CNTRLPLANE-3363: Add KMS plugin health reporter design

[ibihim]

What

A health reporter sidecar runs alongside every API server pod replica when KMS is enabled. It probes the colocated KMS plugin(s) and writes a single advisory KMSHealthReporter_<nodeName> condition per node on the apiserver operator CR.

Why

Exposes plugin health state through the operator CRs and onward into the ClusterOperator's Degraded condition, so a misbehaving KMS plugin is visible in oc get co rather than silently waiting until KAS encryption fails.

Supports future key rotation: per-plugin keyID in the reporter's Message lets a rotation controller verify all nodes agree on the active key before initiating rotation.

[openshift-ci-robot]

@ibihim: This pull request references CNTRLPLANE-3363 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What

A health reporter sidecar runs alongside every API server pod replica when KMS is enabled. It probes the colocated KMS plugin(s) and writes a single advisory KMSHealthReporter_<nodeName> condition per node on the apiserver operator CR. A separate aggregator controller reads those conditions and emits a single KMSPluginsDegraded rollup; library-go's StatusSyncer propagates the _Degraded suffix into the ClusterOperator's Degraded condition. The Message field on each per-node condition is structured input for the aggregator: one key=value line per probed plugin, carrying keyID, status, lastChecked, and an optional trailing detail.

Why

Exposes plugin health state through the operator CRs and onward into the ClusterOperator's Degraded condition, so a misbehaving KMS plugin is visible in oc get co rather than silently waiting until KAS encryption fails.

Supports future key rotation: per-plugin keyID in the reporter's Message lets a rotation controller verify all nodes agree on the active key before initiating rotation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ibihim: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.