wire real kms plugin

[gangwgr]

Summary by CodeRabbit

• Tests

  • KMS end-to-end encryption tests now exercise the real vault-based encryption provider for KMS on/off cycling and provider migration scenarios.

• Chores

  • Library dependency updated to a newer version and module resolution redirected to an alternate source for builds.
  • KMS plugin is now attached as a static pod sidecar to the API server deployment.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0829804d-93c1-4cfd-beb3-503f2d35d17b

📥 Commits

Reviewing files that changed from the base of the PR and between 71d9de5 and 5040d7c.

⛔ Files ignored due to path filters (4)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• pkg/operator/targetconfigcontroller/targetconfigcontroller.go

---

Walkthrough

This PR updates module resolution for github.com/openshift/library-go via a replace directive, switches two KMS e2e tests to use librarykms.DefaultVaultEncryptionProvider instead of the fake provider, and injects the KMS plugin as a static-pod sidecar in the kube-apiserver pod spec.

Changes

KMS Vault Provider Update

Layer / File(s)	Summary
Module dependency and resolution update go.mod	github.com/openshift/library-go requirement updated to a newer version, and a replace directive added to redirect the module to github.com/gangwgr/library-go for module resolution.
E2E test encryption provider updates test/e2e-encryption-kms/encryption_kms.go	KMS e2e tests switched from librarykms.DefaultFakeVaultEncryptionProvider to librarykms.DefaultVaultEncryptionProvider in the KMS on/off cycle and KMS↔AES migration scenarios.
KMS plugin injected as static-pod sidecar pkg/operator/targetconfigcontroller/targetconfigcontroller.go	managePods now calls AddKMSPluginSidecarToStaticPodSpec to attach the KMS plugin as a static pod sidecar when building the kube-apiserver pod spec.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/cluster-kube-apiserver-operator#2167: Both PRs modify test/e2e-encryption-kms/encryption_kms.go to change which KMS encryption provider the e2e tests use in the same scenarios.
• openshift/cluster-kube-apiserver-operator#2168: Related edits to KMS test wiring and mock/real Vault plugin handling in the e2e test flow.

Suggested reviewers

• p0lyn0mial
• dgrisonnet
• benluddy

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New e2e tests added require external image pulls (quay.io, registry.ci.openshift.org) that will fail in disconnected environments without registry mirrors.	Verify images are available in your disconnected environment or add [Skipped:Disconnected] tag. For disconnected CI, configure image mirrors or include images in mirrored registries.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'wire real kms plugin' directly describes the main changes: switching from fake to real KMS encryption providers and updating the plugin wiring configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names contain only static strings with no dynamic information like timestamps, UUIDs, pod names, or IP addresses.
Test Structure And Quality	✅ Passed	Test code meets all quality requirements: proper test responsibility, 120m timeouts specified, delegates setup/cleanup/assertions to library, consistent with codebase patterns.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes only modify existing tests' provider configuration and update dependencies/code logic.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added in this PR. Tests in encryption_kms.go were added in prior commit; only KMS provider configuration changes.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes only modify KMS sidecar credential mounting without introducing topology-aware scheduling constraints, affinity rules, or node selectors.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout violations found. Test changes are within Ginkgo It() blocks, controller changes in event handlers, and go.mod is dependency management.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or unsafe secret comparisons detected in the code changes.
Container-Privileges	✅ Passed	The three modified files (go.mod, encryption_kms.go, targetconfigcontroller.go) contain no privileged container settings or escalation configurations.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no logging that exposes sensitive data; it only changes function calls and test configuration, with sensitive credentials properly isolated in container args without logging.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign flavianmissi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 140: The replace directive in go.mod that points
github.com/openshift/library-go to a personal fork (the replace line using
github.com/gangwgr/library-go at pseudo-version 2ba893b1bf49) must be removed or
replaced with an approved, traceable alternative: either revert to the official
upstream module, or add a documented, temporary replace policy consisting of (1)
a brief justification and owner/trust approval in the PR description, (2) a
target upstream commit or fork provenance link and the fork commit SHA, (3) a
retire-by date and explicit plan to remove the replace, and (4) SBOM/provenance
and Sigstore/cosign signing attestations for artifacts that build with this
dependency; update go.sum and vendor/modules.txt accordingly and mention these
controls in the PR so reviewers can verify the provenance before merging.

In `@test/e2e-encryption-kms/encryption_kms.go`:
- Line 55: Update the scenario comments that refer to deploying a mock KMS to
reflect that the test now uses the real Vault provider: find the test
configuration where EncryptionProvider is set to
librarykms.DefaultVaultEncryptionProvider and replace any step text or comments
that say “Deploys the mock KMS plugin” (and similar occurrences around the
second instance near the other mention) with wording indicating the real Vault
provider is used (e.g., “Deploys/configures Vault KMS provider” or “Uses
DefaultVaultEncryptionProvider (Vault)”), keeping the comment meaning consistent
with the existing test setup.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd85d0e5-b82e-4dda-a7c7-acbfb788131a

📥 Commits

Reviewing files that changed from the base of the PR and between 42ecd90 and b2c7625.

⛔ Files ignored due to path filters (4)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Confirm the exact replace directive committed in this PR
rg -n 'replace github.com/openshift/library-go' go.mod

# Verify the referenced commit exists in the fork
git ls-remote https://github.com/gangwgr/library-go | rg '2ba893b1bf49' || true

# Fetch commit metadata for audit trail (requires gh auth in sandbox)
gh api repos/gangwgr/library-go/commits/2ba893b1bf49 --jq '{sha: .sha, author: .commit.author, message: .commit.message}'

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 434

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Ensure go.sum is updated for the forked module
rg -n 'github\.com/gangwgr/library-go' go.sum || true
rg -n 'github\.com/openshift/library-go' go.sum || true

# Check whether the same commit exists upstream (to assess derivation/audit trail)
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true

# Look for any PR/commit rationale documenting the temporary fork + retirement plan
rg -n 'library-go|gangwgr|replace github\.com/openshift/library-go' . || true

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 50398

---

🏁 Script executed:

# Ensure the forked commit is traceable to upstream history (not just “exists” in the fork)
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true

# Confirm go.sum + vendor are consistent with the replace (pinning)
rg -n 'github\.com/gangwgr/library-go v0\.0\.0-20260529041857-2ba893b1bf49' go.sum
rg -n 'github\.com/openshift/library-go v0\.0\.0-20260529041857-2ba893b1bf49.*gangwgr/library-go' vendor/modules.txt

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 526

---

🏁 Script executed:

# Confirm fork commit corresponds to an upstream change (same commit/PR/tag) rather than an unrelated fork delta
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true

# Check for any repo/pipeline evidence of required SBOM/provenance + cosign signing coverage
rg -n '(cosign|sigstore|sbom|provenance|slsa)' . || true

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 3386

---

🏁 Script executed:

# Prove upstream linkage (same SHA) or equivalent upstream PR/commit
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true

# Check repo/CI for SBOM/provenance + signing (cosign/sigstore/rekor)
rg -n '(cosign|sigstore|rekor|sbom|provenance|slsa|attestations)' . || true

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 7324

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the exact replace + pinned sums
rg -n 'replace github\.com/openshift/library-go' go.mod
rg -n 'github\.com/gangwgr/library-go v0\.0\.0-20260529041857-2ba893b1bf49' go.sum vendor/modules.txt

# Map fork commit to upstream history/PR (e.g., same SHA or upstream PR)
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true

# Look for actual SBOM/provenance/signing controls (cosign/slsa/attestations), not just Rekor schema types
rg -n '(cosign|sigstore|sbom|provenance|slsa|attestation)' . || true

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 4037

---

🏁 Script executed:

rg -n 'replace github\.com/openshift/library-go' go.mod
rg -n 'github\.com/gangwgr/library-go v0\.0\.0-20260529041857-2ba893b1bf49' go.sum vendor/modules.txt
git ls-remote https://github.com/openshift/library-go | rg '2ba893b1bf49' || true
rg -n '(cosign|sigstore|sbom|provenance|slsa|attest|rekor)' . || true

Repository: openshift/cluster-kube-apiserver-operator

Length of output: 10248

---

Supply-chain: block merging go.mod replace of github.com/openshift/library-go to a personal fork without provenance/retirement controls

go.mod line 140 redirects the dependency:

replace github.com/openshift/library-go => github.com/gangwgr/library-go v0.0.0-20260529041857-2ba893b1bf49

The fork pseudo-version/commit are pinned in go.sum (h1 hashes) and reflected in vendor/modules.txt; the referenced commit 2ba893b1bf49a66e91d21713c7d34b99644f7f05 exists in the fork (refs/pull/2248/head). However, there’s no accompanying evidence here of required provenance controls per prodsec-skills:

• Upstream linkage/audit trail (how this fork commit relates to openshift/library-go)
• Owner trust + explicit temporary/retirement plan to remove the replace
• Confirmation that SBOM/provenance attestations and Sigstore/cosign signing cover the build/artifacts produced from this dependency

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 140, The replace directive in go.mod that points
github.com/openshift/library-go to a personal fork (the replace line using
github.com/gangwgr/library-go at pseudo-version 2ba893b1bf49) must be removed or
replaced with an approved, traceable alternative: either revert to the official
upstream module, or add a documented, temporary replace policy consisting of (1)
a brief justification and owner/trust approval in the PR description, (2) a
target upstream commit or fork provenance link and the fork commit SHA, (3) a
retire-by date and explicit plan to remove the replace, and (4) SBOM/provenance
and Sigstore/cosign signing attestations for artifacts that build with this
dependency; update go.sum and vendor/modules.txt accordingly and mention these
controls in the PR so reviewers can verify the provenance before merging.

[gangwgr]

/test e2e-gcp-operator-encryption-kms

[gangwgr]

/test e2e-gcp-operator-encryption-kms

[gangwgr]

/test e2e-gcp-operator-encryption-kms

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-kms	5040d7c	link	false	/test e2e-gcp-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.