CNTRLPLANE-3237: In-place field update for KMS mode regardless of the convergence#2241

Open
ardaguclu wants to merge 1 commit into openshift:master from ardaguclu:in-place-field

Conversation

ardaguclu (Member) commented May 25, 2026

When a KMS sidecar revision is stuck (e.g. wrong container image), the cluster-admin needs to update APIServer.spec.encryption.kms with corrected values. Previously, all encryption controllers blocked on revision convergence, so the fix could never be applied.

This change allows the key_controller to update the latest key secret's KMS plugin config in-place for non-migration fields (image, TLS, AppRole) regardless of convergence state. If there is a change in migration-triggering fields, we should wait until convergence happens.

State controller carries in-place fields updates only when there is no change in the encryption-config data key.

Summary by CodeRabbit

  • Bug Fixes: KMS plugin configuration now updates in-place during key transitions without recreating secrets, improving reliability during mode changes.
  • Refactor: Enhanced encryption configuration application to support in-place updates while transitioning between encryption modes.
  • Tests:
    • Added test scenarios for KMS plugin configuration propagation during state transitions.
    • Enhanced end-to-end validation of plugin configuration changes and synchronization across key updates.

@openshift-ci-robot added the jira/valid-reference label (indicates that this PR references a valid Jira ticket of any type) on May 25, 2026

openshift-ci-robot commented May 25, 2026

@ardaguclu: This pull request references CNTRLPLANE-3237 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


coderabbitai (bot) commented May 25, 2026

Walkthrough

This PR implements in-place updates of KMS plugin configuration to allow changes like image updates without creating new encryption keys. The key controller detects when the latest KMS key's plugin config differs from the current APIServer KMS config and updates the secret in-place unless the change would trigger a migration. The state controller then propagates these updates to the encryption-config secret during transitioning states. End-to-end tests validate the complete flow.

Changes

KMS Plugin Configuration In-Place Updates

Layer: Key secret plugin config in-place update
Files: pkg/operator/encryption/controllers/key_controller.go, pkg/operator/encryption/controllers/key_controller_test.go
Summary: Adds maybeUpdateKMSPluginConfigInPlace helper that lists key secrets, selects the newest, and updates its plugin-config data field when appropriate. Introduces kmsMigrationRequired to skip updates that would trigger key migration (provider type mismatch; Vault address/namespace/mount/key changes). Integrates the in-place update into checkAndCreateKeys before normal reconciliation. Unit test expectations updated to include the new list:secrets:openshift-config-managed action across all KMS scenarios.

Layer: Encryption config propagation during non-convergence
Files: pkg/operator/encryption/controllers/state_controller.go, pkg/operator/encryption/controllers/state_controller_test.go
Summary: Refactors applyEncryptionConfigSecret to accept explicit namespace/name parameters. Introduces maybeUpdateKMSDataInEncryptionConfigSecret to list key secrets, fetch the existing encryption-config, round-trip through state enrichment to pick up current KMS plugin config, and apply only if Encryption.Resources structure is unchanged and the KMS plugin key set matches. Integrates propagation into generateAndApplyCurrentEncryptionConfigSecret during non-converged states. Unit tests cover update-required, no-update, missing-config-secret, and non-KMS-mode cases.

Layer: End-to-end KMS plugin update testing
Files: test/e2e-encryption/encryption_test.go
Summary: Updates verifyKMSPlugins to poll for KMS plugin config propagation across encryption-config and per-key secrets using semantic deep equality. Adds test scenario that patches KMS Vault kmsPluginImage for key 12, polls until the key secret reflects the new image, asserts no new keys are created, and re-validates overall configuration.


Suggested reviewers

  • p0lyn0mial
  • dgrisonnet
Pre-merge checks: 9 passed, 3 failed

❌ Failed checks (3 warnings)

  • Docstring Coverage (warning): Docstring coverage is 57.14%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality (warning): E2E test has 48 assertions without meaningful failure messages (bare require.NoError(t, err)), violating the diagnostic message requirement. The monolithic test also conflates multiple unrelated behaviors. Resolution: add context messages to assertions (e.g., require.NoError(t, err, "failed to get kubeClient")) and refactor monolithic e2e test phases into separate tests using t.Run().
  • Microshift Test Compatibility (warning): The e2e test TestEncryptionIntegration uses config.openshift.io/v1 (APIServer) and operator.openshift.io/v1 APIs not available on MicroShift, with no [Skipped:MicroShift] or [apigroup:...] protection. Resolution: add an [apigroup:config.openshift.io] or [apigroup:operator.openshift.io] tag to the test name, use the [Skipped:MicroShift] label, or add an exutil.IsMicroShiftCluster() guard with g.Skip() to skip on MicroShift.
✅ Passed checks (9 passed)
  • Description Check (passed): Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check (passed): The title directly corresponds to the PR's core objective: enabling in-place KMS plugin config updates regardless of convergence state, as detailed in the raw summary and objectives.
  • Linked Issues check (passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (passed): PR contains no Ginkgo tests. All test files use the standard Go testing framework with testing.T, not Ginkgo's It/Describe declarations. Check is inapplicable.
  • Single Node Openshift (SNO) Test Compatibility (passed): Custom check not applicable. The check targets Ginkgo e2e tests (It/Describe/Context/When), but this PR only modifies standard Go tests using the testing package.
  • Topology-Aware Scheduling Compatibility (passed): PR modifies only encryption controller logic and tests; it introduces no deployment manifests, pod scheduling constraints, replica rules, or topology-dependent configurations.
  • OTE Binary Stdout Contract (passed): library-go is not an OTE binary; the fmt.Printf calls are in standard Go test helpers (fmtLogger) within TestEncryptionIntegration, not process-level code like main/init/TestMain/BeforeSuite.
  • IPv6 And Disconnected Network Test Compatibility (passed): E2E test additions contain no IPv4 addresses, external connectivity requirements, or IPv6 incompatibilities. Only in-cluster Kubernetes API calls with example.com domains are used.


@openshift-ci openshift-ci Bot requested review from dgrisonnet and p0lyn0mial May 25, 2026 10:13
openshift-ci (bot, Contributor) commented May 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ardaguclu
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.


coderabbitai (bot) left a review comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
test/e2e-encryption/encryption_test.go (1)

Lines 646-648 (quick win):

Make the “no new key” assertion relative to the pre-update count.

Line 648 hardcodes 13, which couples this check to earlier scenario history. Capture the key count before the in-place patch and compare before/after so this assertion only validates the intended behavior.

Proposed fix
+	beforeKeys, err := kubeClient.CoreV1().Secrets("openshift-config-managed").List(ctx, metav1.ListOptions{LabelSelector: keySecretsLabel})
+	require.NoError(t, err)
+
 	t.Logf("In-place KMS plugin config update: change image (non-migration field)")
 	_, err = fakeApiServerClient.Patch(ctx, "cluster", types.MergePatchType, []byte(`{"spec":{"encryption":{"type":"KMS","kms":{"type":"Vault","vault":{"kmsPluginImage":"registry.example.com/kms-plugin@sha256:1111111111111111111111111111111111111111111111111111111111111111","vaultAddress":"https://vault.example.com","authentication":{"type":"AppRole","appRole":{"secret":{"name":"vault-approle-secret"}}},"transitKey":"test-transit-key"}}}}}`), metav1.PatchOptions{})
 	require.NoError(t, err)
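Review bot: the `beforeKeys` snapshot in the first three added lines is taken immediately before the in-place patch, with nothing ensuring the preceding scenario's key rollout has finished; a key that the earlier scenario is still creating and that appears between this List call and the later one would be counted as created by the in-place update, making the new assertion flaky rather than wrong. Wait for the key list to be stable (or for the previous scenario's expected key to exist) before capturing `beforeKeys`, or assert on the presence of the specific key IDs the scenario expects.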
@@
 	currentKeys, err := kubeClient.CoreV1().Secrets("openshift-config-managed").List(ctx, metav1.ListOptions{LabelSelector: keySecretsLabel})
 	require.NoError(t, err)
-	require.Equal(t, 13, len(currentKeys.Items), "in-place update should not create new keys")
+	require.Equal(t, len(beforeKeys.Items), len(currentKeys.Items), "in-place update should not create new keys")
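Review bot: `require.Equal(t, len(beforeKeys.Items), len(currentKeys.Items), ...)` only proves the count is unchanged, not that no new key was written: a prune of an old key coinciding with the creation of a new one passes this check while the behaviour under test has failed. Compare the set of secret names before and after instead (collect `s.Name` from each list into a `sets.Set[string]` and `require.Equal` the two sets), which also gives a failure message that names the unexpected key.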
Inline comments:
In `@pkg/operator/encryption/controllers/state_controller.go`:
- Around line 219-227: The current guard only compares Encryption.Resources and
can allow a rebuiltConfig that has lost KMS plugin entries or secret data to be
applied; before calling applyEncryptionConfigSecret, add an explicit check
comparing existingConfig.Encryption.KMSPlugins (and/or the presence of expected
secret data) to rebuiltConfig.Encryption.KMSPlugins and bail out if existing had
plugins or secret references that are absent or empty in rebuiltConfig. In other
words, in the same block that uses equality.Semantic.DeepEqual for
Encryption.Resources, also ensure the KMSPlugins slice/map and any required
secret references in rebuiltConfig match existingConfig (or at minimum that
rebuiltConfig does not drop KMSPlugins that exist in current state) and only
call applyEncryptionConfigSecret when both Resources and KMSPlugins integrity
checks pass.

In `@test/e2e-encryption/encryption_test.go`:
- Around line 657-659: The current predicate passed to
waitForConfigEventuallyCond (the anonymous func at the call site) only checks
strings.Contains(got, "identity") which can match fallback mentions; replace it
with a stronger check that proves the KMS write position actually transitioned —
for example, verify the config contains a clear primary/active marker for
identity (e.g. a line like "kms: identity" or "primary: identity" using an exact
substring or regex match) and also assert the previous KMS no longer has write
privileges (ensure there is no "write: true" under the old KMS entry). Update
the anonymous function used in waitForConfigEventuallyCond to return true only
when both conditions (identity as the active KMS and absence of the old KMS
write flag) are met.

Reviewing files that changed from the base of the PR and between c877160 and 3855e51.

📒 Files selected for processing (7)
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/encryptiondata/config.go
  • pkg/operator/encryption/secrets/secrets.go
  • test/e2e-encryption/encryption_test.go

ardaguclu (Member, Author) commented:

/retest

coderabbitai (bot) left a review comment

Actionable comments posted: 1

Inline comments:
In `@pkg/operator/encryption/controllers/state_controller.go`:
- Around line 226-235: The current check in the state reconciliation (the block
comparing existingConfig.KMSPlugins and rebuiltConfig.KMSPlugins) only ensures
keys exist but doesn't guard KMSPluginsSecretData; update the verification to
also ensure that for every keyID present in existingConfig.KMSPlugins the
corresponding entry exists in rebuiltConfig.KMSPluginsSecretData (and is
non-nil/contains expected data), and return an error if any secret-data entry is
missing or has been removed to prevent in-place propagation from silently
dropping credentials (reference existingConfig.KMSPlugins,
rebuiltConfig.KMSPlugins, and KMSPluginsSecretData in your change).
Reviewing files that changed from the base of the PR and between 3855e51 and 5c7b87f.

📒 Files selected for processing (7)
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/encryptiondata/config.go
  • pkg/operator/encryption/secrets/secrets.go
  • test/e2e-encryption/encryption_test.go
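The integrity guard the inline comment on state_controller.go asks for, as an added example that is not library-go code: the encryption-config shape is a constructed simplification (ResourceConfig, EncryptionConfig and the helper names are assumptions), and the guard refuses in-place propagation when Encryption.Resources differs, when the KMS plugin key set differs, or when a key that had secret data would lose it.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"sort"
)

// Constructed, simplified stand-ins for the encryption-config shape discussed in
// this PR; the real encryptiondata types differ and carry more fields.
type ResourceConfig struct {
	Resources []string // resource names covered, e.g. "secrets"
	KeyIDs    []string // key IDs, write key first
}

type EncryptionConfig struct {
	Resources            []ResourceConfig  // determines which key encrypts new writes
	KMSPlugins           map[string]string // keyID -> encoded KMS plugin config
	KMSPluginsSecretData map[string][]byte // keyID -> credential material (AppRole secret etc.)
}

func sortedKeys(m map[string]string) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// InPlacePropagationAllowed is the guard the state controller needs before it
// overwrites the encryption-config secret while revisions have not converged:
//  1. Encryption.Resources must be unchanged, otherwise a key transition is in flight;
//  2. the KMS plugin key set must be identical, otherwise keys were added or dropped;
//  3. no key that had secret data may lose it, otherwise credentials vanish silently.
func InPlacePropagationAllowed(existing, rebuilt EncryptionConfig) error {
	if !reflect.DeepEqual(existing.Resources, rebuilt.Resources) {
		return errors.New("Encryption.Resources differ: key transition in progress, skipping in-place update")
	}
	if !reflect.DeepEqual(sortedKeys(existing.KMSPlugins), sortedKeys(rebuilt.KMSPlugins)) {
		return fmt.Errorf("KMS plugin key set differs: %v vs %v",
			sortedKeys(existing.KMSPlugins), sortedKeys(rebuilt.KMSPlugins))
	}
	for keyID := range existing.KMSPlugins {
		if len(existing.KMSPluginsSecretData[keyID]) > 0 && len(rebuilt.KMSPluginsSecretData[keyID]) == 0 {
			return fmt.Errorf("rebuilt config drops secret data for key %s", keyID)
		}
	}
	return nil
}

// ChangedPluginKeys returns, sorted, the key IDs whose plugin config the in-place
// update would change. It runs the guard first so a caller can never apply a
// rebuilt config that failed the integrity checks.
func ChangedPluginKeys(existing, rebuilt EncryptionConfig) ([]string, error) {
	if err := InPlacePropagationAllowed(existing, rebuilt); err != nil {
		return nil, err
	}
	var changed []string
	for _, keyID := range sortedKeys(existing.KMSPlugins) {
		if existing.KMSPlugins[keyID] != rebuilt.KMSPlugins[keyID] {
			changed = append(changed, keyID)
		}
	}
	return changed, nil
}

func main() {
	// Constructed sample: two KMS keys, 12 is the write key.
	existing := EncryptionConfig{
		Resources:  []ResourceConfig{{Resources: []string{"secrets", "configmaps"}, KeyIDs: []string{"12", "11"}}},
		KMSPlugins: map[string]string{"11": `{"image":"kms@sha256:aaaa"}`, "12": `{"image":"kms@sha256:aaaa"}`},
		KMSPluginsSecretData: map[string][]byte{
			"11": []byte("role-id:secret-id"), "12": []byte("role-id:secret-id"),
		},
	}
	// The admin fixed the sidecar image for the latest key; nothing else moved.
	rebuilt := existing
	rebuilt.KMSPlugins = map[string]string{"11": existing.KMSPlugins["11"], "12": `{"image":"kms@sha256:bbbb"}`}
	changed, err := ChangedPluginKeys(existing, rebuilt)
	fmt.Println(changed, err) // [12] <nil>

	// A new write key appeared in Resources: propagation must wait for convergence.
	transitioning := rebuilt
	transitioning.Resources = []ResourceConfig{{Resources: []string{"secrets", "configmaps"}, KeyIDs: []string{"13", "12", "11"}}}
	_, err = ChangedPluginKeys(existing, transitioning)
	fmt.Println(err)
}
```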

ardaguclu (Member, Author) commented:

/uncc @dgrisonnet

@openshift-ci openshift-ci Bot removed the request for review from dgrisonnet May 25, 2026 11:57
coderabbitai (bot) left a review comment

Actionable comments posted: 2

Inline comments:
In `@pkg/operator/encryption/controllers/key_controller.go`:
- Around line 284-300: secrets.ToKeyStates filters out invalid secrets before
sorting, so using backedKeys[0] can return an older parsed key when the newest
raw secret is malformed; change the logic in Key controller to first pick the
newest raw secret from keySecrets (by key ID / creation ordering), then parse
only that secret (using the same parsing used by ToKeyStates) and return an
error immediately if parsing fails; once you have the parsed newest secret, use
that (check Mode == state.KMS and call HasKMSPlugin) instead of using
backedKeys[0], ensuring failures surface fast and you don’t accidentally update
the wrong object.

In `@test/e2e-encryption/encryption_test.go`:
- Around line 623-626: The polling loop currently swallows errors from
encoding.DecodeKMSPluginConfig(pluginData) by returning (false, nil); change it
to return the decode error so the test fails fast—e.g., return false, err (or
wrap the error with context) instead of nil—so DecodeKMSPluginConfig failures
aren’t hidden during polling.
Reviewing files that changed from the base of the PR and between 2a95494 and 7bc33ac.

📒 Files selected for processing (7)
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • pkg/operator/encryption/encryptiondata/config.go
  • pkg/operator/encryption/secrets/secrets.go
  • test/e2e-encryption/encryption_test.go

coderabbitai (bot) left a review comment

🧹 Nitpick comments (2)
test/e2e-encryption/encryption_test.go (1)

Lines 288-320 (quick win):

Consider failing fast on decode errors during polling.

At lines 294-296 and 310-313, decode errors are silently swallowed by returning (false, nil), which continues polling. While this may be intentional for transient states, it can hide real regressions and only surface as a timeout failure, making debugging harder.

Given that line 645 in the in-place update test now correctly returns the decode error (addressing past review feedback), consider applying the same pattern here for consistency.

Proposed fix
 		cfg, err = encryptiondata.FromSecret(encryptionConfigSecret)
 		if err != nil {
-			return false, nil
+			return false, fmt.Errorf("failed to decode encryption config: %w", err)
 		}
 		for keyID := range expectedKeyIDs {
 			...
 			keyPluginConfig, err := encoding.DecodeKMSPluginConfig(keyPluginData)
 			if err != nil {
-				return false, nil
+				return false, fmt.Errorf("failed to decode kms-plugin-config for key %s: %w", keyID, err)
 			}
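Review bot: after this change a `FromSecret` failure ends the poll immediately, but the elided block (`...`) between the two decodes is where `keyPluginData` is looked up; if that lookup can legitimately find no plugin-config entry yet because the state controller has not propagated it, that branch must keep returning `(false, nil)` so only genuine decode failures terminate polling, otherwise the transient/malformed distinction the comment relies on is lost. The new `fmt.Errorf` calls also require `fmt` to be imported in this file if it is not already.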
pkg/operator/encryption/controllers/key_controller.go (1)

Lines 347-360 (low value):

Consider explicit handling of unknown KMS provider types.

Currently, kmsMigrationRequired returns false for any KMS provider type other than Vault. If a new provider type is added in the future without updating this function, all field changes would be treated as in-place-safe, potentially causing issues. Consider returning true for unknown types as a safe default, or adding a comment documenting that this function must be updated when new providers are added.

Given this is Tech Preview with only Vault supported, this is acceptable for now.

Reviewing files that changed from the base of the PR and between 7bc33ac and 128dee6.

📒 Files selected for processing (5)
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/key_controller_test.go
  • pkg/operator/encryption/controllers/state_controller.go
  • pkg/operator/encryption/controllers/state_controller_test.go
  • test/e2e-encryption/encryption_test.go
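To make the in-place-versus-migration rule from the PR description and the kmsMigrationRequired nitpick above concrete, here is an added example (not library-go code): the KMS config types are constructed simplifications of the openshift/api ones (AppRoleAuth, VaultConfig, KMSConfig and Classify are assumptions), provider type, Vault address, namespace, mount and transit key are treated as migration-triggering, image, TLS and AppRole as in-place safe, and, as the nitpick suggests, an unknown provider type defaults to requiring migration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed, simplified stand-ins for the openshift/api KMS config types used
// in this PR (configv1.KMSPluginConfig and friends); the real types differ.
type AppRoleAuth struct {
	SecretName string // Secret holding the AppRole role/secret IDs
}

type VaultConfig struct {
	Address    string      // migration field: a different Vault cannot unwrap old DEKs
	Namespace  string      // migration field
	Mount      string      // migration field: transit mount path
	TransitKey string      // migration field: different key, different ciphertext
	Image      string      // in-place field: sidecar container image
	CABundle   string      // in-place field: TLS trust for the Vault connection
	AppRole    AppRoleAuth // in-place field: credentials
}

type KMSConfig struct {
	Type  string // provider type, e.g. "Vault"
	Vault *VaultConfig
}

// Change is the key controller's decision for a drift between the latest key
// secret's stored plugin config and APIServer.spec.encryption.kms.
type Change int

const (
	NoChange  Change = iota
	InPlace          // patch the latest key secret now, regardless of convergence
	Migration        // wait for convergence; a new key and re-encryption follow
)

func (c Change) String() string {
	return [...]string{"NoChange", "InPlace", "Migration"}[c]
}

// vaultMigrationRequired mirrors the Vault-specific part of the PR's
// kmsMigrationRequired: only fields that decide which KMS/key wraps the DEKs count.
func vaultMigrationRequired(latest, current *VaultConfig) bool {
	if latest == nil || current == nil {
		return latest != current // one side lost its Vault section entirely
	}
	return latest.Address != current.Address ||
		latest.Namespace != current.Namespace ||
		latest.Mount != current.Mount ||
		latest.TransitKey != current.TransitKey
}

// Classify compares the desired config (latest) with what the newest key secret
// carries (current). Unknown provider types fall through to Migration, the safe
// default the review nitpick asks for, instead of being treated as in-place safe.
func Classify(latest, current KMSConfig) Change {
	if reflect.DeepEqual(latest, current) {
		return NoChange
	}
	if latest.Type != current.Type {
		return Migration
	}
	switch latest.Type {
	case "Vault":
		if vaultMigrationRequired(latest.Vault, current.Vault) {
			return Migration
		}
		return InPlace
	default:
		return Migration
	}
}

func main() {
	// Constructed sample: the stored config points at a sidecar image that cannot be pulled.
	stored := KMSConfig{Type: "Vault", Vault: &VaultConfig{
		Address: "https://vault.example.com", Mount: "transit", TransitKey: "kas",
		Image:   "registry.example.com/kms-plugin@sha256:0000",
		AppRole: AppRoleAuth{SecretName: "vault-approle-secret"},
	}}
	fixedImage := *stored.Vault
	fixedImage.Image = "registry.example.com/kms-plugin@sha256:1111"
	fmt.Println(Classify(KMSConfig{Type: "Vault", Vault: &fixedImage}, stored)) // InPlace

	newKey := *stored.Vault
	newKey.TransitKey = "kas-v2"
	fmt.Println(Classify(KMSConfig{Type: "Vault", Vault: &newKey}, stored)) // Migration
}
```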

@ardaguclu force-pushed the in-place-field branch 3 times, most recently from 231db91 to fa1c366 on May 25, 2026 16:49
When a KMS sidecar revision is stuck (e.g. wrong container image), the
cluster-admin needs to update APIServer.spec.encryption.kms with corrected
values. Previously, all encryption controllers blocked on revision
convergence, so the fix could never be applied.

This change allows the key_controller to update the latest key secret's
KMS plugin config in-place for non-migration fields (image, TLS, AppRole)
regardless of convergence state. If there is a change in migration-triggering fields,
we should wait until convergence happens.

State controller carries in-place fields updates only when there is no change in the encryption-config
data key.
openshift-ci (bot, Contributor) commented May 26, 2026

@ardaguclu: all tests passed!


gangwgr (Contributor) commented May 27, 2026

KAS is not degrading even after increasing the wait time; it also just stays stuck in the previous revision.
I see the KAS pod has an image pull error which prevents the rollout:

de-Selectors: <none>
Tolerations:   op=Exists
Events:
 Type   Reason  Age          From   Message
 ----   ------  ----         ----   -------
 Normal  Pulled  12m          kubelet spec.initContainers{setup}: Container image "registry.build10.ci.openshift.org/ci-ln-tb19pxk/stable@sha256:edb6ea867d6fec7ce62ac0e7d15ad0c59ac8fa8b108243f60669d8defddbbdd3" already present on machine and can be accessed by the pod
 Normal  Created 12m          kubelet spec.initContainers{setup}: Container created
 Normal  Started 12m          kubelet spec.initContainers{setup}: Container started
 Normal  Pulling 9m38s (x5 over 12m)  kubelet spec.initContainers{vault-kms-plugin-1}: Pulling image "quay.io/openshifttest/mock-kms-plugin-nonexistent@sha256:0000000000000000000000000000000000000000000000000000000000000000"
 Warning Failed  9m37s (x5 over 12m)  kubelet spec.initContainers{vault-kms-plugin-1}: Failed to pull image "quay.io/openshifttest/mock-kms-plugin-nonexistent@sha256:0000000000000000000000000000000000000000000000000000000000000000": unable to pull image or OCI artifact: pull image err: initializing source docker://quay.io/openshifttest/mock-kms-plugin-nonexistent@sha256:0000000000000000000000000000000000000000000000000000000000000000: reading manifest sha256:0000000000000000000000000000000000000000000000000000000000000000 in quay.io/openshifttest/mock-kms-plugin-nonexistent: unauthorized: access to the requested resource is not authorized; artifact err: image reference: get manifest from ref: create image source: reading manifest sha256:0000000000000000000000000000000000000000000000000000000000000000 in quay.io/openshifttest/mock-kms-plugin-nonexistent: unauthorized: access to the requested resource is not authorized
 Warning Failed  9m37s (x5 over 12m)  kubelet spec.initContainers{vault-kms-plugin-1}: Error: ErrImagePull
 Normal  BackOff 2m43s (x42 over 12m) kubelet spec.initContainers{vault-kms-plugin-1}: Back-off pulling image "quay.io/openshifttest/mock-kms-plugin-nonexistent@sha256:0000000000000000000000000000000000000000000000000000000000000000"
 Warning Failed  2m43s (x42 over 12m) kubelet spec.initContainers{vault-kms-plugin-1}: Error: ImagePullBackOff
rgangwar@rgangwar-mac web_gui % oc get po -n openshift-kube-apiserver-operator

 oc get po -n openshift-kube-apiserver
NAME                                                              READY   STATUS                  RESTARTS      AGE
installer-10-ip-10-0-104-226.us-west-1.compute.internal           0/1     Completed               0             14m
installer-8-ip-10-0-14-1.us-west-1.compute.internal               0/1     Completed               0             38m
kube-apiserver-guard-ip-10-0-104-226.us-west-1.compute.internal   0/1     Running                 0             27m
kube-apiserver-guard-ip-10-0-14-1.us-west-1.compute.internal      1/1     Running                 0             36m
kube-apiserver-guard-ip-10-0-66-116.us-west-1.compute.internal    1/1     Running                 0             18m
kube-apiserver-ip-10-0-104-226.us-west-1.compute.internal         0/6     Init:ImagePullBackOff   0             12m
kube-apiserver-ip-10-0-14-1.us-west-1.compute.internal            5/5     Running                 0             33m
kube-apiserver-ip-10-0-66-116.us-west-1.compute.internal          5/5     Running                 6 (19m ago)   29

oc get po -n openshift-kube-apiserver-operator                                                        
NAME                                       READY   STATUS    RESTARTS   AGE
kube-apiserver-operator-5bcfdfd7cb-w227r   1/1     Running   0          27m
rgangwar@rgangwar-mac web_gui % oc get kubeapiservers/cluster -o json | jq '.status.conditions[] | select(.type | endswith("Degraded")) | {type, status, reason, message}'
{
  "type": "MissingStaticPodControllerDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "EncryptionStateControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "NodeControllerDegraded",
  "status": "False",
  "reason": "MasterNodesReady",
  "message": "All master nodes are ready"
}
{
  "type": "EncryptionKeyControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "EncryptionPruneControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "EncryptionMigrationControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "StartupMonitorPodContainerExcessiveRestartsDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "StartupMonitorPodDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "StaticPodsDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "NodeKubeconfigControllerDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "RevisionControllerDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "InstallerControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "NodeInstallerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "StaticPodFallbackRevisionDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "InstallerPodContainerWaitingDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "InstallerPodNetworkingDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "InstallerPodPendingDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "WorkerLatencyProfileDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "AuditPolicyDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "BackingResourceControllerDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "GuardControllerDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "ResourceSyncControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "ConfigObservationDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "KubeAPIServerStaticResourcesDegraded",
  "status": "False",
  "reason": "AsExpected",
  "message": null
}
{
  "type": "CertRotation_KubeSchedulerClient_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_ControlPlaneNodeAdminClient_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_ExternalLoadBalancerServing_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_KubeControllerManagerClient_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_LocalhostServing_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "TargetConfigControllerDegraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_NodeSystemAdminClient_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_CheckEndpointsClient_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_AggregatorProxyClientCert_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_KubeAPIServerToKubeletClientCert_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_InternalLoadBalancerServing_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_LocalhostRecoveryServing_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}
{
  "type": "CertRotation_ServiceNetworkServing_Degraded",
  "status": "False",
  "reason": null,
  "message": null
}

```

@gangwgr
Contributor

gangwgr commented May 27, 2026

 ./cluster-kube-apiserver-operator-tests-ext run-test "[sig-api-machinery] kube-apiserver operator TestKMSEncryptionInvalidImageRecovery [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]"
  Running Suite:  - /Users/rgangwar/Downloads/backupoffice/cluster-kube-apiserver-operator
  ========================================================================================
  Random Seed: 1779868857 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-api-machinery] kube-apiserver operator TestKMSEncryptionInvalidImageRecovery [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]
  github.com/openshift/cluster-kube-apiserver-operator/test/e2e-encryption-kms/encryption_kms.go:27
Found configuration for host https://api.ci-ln-tb19pxk-76ef8.aws-4.ci.openshift.org:6443.
  Setting KMS encryption with invalid plugin image
Found configuration for host https://api.ci-ln-tb19pxk-76ef8.aws-4.ci.openshift.org:6443.
May 27 13:30:59.161: Applied AppRole secret vault-approle-secret in openshift-config (changed=false)
  Attempting to switch to aescbc (cluster should remain stuck on KMS)
  Waiting for operator to report degraded status
Found configuration for host https://api.ci-ln-tb19pxk-76ef8.aws-4.ci.openshift.org:6443.
May 27 13:31:00.130: Waiting up to 15m0s for a pod in openshift-kube-apiserver (selector=app=openshift-kube-apiserver) to enter ImagePullBackOff
May 27 13:31:00.846: Pod kube-apiserver-ip-10-0-104-226.us-west-1.compute.internal init container vault-kms-plugin-1 is in ImagePullBackOff
  Updating KMS encryption with valid plugin image to recover
Found configuration for host https://api.ci-ln-tb19pxk-76ef8.aws-4.ci.openshift.org:6443.
May 27 13:31:01.324: Applied AppRole secret vault-approle-secret in openshift-config (changed=false)
  Waiting for operator to recover with valid KMS image
Found configuration for host https://api.ci-ln-tb19pxk-76ef8.aws-4.ci.openshift.org:6443.
May 27 13:31:01.809: Waiting up to 30m0s for all pods in openshift-kube-apiserver (selector=app=openshift-kube-apiserver) to be Running and Ready
May 27 13:34:17.521: All 3 pods in openshift-kube-apiserver are Running and Ready
  Invalid image recovery test passed
  • [199.542 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 199.542 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-api-machinery] kube-apiserver operator TestKMSEncryptionInvalidImageRecovery [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]",
    "lifecycle": "blocking",
    "duration": 199543,
    "startTime": "2026-05-27 08:00:57.978759 UTC",
    "endTime": "2026-05-27 08:04:17.521930 UTC",
    "result": "passed",
    "output": "Setting KMS encryption with invalid plugin image\nAttempting to switch to aescbc (cluster should remain stuck on KMS)\nWaiting for operator to report degraded status\nUpdating KMS encryption with valid plugin image to recover\nWaiting for operator to recover with valid KMS image\nInvalid image recovery test passed\n"
  }
]
rgangwar@rgangwar-mac cluster-kube-apiserver-operator % oc get co
NAME                                       VERSION                                               AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        True          False      131m    APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation and 2/3 pods are available
baremetal                                  5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
cloud-controller-manager                   5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      159m    
cloud-credential                           5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
cluster-api                                5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      71m     
cluster-autoscaler                         5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
config-operator                            5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      157m    
console                                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      138m    
control-plane-machine-set                  5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      151m    
csi-snapshot-controller                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
dns                                        5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      155m    
etcd                                       5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      154m    
image-registry                             5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
ingress                                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
insights                                   5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
kube-apiserver                             5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        True          False      150m    NodeInstallerProgressing: 2 nodes are at revision 8; 1 node is at revision 12
kube-controller-manager                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      151m    
kube-scheduler                             5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      154m    
kube-storage-version-migrator              5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      157m    
machine-api                                5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      152m    
machine-approver                           5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
machine-config                             5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      157m    
marketplace                                5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      157m    
monitoring                                 5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      144m    
network                                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      158m    
node-tuning                                5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      53m     
olm                                        5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
openshift-apiserver                        5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        True          False      145m    APIServerDeploymentProgressing: deployment/apiserver.openshift-apiserver: 1/3 pods have been updated to the latest generation and 2/3 pods are available
openshift-controller-manager               5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
openshift-samples                          5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
operator-lifecycle-manager                 5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
operator-lifecycle-manager-catalog         5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      156m    
operator-lifecycle-manager-packageserver   5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m    
service-ca                                 5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      157m    
storage                                    5.0.0-0-2026-05-27-051023-test-ci-ln-tb19pxk-latest   True        False         False      145m 

@ardaguclu
Member Author

@gangwgr that is great news, so this means that we have verified that the changes in this PR work as expected.

Just one question: I saw kube-apiserver is in NodeInstallerProgressing: 2 nodes are at revision 8; 1 node is at revision 12. Did we see that all the pods have converged to revision 12?
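The two questions in this thread, which `*Degraded` conditions are actually firing (the `jq` filter above prints every one, including those at `False`) and whether every node has reached the latest revision, can be answered from the `status` of `oc get kubeapiservers/cluster -o json`. The following is an added example and not code from this PR or from the operator; it reads the `latestAvailableRevision` and `nodeStatuses[].currentRevision` fields of the operator status and reproduces the `NodeInstallerProgressing` wording seen above. The embedded JSON document is constructed for the example, not captured from the test cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal view of the operator status fields used here; names follow the
// operator.openshift.io/v1 StaticPodOperatorStatus as serialised by oc.
type Condition struct {
	Type    string `json:"type"`
	Status  string `json:"status"`
	Reason  string `json:"reason"`
	Message string `json:"message"`
}

type NodeStatus struct {
	NodeName           string `json:"nodeName"`
	CurrentRevision    int32  `json:"currentRevision"`
	TargetRevision     int32  `json:"targetRevision"`
	LastFailedRevision int32  `json:"lastFailedRevision"`
}

type OperatorStatus struct {
	Conditions              []Condition  `json:"conditions"`
	LatestAvailableRevision int32        `json:"latestAvailableRevision"`
	NodeStatuses            []NodeStatus `json:"nodeStatuses"`
}

type KubeAPIServer struct {
	Status OperatorStatus `json:"status"`
}

// Parse unmarshals the output of `oc get kubeapiservers/cluster -o json`.
func Parse(doc []byte) (*OperatorStatus, error) {
	var k KubeAPIServer
	if err := json.Unmarshal(doc, &k); err != nil {
		return nil, err
	}
	return &k.Status, nil
}

// DegradedConditions returns only the *Degraded conditions whose status is True.
func DegradedConditions(s *OperatorStatus) []Condition {
	var out []Condition
	for _, c := range s.Conditions {
		if strings.HasSuffix(c.Type, "Degraded") && c.Status == "True" {
			out = append(out, c)
		}
	}
	return out
}

// Converged reports whether every node runs latestAvailableRevision, plus a
// per-revision summary in the same form as the NodeInstallerProgressing message.
func Converged(s *OperatorStatus) (bool, string) {
	counts := map[int32]int{}
	converged := true
	for _, n := range s.NodeStatuses {
		counts[n.CurrentRevision]++
		if n.CurrentRevision != s.LatestAvailableRevision {
			converged = false
		}
	}
	revs := make([]int, 0, len(counts))
	for r := range counts {
		revs = append(revs, int(r))
	}
	sort.Ints(revs)
	parts := make([]string, 0, len(revs))
	for _, r := range revs {
		n := counts[int32(r)]
		noun := "nodes are"
		if n == 1 {
			noun = "node is"
		}
		parts = append(parts, fmt.Sprintf("%d %s at revision %d", n, noun, r))
	}
	return converged, strings.Join(parts, "; ")
}

// sampleStatus is a constructed document (not captured from a cluster): one node
// stuck on revision 8 after a failed roll-out of 12, and one firing Degraded condition.
const sampleStatus = `{
  "status": {
    "latestAvailableRevision": 12,
    "conditions": [
      {"type": "EncryptionStateControllerDegraded", "status": "False"},
      {"type": "StaticPodsDegraded", "status": "True", "reason": "Error",
       "message": "init container vault-kms-plugin-1 is waiting: ImagePullBackOff"},
      {"type": "NodeControllerDegraded", "status": "False", "reason": "MasterNodesReady"}
    ],
    "nodeStatuses": [
      {"nodeName": "ip-10-0-14-1",    "currentRevision": 8,  "targetRevision": 0},
      {"nodeName": "ip-10-0-66-116",  "currentRevision": 12, "targetRevision": 0},
      {"nodeName": "ip-10-0-104-226", "currentRevision": 8,  "targetRevision": 12, "lastFailedRevision": 12}
    ]
  }
}`

func main() {
	s, err := Parse([]byte(sampleStatus))
	if err != nil {
		panic(err)
	}
	for _, c := range DegradedConditions(s) {
		fmt.Printf("DEGRADED %s: %s\n", c.Type, c.Message)
	}
	ok, summary := Converged(s)
	fmt.Printf("converged=%v (%s)\n", ok, summary)
}
```

Against a live cluster, pipe `oc get kubeapiservers/cluster -o json` into `Parse` instead of the constructed document; a `Converged` result of `false` with a summary like "2 nodes are at revision 8; 1 node is at revision 12" is the state the `oc get co` output above was still showing.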

@gangwgr
Contributor

gangwgr commented May 27, 2026

> @gangwgr that is great news, so this means that we have verified that the changes in this PR work as expected.
>
> Just one question: I saw kube-apiserver is in NodeInstallerProgressing: 2 nodes are at revision 8; 1 node is at revision 12. Did we see that all the pods have converged to revision 12?

All converged; I manually checked locally.
2 scenarios I tested

  1. DefaultFakeVaultEncryptionProvider: using this on the cluster, it does not recover; it got stuck, not sure why.
  2. DefaultVaultEncryptionProvider: using this on the cluster, it recovers.

 oc get co                       
NAME                                       VERSION                                               AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      88m     
baremetal                                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
cloud-controller-manager                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      117m    
cloud-credential                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      102m    
cluster-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      77m     
cluster-autoscaler                         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
config-operator                            5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
console                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      96m     
control-plane-machine-set                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
csi-snapshot-controller                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
dns                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
etcd                                       5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      112m    
image-registry                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      102m    
ingress                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      101m    
insights                                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
kube-apiserver                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      108m    
kube-controller-manager                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      109m    
kube-scheduler                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      112m    
kube-storage-version-migrator              5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
machine-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      110m    
machine-approver                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
machine-config                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
marketplace                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
monitoring                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      101m    
network                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
node-tuning                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      108m    
olm                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
openshift-apiserver                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        True          False      51m     APIServerDeploymentProgressing: deployment/apiserver.openshift-apiserver: 3/3 pods have been updated to the latest generation and 2/3 pods are available
openshift-controller-manager               5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
openshift-samples                          5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      102m    
operator-lifecycle-manager                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
operator-lifecycle-manager-catalog         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
operator-lifecycle-manager-packageserver   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      66m     
service-ca                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
storage                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
rgangwar@rgangwar-mac web_gui % oc get po -n openshift-apiserver
NAME                         READY   STATUS    RESTARTS   AGE
apiserver-565fdc5498-6f52p   2/2     Running   0          4m54s
apiserver-565fdc5498-hkdlj   2/2     Running   0          3m56s
apiserver-565fdc5498-wqsst   2/2     Running   0          2m
rgangwar@rgangwar-mac web_gui % oc get po -n openshift-apiserver
NAME                         READY   STATUS    RESTARTS   AGE
apiserver-565fdc5498-6f52p   2/2     Running   0          5m
apiserver-565fdc5498-hkdlj   2/2     Running   0          4m2s
apiserver-565fdc5498-wqsst   2/2     Running   0          2m6s
rgangwar@rgangwar-mac web_gui % oc get po -n openshift-apiserver
NAME                         READY   STATUS    RESTARTS   AGE
apiserver-565fdc5498-6f52p   2/2     Running   0          5m53s
apiserver-565fdc5498-hkdlj   2/2     Running   0          4m55s
apiserver-565fdc5498-wqsst   2/2     Running   0          2m59s
rgangwar@rgangwar-mac web_gui % oc get co                       
NAME                                       VERSION                                               AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      90m     
baremetal                                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
cloud-controller-manager                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      118m    
cloud-credential                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
cluster-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      78m     
cluster-autoscaler                         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
config-operator                            5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
console                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      97m     
control-plane-machine-set                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
csi-snapshot-controller                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
dns                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
etcd                                       5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
image-registry                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
ingress                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
insights                                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
kube-apiserver                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      109m    
kube-controller-manager                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      110m    
kube-scheduler                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
kube-storage-version-migrator              5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
machine-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      111m    
machine-approver                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
machine-config                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
marketplace                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
monitoring                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      102m    
network                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      117m    
node-tuning                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      110m    
olm                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
openshift-apiserver                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      52m     
openshift-controller-manager               5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      104m    
openshift-samples                          5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
operator-lifecycle-manager                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
operator-lifecycle-manager-catalog         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
operator-lifecycle-manager-packageserver   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      67m     
service-ca                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
storage                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
rgangwar@rgangwar-mac web_gui % oc get apiserver/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    oauth-apiserver.openshift.io/secure-token-storage: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2026-05-27T09:07:01Z"
  generation: 7
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: eec4ce12-5e13-46fc-8012-c45bdb30a8e4
  resourceVersion: "72131"
  uid: 9b038dee-01a8-473b-ae1a-d07d996ef6fc
spec:
  audit:
    profile: Default
  clientCA:
    name: ""
  encryption:
    kms:
      type: Vault
      vault:
        authentication:
          appRole:
            secret:
              name: vault-approle-secret
          type: AppRole
        kmsPluginImage: quay.io/openshifttest/mock-kms-plugin@sha256:03bb07a2c08b509653c4c70217a06a4b389c10b4d87922f50ee5eac82db5e140
        transitKey: kms-key
        transitMount: transit
        vaultAddress: https://vault.vault-kms.svc:8200
        vaultNamespace: admin
    type: KMS
  servingCerts: {}

rgangwar@rgangwar-mac web_gui % oc get co                       
NAME                                       VERSION                                               AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      90m     
baremetal                                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
cloud-controller-manager                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      118m    
cloud-credential                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
cluster-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      78m     
cluster-autoscaler                         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
config-operator                            5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
console                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      97m     
control-plane-machine-set                  5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
csi-snapshot-controller                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
dns                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
etcd                                       5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
image-registry                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
ingress                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
insights                                   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
kube-apiserver                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      109m    
kube-controller-manager                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      110m    
kube-scheduler                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      113m    
kube-storage-version-migrator              5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
machine-api                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      111m    
machine-approver                           5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
machine-config                             5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
marketplace                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
monitoring                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      102m    
network                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      117m    
node-tuning                                5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      110m    
olm                                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
openshift-apiserver                        5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      52m     
openshift-controller-manager               5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      104m    
openshift-samples                          5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      103m    
operator-lifecycle-manager                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
operator-lifecycle-manager-catalog         5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      115m    
operator-lifecycle-manager-packageserver   5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      67m     
service-ca                                 5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      116m    
storage                                    5.0.0-0-2026-05-27-084931-test-ci-ln-nsc6nvk-latest   True        False         False      114m    
rgangwar@rgangwar-mac web_gui % oc get apiserver/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    oauth-apiserver.openshift.io/secure-token-storage: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2026-05-27T09:07:01Z"
  generation: 7
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: eec4ce12-5e13-46fc-8012-c45bdb30a8e4
  resourceVersion: "72131"
  uid: 9b038dee-01a8-473b-ae1a-d07d996ef6fc
spec:
  audit:
    profile: Default
  clientCA:
    name: ""
  encryption:
    kms:
      type: Vault
      vault:
        authentication:
          appRole:
            secret:
              name: vault-approle-secret
          type: AppRole
        kmsPluginImage: quay.io/openshifttest/mock-kms-plugin@sha256:03bb07a2c08b509653c4c70217a06a4b389c10b4d87922f50ee5eac82db5e140
        transitKey: kms-key
        transitMount: transit
        vaultAddress: https://vault.vault-kms.svc:8200
        vaultNamespace: admin
    type: KMS
  servingCerts: {}

@gangwgr
Contributor

gangwgr commented May 27, 2026

@ardaguclu tested again with a new cluster; in that one it is recovering from the stuck state.
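As an added example that is not part of this PR or of the project's code, the following Go program shows the field-level split the tester's recovery scenario depends on: a corrected kmsPluginImage (as in the YAML above) can be written into the latest key secret in place, while a change to the transit key, mount or Vault endpoint is held until revisions converge, and a mixed change waits as well. The VaultKMS type, the field names (including TLSSecret) and the exact set of migration-triggering fields are assumptions for illustration, not the openshift/api or library-go definitions; the sample configs are constructed, with the "stuck" image being a made-up bad reference.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// VaultKMS is a hypothetical, flattened stand-in for the vault section of
// APIServer.spec.encryption.kms. It is an assumption for this example and not
// the openshift/api or library-go type.
type VaultKMS struct {
	KMSPluginImage string // sidecar image; a wrong value is what leaves a revision stuck
	AppRoleSecret  string // name of the AppRole credentials secret
	TLSSecret      string // assumed: name of the secret holding plugin TLS material
	TransitKey     string
	TransitMount   string
	VaultAddress   string
	VaultNamespace string
}

// inPlaceFields are the fields assumed safe to patch into the latest key
// secret without waiting for revision convergence: they change how the
// sidecar runs or authenticates, not which key wraps the stored DEKs.
// Every other field is treated as migration-triggering (assumption).
var inPlaceFields = map[string]bool{
	"KMSPluginImage": true,
	"AppRoleSecret":  true,
	"TLSSecret":      true,
}

// Decision buckets the changed field names by how they may be applied.
type Decision struct {
	InPlace   []string
	Migration []string
}

// ApplyInPlace reports whether the change can be written to the current key
// secret now. Any migration-triggering field forces the whole update to wait,
// even if in-place fields changed alongside it.
func (d Decision) ApplyInPlace() bool {
	return len(d.Migration) == 0 && len(d.InPlace) > 0
}

// Classify compares old and new configs field by field and sorts the
// resulting buckets so callers get deterministic output.
func Classify(old, new VaultKMS) Decision {
	var d Decision
	ov, nv := reflect.ValueOf(old), reflect.ValueOf(new)
	for i := 0; i < ov.NumField(); i++ {
		name := ov.Type().Field(i).Name
		if ov.Field(i).String() == nv.Field(i).String() {
			continue
		}
		if inPlaceFields[name] {
			d.InPlace = append(d.InPlace, name)
		} else {
			d.Migration = append(d.Migration, name)
		}
	}
	sort.Strings(d.InPlace)
	sort.Strings(d.Migration)
	return d
}

// Constructed sample configs: "fixed" mirrors the tester's YAML above,
// "stuck" differs only in a made-up, non-existent plugin image tag.
var (
	stuck = VaultKMS{
		KMSPluginImage: "quay.io/openshifttest/mock-kms-plugin:does-not-exist",
		AppRoleSecret:  "vault-approle-secret",
		TransitKey:     "kms-key",
		TransitMount:   "transit",
		VaultAddress:   "https://vault.vault-kms.svc:8200",
		VaultNamespace: "admin",
	}
	fixed = VaultKMS{
		KMSPluginImage: "quay.io/openshifttest/mock-kms-plugin@sha256:03bb07a2c08b509653c4c70217a06a4b389c10b4d87922f50ee5eac82db5e140",
		AppRoleSecret:  "vault-approle-secret",
		TransitKey:     "kms-key",
		TransitMount:   "transit",
		VaultAddress:   "https://vault.vault-kms.svc:8200",
		VaultNamespace: "admin",
	}
)

func main() {
	d := Classify(stuck, fixed)
	fmt.Printf("image fix: %+v in-place=%v\n", d, d.ApplyInPlace())

	rotated := fixed
	rotated.TransitKey = "kms-key-2"
	d = Classify(fixed, rotated)
	fmt.Printf("key rotation: %+v in-place=%v\n", d, d.ApplyInPlace())
}
```

The only policy encoded here is the bucket map; the comparison loop is deliberately generic so that adding a field to the struct forces a conscious decision about which bucket it belongs in, which is the property that keeps a later field addition from silently bypassing convergence.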


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
