[WIP] CNTRLPLANE-2711: add vault kms plug configuration api by flavianmissi · Pull Request #2805 · openshift/api

flavianmissi · 2026-04-15T14:44:05Z

No description provided.

openshift-ci-robot · 2026-04-15T14:44:10Z

@flavianmissi: This pull request references CNTRLPLANE-2711 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2026-04-15T14:44:15Z

Hello @flavianmissi! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

coderabbitai · 2026-04-15T14:44:23Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

Removed the KMSEncryptionProvider feature gate and its test YAML and feature-gate registration entries. Replaced AWS-specific KMS configuration with a Vault-based provider: added spec.encryption.kms.type: "Vault" and spec.encryption.kms.vault (fields include vaultAddress, kmsPluginImage, approleSecretRef, transitKey, optional tls and transitMount/vaultNamespace). Updated Go API annotations and CRD validations to reference the KMSEncryption feature gate and adjusted payload feature-gate manifests to remove KMSEncryptionProvider entries.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to evaluate relevance to the changeset.	Add a meaningful pull request description explaining the purpose, motivation, and scope of the Vault KMS plugin configuration API changes.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a Vault KMS plugin configuration API, which aligns with the core content of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test files with dynamic test names; all YAML test cases use static, deterministic names.
Test Structure And Quality	✅ Passed	This pull request does not introduce or modify any Ginkgo test code, making this check not applicable. The PR only modifies YAML test specification data files.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes consist of API type definitions, YAML test fixtures, CRD manifests, and feature gate configurations only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Pull request contains no new Ginkgo e2e tests, only API configuration and validation test updates.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only API schema and feature gate configuration changes with no deployment manifests, operator controllers, or pod scheduling specifications.
Ote Binary Stdout Contract	✅ Passed	PR modifies API definitions, feature gates, and CRD manifests with no process-level entry points or OTE test runners introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. The changes consist entirely of Go type definitions, API CRD manifests, feature gate registrations, and test configuration YAML files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-04-15T14:44:38Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 67-73: Add explicit Kubernetes validation markers to enforce the
documented bounds: annotate VaultNamespace, TransitMount, and TransitKey with
kubebuilder validation comments before each field (e.g. //
+kubebuilder:validation:MinLength=1 and //
+kubebuilder:validation:MaxLength=256) and keep the existing json tag
(json:"...,omitempty"). This ensures the CRD rejects empty strings and overly
long values for the VaultNamespace, TransitMount, and TransitKey fields.
- Around line 57-65: The VaultAddress field currently allows both http and
https; update its validation to require HTTPS only by changing the kubebuilder
XValidation rule on VaultAddress to match '^https://', update the validation
message to say "vaultAddress must be a valid URL starting with 'https://'...",
and ensure the example and any documentation reference use https (e.g.,
'https://vault.example.com:8200'); modify the comment and the
+kubebuilder:validation:XValidation line for VaultAddress in
types_kmsencryption.go accordingly.
- Around line 5-24: The change removed AWS KMS support and will break upgrades
for clusters with persisted AWS configs; restore backward compatibility by
either reintroducing AWS as a deprecated union member on KMSConfig (add
AWSKMSProvider value to KMSProviderType and an AWSKMSConfig struct as a
+unionMember with deprecation tags) and implement conversion logic in the API
conversion/webhook handlers to migrate existing AWSKMSConfig to the new model,
or implement and wire a documented controller migration path that detects
existing KMSConfig entries with AWS data and converts them to the new Vault-only
shape (or marks them as exempt) during upgrade; touch KMSConfig,
KMSProviderType, VaultKMSConfig, and add AWSKMSConfig/AWSKMSProvider identifiers
and ensure feature-gate annotations and validation rules account for
preserved/deprecated AWS entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 31c84276-1bd6-44d1-aef1-c88652b3bb69

📥 Commits

Reviewing files that changed from the base of the PR and between 464776f and 0e6ccdb.

⛔ Files ignored due to path filters (10)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (17)

config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
config/v1/types_apiserver.go
config/v1/types_kmsencryption.go
features.md
features/features.go
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (12)

config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
features/features.go
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
features.md
config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (2)

config/v1/types_kmsencryption.go (2)

67-73: ⚠️ Potential issue | 🟠 Major

Add the length validators promised by the API contract.

The documentation states bounds for vaultNamespace (1-256), transitMount (1-128), and transitKey (1-128), but the kubebuilder markers are missing. This allows empty strings and arbitrarily long values to pass schema validation, causing runtime failures instead of admission-time rejection.

Suggested fix for vaultNamespace (lines 67-73)

 	// vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted.
 	// This is only applicable for Vault Enterprise installations.
 	// The value can be between 1 and 256 characters.
 	// When this field is not set, no namespace is used.
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
 	// +optional
 	VaultNamespace string `json:"vaultNamespace,omitempty"`

Suggested fix for transitMount (lines 128-134)

 	// transitMount specifies the mount path of the Vault Transit engine.
 	// The value can be between 1 and 128 characters.
 	// When this field is not set, it defaults to "transit".
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
 	// +kubebuilder:default="transit"
 	// +optional
 	TransitMount string `json:"transitMount,omitempty"`

Suggested fix for transitKey (lines 136-141)

 	// transitKey specifies the name of the encryption key in Vault's Transit engine.
 	// This key is used to encrypt and decrypt data.
 	// The value must be between 1 and 128 characters.
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
 	// +required
 	TransitKey string `json:"transitKey,omitempty"`

Also applies to: 128-141

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 67 - 73, Add kubebuilder
validation markers to enforce the documented length bounds on the three Vault
fields: annotate VaultNamespace with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=256, annotate TransitMount with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=128,
and annotate TransitKey with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=128 so the API server rejects empty or overly
long values at admission time; ensure the markers appear immediately above the
corresponding struct fields VaultNamespace, TransitMount, and TransitKey.

57-65: ⚠️ Potential issue | 🟠 Major

Require HTTPS for the Vault endpoint.

Allowing http:// enables cleartext transmission of AppRole credentials and KMS traffic. The tlsVerify: SkipVerify option already covers insecure testing scenarios without disabling transport encryption entirely.

Suggested fix

-	// vaultAddress specifies the address of the HashiCorp Vault instance.
-	// The value must be a valid URL with scheme (http:// or https://) and can be up to 512 characters.
+	// vaultAddress specifies the address of the HashiCorp Vault instance.
+	// The value must be a valid HTTPS URL and can be up to 512 characters.
 	// Example: https://vault.example.com:8200
 	//
-	// +kubebuilder:validation:XValidation:rule="self.matches(r'^https?://')",message="vaultAddress must be a valid URL starting with 'http://' or 'https://' (e.g., 'https://vault.example.com:8200')."
+	// +kubebuilder:validation:XValidation:rule="self.matches(r'^https://')",message="vaultAddress must be a valid HTTPS URL (e.g., 'https://vault.example.com:8200')."
 	// +kubebuilder:validation:MaxLength=512
 	// +kubebuilder:validation:MinLength=1
 	// +required
 	VaultAddress string `json:"vaultAddress,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 57 - 65, The VaultAddress
field currently allows both http and https; change its validation to require
HTTPS only by updating the kubebuilder XValidation rule for VaultAddress
(symbol: VaultAddress) to match r'^https://', adjust the validation message to
state "vaultAddress must be a valid HTTPS URL starting with 'https://'" and keep
the MaxLength/MinLength/required tags intact so the API rejects non-HTTPS Vault
endpoints.

🧹 Nitpick comments (2)

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)
342-346: Validation message references KMSEncryption feature gate but rule doesn't enforce it.

The message says "kms config is required when encryption type is KMS and KMSEncryption feature gate is enabled" but the CEL rule itself doesn't check the feature gate state—it just validates kms presence based on type == 'KMS'. This is likely correct behavior (the feature gate controls schema presence, not this runtime rule), but the message is potentially misleading.

Consider simplifying the message to match the actual rule behavior:
-- message: kms config is required when encryption type is KMS and
-    KMSEncryption feature gate is enabled, and forbidden otherwise
+- message: kms config is required when encryption type is KMS, and forbidden otherwise
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`
around lines 342 - 346, The validation message is misleading because it mentions
the KMSEncryption feature gate while the CEL rule only checks self.type and
self.kms; update the x-kubernetes-validations.message to reflect the actual rule
(e.g., "kms config is required when encryption type is 'KMS' and forbidden
otherwise") so it matches the rule for x-kubernetes-validations.rule that
evaluates has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms);
adjust only the message string associated with that rule.
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)
342-346: Same validation message inconsistency as CustomNoUpgrade CRD.

The message mentions "KMSEncryption feature gate is enabled" but the CEL rule doesn't actually check feature gate state. Consider the same simplification suggested for the CustomNoUpgrade variant.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml`
around lines 342 - 346, The validation message for the x-kubernetes-validations
entry in the apiservers-TechPreviewNoUpgrade CRD is inconsistent with the CEL
rule: the message references "KMSEncryption feature gate is enabled" but the
rule only checks self.type and self.kms. Update the message to match the rule
(e.g., "kms config is required when encryption type is KMS and forbidden
otherwise") or, if you intend to gate on a feature flag, modify the CEL rule to
include that feature check; edit the x-kubernetes-validations -> message and/or
the rule that uses has(self.type) && self.type == 'KMS' ? has(self.kms) :
!has(self.kms) so they are consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 48-55: The validation regex for VaultKMSPluginImage rejects
repository names containing underscores; update the kubebuilder XValidation rule
on VaultKMSPluginImage to allow underscores in the repository path by changing
the character class for the path portion from [a-zA-Z0-9./-]+ to include
underscores (e.g., [a-zA-Z0-9._/-]+) so OCI-compliant names like
"registry.example.com/my_project/vault_plugin@sha256:..." pass validation while
preserving the rest of the pattern and MinLength/MaxLength constraints.

---

Duplicate comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 67-73: Add kubebuilder validation markers to enforce the
documented length bounds on the three Vault fields: annotate VaultNamespace with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=256,
annotate TransitMount with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=128, and annotate TransitKey with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=128 so
the API server rejects empty or overly long values at admission time; ensure the
markers appear immediately above the corresponding struct fields VaultNamespace,
TransitMount, and TransitKey.
- Around line 57-65: The VaultAddress field currently allows both http and
https; change its validation to require HTTPS only by updating the kubebuilder
XValidation rule for VaultAddress (symbol: VaultAddress) to match r'^https://',
adjust the validation message to state "vaultAddress must be a valid HTTPS URL
starting with 'https://'" and keep the MaxLength/MinLength/required tags intact
so the API rejects non-HTTPS Vault endpoints.

---

Nitpick comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`:
- Around line 342-346: The validation message is misleading because it mentions
the KMSEncryption feature gate while the CEL rule only checks self.type and
self.kms; update the x-kubernetes-validations.message to reflect the actual rule
(e.g., "kms config is required when encryption type is 'KMS' and forbidden
otherwise") so it matches the rule for x-kubernetes-validations.rule that
evaluates has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms);
adjust only the message string associated with that rule.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml`:
- Around line 342-346: The validation message for the x-kubernetes-validations
entry in the apiservers-TechPreviewNoUpgrade CRD is inconsistent with the CEL
rule: the message references "KMSEncryption feature gate is enabled" but the
rule only checks self.type and self.kms. Update the message to match the rule
(e.g., "kms config is required when encryption type is KMS and forbidden
otherwise") or, if you intend to gate on a feature flag, modify the CEL rule to
include that feature check; edit the x-kubernetes-validations -> message and/or
the rule that uses has(self.type) && self.type == 'KMS' ? has(self.kms) :
!has(self.kms) so they are consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b8d09f5-f990-4d5b-8bf2-27856efe1d7c

📥 Commits

Reviewing files that changed from the base of the PR and between 0e6ccdb and 9204eb8.

⛔ Files ignored due to path filters (8)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

config/v1/types_kmsencryption.go
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

✅ Files skipped from review due to trivial changes (1)

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

config/v1/types_kmsencryption.go (1)
5-24: ⚠️ Potential issue | 🔴 Critical

Preserve an upgrade path for existing aws KMS configs.

This change removes aws from the public kms union and provider enum without a deprecated member or any migration path in the API surface. Clusters that already persisted spec.encryption.kms.aws under the previous gate will be rejected on upgrade once this validation becomes authoritative.

Also applies to: 27-33
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 5 - 24, The KMS union removed
the previously allowed "aws" provider with no migration or deprecated field,
which will reject clusters that already have spec.encryption.kms.aws; restore
backward compatibility by reintroducing a deprecated/hidden union member for the
AWS provider (e.g. add an Aws *AWSKMSConfig `json:"aws,omitempty"` with
appropriate +optional and +deprecated markers or a FeatureGate-aware validation
exception) and keep the union discriminator Type KMSProviderType accepting the
old "aws" enum value (or add a deprecated enum entry) so existing persisted
KMSConfig objects with Type == "AWS" and the Aws member continue to validate
during upgrade while new API users are prevented from creating new AWS configs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 37-79: The CRD manifests are out of sync with the VaultKMSConfig
Go type: the Go struct now uses kmsPluginImage and a nested TLS struct
(VaultTLSConfig with caBundle and serverName) but the published CRDs still
expose vaultKMSPluginImage, flat tlsCA/tlsServerName/tlsVerify and old
http:///length validations; update the CRD schema to match the Go API by
renaming fields (vaultKMSPluginImage -> kmsPluginImage), nesting TLS under tls
with caBundle and serverName fields, removing the old http:// rule and
correcting MinLength/MaxLength rules to match KMSPluginImage and VaultAddress,
then regenerate the CRD manifests (e.g., run your controller-gen/CRD generation
or project make target) so the published YAML matches VaultKMSConfig,
KMSPluginImage, VaultAddress and TLS/VaultTLSConfig definitions.

---

Duplicate comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 5-24: The KMS union removed the previously allowed "aws" provider
with no migration or deprecated field, which will reject clusters that already
have spec.encryption.kms.aws; restore backward compatibility by reintroducing a
deprecated/hidden union member for the AWS provider (e.g. add an Aws
*AWSKMSConfig `json:"aws,omitempty"` with appropriate +optional and +deprecated
markers or a FeatureGate-aware validation exception) and keep the union
discriminator Type KMSProviderType accepting the old "aws" enum value (or add a
deprecated enum entry) so existing persisted KMSConfig objects with Type ==
"AWS" and the Aws member continue to validate during upgrade while new API users
are prevented from creating new AWS configs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 6481d801-9501-491c-91d0-022980739a42

📥 Commits

Reviewing files that changed from the base of the PR and between 9204eb8 and adcbfe4.

⛔ Files ignored due to path filters (8)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

config/v1/types_kmsencryption.go
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 56-60: The XValidation on vaultAddress (self.matches('^https://'))
only enforces the prefix and allows invalid values like "https://"; update the
validation to either enforce a full URL shape (replace the XValidation rule with
a stronger regex/pattern that requires a host and optional port/path, e.g.
require at least "https://<host>" semantics) or, if you prefer the lighter
check, change the documentation/message to state "must start with 'https://'" to
match the current rule; update the kubebuilder:XValidation rule and the
vaultAddress comment/message accordingly so they are consistent (referencing the
vaultAddress field and its XValidation rule).
- Line 50: The XValidation message still references the old field name
vaultKMSPluginImage; update the validation annotation on the kmsPluginImage
field so the message uses the new field name (kmsPluginImage) and keep the rest
of the guidance unchanged. Locate the kubebuilder XValidation tag shown and
replace "vaultKMSPluginImage" in the message with "kmsPluginImage" so admission
errors point to the correct field.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 55d2598e-91dd-493c-9853-e17140c344fb

📥 Commits

Reviewing files that changed from the base of the PR and between 42d4c42 and bd0b2a0.

⛔ Files ignored due to path filters (8)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

config/v1/types_kmsencryption.go
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

openshift-ci · 2026-04-17T12:01:04Z

@flavianmissi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-crdify	`4e09913`	link	true	`/test verify-crdify`
ci/prow/integration	`4e09913`	link	true	`/test integration`
ci/prow/verify-crd-schema	`4e09913`	link	true	`/test verify-crd-schema`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

everettraven · 2026-04-21T11:16:56Z


 // APIServerEncryption is used to encrypt sensitive resources on the cluster.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS and KMSEncryption feature gate is enabled, and forbidden otherwise"


We don't need to include and KMSEncryption feature gate is enabled in the message - this validation will only be present when the KMSEncryption feature gate is enabled.

everettraven · 2026-04-21T11:26:21Z

-// that will be used with KMSEncryptionProvider encryption
-// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ?  has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise"
+// that will be used with KMS encryption
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'Vault' ?  (has(self.vault) && self.vault.vaultAddress != \"\") : !has(self.vault)",message="vault config is required when kms provider type is Vault, and forbidden otherwise"


A couple things here:

This validation doesn't need to be feature gated because the type itself is only referenced in an already feature gated field

This expression can be self.type == 'Vault' ? has(self.vault) : !has(self.vault) to simplify the constraint to ensuring that the vault field is required when type is Vault and forbidden otherwise. You don't need the has(self.type) because the type field is already required which means it will fail validation if it is omitted - which I believe is a short-circuiting validation. I assume the self.vault.vaultAddress != "" is meant to ensure the vault address is not empty, which should be enforced by making that child field required.

everettraven · 2026-04-21T11:29:04Z

+	// Valid values are:
+	// - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)


Nit: In general, we recommend a format like:

type defines the kind of platform for the KMS provider.
Allowed values are Vault.
When set to Vault, {description}.

This is because list notation can sometimes render weirdly in various contexts that display the documentation generated from the GoDoc. Using plain English sentences avoids that problem altogether.

everettraven · 2026-04-21T11:33:39Z

+	// +openshift:enable:FeatureGate=KMSEncryption
 	// +unionMember
 	// +optional
-	AWS *AWSKMSConfig `json:"aws,omitempty"`


I think you will have to tombstone this field instead of removing it entirely. This is to prevent us from ever re-using the serialized field name of aws because older clients that previously read this API with this field would still attempt to unmarshal the field in the same way but the underlying API shape may be different causing read issues.

Do you intend to support an AWS KMS provider in the near-ish future?

Do you intend to support an AWS KMS provider in the near-ish future?

We'll probably need to support AWS in the future, since it's already officially supported by Hypershift.

This is to prevent us from ever re-using the serialized field

Others can correct me if I'm wrong, but we never had any clients using this field. IIUC this API type was prematurely added without any consumers. Removing this would make things cleaner and allow us to make better design decisions in the future.

I think it's safe to remove it, but I'd like to hear form @ardaguclu as well.

Others can correct me if I'm wrong, but we never had any clients using this field. IIUC this API type was prematurely added without any consumers. Removing this would make things cleaner and allow us to make better design decisions in the future.

I think it's safe to remove it, but I'd like to hear form @ardaguclu as well.

I was asked to tombstone as well #2622 (comment). I think it might make sense tombstoning it.

We'll probably need to support AWS in the future, since Hypershift supports it already.

We probably won't support AWS in the foreseeable future.

As Fabio said, there are no clients using this.

While we have no plans to support AWS, I think it's quite safe to assume that customers will eventually ask this from us.
Would tombstoning the field mean that we would not be able to add it back if needed?

everettraven · 2026-04-21T11:34:13Z

-// AWSKMSConfig defines the KMS config specific to AWS KMS provider
-type AWSKMSConfig struct {


If we tombstone the field, we will also need to tombstone this type.

everettraven · 2026-04-21T12:19:19Z

+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +default="transit"


For configuration APIs, we normally try to avoid setting default values in this way.

Instead, we make omission of the field mean "no opinion" and have a standard terminology we use like

api/config/v1/types_ingress.go

Lines 126 to 127 in 34e6087

// When omitted, this means the user has no opinion and the platform is left

// to choose reasonable defaults. These defaults are subject to change over time.

This allows us to modify the underlying default behavior as needed without being contractually tied to a default value.

everettraven · 2026-04-21T12:19:50Z

+	ApproleSecret *SecretNameReference `json:"approleSecret,omitempty"`
+
+	// transitMount specifies the mount path of the Vault Transit engine.
+	// The value can be between 1 and 1024 characters.


Are there any other reasonable constraints we can enforce related to formatting here?

everettraven · 2026-04-21T12:20:57Z

+
+	// transitKey specifies the name of the encryption key in Vault's Transit engine.
+	// This key is used to encrypt and decrypt data.
+	// The value must be between 1 and 512 characters.


Are there any additional constraints that we can enforce here related to formatting of the input?

everettraven · 2026-04-21T12:22:44Z

+	//       -----END CERTIFICATE-----
+	//
+	// +optional
+	CABundle *ConfigMapNameReference `json:"caBundle,omitempty"`


Similar to my comment on SecretNameReference usage, I'd recommend against re-using this type because it does not have any validations on the input.

everettraven · 2026-04-21T12:23:34Z

+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1


Any other formatting constraints we can enforce here? Presumably this needs to be a valid hostname?

flavianmissi added 2 commits April 15, 2026 16:03

regenerate openapi

015b757

remove KMSEncryptionProvider feature flag

9da0538

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 15, 2026

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 15, 2026

openshift-ci bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 15, 2026

openshift-ci bot requested review from JoelSpeed and everettraven April 15, 2026 14:44

flavianmissi force-pushed the CNTRLPLANE-2711-kms-api-2 branch from 0e6ccdb to 9204eb8 Compare April 15, 2026 14:50

coderabbitai bot reviewed Apr 15, 2026

View reviewed changes

Comment thread config/v1/types_kmsencryption.go Outdated

Comment thread config/v1/types_kmsencryption.go

Comment thread config/v1/types_kmsencryption.go

coderabbitai bot reviewed Apr 15, 2026

View reviewed changes

Comment thread config/v1/types_kmsencryption.go Outdated

flavianmissi force-pushed the CNTRLPLANE-2711-kms-api-2 branch from 9204eb8 to adcbfe4 Compare April 16, 2026 12:16

coderabbitai bot reviewed Apr 16, 2026

View reviewed changes

Comment thread config/v1/types_kmsencryption.go Outdated

flavianmissi force-pushed the CNTRLPLANE-2711-kms-api-2 branch 2 times, most recently from 42d4c42 to bd0b2a0 Compare April 17, 2026 10:05

coderabbitai bot reviewed Apr 17, 2026

View reviewed changes

Comment thread config/v1/types_kmsencryption.go Outdated

Comment thread config/v1/types_kmsencryption.go Outdated

flavianmissi added 2 commits April 17, 2026 12:43

add config api for vault kms plugin

5d59b6f

regenerate files

4e09913

flavianmissi force-pushed the CNTRLPLANE-2711-kms-api-2 branch from bd0b2a0 to 4e09913 Compare April 17, 2026 10:53

everettraven reviewed Apr 21, 2026

View reviewed changes

		// Valid values are:
		// - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)

		// AWSKMSConfig defines the KMS config specific to AWS KMS provider
		type AWSKMSConfig struct {

	// When omitted, this means the user has no opinion and the platform is left
	// to choose reasonable defaults. These defaults are subject to change over time.

		// +kubebuilder:validation:MaxLength=253
		// +kubebuilder:validation:MinLength=1

Conversation

flavianmissi commented Apr 15, 2026

Uh oh!

openshift-ci-robot commented Apr 15, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Apr 15, 2026

Uh oh!

coderabbitai bot commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

❌ Failed checks (1 inconclusive)

Uh oh!

openshift-ci bot commented Apr 15, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

openshift-ci bot commented Apr 17, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bertinatto Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

openshift-ci-robot commented Apr 15, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Apr 15, 2026 •

edited

Loading

bertinatto Apr 21, 2026 •

edited

Loading