CNTRLPLANE-3361: make transitMount required

[flavianmissi]

also update the tests, and rephrase secret and configmap reference godocs.

background: the vault team is going to make this field required in their plugin (while also removing the default).

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@flavianmissi: This pull request references CNTRLPLANE-3361 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

also update the tests, and rephrase secret and configmap reference godocs.

background: the vault team is going to make this field required in their plugin (while also removing the default).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @flavianmissi! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 029b8e46-2662-4d26-b8d5-31697523b119

📥 Commits

Reviewing files that changed from the base of the PR and between 9c028d0 and 086efcd.

⛔ Files ignored due to path filters (7)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (6)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
• config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml
• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• config/v1/types_kmsencryption.go
• config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml

---

📝 Walkthrough

Walkthrough

This PR updates the Vault KMS encryption configuration in OpenShift to enforce transitMount as a required field instead of optional. The change affects the Go source type definitions in config/v1/types_kmsencryption.go and propagates to all three APIServer CRD variant schemas. Documentation is clarified to specify that AppRole authentication secrets must contain role-id and secret-id keys, and that TLS CA bundles must reference the ca-bundle.crt key within ConfigMaps. Paragraphs describing default behavior when transitMount was omitted are removed.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Test framework has multiple Expect() calls lacking meaningful assertion messages in generator.go (lines 137, 178, 235, 270, 298, 332) and suite_test.go, violating the assertion message requirement.	Add failure messages to Expect calls missing them. E.g., Expect(k8sClient.DeleteAllOf(...)) → Expect(k8sClient.DeleteAllOf(...), "failed to cleanup test resources"). Apply throughout generator.go and suite_test.go.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: making the transitMount field required in the Vault KMS configuration.
Description check	✅ Passed	The description is directly related to the changeset, explaining the main change (making transitMount required), test updates, and the background context from the Vault team.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test names are stable and deterministic. Test fixtures use only static descriptive names without dynamic values, UUIDs, timestamps, or runtime-specific identifiers.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. PR only modifies Go types, CRD schemas, and test fixture data files. The custom check is not applicable as it targets new Ginkgo test code only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No OpenShift e2e tests added. Unit-level tests only (CRD validation framework and feature gate tooling). No multi-node assumptions detected.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR makes transitMount required in Vault KMS configuration via schema/CRD changes and test updates. No deployment manifests, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies only type definitions and test fixture data. No executable OTE binary code, test suite setup functions, or stdout writes detected. Check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. Changes are limited to CRD type definitions and test fixtures for a schema validation framework. No IPv4 or external connectivity issues apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

config/v1/types_kmsencryption.go (1)

194-208: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align transitMount docs with required semantics.

Line 196 still says “when specified”, but Line 207 marks transitMount as required. Please update the field comment to explicitly state it is required, then regenerate CRDs so descriptions remain consistent.

✏️ Proposed fix

  // transitMount specifies the mount path of the Vault Transit engine.
+ // This field is required.
  //
- // The transit mount must be between 1 and 1024 characters when specified, cannot start or
+ // The transit mount must be between 1 and 1024 characters, cannot start or
  // end with a forward slash, cannot contain consecutive forward slashes, and must only contain

As per coding guidelines, "All kubebuilder validation markers must be documented in the field's comment, including field optionality, length constraints, value constraints, and advanced validation rules."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_kmsencryption.go` around lines 194 - 208, Update the
TransitMount field comment to remove "when specified" and explicitly state that
transitMount is required, and document all kubebuilder validation markers
(MinLength, MaxLength, XValidation rules and the +required marker) in the
comment to reflect length and value constraints and advanced validation; then
regenerate the CRDs so the field description in the CRD matches the updated
comment. Refer to the TransitMount field and its kubebuilder markers in
types_kmsencryption.go when making these changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 194-208: Update the TransitMount field comment to remove "when
specified" and explicitly state that transitMount is required, and document all
kubebuilder validation markers (MinLength, MaxLength, XValidation rules and the
+required marker) in the comment to reflect length and value constraints and
advanced validation; then regenerate the CRDs so the field description in the
CRD matches the updated comment. Refer to the TransitMount field and its
kubebuilder markers in types_kmsencryption.go when making these changes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8f5d80e7-6ad3-4c1b-a755-461b2d82982a

📥 Commits

Reviewing files that changed from the base of the PR and between 73d7ca9 and e196426.

⛔ Files ignored due to path filters (7)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

[flavianmissi]

verify-crd-schema and verify-crdify tests are breaking because I'm making an optional field required, hopefully we can them.

[ardaguclu]

From KMS feature team POV, changes look good to me

[everettraven]

background: the vault team is going to make this field required in their plugin (while also removing the default)

Just to make sure, regardless of what the vault team is doing behind the scenes, we believe that making this field required is the most reasonable for our API?

Just because vault is going to make the field required doesn't mean that we have to as well.

[flavianmissi]

Yes, I think this makes sense for us. If transitMount isn't required, then we must have a default, and this default must match vault's (vault enterprise, not the kms plugin) default. While not a big deal, I think it's more resilient to simply require a value be set by the user.

What do y'all think?

[everettraven]

I don't have a strong opinion, just wanted to make sure we want to do that regardless of what vault is doing.

/lgtm
/approve

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

[openshift-ci]

@everettraven: Overrode contexts on behalf of everettraven: ci/prow/verify-crd-schema, ci/prow/verify-crdify

Details

In response to this:

I don't have a strong opinion, just wanted to make sure we want to do that regardless of what vault is doing.

/lgtm
/approve

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@flavianmissi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial-techpreview-2of2	086efcd	link	true	/test e2e-aws-serial-techpreview-2of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[flavianmissi]

/retest-required

[tjungblu]

/verified by the-feature-team

[openshift-ci-robot]

@tjungblu: This PR has been marked as verified by the-feature-team.

Details

In response to this:

/verified by the-feature-team

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.