
WIP: CNTRLPLANE-3237: Introduce KMSProviderConfig#2163

Open
ardaguclu wants to merge 5 commits into openshift:master from ardaguclu:kms-v2-provider-config

Conversation

@ardaguclu (Member) commented Apr 17, 2026

This is a continuation of #2161 for the work described in openshift/enhancements#1960.

This PR introduces KMSProviderConfig, which will be used as the internal representation of the API fields. This field will be serialized and carried from key_controller -> state_controller -> plugin lifecycle.

Summary by CodeRabbit

  • Bug Fixes

    • KMS configuration is now stored in secret data fields (not annotations) for more reliable encryption-key handling.
  • Features

    • Per-key KMS socket endpoints so each key can use its own KMS socket.
    • Per-key KMS provider configs (including Vault provider settings) baked into secrets to support provider-specific options.
  • Tests

    • Expanded unit and e2e tests to validate per-key endpoints and provider-config data in secrets.
  • Chores

    • Test KMS mock updated to run dedicated per-socket plugin instances.

@openshift-ci-robot added the jira/valid-reference label (indicates that this PR references a valid Jira ticket of any type) on Apr 17, 2026
@openshift-ci bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) on Apr 17, 2026
@openshift-ci-robot commented Apr 17, 2026

@ardaguclu: This pull request references CNTRLPLANE-3237 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

This is a continuation of #2161 for the work described in openshift/enhancements#1960.

This PR introduces KMSProviderConfig, which will be used as the internal representation of the API fields. This field will be serialized and carried from key_controller -> state_controller -> plugin lifecycle.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai bot commented Apr 17, 2026

Walkthrough

Move KMS config from secret annotations into secret Data, add per-key KMS socket endpoints and KMS provider config types, propagate provider configs into generated encryption-config secrets, update controllers/tests to handle the new keys, and expand the mock KMS DaemonSet to per-key plugin containers.

Changes

Cohort (files): summary

  • Types & constants (pkg/operator/encryption/state/types.go, pkg/operator/encryption/secrets/types.go): Rename KMSConfiguration to KMSEncryptionConfig, add KMSProviderConfig and VaultProviderConfig types, remove the annotation constant and add EncryptionSecretKMSEncryptionConfig and EncryptionSecretKMSProviderConfig.
  • Secret (de)serialization (pkg/operator/encryption/secrets/secrets.go, pkg/operator/encryption/secrets/secrets_test.go): Read/write KMS encryption and provider configs from/to Secret.Data keys instead of an annotation; update marshaling/unmarshaling and error messages.
  • Encryption-config secret generation (pkg/operator/encryption/encryptionconfig/secret.go, pkg/operator/encryption/encryptionconfig/config.go, pkg/operator/encryption/encryptionconfig/config_test.go): Extend the ToSecret signature to accept kmsProviderConfigs and write provider configs into Secret.Data; use KMSEncryptionConfig when building providers; tests updated for per-key endpoints.
  • Controllers & key handling (pkg/operator/encryption/controllers/key_controller.go, pkg/operator/encryption/controllers/state_controller.go, pkg/operator/encryption/controllers/key_controller_test.go, pkg/operator/encryption/controllers/state_controller_test.go, pkg/operator/encryption/controllers/helpers_test.go): Key controller builds per-key KMS endpoints and sets KMSProviderConfig; state controller collects provider configs (collectKMSProviderConfigs) and passes them into applyEncryptionConfigSecretToSecret; tests adjusted to validate Secret.Data keys for both encryption and provider configs.
  • State machine & transition tests (pkg/operator/encryption/statemachine/transition_test.go): Update expected per-key KMS socket endpoints in transition tests to match key-derived socket names.
  • Test helpers & fixtures (pkg/operator/encryption/testing/helpers.go, pkg/operator/encryption/deployer/unionrevisionedpod_test.go, pkg/operator/encryption/observer/observe_encryption_config_test.go, pkg/operator/encryption/controllers/helpers_test.go): Test helpers now populate Data keys for encryption/provider configs and derive per-key socket paths; ToSecret call sites in tests updated to pass the new kmsProviderConfigs argument (often nil).
  • Apply flow & state controller tests (pkg/operator/encryption/controllers/state_controller.go, pkg/operator/encryption/controllers/state_controller_test.go): applyEncryptionConfigSecret signature extended to accept kmsProviderConfigs; new collectKMSProviderConfigs helper added; tests updated to assert provider-config presence.
  • Deployer / e2e (test/e2e-encryption/encryption_test.go): E2E test now verifies provider-config presence in both key and encryption-config secrets for migrated keys.
  • Mock KMS DaemonSet (test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml): DaemonSet expanded to multiple kms-plugin-# containers (1..10), each exposing a distinct unix socket (/var/run/kmsplugin/kms-<n>.sock) with matching cleanup/listen args.
  • Minor tests & call-site tweaks (pkg/operator/encryption/deployer/..., pkg/operator/encryption/observer/..., pkg/operator/encryption/controllers/helpers_test.go, pkg/operator/encryption/deployer/unionrevisionedpod_test.go): Minor updates to pass the additional ToSecret parameter and adjust expectations for Data keys where applicable.

Sequence Diagram(s)

sequenceDiagram
    participant SC as StateController
    participant KC as KeyController
    participant EC as encryptionconfig.ToSecret
    participant K8s as Kubernetes Secrets
    participant KMS as KMS Plugin

    SC->>KC: compute desired keys (per-key KMS mode)
    KC->>SC: return per-key KMSEncryptionConfig + KMSProviderConfig
    SC->>EC: call ToSecret(encryptionCfg, kmsProviderConfigs)
    EC->>K8s: write encryption-config Secret Data (encryption payload + provider-config-<keyID>)
    KMS->>K8s: KMS plugin listens on /var/run/kmsplugin/kms-<keyID>.sock (apiserver consumes socket)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage | ⚠️ Warning | Docstring coverage is 22.73%, which is insufficient; the required threshold is 80.00%. | Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Topology-Aware Scheduling Compatibility | ⚠️ Warning | DaemonSet uses a nodeSelector targeting control-plane nodes, causing scheduling failures on HyperShift where no control-plane nodes exist in-cluster, and a wildcard toleration schedules privileged workloads to resource-constrained arbiter nodes. | Resolution: remove the nodeSelector targeting control-plane nodes or implement topology-aware scheduling by checking infrastructure.Status.ControlPlaneTopology, and replace the wildcard toleration with specific taints excluding arbiter nodes.
✅ Passed checks (8 passed)
  • Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled.
  • Title check | ✅ Passed | The title references introducing KMSProviderConfig, which aligns with a significant feature in the changeset (new KMSProviderConfig types and their propagation), but it is marked as WIP and does not fully capture the scope of changes, which also include renaming KMSConfiguration to KMSEncryptionConfig throughout the codebase.
  • Stable And Deterministic Test Names | ✅ Passed | PR uses the standard Go testing framework (testing.T) with static test function names (TestKeyController, TestStateController, etc.), not Ginkgo with dynamic It() declarations.
  • Test Structure And Quality | ✅ Passed | The custom check requires reviewing Ginkgo test code quality, but this PR does not modify any Ginkgo tests, only standard Go table-driven tests.
  • Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added. The PR contains only standard Go unit and integration tests without Ginkgo syntax.
  • Single Node Openshift (SNO) Test Compatibility | ✅ Passed | The pull request does not add any new Ginkgo e2e tests. All tests use standard Go testing with the func Test... pattern and use fake/mock Kubernetes clients, so SNO compatibility is not applicable.
  • OTE Binary Stdout Contract | ✅ Passed | The fmt.Printf calls in fmtLogger are instantiated and invoked only within the TestEncryptionIntegration test function, not in process-level setup code like main(), init(), or TestMain().
  • IPv6 And Disconnected Network Test Compatibility | ✅ Passed | PR introduces unit tests using the standard Go framework, not Ginkgo e2e tests. No IPv4 assumptions or external connectivity requirements in new test code.


@openshift-ci openshift-ci bot requested review from dgrisonnet and p0lyn0mial April 17, 2026 06:17
@openshift-ci bot (Contributor) commented Apr 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ardaguclu
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot commented Apr 17, 2026

@ardaguclu: This pull request references CNTRLPLANE-3237 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

This is a continuation of #2161 for the work described in openshift/enhancements#1960.

This PR introduces KMSProviderConfig, which will be used as the internal representation of the API fields. This field will be serialized and carried from key_controller -> state_controller -> plugin lifecycle.

Summary by CodeRabbit

  • Bug Fixes

  • Improved KMS encryption configuration storage to use dedicated secret data fields instead of annotations for better reliability.

  • Features

  • Added support for per-key KMS socket endpoints, enabling more flexible KMS instance management.

  • Enhanced KMS provider configuration with explicit Vault integration settings for improved security controls.

  • Tests

  • Extended test coverage for KMS configuration handling and provider setup validation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai bot left a comment

🧹 Nitpick comments (4)
test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml (2)

54-253: Consider templating to reduce duplication in the test asset.

The 10 nearly-identical container definitions differ only in the container name and socket path number. While this is a test asset and correctness is not affected, this repetition is error-prone to maintain.

If the templating system supports it (Go templates are used based on {{ .Image }}), consider generating the containers programmatically:

{{- range $i := seq 1 10 }}
        - name: kms-plugin-{{ $i }}
          image: {{ $.Image }}
          ...
          args:
            - |
              rm -f /var/run/kmsplugin/kms-{{ $i }}.sock
              exec /usr/local/bin/mock-kms-plugin -listen-addr=unix:///var/run/kmsplugin/kms-{{ $i }}.sock -config-file-path=/etc/softhsm-config.json
{{- end }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml` around
lines 54 - 253, Replace the ten near-identical container blocks (names like
kms-plugin-1..kms-plugin-10 and socket paths /var/run/kmsplugin/kms-#.sock) with
a Go-template range loop that iterates from 1 to 10, uses the loop index for the
container name and socket filename, and references the image as $.Image; keep
the same securityContext, command, args (but with the index substituted), and
volumeMounts (socket, softhsm-config with subPath, softhsm-tokens) inside the
loop so the behavior remains identical while removing duplication.

57-58: Consider replacing privileged: true with specific capabilities or removing it if unnecessary.

All 10 plugin containers and the init container use privileged: true, but their operations—listening on Unix sockets, reading configuration files, and accessing mounted volumes—do not require privileged mode. For a test environment, replacing this with specific capabilities (e.g., CAP_CHOWN) or a non-privileged security context would align with least-privilege principles. If socket creation and file access work without elevated privileges, remove the securityContext entirely.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml` around
lines 57 - 58, The DaemonSet uses securityContext with privileged: true for the
init container and all plugin containers; change this to follow least-privilege
by removing the privileged setting or replacing it with narrow POSIX
capabilities (e.g., add a securityContext.capabilities.add list with only needed
capabilities like CAP_CHOWN) or a readOnlyRootFilesystem / runAsNonRoot setup if
possible; update the initContainer and container specs (look for securityContext
and privileged: true entries) to either remove the entire securityContext when
not needed or explicitly list minimal capabilities and non-root settings so
sockets and file access still work without full privileged mode.
pkg/operator/encryption/testing/helpers.go (1)

24-29: Test constants duplicate production constants.

These local constants duplicate values from pkg/operator/encryption/secrets/types.go. While this avoids import cycles, it creates a maintenance burden if the values change.

Consider adding a comment noting these must stay in sync with secrets.EncryptionSecretKMSEncryptionConfig and secrets.EncryptionSecretKMSProviderConfig.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/encryption/testing/helpers.go` around lines 24 - 29, The test
constants (encryptionSecretKeyDataForTest,
encryptionSecretMigratedTimestampForTest,
encryptionSecretMigratedResourcesForTest,
encryptionSecretKMSEncryptionConfigForTest,
encryptionSecretKMSProviderConfigForTest) duplicate production values; add a
clear comment above these declarations stating they must remain in sync with the
production symbols in pkg/operator/encryption/secrets (specifically
secrets.EncryptionSecretKMSEncryptionConfig and
secrets.EncryptionSecretKMSProviderConfig) to avoid drift and explain why the
duplication exists (to avoid import cycles).
pkg/operator/encryption/controllers/key_controller.go (1)

280-289: Hardcoded KMS provider configuration noted.

The TODO comment indicates these values will be replaced by API when ready. For Tech Preview, this is acceptable, but consider:

  1. These hardcoded values will need to be parameterized before GA
  2. The image reference uses a personal/support account registry path which may not be suitable for production
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/encryption/controllers/key_controller.go` around lines 280 -
289, The code currently assigns hardcoded KMS values in ks.KMSProviderConfig
using state.KMSProviderConfig and state.VaultProviderConfig (fields Image,
VaultAddress, VaultNamespace, TransitKey, TransitMount); replace these hardcoded
literals with configurable sources (e.g., read from controller config, CR spec,
environment variables or a ConfigMap/Secret) and fall back to safe defaults only
for Tech Preview, ensure the image string is not a personal registry (make it
configurable and validate it) and update/remove the TODO accordingly so the
values are injected rather than baked into the key_controller.go logic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 74d7db0f-ae9d-4fe6-adb1-90b5bb8f25cc

📥 Commits

Reviewing files that changed from the base of the PR and between d2db42c and d9bafe1.

📒 Files selected for processing (18)
  • pkg/operator/encryption/controllers/helpers_test.go
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/deployer/unionrevisionedpod_test.go
  • pkg/operator/encryption/encryptionconfig/config.go
  • pkg/operator/encryption/encryptionconfig/config_test.go
  • pkg/operator/encryption/encryptionconfig/secret.go
  • pkg/operator/encryption/observer/observe_encryption_config_test.go
  • pkg/operator/encryption/secrets/secrets.go
  • pkg/operator/encryption/secrets/secrets_test.go
  • pkg/operator/encryption/secrets/types.go
  • pkg/operator/encryption/state/types.go
  • pkg/operator/encryption/statemachine/transition_test.go
  • pkg/operator/encryption/testing/helpers.go
  • test/e2e-encryption/encryption_test.go
  • test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml

@ardaguclu force-pushed the kms-v2-provider-config branch from d9bafe1 to 585e22b (April 17, 2026 06:29)

@openshift-ci-robot commented Apr 17, 2026

@ardaguclu: This pull request references CNTRLPLANE-3237 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

This is a continuation of #2161 for the work described in openshift/enhancements#1960.

This PR introduces KMSProviderConfig, which will be used as the internal representation of the API fields. This field will be serialized and carried from key_controller -> state_controller -> plugin lifecycle.

Summary by CodeRabbit

  • Bug Fixes

  • KMS configuration now stored in secret data fields (not annotations) for more reliable encryption-key handling.

  • Features

  • Per-key KMS socket endpoints enabling distinct KMS endpoints per key.

  • Per-key KMS provider configs added, including Vault provider settings to support provider-specific configuration.

  • Tests

  • Expanded unit and e2e tests to validate per-key endpoints and provider-config data written into secrets.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/encryption/secrets/secrets.go`:
- Around line 66-75: The new code drops the legacy annotation-backed KMS secret
read path, causing migration breakage; update the ToKeyState logic in secrets.go
so that after attempting to unmarshal EncryptionSecretKMSEncryptionConfig from
s.Data it falls back to checking the legacy annotation (the previous KMS
encryption config stored on the Secret's annotations), unmarshal that into
apiserverconfigv1.KMSConfiguration and set key.KMSEncryptionConfig, and only
return the "KMSEncryptionConfig can not be nil" error if both the Data field and
the legacy annotation are absent or both fail to parse; reference the
EncryptionSecretKMSEncryptionConfig symbol, s.Data / s.Annotations,
key.KMSEncryptionConfig and state.KeyState when making the change.
- Around line 135-149: FromKeyState currently allows serializing a key secret
with ks.Mode == state.KMS even when ks.KMSEncryptionConfig is nil, which breaks
round-trip with ToKeyState; update FromKeyState to validate and reject invalid
KMS states before writing: if ks.Mode == state.KMS and ks.KMSEncryptionConfig ==
nil return a clear error instead of producing a secret, and keep the existing
serialization of KMSEncryptionConfig and KMSProviderConfig
(EncryptionSecretKMSEncryptionConfig, EncryptionSecretKMSProviderConfig) only
when those fields are non-nil; reference the FromKeyState function, ks.Mode,
KMSEncryptionConfig, KMSProviderConfig, and the constants used for secret keys
when implementing the check and error return.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 446c51cf-2cc5-43fb-8ddc-4a15e21f75ff

📥 Commits

Reviewing files that changed from the base of the PR and between d9bafe1 and 585e22b.

📒 Files selected for processing (13)
  • pkg/operator/encryption/controllers/helpers_test.go
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/deployer/unionrevisionedpod_test.go
  • pkg/operator/encryption/encryptionconfig/secret.go
  • pkg/operator/encryption/observer/observe_encryption_config_test.go
  • pkg/operator/encryption/secrets/secrets.go
  • pkg/operator/encryption/secrets/types.go
  • pkg/operator/encryption/state/types.go
  • pkg/operator/encryption/testing/helpers.go
  • test/e2e-encryption/encryption_test.go
✅ Files skipped from review due to trivial changes (4)
  • pkg/operator/encryption/deployer/unionrevisionedpod_test.go
  • pkg/operator/encryption/controllers/helpers_test.go
  • test/e2e-encryption/encryption_test.go
  • pkg/operator/encryption/controllers/key_controller_test.go
🚧 Files skipped from review as they are similar to previous changes (6)
  • pkg/operator/encryption/observer/observe_encryption_config_test.go
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/encryptionconfig/secret.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/state/types.go
  • pkg/operator/encryption/testing/helpers.go
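The two secrets.go findings above (the missing legacy-annotation read path and the FromKeyState/ToKeyState round-trip gap) modelled as an added example; this is not the operator's code. The struct shapes, the Secret.Data key strings and the legacy annotation name are assumptions standing in for state.KeyState, apiserverconfigv1.KMSConfiguration and corev1.Secret, and mode detection from the secret is omitted (the secret is assumed to be a KMS-mode key secret).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Secret.Data keys the review names. The string values are constructed for this
// example, and legacyKMSAnnotation is an assumed placeholder for the annotation
// the old read path used; the PR page does not show the real key strings.
const (
	KMS                                 = "KMS" // the key mode this example round-trips
	EncryptionSecretKMSEncryptionConfig = "kms-encryption-config"
	EncryptionSecretKMSProviderConfig   = "kms-provider-config"
	legacyKMSAnnotation                 = "legacy-kms-encryption-config"
)

// KMSEncryptionConfig is a cut-down stand-in for apiserverconfigv1.KMSConfiguration.
type KMSEncryptionConfig struct {
	Name       string `json:"name"`
	Endpoint   string `json:"endpoint"` // per-key socket, e.g. unix:///var/run/kmsplugin/kms-1.sock
	APIVersion string `json:"apiVersion"`
}

// VaultProviderConfig and KMSProviderConfig use the field names the review lists
// for the hardcoded provider config; the exact shapes are assumed.
type VaultProviderConfig struct {
	VaultAddress   string `json:"vaultAddress"`
	VaultNamespace string `json:"vaultNamespace,omitempty"`
	TransitKey     string `json:"transitKey"`
	TransitMount   string `json:"transitMount"`
}
type KMSProviderConfig struct {
	Image string               `json:"image"`
	Vault *VaultProviderConfig `json:"vault,omitempty"`
}

// KeyState is the subset of state.KeyState needed here; Secret stands in for corev1.Secret.
type KeyState struct {
	Mode                string
	KMSEncryptionConfig *KMSEncryptionConfig
	KMSProviderConfig   *KMSProviderConfig
}
type Secret struct {
	Annotations map[string]string
	Data        map[string][]byte
}

// FromKeyState serializes a key state into Secret.Data and refuses to write a
// KMS-mode key that ToKeyState could not read back.
func FromKeyState(ks KeyState) (*Secret, error) {
	if ks.Mode == KMS && ks.KMSEncryptionConfig == nil {
		return nil, errors.New("KMSEncryptionConfig can not be nil when mode is KMS")
	}
	s := &Secret{Data: map[string][]byte{}}
	if ks.KMSEncryptionConfig != nil {
		b, err := json.Marshal(ks.KMSEncryptionConfig)
		if err != nil {
			return nil, err
		}
		s.Data[EncryptionSecretKMSEncryptionConfig] = b
	}
	if ks.KMSProviderConfig != nil {
		b, err := json.Marshal(ks.KMSProviderConfig)
		if err != nil {
			return nil, err
		}
		s.Data[EncryptionSecretKMSProviderConfig] = b
	}
	return s, nil
}

// ToKeyState reads a KMS-mode key secret, preferring the Data key and falling
// back to the legacy annotation so secrets written before the migration still
// parse; it errors only when neither source is present or the payload is bad.
func ToKeyState(s *Secret) (KeyState, error) {
	ks := KeyState{Mode: KMS}
	raw, ok := s.Data[EncryptionSecretKMSEncryptionConfig]
	if legacy, found := s.Annotations[legacyKMSAnnotation]; !ok && found {
		raw, ok = []byte(legacy), true
	}
	if !ok {
		return ks, errors.New("KMSEncryptionConfig can not be nil")
	}
	var enc KMSEncryptionConfig
	if err := json.Unmarshal(raw, &enc); err != nil {
		return ks, fmt.Errorf("unmarshal KMS encryption config: %w", err)
	}
	ks.KMSEncryptionConfig = &enc
	if pc, found := s.Data[EncryptionSecretKMSProviderConfig]; found {
		var prov KMSProviderConfig
		if err := json.Unmarshal(pc, &prov); err != nil {
			return ks, fmt.Errorf("unmarshal KMS provider config: %w", err)
		}
		ks.KMSProviderConfig = &prov
	}
	return ks, nil
}
```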

@ardaguclu force-pushed the kms-v2-provider-config branch from 585e22b to e143c1e (April 17, 2026 16:13)

@openshift-ci-robot commented Apr 17, 2026

@ardaguclu: This pull request references CNTRLPLANE-3237 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

This is a continuation of #2161 for the work described in openshift/enhancements#1960.

This PR introduces KMSProviderConfig, which will be used as the internal representation of the API fields. This field will be serialized and carried from key_controller -> state_controller -> plugin lifecycle.

Summary by CodeRabbit

  • Bug Fixes

  • KMS configuration is now stored in secret data fields (not annotations) for more reliable encryption-key handling.

  • Features

  • Per-key KMS socket endpoints so each key can use its own KMS socket.

  • Per-key KMS provider configs (including Vault provider settings) baked into secrets to support provider-specific options.

  • Tests

  • Expanded unit and e2e tests to validate per-key endpoints and provider-config data in secrets.

  • Chores

  • Test KMS mock updated to run dedicated per-socket plugin instances.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai bot left a comment

♻️ Duplicate comments (1)
pkg/operator/encryption/secrets/secrets.go (1)

135-149: ⚠️ Potential issue | 🟠 Major

Reject invalid KMS key states before writing the secret.

ToKeyState rejects KMS secrets without KMSEncryptionConfig (lines 73-75), but FromKeyState still serializes ks.Mode == state.KMS with that field potentially unset. This makes the conversion non-round-trippable and lets callers persist a secret this package cannot read back.

🛡️ Proposed fix
+	if ks.Mode == state.KMS && ks.KMSEncryptionConfig == nil {
+		return nil, fmt.Errorf("KMSEncryptionConfig cannot be nil when mode is KMS")
+	}
+
 	if ks.KMSEncryptionConfig != nil {
 		kmsEncCfgJSON, err := json.Marshal(ks.KMSEncryptionConfig)
 		if err != nil {
 			return nil, err
 		}
 		s.Data[EncryptionSecretKMSEncryptionConfig] = kmsEncCfgJSON
 	}
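Review bot: the new guard's message ("cannot be nil") differs from the read-side message quoted for ToKeyState ("KMSEncryptionConfig can not be nil"); use one wording so log searches match both paths. The guard also covers only KMSEncryptionConfig: since the e2e change expects provider-config data to be present for migrated keys, decide here whether a KMS-mode key with a nil KMSProviderConfig is likewise invalid and, if so, extend the same condition (`ks.KMSProviderConfig == nil`) rather than letting collectKMSProviderConfigs discover the gap later.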
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/encryption/secrets/secrets.go` around lines 135 - 149,
FromKeyState currently allows serializing ks with ks.Mode == state.KMS even when
ks.KMSEncryptionConfig is nil, producing secrets that ToKeyState cannot read
back; update FromKeyState to validate and reject invalid KMS states before
writing the secret by returning an error when ks.Mode == state.KMS and
ks.KMSEncryptionConfig == nil (and likewise validate any other required KMS
fields such as KMSProviderConfig if your domain requires it) instead of
proceeding to marshal and set
EncryptionSecretKMSEncryptionConfig/EncryptionSecretKMSProviderConfig in s.Data.
🧹 Nitpick comments (1)
test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml (1)

54-253: Consider templating the repeated container definitions.

The 10 container blocks are nearly identical, differing only in the container name and socket index. While acceptable for a test asset, this creates maintenance burden if you need to change shared parameters (image, volumeMounts, securityContext).

Since this YAML already uses Go templating ({{ .Index }}, {{ .Image }}), you could reduce duplication by templating the containers as well:

♻️ Proposed refactor using Go range template
       containers:
-        - name: kms-plugin-1
-          image: {{ .Image }}
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-          command:
-            - /bin/sh
-            - -c
-          args:
-            - |
-              rm -f /var/run/kmsplugin/kms-1.sock
-              exec /usr/local/bin/mock-kms-plugin -listen-addr=unix:///var/run/kmsplugin/kms-1.sock -config-file-path=/etc/softhsm-config.json
-          volumeMounts:
-            - name: socket
-              mountPath: /var/run/kmsplugin
-            - name: softhsm-config
-              mountPath: /etc/softhsm-config.json
-              subPath: softhsm-config.json
-            - name: softhsm-tokens
-              mountPath: /var/lib/softhsm/tokens
-        - name: kms-plugin-2
-        ... (repeat for 3-10)
+{{- range $i := list 1 2 3 4 5 6 7 8 9 10 }}
+        - name: kms-plugin-{{ $i }}
+          image: {{ $.Image }}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            privileged: true
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              rm -f /var/run/kmsplugin/kms-{{ $i }}.sock
+              exec /usr/local/bin/mock-kms-plugin -listen-addr=unix:///var/run/kmsplugin/kms-{{ $i }}.sock -config-file-path=/etc/softhsm-config.json
+          volumeMounts:
+            - name: socket
+              mountPath: /var/run/kmsplugin
+            - name: softhsm-config
+              mountPath: /etc/softhsm-config.json
+              subPath: softhsm-config.json
+            - name: softhsm-tokens
+              mountPath: /var/lib/softhsm/tokens
+{{- end }}
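Review bot: `list 1 2 3 4 5 6 7 8 9 10` in the `range` header is a Sprig function, not a builtin of Go's `text/template`, so the proposed template only parses if the test library renders this asset with a FuncMap that registers `list`. Since the asset already takes data such as `{{ .Image }}`, the safer form is to pass the indexes as a slice in that data and `range` over it, which also lets the test decide how many plugin instances to start. Inside the range `.` is the element, so `{{ $.Image }}` is correctly written. The refactor also copies `privileged: true` into every one of the ten mock containers; a mock plugin that only binds a Unix socket under `/var/run/kmsplugin` may not need it, so confirm that before carrying it forward into the templated block.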
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml` around
lines 54 - 253, Refactor the repeated kms-plugin-* container blocks into a Go
template range to eliminate duplication: create a slice (e.g., .Plugins or
.NumPlugins) and iterate (range) to render each container using a template body
that sets name as "kms-plugin-{{index}}" and socket paths like
/var/run/kmsplugin/kms-{{index}}. Keep shared fields (image / Image,
imagePullPolicy, securityContext, command, args, volumeMounts, softhsm-config
subPath) inside the templated block so one change updates all; update any
references to container names or sockets (e.g., kms-plugin-1..kms-plugin-10 and
-listen-addr=unix:///var/run/kmsplugin/kms-<index>.sock) to use the template
index variable.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 04563983-6d64-435c-b21a-0f1e31caf275

📥 Commits

Reviewing files that changed from the base of the PR and between 585e22b and e143c1e.

📒 Files selected for processing (18)
  • pkg/operator/encryption/controllers/helpers_test.go
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/deployer/unionrevisionedpod_test.go
  • pkg/operator/encryption/encryptionconfig/config.go
  • pkg/operator/encryption/encryptionconfig/config_test.go
  • pkg/operator/encryption/encryptionconfig/secret.go
  • pkg/operator/encryption/observer/observe_encryption_config_test.go
  • pkg/operator/encryption/secrets/secrets.go
  • pkg/operator/encryption/secrets/secrets_test.go
  • pkg/operator/encryption/secrets/types.go
  • pkg/operator/encryption/state/types.go
  • pkg/operator/encryption/statemachine/transition_test.go
  • pkg/operator/encryption/testing/helpers.go
  • test/e2e-encryption/encryption_test.go
  • test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml
✅ Files skipped from review due to trivial changes (3)
  • pkg/operator/encryption/controllers/helpers_test.go
  • pkg/operator/encryption/deployer/unionrevisionedpod_test.go
  • pkg/operator/encryption/statemachine/transition_test.go
🚧 Files skipped from review as they are similar to previous changes (10)
  • pkg/operator/encryption/encryptionconfig/config_test.go
  • pkg/operator/encryption/observer/observe_encryption_config_test.go
  • pkg/operator/encryption/secrets/types.go
  • pkg/operator/encryption/encryptionconfig/config.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • test/e2e-encryption/encryption_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/encryptionconfig/secret.go
  • pkg/operator/encryption/testing/helpers.go
  • pkg/operator/encryption/controllers/key_controller.go
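
The round trip the duplicate comment above is about, as an added example rather than library-go's own code: a minimal `FromKeyState` that refuses to serialize a KMS key state whose `KMSEncryptionConfig` or `KMSProviderConfig` is nil, paired with a `ToKeyState` that fails on a KMS secret missing either data field instead of returning a half-populated state. The `Mode`, `KeyState`, `Secret` types and the data-field names are simplified stand-ins assumed for the example, not the operator's real identifiers.

```go
package main

// Added example, not library-go's own code: a minimal model of the
// FromKeyState/ToKeyState round trip through a secret's Data map, with the
// validation the review asks for (reject Mode == KMS while the KMS configs
// are nil) instead of writing a secret that cannot be read back. Type names
// and data-field names are simplified stand-ins, not the project's identifiers.

import (
	"encoding/json"
	"errors"
	"fmt"
)

type Mode string

const (
	AESGCM Mode = "aesgcm"
	KMS    Mode = "KMS"
)

// Assumed minimal shapes of the per-key socket endpoint and provider settings.
type KMSEncryptionConfig struct {
	Endpoint string `json:"endpoint"`
}

type KMSProviderConfig struct {
	Provider string `json:"provider"`
}

// KeyState is the in-memory key; Secret stands in for corev1.Secret's Data map.
type KeyState struct {
	Mode                Mode
	Key                 []byte
	KMSEncryptionConfig *KMSEncryptionConfig
	KMSProviderConfig   *KMSProviderConfig
}

type Secret struct{ Data map[string][]byte }

// Placeholder data-field names (assumed, not the operator's real keys).
const (
	dataMode         = "mode"
	dataKey          = "key"
	dataKMSEncConfig = "kms-encryption-config"
	dataKMSProvider  = "kms-provider-config"
)

var ErrInvalidKMSState = errors.New("KMS key state requires non-nil KMSEncryptionConfig and KMSProviderConfig")

// FromKeyState serializes ks into a secret. A KMS state with a nil config is
// rejected before anything is written, so an unreadable secret is never produced.
func FromKeyState(ks KeyState) (*Secret, error) {
	if ks.Mode == KMS && (ks.KMSEncryptionConfig == nil || ks.KMSProviderConfig == nil) {
		return nil, ErrInvalidKMSState
	}
	s := &Secret{Data: map[string][]byte{dataMode: []byte(ks.Mode), dataKey: ks.Key}}
	if ks.Mode != KMS {
		return s, nil
	}
	for field, v := range map[string]any{dataKMSEncConfig: ks.KMSEncryptionConfig, dataKMSProvider: ks.KMSProviderConfig} {
		b, err := json.Marshal(v)
		if err != nil {
			return nil, err
		}
		s.Data[field] = b
	}
	return s, nil
}

// getJSON decodes one data field, failing loudly when the field is absent.
func getJSON(s *Secret, field string, dst any) error {
	raw, ok := s.Data[field]
	if !ok {
		return fmt.Errorf("KMS secret is missing data field %q", field)
	}
	return json.Unmarshal(raw, dst)
}

// ToKeyState is the inverse of FromKeyState; a KMS secret missing either
// field is an error, not a half-populated state.
func ToKeyState(s *Secret) (KeyState, error) {
	ks := KeyState{Mode: Mode(s.Data[dataMode]), Key: s.Data[dataKey]}
	if ks.Mode != KMS {
		return ks, nil
	}
	ks.KMSEncryptionConfig, ks.KMSProviderConfig = &KMSEncryptionConfig{}, &KMSProviderConfig{}
	if err := getJSON(s, dataKMSEncConfig, ks.KMSEncryptionConfig); err != nil {
		return KeyState{}, err
	}
	if err := getJSON(s, dataKMSProvider, ks.KMSProviderConfig); err != nil {
		return KeyState{}, err
	}
	return ks, nil
}
```

Checking the invariant in both directions matters: validating only in `FromKeyState` still leaves `ToKeyState` exposed to secrets written by an older operator version or edited by hand, so the reader side treats a missing KMS field as an error too.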

@ardaguclu
Member Author

/retest

@openshift-ci
Contributor

openshift-ci bot commented Apr 18, 2026

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
