WIP: Fake bump to get credentials in KMS plugin

[bertinatto]

Summary by CodeRabbit

• Chores

  • Updated dependency mapping to use pinned alternative sources for two third‑party modules to ensure reproducible builds.

• Bug Fixes

  • Improved KMS plugin sidecar injection for managed pods to enhance deployment reliability and correctness.

• Tests

  • e2e KMS encryption tests now exercise a real Vault-backed provider instead of the previous fake provider.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

Adds go.mod replace directives for ginkgo and library-go, changes managePods to use kmspluginlifecycle.AddKMSPluginSidecarToStaticPodSpec, and updates e2e KMS tests to use librarykms.DefaultVaultEncryptionProvider.

Changes

KMS sidecar + deps + tests

Layer / File(s)	Summary
Module replace directives go.mod	Adds replace directives: redirects github.com/onsi/ginkgo/v2 to github.com/openshift/onsi-ginkgo/v2 at v2.6.1-0.20251001123353-fd5b1fb35db1, and github.com/openshift/library-go to github.com/bertinatto/library-go at v0.0.0-20260529122804-e63c73d0ca68.
KMS plugin sidecar helper update pkg/operator/targetconfigcontroller/targetconfigcontroller.go	managePods now calls kmspluginlifecycle.AddKMSPluginSidecarToStaticPodSpec instead of AddKMSPluginSidecarToPodSpec, altering how required.Spec is modified to include the KMS sidecar.
E2E encryption KMS provider switch test/e2e-encryption-kms/encryption_kms.go	Replaces librarykms.DefaultFakeVaultEncryptionProvider with librarykms.DefaultVaultEncryptionProvider in the encryption on/off and provider-migration test scenarios.

Possibly related PRs

• openshift/cluster-kube-apiserver-operator#2167: Modifies the same e2e encryption KMS provider selection in tests.

Suggested reviewers

• benluddy
• gangwgr

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 4

❌ Failed checks (3 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test comments mislead: lines 29 and 61 say "Deploys the mock KMS plugin" but code uses librarykms.DefaultVaultEncryptionProvider (Vault-backed, not mock).	Update lines 29 and 61 to replace "Deploys the mock KMS plugin" with "Configures the Vault-backed KMS provider".
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New e2e tests TestKMSEncryptionOnOff and TestKMSEncryptionProvidersMigration lack SNO protection: no [Skipped:SingleReplicaTopology] label or IsSingleNode() checks.	Add [Skipped:SingleReplicaTopology] label to test names or use IsSingleNode() with g.Skip() in test bodies for SNO compatibility.
Title check	❓ Inconclusive	The title 'WIP: Fake bump to get credentials in KMS plugin' is vague and uses unclear language ('Fake bump'). While it mentions KMS plugin and credentials, the phrasing does not clearly convey the actual changes made in the changeset.	Revise the title to be more descriptive and clear. Consider: 'Update KMS plugin dependencies and switch encryption providers to vault' or similar, removing 'WIP:' and 'Fake bump' in favor of specific change description.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Both Ginkgo test names (TestKMSEncryptionOnOff, TestKMSEncryptionProvidersMigration) are static strings with no dynamic content, generated IDs, timestamps, or pod/namespace names.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added. Test modifications only switch EncryptionProvider values in existing tests (+2/-2 changes). Check applies only to newly added tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR changes (go.mod replacements, KMS sidecar injection call, and test provider updates) do not introduce deployment manifests or scheduling constraints affecting OpenShift topologies.
Ote Binary Stdout Contract	✅ Passed	No OTE stdout contract violations detected. Changes involve only dependency redirects, function call changes, and test configuration data with no process-level stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR—only existing tests are modified to use a different provider. Check only applies to newly added tests.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) detected. No custom crypto or unsafe secret comparisons introduced in changed files.
Container-Privileges	✅ Passed	No container privilege escalation issues found. PR changes only Go code and dependencies; no Kubernetes manifests, container specs, or privilege-related settings were added or modified.
No-Sensitive-Data-In-Logs	✅ Passed	No logging of sensitive data found. Changes include dependency updates, KMS function call replacement, and test provider switches. No passwords, tokens, keys, or credentials are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 140: The PR introduces a direct module replacement "replace
github.com/openshift/library-go => github.com/bertinatto/library-go
v0.0.0-20260528185215-82202de1e3b1" in go.mod (also mirrored in
vendor/modules.txt) without documented provenance or supply-chain controls;
either revert that replace to restore the upstream module or, if the fork is
required, add a short documented justification and mitigation: record the exact
fork/version and why it's needed, verify license compatibility, run and record
CVE/supply-chain scans for that specific version, ensure the release pipeline
produces provenance/SBOM and artifact signing (e.g., Sigstore/cosign) for builds
using the fork, and add an explicit removal plan and timeline; update repository
docs (e.g., a SECURITY or DEPENDENCIES note) to reflect these steps before
merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 731381c7-46ff-46da-b155-61fef9fe56fa

📥 Commits

Reviewing files that changed from the base of the PR and between b9a9d00 and 3a0ca99.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "[1] Confirm replace directive in go.mod"
rg -n '^replace github.com/openshift/library-go => ' go.mod

echo "[2] Extract replacement target/version and flag non-openshift namespace"
python - <<'PY'
import re, pathlib
text = pathlib.Path("go.mod").read_text()
m = re.search(r'^replace github\.com/openshift/library-go => (\S+) (\S+)$', text, re.M)
if not m:
    raise SystemExit("replace directive not found")
target, version = m.groups()
print(f"target={target}")
print(f"version={version}")
print(f"non_official_namespace={not target.startswith('github.com/openshift/')}")
PY

echo "[3] Confirm vendored module metadata carries the same replacement"
rg -n 'github.com/openshift/library-go .*=> github.com/bertinatto/library-go' vendor/modules.txt

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 743

---

Block merging personal-fork replace for github.com/openshift/library-go without provenance controls

• go.mod (line 140) replaces github.com/openshift/library-go with github.com/bertinatto/library-go at v0.0.0-20260528185215-82202de1e3b1.
• vendor/modules.txt includes the same replacement mapping, so vendored builds will use the fork.
• Require a documented justification + license compatibility and CVE/supply-chain scanning for that exact version, and ensure the release pipeline meets provenance/SBOM and artifact-signing requirements (e.g., Sigstore/cosign) with an explicit removal plan; otherwise revert the replace.

replace github.com/openshift/library-go => github.com/bertinatto/library-go v0.0.0-20260528185215-82202de1e3b1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 140, The PR introduces a direct module replacement "replace
github.com/openshift/library-go => github.com/bertinatto/library-go
v0.0.0-20260528185215-82202de1e3b1" in go.mod (also mirrored in
vendor/modules.txt) without documented provenance or supply-chain controls;
either revert that replace to restore the upstream module or, if the fork is
required, add a short documented justification and mitigation: record the exact
fork/version and why it's needed, verify license compatibility, run and record
CVE/supply-chain scans for that specific version, ensure the release pipeline
produces provenance/SBOM and artifact signing (e.g., Sigstore/cosign) for builds
using the fork, and add an explicit removal plan and timeline; update repository
docs (e.g., a SECURITY or DEPENDENCIES note) to reflect these steps before
merging.

[bertinatto]

/test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xueqzhan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Line 55: The scenario comments are outdated: after setting EncryptionProvider
to librarykms.DefaultVaultEncryptionProvider the comments that read "Deploys the
mock KMS plugin" are misleading. Update the scenario step comments near the
EncryptionProvider assignment and the other mentions to describe the real Vault
provider flow (e.g., "Deploys the Vault KMS provider / configures Vault KMS"),
ensuring references to librarykms.DefaultVaultEncryptionProvider and any related
setup steps reflect the real Vault deployment instead of "mock".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f812f600-5966-4222-80f1-6ae2230df190

📥 Commits

Reviewing files that changed from the base of the PR and between d985e36 and b0b6df4.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (3)

• go.mod
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go
• test/e2e-encryption-kms/encryption_kms.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/operator/targetconfigcontroller/targetconfigcontroller.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update scenario comments to match the real Vault provider flow.

After switching to librarykms.DefaultVaultEncryptionProvider, the step lists still say “Deploys the mock KMS plugin” (Line 29, Line 61), which is now misleading.

Suggested comment update

 // testKMSEncryptionOnOff tests KMS encryption on/off cycle.
 // This test:
-// 1. Deploys the mock KMS plugin
+// 1. Configures the Vault-backed KMS provider
 // 2. Creates a test secret (SecretOfLife)
 // 3. Enables KMS encryption
 // 4. Verifies secret is encrypted
 // 5. Disables encryption (Identity)
 // 6. Verifies secret is NOT encrypted
 // 7. Re-enables KMS encryption
 // 8. Verifies secret is encrypted again
 // 9. Disables encryption (Identity) again
 // 10. Verifies secret is NOT encrypted again

 // testKMSEncryptionProvidersMigration tests migration between KMS and AES encryption providers.
 // This test:
-// 1. Deploys the mock KMS plugin
+// 1. Configures the Vault-backed KMS provider
 // 2. Creates a test secret (SecretOfLife)
 // 3. Randomly picks one AES encryption provider (AESGCM or AESCBC)
 // 4. Shuffles the selected AES provider with KMS to create a randomized migration order
 // 5. Migrates between the providers in the shuffled order
 // 6. Verifies secret is correctly encrypted after each migration

Also applies to: 84-84

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` at line 55, The scenario comments
are outdated: after setting EncryptionProvider to
librarykms.DefaultVaultEncryptionProvider the comments that read "Deploys the
mock KMS plugin" are misleading. Update the scenario step comments near the
EncryptionProvider assignment and the other mentions to describe the real Vault
provider flow (e.g., "Deploys the Vault KMS provider / configures Vault KMS"),
ensuring references to librarykms.DefaultVaultEncryptionProvider and any related
setup steps reflect the real Vault deployment instead of "mock".

[openshift-ci]

@bertinatto: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-kms	b0b6df4	link	false	/test e2e-gcp-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bertinatto]

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#699 openshift/cluster-authentication-operator#903