diff --git a/go.mod b/go.mod
index 5030e2f8c5..3e421c1528 100644
--- a/go.mod
+++ b/go.mod
@@ -136,3 +136,5 @@ require (
 )
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+
+replace github.com/openshift/library-go => github.com/p0lyn0mial/library-go v0.0.0-20260427093740-115beeb42338
diff --git a/go.sum b/go.sum
index 4a551f7e46..9d85fe018a 100644
--- a/go.sum
+++ b/go.sum
@@ -165,11 +165,11 @@ github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+S
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260317180604-743f664b82d1 h1:Hr/R38eg5ZJXfbiaHumjJIN1buDZwhsm4ys4npVCXH0=
 github.com/openshift/client-go v0.0.0-20260317180604-743f664b82d1/go.mod h1:Za51LlH76ALiQ/aKGBYJXmyJNkA//IDJ+I///30CA2M=
-github.com/openshift/library-go v0.0.0-20260420122951-18e793702c2d h1:qyb9W4WOZM2QFnEFzECG96sPjLyceqY9tdaa+8S0f8k=
-github.com/openshift/library-go v0.0.0-20260420122951-18e793702c2d/go.mod h1:pQx73OLgJJtHR2WJVdkH0Zng/yywdL5hmPGw1QbGV/w=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
+github.com/p0lyn0mial/library-go v0.0.0-20260427093740-115beeb42338 h1:NNNp4kmbB1z8/DDhOnnpWkQHNkWIaT0r2IOj/lCSFbA=
+github.com/p0lyn0mial/library-go v0.0.0-20260427093740-115beeb42338/go.mod h1:pQx73OLgJJtHR2WJVdkH0Zng/yywdL5hmPGw1QbGV/w=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
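Review bot: The new `replace` directive redirects github.com/openshift/library-go to the personal fork github.com/p0lyn0mial/library-go, so the build now pulls that dependency from outside the openshift organization; the go.sum h1: entries pin its content, which covers integrity but not provenance or future maintenance. If this is a temporary pin to test an unmerged upstream change, add a comment above it naming what it tracks, e.g. `// TODO: drop once the library-go KMS annotation change is merged upstream`, so the fork does not linger after the upstream merge. The vendored delta it brings is also more than a rename: the KMS configuration moves from the Secret's data field to the annotation encryption.apiserver.operator.openshift.io/kms-config, every key's Endpoint now points at the single socket kms-1.sock rather than kms-<keyID>.sock, and ToKeyState now parses that annotation for every mode rather than only KMS, so a malformed annotation on a non-KMS key secret becomes a hard error. Those behaviour changes are worth stating in the PR description so the replace is reviewed for what it pulls in, not just for the version it names.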
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go
index d74cf91c7d..f5503069e7 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go
@@ -39,7 +39,7 @@ import (
 // greater than the last key's ID (the first key has a key ID of 1).
 const (
 encryptionSecretMigrationInterval = time.Hour * 24 * 7 // one week
- kmsEndpointFormat = "unix:///var/run/kmsplugin/kms-%d.sock"
+ defaultKMSEndpoint = "unix:///var/run/kmsplugin/kms-1.sock"
 defaultKMSTimeout = 10 * time.Second
 )
@@ -271,10 +271,10 @@ func (c *keyController) generateKeySecret(keyID uint64, currentMode state.Mode,
 ExternalReason: externalReason,
 }
 if currentMode == state.KMS {
- ks.KMSEncryptionConfig = &apiserverv1.KMSConfiguration{
+ ks.KMSConfiguration = &apiserverv1.KMSConfiguration{
 APIVersion: "v2",
 Name: fmt.Sprintf("%d", keyID),
- Endpoint: fmt.Sprintf(kmsEndpointFormat, keyID),
+ Endpoint: defaultKMSEndpoint,
 Timeout: &metav1.Duration{Duration: defaultKMSTimeout},
 }
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go
index 1b63026bc5..ccface2ef0 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go
@@ -209,12 +209,12 @@ func stateToProviders(resource string, desired state.GroupResourceState) []apise
 },
 })
 case state.KMS:
- if key.KMSEncryptionConfig == nil {
- klog.Infof("skipping key %s for %s in KMS mode as its KMSEncryptionConfig is nil", key.Key.Name, resource)
+ if key.KMSConfiguration == nil {
+ klog.Infof("skipping key %s for %s in KMS mode as its KMSConfiguration is nil", key.Key.Name, resource)
 continue // this should never happen
 }
 // In order to preserve the uniqueness, we should insert resource name
- kmsCopy := key.KMSEncryptionConfig.DeepCopy()
+ kmsCopy := key.KMSConfiguration.DeepCopy()
 kmsCopy.Name = createKMSProviderName(key.Key.Name, resource)
 provider := apiserverconfigv1.ProviderConfiguration{
 KMS: kmsCopy,
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go
index eccb06b32e..54aec75f2e 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go
@@ -58,21 +58,21 @@ func ToKeyState(s *corev1.Secret) (state.KeyState, error) {
 key.ExternalReason = v
 }
+ if v, ok := s.Annotations[EncryptionSecretKMSConfig]; ok && len(v) > 0 {
+ kmsConfiguration := &apiserverconfigv1.KMSConfiguration{}
+ if err := json.Unmarshal([]byte(v), kmsConfiguration); err != nil {
+ return state.KeyState{}, fmt.Errorf("secret %s/%s has invalid %s annotation: %v", s.Namespace, s.Name, EncryptionSecretKMSConfig, err)
+ }
+ key.KMSConfiguration = kmsConfiguration
+ }
+
 keyMode := state.Mode(s.Annotations[encryptionSecretMode])
 switch keyMode {
 case state.AESCBC, state.AESGCM, state.SecretBox, state.Identity:
 key.Mode = keyMode
 case state.KMS:
- if v, ok := s.Data[EncryptionSecretKMSEncryptionConfig]; ok && len(v) > 0 {
- kmsConfiguration := &apiserverconfigv1.KMSConfiguration{}
- if err := json.Unmarshal(v, kmsConfiguration); err != nil {
- return state.KeyState{}, fmt.Errorf("secret %s/%s has invalid %s data: %w", s.Namespace, s.Name, EncryptionSecretKMSEncryptionConfig, err)
- }
- key.KMSEncryptionConfig = kmsConfiguration
- } else {
- // encryption.apiserver.operator.openshift.io-kms-encryption-config data field is required for KMS
- // encryption mode.
- return state.KeyState{}, fmt.Errorf("%s can not be empty, when mode is KMS", EncryptionSecretKMSEncryptionConfig)
+ if key.KMSConfiguration == nil {
+ return state.KeyState{}, fmt.Errorf("KMSConfiguration can not be nil, when mode is KMS")
 }
 key.Mode = keyMode
 default:
@@ -126,12 +126,12 @@ func FromKeyState(component string, ks state.KeyState) (*corev1.Secret, error) {
 s.Annotations[EncryptionSecretMigratedResources] = string(bs)
 }
- if ks.KMSEncryptionConfig != nil {
- kmsEncCfgJSON, err := json.Marshal(ks.KMSEncryptionConfig)
+ if ks.KMSConfiguration != nil {
+ ksJSON, err := json.Marshal(ks.KMSConfiguration)
 if err != nil {
 return nil, err
 }
- s.Data[EncryptionSecretKMSEncryptionConfig] = kmsEncCfgJSON
+ s.Annotations[EncryptionSecretKMSConfig] = string(ksJSON)
 }
 return s, nil
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/types.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/types.go
index ed7ba5e8ba..443c7975e1 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/types.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/types.go
@@ -50,9 +50,8 @@ const (
 // deletion of secrets by enforcing a two phase delete.
 EncryptionSecretFinalizer = "encryption.apiserver.operator.openshift.io/deletion-protection"
- // EncryptionSecretKMSEncryptionConfig is the data field key that stores the serialized KMS
- // encryption configuration for KMS mode in the encryption-key secret.
- EncryptionSecretKMSEncryptionConfig = "encryption.apiserver.operator.openshift.io-kms-encryption-config"
+ // EncryptionSecretKMSConfig is the annotation that stores the encoded KMS configuration.
+ EncryptionSecretKMSConfig = "encryption.apiserver.operator.openshift.io/kms-config"
 )
 // MigratedGroupResources is the data structured stored in the
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go
index d8b6fe605b..61313d745e 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/encryption/state/types.go
@@ -40,8 +40,8 @@ type KeyState struct {
 InternalReason string
 // the user via unsupportConfigOverrides.encryption.reason triggered this key.
 ExternalReason string
- // Encoded KMSEncryptionConfig that stores the KMS related fields
- KMSEncryptionConfig *apiserverconfigv1.KMSConfiguration
+ // Encoded KMSConfiguration that stores the KMS related fields
+ KMSConfiguration *apiserverconfigv1.KMSConfiguration
 }
 type MigrationState struct {
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go b/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go
index 41a6e01cac..60aebe22dd 100644
--- a/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go
@@ -29,7 +29,7 @@ const (
 WellKnownUpstreamMockKMSPluginNamespace = "k8s-mock-plugin"
 // WellKnownUpstreamMockKMSPluginImage is the pre-built mock KMS plugin image.
- WellKnownUpstreamMockKMSPluginImage = "quay.io/openshifttest/mock-kms-plugin@sha256:998e1d48eba257f589ab86c30abd5043f662213e9aeff253e1c308301879d48a"
+ WellKnownUpstreamMockKMSPluginImage = "quay.io/openshifttest/mock-kms-plugin@sha256:76444d7e37d0d2d0f4dfae31893e937f766439ce07036bf19325050b594d2e2c"
 // DefaultKMSPluginCount is the default number of KMS plugin instances to deploy.
 DefaultKMSPluginCount = 10
@@ -55,6 +55,12 @@ type yamlTemplateData struct {
 Index int
 }
+// ReadAsset reads the given embedded asset YAML template and renders it.
+func ReadAsset(assetName string) ([]byte, error) {
+ assetFunc := wrapAssetWithTemplateDataFunc(yamlTemplateData{Namespace: "default"})
+ return assetFunc(assetName)
+}
+
 // DeployUpstreamMockKMSPlugin deploys count instances of the upstream mock KMS v2 plugin
 func DeployUpstreamMockKMSPlugin(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, image string, count int) {
 t.Helper()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ed4fdc55a1..922c5ed22f 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -406,7 +406,7 @@ github.com/openshift/client-go/security/informers/externalversions/internalinter
 github.com/openshift/client-go/security/informers/externalversions/security
 github.com/openshift/client-go/security/informers/externalversions/security/v1
 github.com/openshift/client-go/security/listers/security/v1
-# github.com/openshift/library-go v0.0.0-20260420122951-18e793702c2d
+# github.com/openshift/library-go v0.0.0-20260420122951-18e793702c2d => github.com/p0lyn0mial/library-go v0.0.0-20260427093740-115beeb42338
 ## explicit; go 1.25.0
 github.com/openshift/library-go/pkg/apiserver/jsonpatch
 github.com/openshift/library-go/pkg/assets
@@ -1696,3 +1696,4 @@ sigs.k8s.io/structured-merge-diff/v6/value
 ## explicit; go 1.22
 sigs.k8s.io/yaml
 # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+# github.com/openshift/library-go => github.com/p0lyn0mial/library-go v0.0.0-20260427093740-115beeb42338