test/encryption: add InvalidConfigRecoveryScenario for KMS plugin image

[gangwgr]

test/encryption: add InvalidImageRecoveryScenario for KMS plugin image

Summary by CodeRabbit

• Tests
  • Added new encryption recovery test scenarios for validating system behavior during invalid configuration states and recovery processes.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR adds a new test scenario and helper function to validate encryption recovery workflows. The InvalidImageRecoveryScenario type extends the base BasicScenario with fields for a valid KMS provider and a degradation wait callback. The TestEncryptionInvalidImageRecovery function orchestrates a recovery flow: it waits for the operator to enter a degraded state, asserts encryption remains on KMS during degradation, then switches to a valid KMS provider using existing encryption helpers.

Changes

Invalid Image Recovery Test Scenario

Layer / File(s)	Summary
InvalidImageRecoveryScenario type and test function test/library/encryption/scenarios.go	Imports k8s.io/apimachinery/pkg/runtime/schema, introduces InvalidImageRecoveryScenario type with ValidImageProvider and WaitForDegraded fields, and implements TestEncryptionInvalidImageRecovery to validate required fields, wait for operator degradation, assert KMS encryption persists during degradation, and apply a valid KMS provider to complete recovery.

🎯 2 (Simple) | ⏱️ ~8 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	PR adds DaemonSet manifest with privileged: true in two containers without inline justification; justification exists only in separate rolebinding comment.	Add inline comments in k8s_mock_kms_plugin_daemonset.yaml explaining why privileged: true is required for Unix socket creation on host filesystem.
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Missing post-recovery validation of operator readiness. SetAndWaitForEncryptionType only ensures encryption key migration, not that operator degradation is cleared.	Add explicit post-recovery assertion/wait to verify operator is no longer degraded, symmetric to WaitForDegraded callback.
Title check	⚠️ Warning	The PR title mentions 'InvalidConfigRecoveryScenario' but the actual added type is 'InvalidImageRecoveryScenario', creating a naming mismatch.	Update the PR title to 'test/encryption: add InvalidImageRecoveryScenario for KMS plugin image' to match the actual exported type name added in the changeset.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	New code has no Ginkgo test definitions and uses only static strings in logging, with no dynamic values that could vary between test runs.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests (It/Describe/Context/When) added. Changes add helper functions in test/library/, not e2e tests. MicroShift check applies to e2e tests, not helpers.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Code is test helper library in test/library/encryption/scenarios.go with no Ginkgo test declarations (It(), Describe(), etc.), so SNO compatibility check does not apply to infrastructure library code.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only test code (test/library/encryption/scenarios.go), not deployment manifests, operator code, or controllers. The custom check explicitly applies only to those categories.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes detected. Code is library package with test helper using only t.Log (test-safe), no fmt.Print or klog at process level.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The added code is a helper library (not Ginkgo e2e test) with no IPv4 hardcoded addresses, external connectivity requirements, or IPv6-unsafe patterns.
No-Weak-Crypto	✅ Passed	PR adds test scenario code with no weak crypto algorithms, custom crypto implementations, or insecure secret comparisons detected.
No-Sensitive-Data-In-Logs	✅ Passed	All logging statements use constant string literals describing test steps. No sensitive data (passwords, tokens, keys, PII, hostnames, credentials) is logged.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/library/encryption/scenarios.go`:
- Around line 334-344: After scenario.WaitForDegraded(ctx, e) add an explicit
assertion that the cluster is still using KMS before performing recovery: fetch
the current encryption provider/mode from the test environment (using the
existing test env variable e / scenario helpers) and assert it equals the KMS
provider (e.g., compare against the expected KMS string or enum used elsewhere
in tests), then only proceed to call SetAndWaitForEncryptionType(...). Place
this check immediately after WaitForDegraded(ctx, e) so the test explicitly
verifies the rollout remained stuck on KMS prior to applying the valid KMS
image.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3e514184-6cde-4c92-a790-09007c2462a2

📥 Commits

Reviewing files that changed from the base of the PR and between c7d4322 and 7099f22.

📒 Files selected for processing (3)

• test/library/encryption/helpers.go
• test/library/encryption/kms/vault.go
• test/library/encryption/scenarios.go

[ardaguclu]

We don't need to define a new variable for this. We can just an invalid image where we need it.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/library/encryption/scenarios.go`:
- Around line 306-309: The test calls scenario.AssertFunc(...) without checking
it; add a nil-guard before invoking it to avoid panics. Update the test near the
existing preconditions (where WaitForDegraded, InvalidImageProvider.Type and
ValidImageProvider.Type are asserted) to assert or check that
scenario.AssertFunc is not nil (e.g. require.NotNil(t, scenario.AssertFunc,
"...") or if scenario.AssertFunc != nil { ... }) and then call
scenario.AssertFunc, ensuring the call only happens when AssertFunc is present.
- Around line 323-337: The test asserts the cluster stayed on KMS without first
exercising the AESCBC switch attempt; insert a call that triggers the AESCBC
switch attempt (the helper used in the scenario flow to start a switch to
AESCBC) immediately after scenario.WaitForDegraded(...) and before
scenario.AssertFunc(...), so the test actually attempts the switch path and then
verifies KMS stickiness; keep the final recovery call to
SetAndWaitForEncryptionType(...) as-is.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 599ae865-8045-47c1-9b17-fb860b6458d4

📥 Commits

Reviewing files that changed from the base of the PR and between 7099f22 and 105508c.

📒 Files selected for processing (3)

• test/library/encryption/helpers.go
• test/library/encryption/kms/vault.go
• test/library/encryption/scenarios.go

🚧 Files skipped from review as they are similar to previous changes (2)

• test/library/encryption/helpers.go
• test/library/encryption/kms/vault.go

[ardaguclu]

Do we really need this?. We can use the current valid encryption provider. After that we can modify it with invalid image.

[ardaguclu]

I think we don't need this. We can use the current Vault definition.

[ardaguclu]

That is too specific error to be waiting. When kms plugin is unreachable, I'd expect that operator goes degraded. We should wait for the degradation instead of pod's specific condition. Because since apiserver can not communicate with the plugin, it should report unhealthy.

What is the result of your tests?. It didn't go degraded?.

[ardaguclu]

Also noone uses this function currently

[gangwgr]

In our tests, the operator does not go Degraded when the KMS plugin image is invalid. It just stays stuck in Progressing (NodeInstallerProgressing) because the static pod revision can never complete. The apiserver never actually starts with the bad plugin, so it never gets a chance to report unhealthy, the image pull fails before the pod runs.

[gangwgr]

if we are planning to fix that, so i removed imagepull func

[ardaguclu]

I think we don't need this.

[ardaguclu]

That should be sufficient instead of waiting for imagepullerr

[gangwgr]

not sure it is sufficient, same reason #2249 (comment)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/library/encryption/scenarios.go`:
- Around line 309-320: TestEncryptionInvalidImageRecovery currently fixes the
invalid image by calling SetAndWaitForEncryptionType (which may only call
waitForNoNewEncryptionKey) but never asserts that the operator cleared its
degraded state or that the plugin rollout completed; add a post-recovery
wait/assert symmetric to WaitForDegraded: after SetAndWaitForEncryptionType in
TestEncryptionInvalidImageRecovery call a helper (or extend helpers.go) such as
WaitForNotDegraded / WaitForOperatorAvailable that checks the operator's
Degraded condition is cleared and the plugin deployment(s) reached desired
rollout (no failing pods, available replicas) — use the same client helpers used
by WaitForDegraded and reference SetAndWaitForEncryptionType, WaitForDegraded,
and waitForNoNewEncryptionKey when implementing the new post-recovery assertion
so the test only passes once the operator is healthy and the plugin rollout
finished.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e90f5601-4663-4ad5-9a30-a1126553b141

📥 Commits

Reviewing files that changed from the base of the PR and between cd32cc3 and e11492b.

📒 Files selected for processing (1)

• test/library/encryption/scenarios.go

[ardaguclu]

Where is the implementation of this function?

[ardaguclu]

It will be assigned by the caller?

[gangwgr]

Yes, it's assigned by the caller in kas-o

[ardaguclu]

We haven't set invalid image yet?

[gangwgr]

we can set the invalid image by call in test

[ardaguclu]

Due to the nature of this Scenario, in my opinion we should set it here to be explicit about it.

[gangwgr]

we can add invalid image setup in library-go also, both works
do we need add here or keep it in caller?

[ardaguclu]

I think, we should have it here. This is the core part of the scenario

[gangwgr]

added

[gangwgr]

/test unit

[ardaguclu]

@gangwgr you are right. It is not degrading, it stuck in progressing;

$ oc get co
NAME                                       VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.23.0-0-2026-06-01-074800-test-ci-ln-iqf6b22-latest   True        True          False      95m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation and 2/3 pods are available
kube-apiserver                             4.23.0-0-2026-06-01-074800-test-ci-ln-iqf6b22-latest   True        True          False      112m    NodeInstallerProgressing: 3 nodes are at revision 7; 0 nodes have achieved new revision 9
openshift-apiserver                        4.23.0-0-2026-06-01-074800-test-ci-ln-iqf6b22-latest   True        True          False      107m    APIServerDeploymentProgressing: deployment/apiserver.openshift-apiserver: 1/3 pods have been updated to the latest generation and 2/3 pods are available

but in reality pod is stuck in error;

$ oc get pods -n openshift-kube-apiserver
NAME                                                              READY   STATUS                  RESTARTS   AGE
kube-apiserver-ip-10-0-102-172.us-west-1.compute.internal         0/6     Init:ImagePullBackOff   0          8m11s
$ oc get pods -n openshift-apiserver
NAME                         READY   STATUS                  RESTARTS      AGE
apiserver-6c94754994-fks4q   0/3     Init:ImagePullBackOff   0             17m
$ oc get pods -n openshift-oauth-apiserver
NAME                         READY   STATUS                  RESTARTS   AGE
apiserver-65f95f8675-x77jh   0/2     Init:ImagePullBackOff   0          17m

So we should wait for ImagePullBackOff error as you did previously, after that patching with correct image and wait for the success.
/cc @p0lyn0mial

[ardaguclu]

BTW, it depends on the field we use for in-place field updates. Image field gets this error but there might be another field that causes degradation.

[p0lyn0mial]

wondering if we could create a more generic scenario that would accept an invalid configuration (not necessarily invalid image) and possibly inject the config at different stages: before encryption has been enabled, after encryption has been enabled, during migration etc.

WDYT ?

[ardaguclu]

I think, this is a good idea. Although currently we only have image field as in-place field (other fields in Vault are all trigerring migration), it would be better to have generic approach.

[gangwgr]

Yes, updated

[ardaguclu]

I think we can test the combinations in one scenario;

• Enable KMS with invalid image
• Update to aescbc and see that there is no switch to aescbc
• Patch KMS with correct image with previous configuration (because apiserver/cluster is on aescbc)
• See that everything works
• Patch again with invalid KMS image
• See that revision is stuck
• Patch with correct KMS image
• Immediately patch with incorrect KMS image -- during migration
• Patch with correct KMS image again

[gangwgr]

do we need multiple times invalid image? it will increase case duration

[ardaguclu]

I think we need to test all cases.

[gangwgr]

can we combine below also in one case?

1. Unreachable vault
2. Bad creds
3. invalid transit mount

[ardaguclu]

Unreachable vault

This can be tested, if this is caused by invalid configuration

Bad creds

Updating content of referenced Secrets hasn't been implemented yet. But when it is implemented, this can be a separate scenario.

Invalid transit mount

Invalid transit mount needs to be caught by preflight checker.

[ardaguclu]

@gangwgr I've implemented my suggested changes in #2265 for all the changes in this PR. Could you please take a look at?

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• test/library/encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.