[WIP] CNTRLPLANE-2711: add vault kms plug configuration api

[flavianmissi]

No description provided.

[openshift-ci-robot]

@flavianmissi: This pull request references CNTRLPLANE-2711 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @flavianmissi! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Removed the KMSEncryptionProvider feature gate and its test YAML and feature-gate registration entries. Replaced AWS-specific KMS configuration with a Vault-based provider: added spec.encryption.kms.type: "Vault" and spec.encryption.kms.vault (fields include vaultAddress, kmsPluginImage, approleSecretRef, transitKey, optional tls and transitMount/vaultNamespace). Updated Go API annotations and CRD validations to reference the KMSEncryption feature gate and adjusted payload feature-gate manifests to remove KMSEncryptionProvider entries.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to evaluate relevance to the changeset.	Add a meaningful pull request description explaining the purpose, motivation, and scope of the Vault KMS plugin configuration API changes.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a Vault KMS plugin configuration API, which aligns with the core content of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test files with dynamic test names; all YAML test cases use static, deterministic names.
Test Structure And Quality	✅ Passed	This pull request does not introduce or modify any Ginkgo test code, making this check not applicable. The PR only modifies YAML test specification data files.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes consist of API type definitions, YAML test fixtures, CRD manifests, and feature gate configurations only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Pull request contains no new Ginkgo e2e tests, only API configuration and validation test updates.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only API schema and feature gate configuration changes with no deployment manifests, operator controllers, or pod scheduling specifications.
Ote Binary Stdout Contract	✅ Passed	PR modifies API definitions, feature gates, and CRD manifests with no process-level entry points or OTE test runners introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. The changes consist entirely of Go type definitions, API CRD manifests, feature gate registrations, and test configuration YAML files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 67-73: Add explicit Kubernetes validation markers to enforce the
documented bounds: annotate VaultNamespace, TransitMount, and TransitKey with
kubebuilder validation comments before each field (e.g. //
+kubebuilder:validation:MinLength=1 and //
+kubebuilder:validation:MaxLength=256) and keep the existing json tag
(json:"...,omitempty"). This ensures the CRD rejects empty strings and overly
long values for the VaultNamespace, TransitMount, and TransitKey fields.
- Around line 57-65: The VaultAddress field currently allows both http and
https; update its validation to require HTTPS only by changing the kubebuilder
XValidation rule on VaultAddress to match '^https://', update the validation
message to say "vaultAddress must be a valid URL starting with 'https://'...",
and ensure the example and any documentation reference use https (e.g.,
'https://vault.example.com:8200'); modify the comment and the
+kubebuilder:validation:XValidation line for VaultAddress in
types_kmsencryption.go accordingly.
- Around line 5-24: The change removed AWS KMS support and will break upgrades
for clusters with persisted AWS configs; restore backward compatibility by
either reintroducing AWS as a deprecated union member on KMSConfig (add
AWSKMSProvider value to KMSProviderType and an AWSKMSConfig struct as a
+unionMember with deprecation tags) and implement conversion logic in the API
conversion/webhook handlers to migrate existing AWSKMSConfig to the new model,
or implement and wire a documented controller migration path that detects
existing KMSConfig entries with AWS data and converts them to the new Vault-only
shape (or marks them as exempt) during upgrade; touch KMSConfig,
KMSProviderType, VaultKMSConfig, and add AWSKMSConfig/AWSKMSProvider identifiers
and ensure feature-gate annotations and validation rules account for
preserved/deprecated AWS entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 31c84276-1bd6-44d1-aef1-c88652b3bb69

📥 Commits

Reviewing files that changed from the base of the PR and between 464776f and 0e6ccdb.

⛔ Files ignored due to path filters (10)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (17)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/types_apiserver.go
• config/v1/types_kmsencryption.go
• features.md
• features/features.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (12)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• features/features.go
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• features.md
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

config/v1/types_kmsencryption.go (2)

67-73: ⚠️ Potential issue | 🟠 Major

Add the length validators promised by the API contract.

The documentation states bounds for vaultNamespace (1-256), transitMount (1-128), and transitKey (1-128), but the kubebuilder markers are missing. This allows empty strings and arbitrarily long values to pass schema validation, causing runtime failures instead of admission-time rejection.

Suggested fix for vaultNamespace (lines 67-73)

 	// vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted.
 	// This is only applicable for Vault Enterprise installations.
 	// The value can be between 1 and 256 characters.
 	// When this field is not set, no namespace is used.
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
 	// +optional
 	VaultNamespace string `json:"vaultNamespace,omitempty"`

Suggested fix for transitMount (lines 128-134)

 	// transitMount specifies the mount path of the Vault Transit engine.
 	// The value can be between 1 and 128 characters.
 	// When this field is not set, it defaults to "transit".
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
 	// +kubebuilder:default="transit"
 	// +optional
 	TransitMount string `json:"transitMount,omitempty"`

Suggested fix for transitKey (lines 136-141)

 	// transitKey specifies the name of the encryption key in Vault's Transit engine.
 	// This key is used to encrypt and decrypt data.
 	// The value must be between 1 and 128 characters.
 	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
 	// +required
 	TransitKey string `json:"transitKey,omitempty"`

Also applies to: 128-141

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 67 - 73, Add kubebuilder
validation markers to enforce the documented length bounds on the three Vault
fields: annotate VaultNamespace with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=256, annotate TransitMount with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=128,
and annotate TransitKey with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=128 so the API server rejects empty or overly
long values at admission time; ensure the markers appear immediately above the
corresponding struct fields VaultNamespace, TransitMount, and TransitKey.

---

57-65: ⚠️ Potential issue | 🟠 Major

Require HTTPS for the Vault endpoint.

Allowing http:// enables cleartext transmission of AppRole credentials and KMS traffic. The tlsVerify: SkipVerify option already covers insecure testing scenarios without disabling transport encryption entirely.

Suggested fix

-	// vaultAddress specifies the address of the HashiCorp Vault instance.
-	// The value must be a valid URL with scheme (http:// or https://) and can be up to 512 characters.
+	// vaultAddress specifies the address of the HashiCorp Vault instance.
+	// The value must be a valid HTTPS URL and can be up to 512 characters.
 	// Example: https://vault.example.com:8200
 	//
-	// +kubebuilder:validation:XValidation:rule="self.matches(r'^https?://')",message="vaultAddress must be a valid URL starting with 'http://' or 'https://' (e.g., 'https://vault.example.com:8200')."
+	// +kubebuilder:validation:XValidation:rule="self.matches(r'^https://')",message="vaultAddress must be a valid HTTPS URL (e.g., 'https://vault.example.com:8200')."
 	// +kubebuilder:validation:MaxLength=512
 	// +kubebuilder:validation:MinLength=1
 	// +required
 	VaultAddress string `json:"vaultAddress,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 57 - 65, The VaultAddress
field currently allows both http and https; change its validation to require
HTTPS only by updating the kubebuilder XValidation rule for VaultAddress
(symbol: VaultAddress) to match r'^https://', adjust the validation message to
state "vaultAddress must be a valid HTTPS URL starting with 'https://'" and keep
the MaxLength/MinLength/required tags intact so the API rejects non-HTTPS Vault
endpoints.

🧹 Nitpick comments (2)

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

342-346: Validation message references KMSEncryption feature gate but rule doesn't enforce it.

The message says "kms config is required when encryption type is KMS and KMSEncryption feature gate is enabled" but the CEL rule itself doesn't check the feature gate state—it just validates kms presence based on type == 'KMS'. This is likely correct behavior (the feature gate controls schema presence, not this runtime rule), but the message is potentially misleading.

Consider simplifying the message to match the actual rule behavior:

-- message: kms config is required when encryption type is KMS and
-    KMSEncryption feature gate is enabled, and forbidden otherwise
+- message: kms config is required when encryption type is KMS, and forbidden otherwise

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`
around lines 342 - 346, The validation message is misleading because it mentions
the KMSEncryption feature gate while the CEL rule only checks self.type and
self.kms; update the x-kubernetes-validations.message to reflect the actual rule
(e.g., "kms config is required when encryption type is 'KMS' and forbidden
otherwise") so it matches the rule for x-kubernetes-validations.rule that
evaluates has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms);
adjust only the message string associated with that rule.

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

342-346: Same validation message inconsistency as CustomNoUpgrade CRD.

The message mentions "KMSEncryption feature gate is enabled" but the CEL rule doesn't actually check feature gate state. Consider the same simplification suggested for the CustomNoUpgrade variant.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml`
around lines 342 - 346, The validation message for the x-kubernetes-validations
entry in the apiservers-TechPreviewNoUpgrade CRD is inconsistent with the CEL
rule: the message references "KMSEncryption feature gate is enabled" but the
rule only checks self.type and self.kms. Update the message to match the rule
(e.g., "kms config is required when encryption type is KMS and forbidden
otherwise") or, if you intend to gate on a feature flag, modify the CEL rule to
include that feature check; edit the x-kubernetes-validations -> message and/or
the rule that uses has(self.type) && self.type == 'KMS' ? has(self.kms) :
!has(self.kms) so they are consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 48-55: The validation regex for VaultKMSPluginImage rejects
repository names containing underscores; update the kubebuilder XValidation rule
on VaultKMSPluginImage to allow underscores in the repository path by changing
the character class for the path portion from [a-zA-Z0-9./-]+ to include
underscores (e.g., [a-zA-Z0-9._/-]+) so OCI-compliant names like
"registry.example.com/my_project/vault_plugin@sha256:..." pass validation while
preserving the rest of the pattern and MinLength/MaxLength constraints.

---

Duplicate comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 67-73: Add kubebuilder validation markers to enforce the
documented length bounds on the three Vault fields: annotate VaultNamespace with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=256,
annotate TransitMount with +kubebuilder:validation:MinLength=1 and
+kubebuilder:validation:MaxLength=128, and annotate TransitKey with
+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=128 so
the API server rejects empty or overly long values at admission time; ensure the
markers appear immediately above the corresponding struct fields VaultNamespace,
TransitMount, and TransitKey.
- Around line 57-65: The VaultAddress field currently allows both http and
https; change its validation to require HTTPS only by updating the kubebuilder
XValidation rule for VaultAddress (symbol: VaultAddress) to match r'^https://',
adjust the validation message to state "vaultAddress must be a valid HTTPS URL
starting with 'https://'" and keep the MaxLength/MinLength/required tags intact
so the API rejects non-HTTPS Vault endpoints.

---

Nitpick comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`:
- Around line 342-346: The validation message is misleading because it mentions
the KMSEncryption feature gate while the CEL rule only checks self.type and
self.kms; update the x-kubernetes-validations.message to reflect the actual rule
(e.g., "kms config is required when encryption type is 'KMS' and forbidden
otherwise") so it matches the rule for x-kubernetes-validations.rule that
evaluates has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms);
adjust only the message string associated with that rule.

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml`:
- Around line 342-346: The validation message for the x-kubernetes-validations
entry in the apiservers-TechPreviewNoUpgrade CRD is inconsistent with the CEL
rule: the message references "KMSEncryption feature gate is enabled" but the
rule only checks self.type and self.kms. Update the message to match the rule
(e.g., "kms config is required when encryption type is KMS and forbidden
otherwise") or, if you intend to gate on a feature flag, modify the CEL rule to
include that feature check; edit the x-kubernetes-validations -> message and/or
the rule that uses has(self.type) && self.type == 'KMS' ? has(self.kms) :
!has(self.kms) so they are consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b8d09f5-f990-4d5b-8bf2-27856efe1d7c

📥 Commits

Reviewing files that changed from the base of the PR and between 0e6ccdb and 9204eb8.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

✅ Files skipped from review due to trivial changes (1)

• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

config/v1/types_kmsencryption.go (1)

5-24: ⚠️ Potential issue | 🔴 Critical

Preserve an upgrade path for existing aws KMS configs.

This change removes aws from the public kms union and provider enum without a deprecated member or any migration path in the API surface. Clusters that already persisted spec.encryption.kms.aws under the previous gate will be rejected on upgrade once this validation becomes authoritative.

Also applies to: 27-33

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_kmsencryption.go` around lines 5 - 24, The KMS union removed
the previously allowed "aws" provider with no migration or deprecated field,
which will reject clusters that already have spec.encryption.kms.aws; restore
backward compatibility by reintroducing a deprecated/hidden union member for the
AWS provider (e.g. add an Aws *AWSKMSConfig `json:"aws,omitempty"` with
appropriate +optional and +deprecated markers or a FeatureGate-aware validation
exception) and keep the union discriminator Type KMSProviderType accepting the
old "aws" enum value (or add a deprecated enum entry) so existing persisted
KMSConfig objects with Type == "AWS" and the Aws member continue to validate
during upgrade while new API users are prevented from creating new AWS configs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 37-79: The CRD manifests are out of sync with the VaultKMSConfig
Go type: the Go struct now uses kmsPluginImage and a nested TLS struct
(VaultTLSConfig with caBundle and serverName) but the published CRDs still
expose vaultKMSPluginImage, flat tlsCA/tlsServerName/tlsVerify and old
http:///length validations; update the CRD schema to match the Go API by
renaming fields (vaultKMSPluginImage -> kmsPluginImage), nesting TLS under tls
with caBundle and serverName fields, removing the old http:// rule and
correcting MinLength/MaxLength rules to match KMSPluginImage and VaultAddress,
then regenerate the CRD manifests (e.g., run your controller-gen/CRD generation
or project make target) so the published YAML matches VaultKMSConfig,
KMSPluginImage, VaultAddress and TLS/VaultTLSConfig definitions.

---

Duplicate comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 5-24: The KMS union removed the previously allowed "aws" provider
with no migration or deprecated field, which will reject clusters that already
have spec.encryption.kms.aws; restore backward compatibility by reintroducing a
deprecated/hidden union member for the AWS provider (e.g. add an Aws
*AWSKMSConfig `json:"aws,omitempty"` with appropriate +optional and +deprecated
markers or a FeatureGate-aware validation exception) and keep the union
discriminator Type KMSProviderType accepting the old "aws" enum value (or add a
deprecated enum entry) so existing persisted KMSConfig objects with Type ==
"AWS" and the Aws member continue to validate during upgrade while new API users
are prevented from creating new AWS configs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 6481d801-9501-491c-91d0-022980739a42

📥 Commits

Reviewing files that changed from the base of the PR and between 9204eb8 and adcbfe4.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_kmsencryption.go`:
- Around line 56-60: The XValidation on vaultAddress (self.matches('^https://'))
only enforces the prefix and allows invalid values like "https://"; update the
validation to either enforce a full URL shape (replace the XValidation rule with
a stronger regex/pattern that requires a host and optional port/path, e.g.
require at least "https://<host>" semantics) or, if you prefer the lighter
check, change the documentation/message to state "must start with 'https://'" to
match the current rule; update the kubebuilder:XValidation rule and the
vaultAddress comment/message accordingly so they are consistent (referencing the
vaultAddress field and its XValidation rule).
- Line 50: The XValidation message still references the old field name
vaultKMSPluginImage; update the validation annotation on the kmsPluginImage
field so the message uses the new field name (kmsPluginImage) and keep the rest
of the guidance unchanged. Locate the kubebuilder XValidation tag shown and
replace "vaultKMSPluginImage" in the message with "kmsPluginImage" so admission
errors point to the correct field.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 55d2598e-91dd-493c-9853-e17140c344fb

📥 Commits

Reviewing files that changed from the base of the PR and between 42d4c42 and bd0b2a0.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (12)

• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (8)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

[openshift-ci]

@flavianmissi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-crdify	4e09913	link	true	/test verify-crdify
ci/prow/integration	4e09913	link	true	/test integration
ci/prow/verify-crd-schema	4e09913	link	true	/test verify-crd-schema

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.