68 changes: 68 additions & 0 deletions config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
@@ -0,0 +1,68 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryption
- -KMSEncryptionProvider
tests:
onCreate:
- name: Should be able to create with KMS type without kms config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
- name: Should be able to create with aescbc encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aescbc
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aescbc
- name: Should be able to create with aesgcm encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aesgcm
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aesgcm
- name: Should be able to create with identity encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: identity
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: identity
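Review bot: the new test file covers only onCreate and only accepting cases. Since this gate combination negates KMSEncryptionProvider (`- -KMSEncryptionProvider`), the `kms` sub-object does not exist here, which makes "Should be able to create with KMS type without kms config" the interesting case, but nothing shows what happens when a `kms:` block is supplied anyway under this combination, and there is no onUpdate case switching between `KMS` and the other types. Both would make the intended meaning of `type: KMS` with no provider configuration explicit in the test file.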
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if w
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryptionProvider
- KMSEncryptionProvider
tests:
onCreate:
- name: Should be able to create encrypt with KMS for AWS with valid values
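Review bot: the rendered diff has lost its +/- markers, so the changed line `- KMSEncryptionProvider` shows old and new text as identical and the actual change is not visible here. If the intent mirrors the new KMSEncryption.yaml, which lists `- -KMSEncryptionProvider` to negate the sibling gate, this file's featureGates should list `- -KMSEncryption` as well so that each gate's tests run in isolation; please confirm that is what this line now reads.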
@@ -64,7 +64,7 @@ tests:
type: KMS
kms: {}
expectedError: "spec.encryption.kms.type: Required value"
- name: Should fail to create with kms type AWS but without aws config
- name: Should fail to create with kms type AWS but without aws config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
1 change: 1 addition & 0 deletions config/v1/types_apiserver.go
@@ -212,6 +212,7 @@ type APIServerEncryption struct {

// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
Contributor

won't this flag also be on for TP ? If yes, will it allow for setting an empty KMSConfig ?

Member Author

@ardaguclu ardaguclu Jan 26, 2026

@JoelSpeed on a TP-enabled cluster, won't this old feature gate be enabled too? Won't this create conflicting behavior? i.e. KMSEncryption allows simply the KMS enum but KMSEncryptionProvider does not allow it.

Contributor

@JoelSpeed is there a way to write an integration / unit test that would enable these two FG ?

Member Author

Or each feature gate needs to be explicitly enabled on the cluster, so that we would just assume that the user will enable KMSEncryption but not KMSEncryptionProvider.

Contributor

Currently yes, on a TP cluster you would see the old/existing behaviour. If you promoted the feature KMSEncryption to default, you would not be able to set the KMS field because it wouldn't exist.

If you are concerned about the interactions between them/testing both, you can either disable KMSEncryptionProvider from TechPreview and move it back to just DevPreview, or we can set up tests that require both gates, just one gate, or one gate but not the other. In the test files where you specify the gates, prefix with - to negate the inclusion.

Contributor

Won't this create conflicting behavior? i.e. KMSEncryption allows simply KMS enum but KMSEncryptionProvider does not allow it.

You'd currently observe just the behaviour of the KMSEncryptionProvider feature gate, as it's a superset of the new gate.

Member Author

I think we are both fine with moving KMSEncryptionProvider to DevPreview.

Member Author

I've moved KMSEncryptionProvider FG to DevPreview.

// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
type EncryptionType string

const (
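Review bot: after this hunk `EncryptionType` carries three FeatureGateAwareEnum markers, two of which (`KMSEncryptionProvider` and `KMSEncryption`) admit the `KMS` value, and the thread above records that on a cluster with both gates enabled the behaviour of the broader KMSEncryptionProvider gate is what an administrator sees. Nothing on the type itself says so; please extend the doc comment on `EncryptionType` (or on the `KMS` constant in the `const` block below) to state that with only KMSEncryption enabled the `KMS` value has no accompanying provider configuration, and to note the dependency between the two gates, so the extra marker is not removed later without that context.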
@@ -158,69 +158,6 @@ spec:
description: encryption allows the configuration of encryption of
resources at the datastore layer.
properties:
kms:
description: |-
kms defines the configuration for the external KMS instance that manages the encryption keys,
when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
externally configured KMS instance.
The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
managing the lifecyle of the encryption keys outside of the control plane.
This allows integration with an external provider to manage the data encryption keys securely.
properties:
aws:
description: |-
aws defines the key config for using an AWS KMS instance
for the encryption. The AWS KMS instance is managed
by the user outside the purview of the control plane.
properties:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
`<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
Only lowercase letters and hyphens followed by numbers are allowed.
maxLength: 64
minLength: 1
type: string
x-kubernetes-validations:
- message: region must be a valid AWS region, consisting
of lowercase characters, digits and hyphens (-) only.
rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
required:
- keyARN
- region
type: object
type:
description: |-
type defines the kind of platform for the KMS provider.
Available provider types are AWS only.
enum:
- AWS
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: aws config is required when kms provider type is AWS,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws)
: !has(self.aws)'
type:
description: |-
type defines what encryption type should be used to encrypt resources at the datastore layer.
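Review bot: this hunk removes the whole `kms` schema from this manifest, including the `keyARN` and `region` CEL rules and the `aws config is required when kms provider type is AWS, and forbidden otherwise` cross-field check. That is consistent with gating the sub-object behind KMSEncryptionProvider, but please confirm the file is regenerated output from the Go markers rather than a hand edit, and that the manifest generated for the KMSEncryptionProvider gate still carries these rules unchanged, since they are the only constraints on what `keyARN` and `region` may contain.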
@@ -244,11 +181,6 @@ spec:
- KMS
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
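Review bot: with the `kms config is required when encryption type is KMS, and forbidden otherwise` rule removed while `- KMS` stays in the enum, this manifest now accepts `type: KMS` with no provider configuration at all; the first case in the new KMSEncryption.yaml test asserts exactly that. Please say in the field description (the `type defines what encryption type should be used` text just above this hunk) what a cluster does with such a spec under the KMSEncryption gate alone, so that an administrator does not read acceptance of the value as KMS encryption having been enabled.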
1 change: 1 addition & 0 deletions config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
Capability: ""
Category: ""
FeatureGates:
- KMSEncryption
- KMSEncryptionProvider
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"