Skip to content

WIP: Backport KMS TechPreview v1 API changes to 4.21 #2737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bertinatto wants to merge 3 commits into
base: release-4.21
Choose a base branch
from
Open

WIP: Backport KMS TechPreview v1 API changes to 4.21 #2737

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e91537f
Introduce KMSEncryption feature gate
ardaguclu Jan 26, 2026
e1c0dd5
Move KMSEncryptionProvider FG to DevPreview
ardaguclu Jan 26, 2026
a2258d5
make update
bertinatto Mar 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 0 additions & 69 deletions ...nerated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,69 +158,6 @@ spec:
description: encryption allows the configuration of encryption of
resources at the datastore layer.
properties:
kms:
description: |-
kms defines the configuration for the external KMS instance that manages the encryption keys,
when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
externally configured KMS instance.

The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
managing the lifecyle of the encryption keys outside of the control plane.
This allows integration with an external provider to manage the data encryption keys securely.
properties:
aws:
description: |-
aws defines the key config for using an AWS KMS instance
for the encryption. The AWS KMS instance is managed
by the user outside the purview of the control plane.
properties:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
`<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
Only lowercase letters and hyphens followed by numbers are allowed.
maxLength: 64
minLength: 1
type: string
x-kubernetes-validations:
- message: region must be a valid AWS region, consisting
of lowercase characters, digits and hyphens (-) only.
rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
required:
- keyARN
- region
type: object
type:
description: |-
type defines the kind of platform for the KMS provider.
Available provider types are AWS only.
enum:
- AWS
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: aws config is required when kms provider type is AWS,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws)
: !has(self.aws)'
type:
description: |-
type defines what encryption type should be used to encrypt resources at the datastore layer.
Expand All @@ -241,14 +178,8 @@ spec:
- identity
- aescbc
- aesgcm
- KMS
Copy link

@qodo-code-review qodo-code-review bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. kmsencryption tests missing 📘 Rule violation ⛯ Reliability

This PR introduces the KMSEncryption FeatureGate and changes the APIServer TechPreviewNoUpgrade
CRD schema to no longer allow type: KMS, but the existing validation tests still only target
KMSEncryptionProvider. Without adding/updating tests for the new gate and updated schema, these
API changes risk going unvalidated and regressing.
Agent Prompt 
## Issue description
The PR changes the APIServer encryption schema behavior (TechPreviewNoUpgrade CRD no longer allows `type: KMS`) and introduces a new FeatureGate (`KMSEncryption`), but the validation tests under `config/v1/tests/apiservers.config.openshift.io/` still only cover `KMSEncryptionProvider`.

## Issue Context
Per compliance, API/CRD changes must be accompanied by corresponding integration/validation tests under the API group's `tests/` directory.

## Fix Focus Areas
- features/features.go[653-667]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml[157-183]
- config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml[1-20]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Down
3 changes: 2 additions & 1 deletion features.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
| ClusterAPIMachineManagementVSphere| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | |
| Example2| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | |
| ExternalSnapshotMetadata| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | |
| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | |
| NewOLMCatalogdAPIV1Metas| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> |
| NewOLMOwnSingleNamespace| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> |
| NewOLMPreflightPermissionChecks| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> |
Expand Down Expand Up @@ -52,7 +53,7 @@
| InsightsConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| InsightsOnDemandDataGather| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| IrreconcilableMachineConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| KMSEncryption| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| MachineAPIMigration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| ManagedBootImagesCPMS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| MaxUnavailableStatefulSet| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
Expand Down
10 changes: 9 additions & 1 deletion features/features.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -655,9 +655,17 @@ var (
contactPerson("swghosh").
productScope(ocpSpecific).
enhancementPR("https://github.com/openshift/enhancements/pull/1682").
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
enableIn(configv1.DevPreviewNoUpgrade).
Copy link
Member Author

@bertinatto bertinatto Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to do this in 4.21 as well? Or should we just introduce KMSEncryption?

mustRegister()

FeatureGateKMSEncryption = newFeatureGate("KMSEncryption").
reportProblemsToJiraComponent("kube-apiserver").
contactPerson("ardaguclu").
productScope(ocpSpecific).
enhancementPR("https://github.com/openshift/enhancements/pull/1900").
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()

FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").
reportProblemsToJiraComponent("Two Node with Arbiter").
contactPerson("eggfoobar").
Expand Down
2 changes: 1 addition & 1 deletion openapi/openapi.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9881,7 +9881,7 @@
"$ref": "#/definitions/com.github.openshift.api.config.v1.PKI"
},
"policyType": {
"description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.",
"description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
"type": "string",
"default": ""
},
Expand Down
69 changes: 0 additions & 69 deletions payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,69 +158,6 @@ spec:
description: encryption allows the configuration of encryption of
resources at the datastore layer.
properties:
kms:
description: |-
kms defines the configuration for the external KMS instance that manages the encryption keys,
when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
externally configured KMS instance.

The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
managing the lifecyle of the encryption keys outside of the control plane.
This allows integration with an external provider to manage the data encryption keys securely.
properties:
aws:
description: |-
aws defines the key config for using an AWS KMS instance
for the encryption. The AWS KMS instance is managed
by the user outside the purview of the control plane.
properties:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
`<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
Only lowercase letters and hyphens followed by numbers are allowed.
maxLength: 64
minLength: 1
type: string
x-kubernetes-validations:
- message: region must be a valid AWS region, consisting
of lowercase characters, digits and hyphens (-) only.
rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
required:
- keyARN
- region
type: object
type:
description: |-
type defines the kind of platform for the KMS provider.
Available provider types are AWS only.
enum:
- AWS
type: string
required:
- type
type: object
x-kubernetes-validations:
- message: aws config is required when kms provider type is AWS,
and forbidden otherwise
rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws)
: !has(self.aws)'
type:
description: |-
type defines what encryption type should be used to encrypt resources at the datastore layer.
Expand All @@ -241,14 +178,8 @@ spec:
- identity
- aescbc
- aesgcm
- KMS
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Down
3 changes: 3 additions & 0 deletions payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
Comment on lines +135 to 140
Copy link

@qodo-code-review qodo-code-review bot Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Kmsencryption enabled in default 🐞 Bug ✓ Correctness

The Default payload FeatureGate manifests enable KMSEncryption, but the feature gate registry only
enables it for DevPreviewNoUpgrade and TechPreviewNoUpgrade. This mismatch is likely to fail
hack/verify-payload-featuregates.sh (generated manifests won’t match) and/or unintentionally turn on
the gate for Default clusters.
Agent Prompt 
### Issue description
`KMSEncryption` is listed as **enabled** in the **Default** payload FeatureGate manifests, but the feature-gate registry enables it only for `DevPreviewNoUpgrade` and `TechPreviewNoUpgrade`. This creates a drift that is expected to fail `hack/verify-payload-featuregates.sh` (regen + diff) and/or unintentionally enable the gate for Default clusters.

### Issue Context
- Feature gate registry is in `features/features.go`.
- Payload featuregate manifests are expected to be generated from `features.AllFeatureSets()` (see `hack/verify-payload-featuregates.sh`).

### Fix Focus Areas
- payload-manifests/featuregates/featureGate-Hypershift-Default.yaml[125-142]
- payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml[130-146]
- features/features.go[653-667]
- hack/verify-payload-featuregates.sh[5-10]

### Expected fix
Option A (recommended): remove `KMSEncryption` from the Default payload manifests and regenerate via `hack/update-payload-featuregates.sh`.

Option B: if Default is intended, add `configv1.Default` to `FeatureGateKMSEncryption.enableIn(...)` and regenerate manifests + update docs accordingly.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Expand Down
3 changes: 3 additions & 0 deletions payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
Expand Down
5 changes: 4 additions & 1 deletion payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@
{
"name": "ExternalSnapshotMetadata"
},
{
"name": "KMSEncryptionProvider"
},
{
"name": "MachineAPIOperatorDisableMachineHealthCheckController"
},
Expand Down Expand Up @@ -218,7 +221,7 @@
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryptionProvider"
"name": "KMSEncryption"
},
{
"name": "KMSv1"
Expand Down
3 changes: 3 additions & 0 deletions payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
Expand Down
3 changes: 3 additions & 0 deletions payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
Expand Down
5 changes: 4 additions & 1 deletion payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@
{
"name": "HyperShiftOnlyDynamicResourceAllocation"
},
{
"name": "KMSEncryptionProvider"
},
{
"name": "MachineAPIOperatorDisableMachineHealthCheckController"
},
Expand Down Expand Up @@ -200,7 +203,7 @@
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryptionProvider"
"name": "KMSEncryption"
},
{
"name": "KMSv1"
Expand Down