Merge pull request #3774 from openshift-cherrypick-robot/cherry-pick-…

…3760-to-release-4.15 [release-4.15] OCPBUGS-31064: ibmcloud KMS: remove breaking image check and enable KMS v2 support
openshift · Mar 27, 2024 · 3e3729d · 3e3729d
2 parents 4a173bf + 68e09ae
commit 3e3729d
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/kas/kms/ibmcloud.go b/control-plane-operator/controllers/hostedcontrolplane/kas/kms/ibmcloud.go
@@ -49,7 +49,7 @@ type ibmCloudKMSProvider struct {
 }
 
 func NewIBMCloudKMSProvider(ibmCloud *hyperv1.IBMCloudKMSSpec, kmsImage string) (*ibmCloudKMSProvider, error) {
-	if ibmCloud == nil || len(ibmCloud.KeyList) == 0 || len(ibmCloud.Region) == 0 || len(kmsImage) == 0 {
+	if ibmCloud == nil || len(ibmCloud.KeyList) == 0 || len(ibmCloud.Region) == 0 {
 		return nil, fmt.Errorf("ibmcloud kms metadata not specified")
 	}
 	return &ibmCloudKMSProvider{
@@ -65,7 +65,19 @@ func (p *ibmCloudKMSProvider) GenerateKMSEncryptionConfig() (*v1.EncryptionConfi
 		keys = append(keys, k)
 	}
 	sort.Ints(keys)
-	var providerConfiguration []v1.ProviderConfiguration
+
+	// KMS v2 should be first in the list
+	providerConfiguration := []v1.ProviderConfiguration{
+		{
+			KMS: &v1.KMSConfiguration{
+				APIVersion: "v2",
+				Name:       fmt.Sprintf("%s%s", ibmKeyNamePrefix, "v2"),
+				Endpoint:   ibmCloudKMSUnixSocket,
+				Timeout:    &metav1.Duration{Duration: 35 * time.Second},
+			},
+		},
+	}
+
 	// iterate in reverse because highest version key should be used for new secret encryption
 	for i := len(keys) - 1; i >= 0; i-- {
 		configEntry := v1.ProviderConfiguration{
@@ -311,5 +323,6 @@ func (p *ibmCloudKMSProvider) ApplyKMSConfig(podSpec *corev1.PodSpec) error {
 	}
 	container.VolumeMounts = append(container.VolumeMounts,
 		ibmCloudKMSVolumeMounts.ContainerMounts(KasMainContainerName)...)
+	container.Args = append(container.Args, "--encryption-provider-config-automatic-reload=false")
 	return nil
 }