://redhat.atlassian.net/browse/CNTRLPLANE-3070)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 26, 2026
@coderabbitai

coderabbitai Bot commented Mar 26, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This pull request adds support for self-managed Azure KMS encryption at rest and wiring for KMS workload identities. Changes include making AzureKMSSpec.KMS optional and adding a mutually-exclusive SelfManagedKMS; adding --enable-kms to IAM creation and plumbing kmsClientID through IAM/infra outputs; conditionally including a kms workload identity; control-plane/operator changes to detect self-managed Azure and render token-minter/cloud-token or managed secret-store CSI volumes accordingly; centralizing the cloud token mount path with CloudTokenMountPath; and extensive tests and docs for both managed and self-managed Azure KMS flows.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI as CLI/IAM Cmd
    participant WI as Workload Identity Mgr
    participant Infra as Infra Manager
    participant Secret as K8s Secrets

    User->>CLI: hypershift create iam azure --enable-kms
    CLI->>WI: CreateWorkloadIdentitiesFromIAMOptions(enableKMS=true)
    WI->>WI: GetWorkloadIdentityDefinitions(opts={IncludeKMS:true})
    WI->>Infra: Create Azure identities (includes kms)
    Infra->>Infra: Assign roles (if applicable)
    Infra-->>WI: Return identities + kmsClientID
    WI-->>CLI: Return IAM output with kmsClientID
    CLI->>Secret: Write workload-identities.json (includes kmsClientID)
sequenceDiagram
    participant User
    participant Cluster as Cluster Create
    participant Infra as Infra Extract
    participant CPO as Control Plane Operator
    participant KMS as KMS Provider

    User->>Infra: Load workload-identities.json
    Infra->>Infra: Extract kmsClientID from JSON
    Infra-->>Cluster: Pass infra output (kmsClientID)
    User->>Cluster: hypershift create cluster azure --encryption-key-id=<key>
    Cluster->>Cluster: Build AzureKMSSpec (SelfManagedKMS if kmsClientID present else KMS)
    Cluster-->>CPO: Apply SecretEncryption with AzureKMSSpec
    CPO->>CPO: Detect self-managed vs managed
    alt Self-Managed
        CPO->>KMS: Add token-minter container + cloud-token volume
        CPO->>KMS: Set AZURE_CLIENT_ID/AZURE_TENANT_ID and federated token file
        KMS->>KMS: Mint federated token at runtime and authenticate to Key Vault
    else Managed
        CPO->>KMS: Mount credentials secret via Secret Store CSI
        KMS->>KMS: Use credentials secret to authenticate to Key Vault
    end

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❌ Error Found violation: TestGenerateKMSPodConfig_LivenessProbe uses fmt.Sprintf to construct test name at line 536 of azure_test.go. Test names must be static, never dynamically constructed. Replace fmt.Sprintf("When %s is created...", tc.name) with static test names for each case.
Docstring Coverage ⚠️ Warning Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main objective: adding KMS support for self-managed Azure clusters while preserving ARO HCP functionality.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test Structure And Quality ✅ Passed Custom check reviews Ginkgo test code (Describe/Context/It blocks), but this PR contains only traditional Go testing.T tests. Check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added. PR contains only standard Go unit tests (testing.T) and modifications to existing standard Go e2e tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. All new tests are unit tests using standard Go testing package, not Ginkgo patterns (It, Describe, Context, When).
Topology-Aware Scheduling Compatibility ✅ Passed PR adds Azure KMS encryption with sidecars and token-minter. No topology issues: no required anti-affinity, spread constraints, control-plane nodeSelectors, or problematic tolerations detected.
Ote Binary Stdout Contract ✅ Passed All modified test files use standard Go testing.T pattern. No process-level stdout writes detected. No init(), TestMain(), BeforeSuite(), or OTE suite patterns found.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests (Describe/Context/It/When) were added in this PR. All test modifications are to standard Go testing.T tests. Custom check is not applicable.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot

openshift-ci-robot commented Mar 26, 2026

@bryan-cox: This pull request references CNTRLPLANE-3070 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


@openshift-ci

openshift-ci Bot commented Mar 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bryan-cox
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/platform/azure PR/issue for Azure (AzurePlatform) platform area/testing Indicates the PR includes changes for e2e testing and removed do-not-merge/needs-area labels Mar 26, 2026
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3070 branch 2 times, most recently from 1890fdc to a3d1f65 Compare March 27, 2026 15:35
@openshift-ci openshift-ci Bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. area/platform/aws PR/issue for AWS (AWSPlatform) platform labels Mar 27, 2026
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3070 branch 2 times, most recently from 21007e3 to 2d16bd3 Compare March 27, 2026 16:41
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 27, 2026
@codecov

codecov Bot commented Mar 31, 2026

Codecov Report

❌ Patch coverage is 62.44131% with 80 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.24%. Comparing base (76bbefc) to head (802baac).
⚠️ Report is 24 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cluster/azure/create.go 0.00% 23 Missing ⚠️
cmd/infra/azure/identities.go 44.11% 19 Missing ⚠️
...ostedcontrolplane/hostedcontrolplane_controller.go 0.00% 15 Missing ⚠️
cmd/infra/azure/create.go 0.00% 6 Missing ⚠️
...rator/controllers/hostedcontrolplane/v2/kas/kms.go 57.14% 5 Missing and 1 partial ⚠️
...ers/hostedcluster/internal/platform/azure/azure.go 68.75% 5 Missing ⚠️
cmd/infra/azure/create_iam.go 0.00% 4 Missing ⚠️
...or/controllers/hostedcontrolplane/manifests/kas.go 0.00% 1 Missing ⚠️
...ontrollers/hostedcontrolplane/v2/kas/deployment.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8088      +/-   ##
==========================================
+ Coverage   40.00%   40.24%   +0.24%     
==========================================
  Files         751      751              
  Lines       92838    93012     +174     
==========================================
+ Hits        37137    37431     +294     
+ Misses      53014    52885     -129     
- Partials     2687     2696       +9     
Files with missing lines Coverage Δ
...r/controllers/hostedcontrolplane/v2/kas/kms/aws.go 92.26% <100.00%> (ø)
...controllers/hostedcontrolplane/v2/kas/kms/azure.go 97.56% <100.00%> (+90.37%) ⬆️
support/azureutil/azureutil.go 44.23% <100.00%> (+1.37%) ⬆️
...t/controlplane-component/token-minter-container.go 89.09% <100.00%> (ø)
...or/controllers/hostedcontrolplane/manifests/kas.go 0.00% <0.00%> (ø)
...ontrollers/hostedcontrolplane/v2/kas/deployment.go 26.78% <0.00%> (ø)
cmd/infra/azure/create_iam.go 16.66% <0.00%> (-0.23%) ⬇️
...ers/hostedcluster/internal/platform/azure/azure.go 29.86% <68.75%> (+7.70%) ⬆️
cmd/infra/azure/create.go 7.69% <0.00%> (-0.17%) ⬇️
...rator/controllers/hostedcontrolplane/v2/kas/kms.go 33.33% <57.14%> (+9.52%) ⬆️
... and 3 more

... and 1 file with indirect coverage changes

Flag Coverage Δ
cmd-support 34.11% <30.66%> (+0.01%) ⬆️
cpo-hostedcontrolplane 41.74% <81.14%> (+1.18%) ⬆️
cpo-other 40.14% <ø> (ø)
hypershift-operator 50.63% <68.75%> (+0.10%) ⬆️
other 31.54% <ø> (ø)

Flags with carried forward coverage won't be shown.


@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 1, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 5, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure_test.go`:
- Around line 326-351: The test "When self-managed backup key is specified..."
is missing an assertion that the self-managed backup container includes the
workload identity env var; update the test that creates provider via
NewAzureKMSProvider(..., AzureKMSProviderOptions{IsSelfManaged: true, ...}) and
calls provider.GenerateKMSPodConfig() to also assert that the container named
"azure-kms-provider-backup" has an env var "AZURE_FEDERATED_TOKEN_FILE" (e.g.,
add g.Expect(envMap).To(HaveKey("AZURE_FEDERATED_TOKEN_FILE")) or equivalent)
alongside the existing AZURE_CLIENT_ID and AZURE_TENANT_ID checks.

📥 Commits

Reviewing files that changed from the base of the PR and between 559fe15 and 98156ae.

⛔ Files ignored due to path filters (18)
📒 Files selected for processing (6)
  • api/hypershift/v1beta1/azure.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/secretencryption_test.go
  • docs/content/how-to/azure/azure-workload-identity-setup.md
  • docs/content/how-to/azure/create-self-managed-azure-cluster.md
  • test/e2e/create_cluster_test.go
✅ Files skipped from review due to trivial changes (2)
  • test/e2e/create_cluster_test.go
  • api/hypershift/v1beta1/azure.go


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure.go`:
- Around line 78-83: The constructor NewAzureKMSProvider currently validates
kmsSpec and client/tenant IDs for opts.IsSelfManaged but does not check
opts.TokenMinterImage; add a validation that when opts.IsSelfManaged is true
then opts.TokenMinterImage must be non-empty and return a clear error (e.g.,
"tokenMinterImage is required for self-managed Azure KMS") so the provider fails
fast instead of rendering a pod with an invalid sidecar image; update the
validation block that checks opts.IsSelfManaged (referencing
NewAzureKMSProvider, opts.IsSelfManaged, and opts.TokenMinterImage) to perform
this check and return an error when missing.

In `@docs/content/how-to/azure/create-self-managed-azure-cluster.md`:
- Around line 279-290: The snippet uses --infra-id "$INFRA_ID" but INFRA_ID is
never defined; add a preceding step that defines/exports INFRA_ID (the cluster
infra identifier used by Hypershift) before the hypershift create iam azure
command so copy-paste works—e.g., insert a short instruction to set INFRA_ID to
your cluster's infra ID and reference that variable before running hypershift
create iam azure (the command shown) so the generated ./workload-identities.json
and subsequent KMS identity lookup are accurate.

In `@hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go`:
- Around line 488-494: Remove the table-driven test case whose name is "When
self-managed Azure without workload identities it should not set identity
fields" (the entry that sets hc: baseHC() and a validate func) because it
constructs an AzureKMSSpec with neither kms nor selfManagedKMS which is now
rejected by the API; delete that case from the test table and replace it with a
negative test that builds the same AzureKMSSpec and asserts validation/creation
fails (i.e., expect an error) or simply remove the entry entirely so tests only
exercise valid API shapes; reference AzureKMSSpec, baseHC(), and the validate
closure to locate the code to change.

📥 Commits

Reviewing files that changed from the base of the PR and between 98156ae and e10028b.

⛔ Files ignored due to path filters (42)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • client/applyconfiguration/hypershift/v1beta1/azurekmsspec.go is excluded by !client/**
  • client/applyconfiguration/hypershift/v1beta1/selfmanagedazurekms.go is excluded by !client/**
  • client/applyconfiguration/utils.go is excluded by !client/**
  • cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.kms.testsuite.yaml is excluded by !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_managed_azure_kms_secretproviderclass.yaml is excluded by !**/testdata/**
  • docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
  • docs/content/reference/api.md is excluded by !docs/content/reference/api.md
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
📒 Files selected for processing (27)
  • api/hypershift/v1beta1/azure.go
  • cmd/cluster/azure/create.go
  • cmd/infra/azure/create.go
  • cmd/infra/azure/create_iam.go
  • cmd/infra/azure/identities.go
  • cmd/infra/azure/identities_test.go
  • cmd/infra/azure/types.go
  • cmd/util/azure_flag_descriptions.go
  • control-plane-operator/controllers/hostedcontrolplane/cloud/azure/providerconfig.go
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
  • control-plane-operator/controllers/hostedcontrolplane/manifests/kas.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/aws.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/secretencryption_test.go
  • docs/content/how-to/azure/azure-workload-identity-setup.md
  • docs/content/how-to/azure/create-self-managed-azure-cluster.md
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure_test.go
  • support/azureutil/azureutil.go
  • support/config/constants.go
  • support/controlplane-component/token-minter-container.go
  • support/controlplane-component/token-minter-container_test.go
  • test/e2e/create_cluster_test.go
✅ Files skipped from review due to trivial changes (12)
  • control-plane-operator/controllers/hostedcontrolplane/cloud/azure/providerconfig.go
  • support/config/constants.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/aws.go
  • cmd/cluster/azure/create.go
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
  • support/controlplane-component/token-minter-container.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms.go
  • support/controlplane-component/token-minter-container_test.go
  • cmd/infra/azure/create_iam.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
🚧 Files skipped from review as they are similar to previous changes (8)
  • cmd/infra/azure/types.go
  • support/azureutil/azureutil.go
  • cmd/infra/azure/identities_test.go
  • cmd/infra/azure/identities.go
  • test/e2e/create_cluster_test.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/secretencryption_test.go
  • cmd/infra/azure/create.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms/azure_test.go

@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3070 branch 3 times, most recently from 1facc17 to 781113e May 6, 2026 11:10
@github-actions github-actions Bot temporarily deployed to docs-preview/pr-8088 May 12, 2026 18:01 Inactive
@github-actions github-actions Bot temporarily deployed to docs-preview/pr-8088 May 12, 2026 18:52 Inactive
hypershift-jira-solve-ci Bot commented May 12, 2026

I now have all the evidence needed. Here is the analysis:

Test Failure Analysis Complete

Job Information

  • Prow Job: envtest-ocp / Conclusion (GitHub Actions workflow Envtest OCP API Validation)
  • Build ID: Run 25752540802 / Job 75635734788
  • PR: #8088 CNTRLPLANE-3070: Support KMS on self-managed Azure without affecting ARO HCP
  • Commit: 58054b71c797d74af942e630e511d8598f0ab6fb
  • All 6 Envtest OCP matrix jobs: Cancelled (hit 15-minute timeout)

Test Failure Analysis

Error

Envtest jobs failed: cancelled
##[error]The operation was canceled.
Terminate orphan process: pid (278) (make)
Terminate orphan process: pid (10146) (envtest.test)

Summary

All six envtest-ocp matrix jobs (K8s 1.30–1.35) were cancelled after exceeding the 15-minute timeout-minutes configured in .github/workflows/envtest-ocp-reusable.yaml. On the main branch, the same test suite completes in ~403 seconds (~6.7 minutes), well within the limit. This PR adds a new CRD envtest test suite file (stable.hostedclusters.kms.testsuite.yaml) with 5 test cases across 3 CRD variants, which more than doubles total execution time past the 15-minute wall-clock limit due to the expensive per-variant CRD install/uninstall cycles against the 526KB HostedCluster CRD.

Root Cause

The PR introduces a new envtest test suite file cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.kms.testsuite.yaml containing 5 test cases (3 onCreate + 2 onUpdate) that validate the new AzureKMSSpec CEL validation rules (kms/selfManagedKMS mutual exclusivity, required-one-of, and immutability via oldSelf transition rule).

The envtest framework (test/envtest/generator.go) runs each test suite against every matching CRD variant. Since the new suite specifies crdName: hostedclusters.hypershift.openshift.io with no feature gates, it matches all 3 generated CRD files (Default, CustomNoUpgrade, TechPreviewNoUpgrade). For each variant, the framework performs:

  1. CRD installation — installs the 526KB HostedCluster CRD with all CEL validation rules (58 oldSelf transition rules) and waits up to 120s for it to be ready
  2. Test execution — runs the 5 test cases
  3. CRD uninstallation — deletes the CRD and waits up to 120s for full removal

This adds 3 additional install/uninstall cycles to the existing ~30 cycles from the 11 pre-existing test suites. The HostedCluster CRD is one of the largest and most complex CRDs in the project (526KB with extensive CEL validation), making each install/uninstall cycle expensive. The combined effect pushes total test execution from ~403s on main to >876s (14.6+ minutes of test execution alone), exceeding the 15-minute job timeout.

The CRD schema changes themselves (new selfManagedKMS field, omitzero tag change on kms, and 1 new oldSelf transition rule) are minimal in schema size impact (+2,338 bytes, 0.4%). The timeout is caused by the additional CRD lifecycle overhead of the new test suite, not by the schema changes making individual operations slower.

Recommendations
  1. Increase the CI timeout — Change timeout-minutes: 15 to timeout-minutes: 25 in .github/workflows/envtest-ocp-reusable.yaml. The test suite on main already uses ~6.7 minutes of the 15-minute budget, and the trajectory of new test suites will continue to push execution time upward. A 25-minute budget provides adequate headroom.

  2. Alternative: Optimize CRD lifecycle overhead — Consider modifying the envtest framework to share CRD installations across test suites that test the same CRD. Currently each suite independently installs and uninstalls the same 526KB HostedCluster CRD, which is the dominant time cost. A shared fixture pattern (install once, run all suites, uninstall once) would dramatically reduce execution time.

  3. Short-term workaround — If increasing the timeout requires a separate approval process, consider temporarily reducing the new KMS test suite to target only 1 CRD variant (e.g., by specifying featureGates to limit matching) while the timeout increase is merged.

Evidence

  • Main branch test duration: 402.934s (~6.7 min) — ok github.com/openshift/hypershift/test/envtest 402.934s
  • PR branch test duration: >876s (14.6+ min, cancelled by timeout)
  • CI job timeout: timeout-minutes: 15 in .github/workflows/envtest-ocp-reusable.yaml
  • New test suite file: stable.hostedclusters.kms.testsuite.yaml — 412 lines, 5 test cases (3 onCreate + 2 onUpdate)
  • CRD variant count: 3 (Default, CustomNoUpgrade, TechPreviewNoUpgrade) — all matched because no featureGates filter
  • HostedCluster CRD size: 526KB (main: 524KB) — only +2,338 bytes from schema changes
  • oldSelf transition rules: 58 (main: 57) — only 1 new rule
  • Cancellation evidence: ##[error]The operation was canceled. at 18:15:00–18:15:56 across all 6 K8s version jobs
  • Orphan process evidence: Terminate orphan process: pid (10146) (envtest.test) — test was still executing when killed
  • Main branch success: Run 25745727041 — all 6 K8s versions passed in 8–9 min total job time
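The CEL rules the analysis above refers to (kms/selfManagedKMS mutual exclusivity, required-one-of, and immutability via an oldSelf transition rule) are enforced by the API server when a HostedCluster is created or updated, which is what the envtest suite exercises. To make the admitted and rejected transitions concrete, here is an added example, written for this page and not code from the PR or from HyperShift: a plain-Go model of the same constraints with one onCreate and one onUpdate validator. The Go type names, the `KeyVaultResourceGroup` field on the managed block, and the exact scope of the immutability rule (modeled as: a credential block, once set, can neither be removed, swapped for the other mode, nor edited) are assumptions taken from the PR description and commit messages, not from the CRD itself.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of the AzureKMSSpec credential-mode constraints described
// in this PR. This is NOT HyperShift's API type: the Go type names below and the
// exact scope of the immutability rule are assumptions. In the real system the
// equivalent checks are CEL validation rules on the HostedCluster CRD, enforced
// by the API server at admission time.

// ManagedAzureKMS stands in for the ARO HCP (managed identity) credential block.
type ManagedAzureKMS struct {
	KeyVaultResourceGroup string
}

// SelfManagedAzureKMS stands in for the workload identity credential block.
type SelfManagedAzureKMS struct {
	ClientID string
	TenantID string
}

// AzureKMSSpec carries the shared Key Vault fields plus exactly one credential block.
type AzureKMSSpec struct {
	KeyVaultName   string
	KeyName        string
	KeyVersion     string
	KMS            *ManagedAzureKMS     // managed path ("kms" in the CRD)
	SelfManagedKMS *SelfManagedAzureKMS // self-managed path ("selfManagedKMS" in the CRD)
}

var (
	ErrBothSet   = errors.New("kms and selfManagedKMS are mutually exclusive")
	ErrNoneSet   = errors.New("exactly one of kms or selfManagedKMS must be set")
	ErrImmutable = errors.New("kms credential configuration is immutable once set")
)

// ValidateCreate models the onCreate rules: mutual exclusivity and required-one-of.
// Required-one-of matters because with neither block set the KMS provider would have
// no credential to reach Key Vault; the PR has the operator return an error in that
// case rather than silently running without a usable encryption provider.
func ValidateCreate(s AzureKMSSpec) error {
	switch {
	case s.KMS != nil && s.SelfManagedKMS != nil:
		return ErrBothSet
	case s.KMS == nil && s.SelfManagedKMS == nil:
		return ErrNoneSet
	}
	return nil
}

// ValidateUpdate models the oldSelf transition rule. Assumed scope: once a credential
// block is set it can neither be removed, swapped for the other mode, nor edited, so a
// cluster cannot be flipped from managed identity to workload identity (or back) after
// creation. The new object must also still satisfy the create rules.
func ValidateUpdate(oldSpec, newSpec AzureKMSSpec) error {
	if err := ValidateCreate(newSpec); err != nil {
		return err
	}
	if oldSpec.KMS != nil && (newSpec.KMS == nil || *newSpec.KMS != *oldSpec.KMS) {
		return ErrImmutable
	}
	if oldSpec.SelfManagedKMS != nil && (newSpec.SelfManagedKMS == nil || *newSpec.SelfManagedKMS != *oldSpec.SelfManagedKMS) {
		return ErrImmutable
	}
	return nil
}

func main() {
	// Constructed sample specs, not values taken from any real cluster.
	managed := AzureKMSSpec{KeyVaultName: "example-kv", KeyName: "etcd-key",
		KMS: &ManagedAzureKMS{KeyVaultResourceGroup: "example-rg"}}
	self := AzureKMSSpec{KeyVaultName: "example-kv", KeyName: "etcd-key",
		SelfManagedKMS: &SelfManagedAzureKMS{ClientID: "00000000-0000-0000-0000-000000000001", TenantID: "00000000-0000-0000-0000-000000000002"}}
	both := managed
	both.SelfManagedKMS = self.SelfManagedKMS
	none := AzureKMSSpec{KeyVaultName: "example-kv", KeyName: "etcd-key"}

	fmt.Println("create managed:      ", ValidateCreate(managed))
	fmt.Println("create self-managed: ", ValidateCreate(self))
	fmt.Println("create both:         ", ValidateCreate(both))
	fmt.Println("create none:         ", ValidateCreate(none))
	fmt.Println("update managed->self:", ValidateUpdate(managed, self))
	fmt.Println("update no-op:        ", ValidateUpdate(self, self))
}
```

The onUpdate case is the one worth reading closely: a spec that is valid on its own (self-managed only) is still rejected when the previous object used the managed path, because the transition rule compares against oldSelf rather than validating the new object in isolation. That is also why the envtest suite needs onUpdate cases and not just onCreate ones.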

@github-actions github-actions Bot temporarily deployed to docs-preview/pr-8088 May 12, 2026 19:06 Inactive
@github-actions github-actions Bot temporarily deployed to docs-preview/pr-8088 May 12, 2026 19:23 Inactive
bryan-cox added 7 commits May 12, 2026 20:32
Add SelfManagedAzureKMS struct and refactor AzureKMSSpec to support
both ARO HCP (managed) and self-managed KMS authentication paths:
- SelfManagedAzureKMS with ClientID and TenantID for workload identity
- CEL validation ensuring managed KMS uses KeyVaultResourceGroup
  while self-managed KMS uses ClientID + TenantID
- Both paths share KeyVaultName, KeyName, and KeyVersion fields

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add --enable-kms flag to create/destroy cluster and create iam commands
- Create kms managed identity with federated credentials when KMS enabled
- Populate AzureKMSSpec.SelfManaged with ClientID and TenantID
- Add KMS Key Vault and key configuration flags with validation
- Wire KMS identity through infra and IAM output JSON files

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…ed clusters

- Propagate SelfManaged KMS config from HostedCluster to HostedControlPlane
- Add KMS service account to token-minter with azure-kms audience
- Add AzureKMSClientID constant and helper for KMS audience generation
- Add IsAzureSelfManagedKMS utility for detecting self-managed KMS config

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…naged clusters

- Add self-managed Azure KMS provider using workload identity federation
  with projected service account tokens instead of MSI
- Mount KMS token via token-minter sidecar with azure-kms audience
- SecretProviderClass uses workload identity env vars (CLIENT_ID,
  TENANT_ID, TOKEN_FILE) instead of MSI for Key Vault access
- Refactor KMS volume/mount helpers to support both managed and
  self-managed authentication paths
- Update ARO HCP fixture for renamed KMS SecretProviderClass field

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add e2e test verifying KMS encryption on self-managed Azure clusters:
  creates cluster with --enable-kms, validates KAS has KMS encryption
  provider configured, and verifies etcd data is encrypted
- Add envtest CEL validation test suite for AzureKMSSpec ensuring
  mutual exclusivity between managed and self-managed KMS fields

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add KMS section to self-managed Azure cluster creation guide with
  Key Vault setup, key creation, and access policy configuration
- Document --enable-kms flag and KMS-related CLI parameters
- Add KMS identity setup to workload identity documentation
- Regenerate API reference and aggregated docs

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
@bryan-cox
Member Author

/test e2e-aks

@bryan-cox
Member Author

/test e2e-azure-self-managed

@bryan-cox bryan-cox marked this pull request as ready for review May 14, 2026 12:03
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2026
@openshift-ci openshift-ci Bot requested review from Nirshal and sdminonne May 14, 2026 12:04
@bryan-cox
Member Author

I verified this works and the verification report is located here - https://redhat.atlassian.net/browse/CNTRLPLANE-3070?focusedCommentId=16980328

@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

  • area/api: Indicates the PR includes changes for the API
  • area/cli: Indicates the PR includes changes for CLI
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/documentation: Indicates the PR includes changes for documentation
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • area/platform/aws: PR/issue for AWS (AWSPlatform) platform
  • area/platform/azure: PR/issue for Azure (AzurePlatform) platform
  • area/testing: Indicates the PR includes changes for e2e testing
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
