Skip to content

kms to kms key identifier check#941

Open
gangwgr wants to merge 3 commits into
openshift:masterfrom
gangwgr:kmstokms
Open

kms to kms key identifier check#941
gangwgr wants to merge 3 commits into
openshift:masterfrom
gangwgr:kmstokms

Conversation

@gangwgr

@gangwgr gangwgr commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

kms to kms key identifier check

Summary by CodeRabbit

  • Tests
    • Strengthened end-to-end encryption assertions for token-of-life data, now explicitly verifying encryption via KMS with the expected write key/selector during migration scenarios.
  • Chores
    • Updated the module dependency by switching to a forked library via a versioned replacement.
    • Performed a small import ordering cleanup in test support code.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a6c665fe-c238-4426-af2f-65033d707981

📥 Commits

Reviewing files that changed from the base of the PR and between 5b02176 and c858190.

⛔ Files ignored due to path filters (11)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/assets/kms-preflight-pod.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/checker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/cmd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/deployer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/pod_status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/pod_template.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/assertion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • Untitled
  • go.mod
  • test/e2e-encryption-kms/encryption_kms_2.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • Untitled
  • test/e2e-encryption-kms/encryption_kms_2.go
  • go.mod

Walkthrough

This PR redirects github.com/openshift/library-go to a forked module version, reorders imports in a test helper, and changes an e2e KMS encryption assertion to check a specific write key.

Changes

Dependency and test helper updates

Layer / File(s) Summary
Module replacement
Untitled, go.mod
Updates the library-go module resolution to github.com/gangwgr/library-go with pinned pseudo-versions.
Test helper imports
test/library/waits.go
Reorders Kubernetes-related imports ahead of standard-library imports.
KMS token assertion
test/e2e-encryption-kms/encryption_kms_2.go
Replaces the generic encryption check with a custom assertion that verifies KMS write-key details for the token-of-life resource.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: atiratree


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error New KMS assertion logs raw etcd bytes (raw head) on failures, and it is used on OAuth token data, which could expose tokens if encryption is wrong. Remove raw-data logging from AssertEtcdValueEncryptedWithOperatorKeyID; log only non-sensitive metadata (resource, key ID, namespace) or a hash.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and refers to the KMS-to-KMS key identifier check that the PR adjusts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Touched Ginkgo titles are static strings; no pod/namespace/UUID/timestamp/node-derived values appear in the modified test files.
Test Structure And Quality ✅ Passed PASS: The new assertion follows existing encryption-test patterns, uses shared helpers with bounded timeouts, and adds no new setup/cleanup or assertion-quality issues.
Microshift Test Compatibility ✅ Passed No new Ginkgo specs were added; the PR only tightens an existing KMS encryption assertion, with no new MicroShift-incompatible API usage.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The PR only tightens KMS encryption assertions on a token resource; it adds no node/HA assumptions and no new SNO-sensitive Ginkgo test.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The only topology-sensitive field (master nodeSelector/tolerations) preexisted; this patch adds RBAC/test changes and no new scheduling constraints.
Ote Binary Stdout Contract ✅ Passed PASS: The PR only changes a test assertion, import order, and a go.mod replace; no main/init/TestMain/suite-level stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The added e2e test uses only cluster-internal KMS/Vault helpers and token asserts; no hardcoded IPv4, IPv6-hostile URL building, or public internet connectivity found.
No-Weak-Crypto ✅ Passed No weak-crypto APIs or insecure token comparisons were added; the diff only adds KMS assertion logic and dependency metadata.
Container-Privileges ✅ Passed No touched manifest sets privileged, hostPID/Network/IPC, allowPrivilegeEscalation, SYS_ADMIN, or runAsUser=0; the pod YAML only defines SA, tolerations, and resources.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from flavianmissi and p0lyn0mial July 3, 2026 07:27
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/e2e-encryption-kms/encryption_kms_2.go (1)

43-44: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicated namespace/label-selector literals.

"openshift-config-managed" and the component label selector string at Lines 43-44 duplicate the values already set in the BasicScenario literal at Lines 30-31. Consider referencing local variables to avoid drift if either changes.

♻️ Suggested consolidation
+	namespace := "openshift-config-managed"
+	labelSelector := "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver"
+
 	library.TestEncryptionProvidersMigration(ctx, t, library.ProvidersMigrationScenario{
 		BasicScenario: library.BasicScenario{
-			Namespace:                       "openshift-config-managed",
-			LabelSelector:                   "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
+			Namespace:                       namespace,
+			LabelSelector:                   labelSelector,
 			...
 		},
 		AssertResourceEncryptedFunc: func(t testing.TB, cs library.ClientSet, resource runtime.Object) {
 			library.AssertTokenOfLifeEncrypted(t, cs, resource)
-			library.AssertKMSEncryptedWithWriteKey(t, cs.Kube, "openshift-config-managed",
-				"encryption.apiserver.operator.openshift.io/component=openshift-oauth-apiserver",
+			library.AssertKMSEncryptedWithWriteKey(t, cs.Kube, namespace, labelSelector,
 				[]byte(library.GetRawTokenOfLife(t, cs)),
 				library.AuthTargetGRs[0],
 			)
 		},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms_2.go` around lines 43 - 44, The
namespace and label-selector literals in the KMS encryption assertion are
duplicated from the BasicScenario setup, so update the call in the
encryption_kms_2 test to reuse the existing local values instead of hardcoding
them. Use the BasicScenario fields/variables already initialized in this test to
keep the namespace and component selector in sync with the scenario
configuration.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-encryption-kms/encryption_kms_2.go`:
- Around line 43-44: The namespace and label-selector literals in the KMS
encryption assertion are duplicated from the BasicScenario setup, so update the
call in the encryption_kms_2 test to reuse the existing local values instead of
hardcoding them. Use the BasicScenario fields/variables already initialized in
this test to keep the namespace and component selector in sync with the scenario
configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e6f33694-055f-4a92-935d-9b53742d6eb9

📥 Commits

Reviewing files that changed from the base of the PR and between 2fbe1fb and 5b02176.

⛔ Files ignored due to path filters (11)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/assets/kms-preflight-pod.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/checker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/cmd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/deployer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/pod_status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/preflight/pod_template.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/assertion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (4)
  • Untitled
  • go.mod
  • test/e2e-encryption-kms/encryption_kms_2.go
  • test/library/waits.go

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@gangwgr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-agnostic c858190 link true /test e2e-agnostic
ci/prow/e2e-gcp-operator-disruptive c858190 link true /test e2e-gcp-operator-disruptive

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant