@ardaguclu ardaguclu commented Jan 26, 2026

User description

This is a manual backport of #2669


PR Type

Bug fix


Description

  • Relax KMS validation rule to allow nil KMSConfig when type is KMS

  • Update validation message to clarify kms config is only forbidden for non-KMS types

  • Modify test case to verify nil kms config is now accepted with KMS type

  • Regenerate all CRD manifests and OpenAPI specs with updated validation rules


Diagram Walkthrough

flowchart LR
  A["Old validation rule:<br/>KMS type requires kms config"] -->|"Relax constraint"| B["New validation rule:<br/>Only forbid kms config for non-KMS types"]
  B --> C["Updated test cases"]
  B --> D["Regenerated CRD manifests"]
  B --> E["Updated OpenAPI spec"]

File Walkthrough

Relevant files

Bug fix (1 file)
  • types_apiserver.go: Update KMS validation rule to allow nil config (+1/-1)

Tests (1 file)
  • KMSEncryptionProvider.yaml: Update test to verify nil kms config acceptance (+10/-4)

Configuration changes (7 files)
  • 0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml: Regenerate CRD with updated validation rule (+2/-4)
  • 0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml: Regenerate CRD with updated validation rule (+2/-4)
  • 0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml: Regenerate CRD with updated validation rule (+2/-4)
  • KMSEncryptionProvider.yaml: Regenerate featuregated CRD with updated validation (+2/-4)
  • 0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml: Regenerate payload CRD with updated validation rule (+2/-4)
  • 0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml: Regenerate payload CRD with updated validation rule (+2/-4)
  • 0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml: Regenerate payload CRD with updated validation rule (+2/-4)

Documentation (1 file)
  • openapi.json: Remove feature gate reference from description (+1/-1)

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 26, 2026
openshift-ci-robot commented Jan 26, 2026

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.


openshift-ci bot commented Jan 26, 2026

Hello @ardaguclu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

coderabbitai bot commented Jan 26, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 26, 2026
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Encryption misconfiguration

Description: Relaxing the validation to allow spec.encryption.type: KMS with spec.encryption.kms unset
may permit an encryption-at-rest misconfiguration (e.g., operator/controller behavior
could fall back to a weaker/default provider or fail open), so reviewers should verify
runtime behavior when KMS is selected but no KMS provider config is supplied.
types_apiserver.go [178-178]

Referred Code
// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
// +union
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Nil KMS edge case: The updated validation allows type: KMS with a missing kms configuration, which may lead
to a runtime failure or unclear behavior unless downstream consumers explicitly handle the
nil/empty KMS config case.

Referred Code
// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
// +union


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Relaxed validation risk: By relaxing the schema rule to permit a nil kms config when self.type is KMS, the API may
accept potentially insecure or non-functional encryption configurations unless other
layers enforce completeness.

Referred Code
// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
// +union


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

openshift-ci bot commented Jan 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Suggestion: Simplify KMS validation rule

Simplify the CEL validation expression by replacing the ternary operator with a
more direct logical OR.

config/v1/types_apiserver.go [178]

-// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type == 'KMS' || !has(self.kms)",message="kms config is forbidden when encryption type is not KMS"
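Review bot: The rule on the `+` line, `self.type == 'KMS' || !has(self.kms)`, accepts exactly the same objects as the ternary on the `-` line, so both forms still admit `type: KMS` with `kms` unset, and the message only describes the forbidden direction. If a KMS configuration is meant to be mandatory at some later layer, add a comment beside this marker naming where that is enforced, so the relaxed rule is not read as the complete check.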
Suggestion importance [1-10]: 4

Why: The suggestion correctly identifies that the CEL expression can be simplified to self.type == 'KMS' || !has(self.kms), which improves readability and maintainability.

Impact: Low

openshift-ci bot commented Jan 26, 2026

@ardaguclu: all tests passed!


@ardaguclu

/cc @benluddy @bertinatto @p0lyn0mial

@ardaguclu

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 26, 2026