From 4a3e977ef9cc0f839f6ac8511490370a65ce67d2 Mon Sep 17 00:00:00 2001
From: barbacbd <barbacbd@gmail.com>
Date: Thu, 16 Apr 2026 08:38:35 -0400
Subject: [PATCH] CORS-4405: Add GCPKMSEncryptionInstall feature gate

Introduces a new feature gate to enable GCP KMS encryption during cluster installation.
The gate is enabled in TechPreviewNoUpgrade and DevPreviewNoUpgrade feature sets for both
Hypershift and SelfManagedHA cluster profiles.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 features.md                                               | 1 +
 features/features.go                                      | 8 ++++++++
 .../featuregates/featureGate-4-10-Hypershift-Default.yaml | 3 +++
 .../featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml  | 3 +++
 .../featuregates/featureGate-4-10-Hypershift-OKD.yaml     | 3 +++
 .../featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml | 3 +++
 .../featureGate-4-10-SelfManagedHA-Default.yaml           | 3 +++
 ...eatureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml | 3 +++
 .../featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml  | 3 +++
 ...atureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 +++
 10 files changed, 33 insertions(+)

diff --git a/features.md b/features.md
index 8112c57f728..adcd6b11b4a 100644
--- a/features.md
+++ b/features.md
@@ -62,6 +62,7 @@
 | GCPCustomAPIEndpoints| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPCustomAPIEndpointsInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPDualStackInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| GCPKMSEncryptionInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | HyperShiftOnlyDynamicResourceAllocation| <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> |  |
 | ImageModeStatusReporting| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | IngressControllerDynamicConfigurationManager| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
diff --git a/features/features.go b/features/features.go
index 5d148165cc5..314a4b5d658 100644
--- a/features/features.go
+++ b/features/features.go
@@ -872,6 +872,14 @@ var (
 					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
+	FeatureGateGCPKMSEncryptionInstall = newFeatureGate("GCPKMSEncryptionInstall").
+						reportProblemsToJiraComponent("Installer").
+						contactPerson("barbacbd").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1975").
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+						mustRegister()
+
 	FeatureCBORServingAndStorage = newFeatureGate("CBORServingAndStorage").
 					reportProblemsToJiraComponent("kube-apiserver").
 					contactPerson("benluddy").
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
index c1d43a43bc4..cab2d977a1c 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
@@ -161,6 +161,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "ImageModeStatusReporting"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
index d407d6bea75..7059d5acb40 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
@@ -225,6 +225,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "GatewayAPIWithoutOLM"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
index 8c603acea37..5c02ae07a5f 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
@@ -163,6 +163,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "ImageModeStatusReporting"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
index 2e4864797f3..e2f09338867 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
@@ -240,6 +240,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "GatewayAPIWithoutOLM"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
index 4f43aef34ef..19d80723fb2 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
@@ -158,6 +158,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "HyperShiftOnlyDynamicResourceAllocation"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
index c69db071a71..facb0968902 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -204,6 +204,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "GatewayAPIWithoutOLM"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
index 596cc8ad492..27797cd8312 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
@@ -160,6 +160,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "HyperShiftOnlyDynamicResourceAllocation"
                     },
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
index 11c4f83aaf1..e0a7acb868a 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -219,6 +219,9 @@
                     {
                         "name": "GCPDualStackInstall"
                     },
+                    {
+                        "name": "GCPKMSEncryptionInstall"
+                    },
                     {
                         "name": "GatewayAPIWithoutOLM"
                     },