2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -136,3 +136,5 @@ require (
)

replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => github.com/bertinatto/library-go v0.0.0-20260529122804-e63c73d0ca68
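Review bot: the new `replace` directive at the end of this hunk pins github.com/openshift/library-go to a personal fork, github.com/bertinatto/library-go, at a pseudo-version, so every build of this operator now compiles library-go from a repository outside the openshift org. A replace to a fork is reasonable as a temporary bridge while the corresponding library-go change is in review, but the PR description should link that upstream PR, and a follow-up should drop this directive and bump the upstream pseudo-version instead; left in place it becomes a standing supply-chain dependency on one developer's account, with the existing onsi-ginkgo replace above it as the only precedent, and that one at least points at the openshift org.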
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -8,6 +8,8 @@ github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfT
github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bertinatto/library-go v0.0.0-20260529122804-e63c73d0ca68 h1:WMwZr0dhwlT0zDzH4WgRxQ0Rq2Qi2sr/u7RB5vFxZ7A=
github.com/bertinatto/library-go v0.0.0-20260529122804-e63c73d0ca68/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
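Review bot: the two added go.sum lines for github.com/bertinatto/library-go carry the same `/go.mod` hash (`h1:/HBhy6jm/...`) as the upstream openshift/library-go entry removed further down in this file, which shows the fork did not change library-go's own dependency set; only the module zip hash is new. Please confirm these sums were produced by `go mod tidy` against the checksum database rather than under a GONOSUMDB or GOFLAGS=-mod=mod override, and that `go mod verify` passes in CI with this go.sum, so the fork's content stays verifiable.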
Expand Down Expand Up @@ -165,8 +167,6 @@ github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+S
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk=
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a/go.mod h1:V933kvY/cb/Un7UCEOhXHUySNX327u7Epe8g9KNqg2Q=
github.com/openshift/library-go v0.0.0-20260527152424-3ad832f9a5a5 h1:IPkGTFwKR7Y6/6NNsp681u8Qi/zZGJdY2dySYVTuyyc=
github.com/openshift/library-go v0.0.0-20260527152424-3ad832f9a5a5/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
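Review bot: removing the two upstream openshift/library-go entries here is the expected side effect of the replace directive in go.mod, but it couples this file to that directive: when the replace is later dropped, `go mod tidy` must be rerun so these lines return, or builds will fail on a missing go.sum entry. Worth mentioning in the follow-up task that removes the fork.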
Expand Up @@ -330,7 +330,7 @@ func managePods(ctx context.Context, client coreclientv1.ConfigMapsGetter, secre
required.Spec.Containers[i].Env = append(container.Env, proxyEnvVars...)
}

if err := kmspluginlifecycle.AddKMSPluginSidecarToPodSpec(ctx, &required.Spec, "kube-apiserver", operatorclient.TargetNamespace, "encryption-config", secretClient, featureGateAccessor); err != nil {
if err := kmspluginlifecycle.AddKMSPluginSidecarToStaticPodSpec(ctx, &required.Spec, "kube-apiserver", operatorclient.TargetNamespace, "encryption-config", "/etc/kubernetes/static-pod-resources", secretClient, featureGateAccessor); err != nil {
return nil, false, fmt.Errorf("failed to add KMS plugin to pod spec: %w", err)
}
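Review bot: the replacement call to `AddKMSPluginSidecarToStaticPodSpec` passes the static-pod resources directory as the string literal `"/etc/kubernetes/static-pod-resources"`. If the operator already defines that mount path as a constant, reference it here instead of repeating the literal: a mismatch between the path the sidecar is told about and the path the installer actually mounts would surface only at runtime, as the KMS plugin failing to find its encryption config. Also note that this new function exists only in the forked library-go pinned by the go.mod replace, so the two changes must land together; the error message `failed to add KMS plugin to pod spec` is unchanged and still accurate.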

4 changes: 2 additions & 2 deletions test/e2e-encryption-kms/encryption_kms.go
Expand Up @@ -52,7 +52,7 @@ func testKMSEncryptionOnOff(ctx context.Context, t testing.TB) {
AssertResourceNotEncryptedFunc: operatorencryption.AssertSecretOfLifeNotEncrypted,
ResourceFunc: operatorencryption.SecretOfLife,
ResourceName: "SecretOfLife",
EncryptionProvider: librarykms.DefaultFakeVaultEncryptionProvider,
EncryptionProvider: librarykms.DefaultVaultEncryptionProvider,
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update scenario comments to match the real Vault provider flow.

After switching to librarykms.DefaultVaultEncryptionProvider, the step lists still say “Deploys the mock KMS plugin” (Line 29, Line 61), which is now misleading.

Suggested comment update
 // testKMSEncryptionOnOff tests KMS encryption on/off cycle.
 // This test:
-// 1. Deploys the mock KMS plugin
+// 1. Configures the Vault-backed KMS provider
 // 2. Creates a test secret (SecretOfLife)
 // 3. Enables KMS encryption
 // 4. Verifies secret is encrypted
 // 5. Disables encryption (Identity)
 // 6. Verifies secret is NOT encrypted
 // 7. Re-enables KMS encryption
 // 8. Verifies secret is encrypted again
 // 9. Disables encryption (Identity) again
 // 10. Verifies secret is NOT encrypted again

 // testKMSEncryptionProvidersMigration tests migration between KMS and AES encryption providers.
 // This test:
-// 1. Deploys the mock KMS plugin
+// 1. Configures the Vault-backed KMS provider
 // 2. Creates a test secret (SecretOfLife)
 // 3. Randomly picks one AES encryption provider (AESGCM or AESCBC)
 // 4. Shuffles the selected AES provider with KMS to create a randomized migration order
 // 5. Migrates between the providers in the shuffled order
 // 6. Verifies secret is correctly encrypted after each migration

Also applies to: 84-84

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` at line 55, The scenario comments
are outdated: after setting EncryptionProvider to
librarykms.DefaultVaultEncryptionProvider the comments that read "Deploys the
mock KMS plugin" are misleading. Update the scenario step comments near the
EncryptionProvider assignment and the other mentions to describe the real Vault
provider flow (e.g., "Deploys the Vault KMS provider / configures Vault KMS"),
ensuring references to librarykms.DefaultVaultEncryptionProvider and any related
setup steps reflect the real Vault deployment instead of "mock".

})
}
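Review bot: switching `EncryptionProvider` from `librarykms.DefaultFakeVaultEncryptionProvider` to `librarykms.DefaultVaultEncryptionProvider` turns this from a self-contained e2e into one that needs a real Vault-backed KMS plugin reachable from the test cluster. Please state in the PR which CI job provisions that Vault instance and its credentials, and confirm the test fails loudly rather than being skipped or passing vacuously when the provider is unavailable. The inline comment above already covers the stale "Deploys the mock KMS plugin" step descriptions.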

Expand Down Expand Up @@ -81,7 +81,7 @@ func testKMSEncryptionProvidersMigration(ctx context.Context, t testing.TB) {
ResourceFunc: operatorencryption.SecretOfLife,
ResourceName: "SecretOfLife",
EncryptionProviders: library.ShuffleEncryptionProviders([]library.EncryptionProvider{
librarykms.DefaultFakeVaultEncryptionProvider,
librarykms.DefaultVaultEncryptionProvider,
library.SupportedStaticEncryptionProviders[rand.IntN(len(library.SupportedStaticEncryptionProviders))],
}),
})
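Review bot: same provider swap as in testKMSEncryptionOnOff, combined here with `library.ShuffleEncryptionProviders` and `rand.IntN`, so each run migrates through a different order against the real Vault backend. Make sure the selected AES provider and the shuffled order are logged at the start of the test; otherwise an intermittent failure in one migration direction cannot be reproduced from the CI output.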