From 1f7dfcd692f82dbf14d4384a589141c5b7b86402 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?= Date: Mon, 26 Jan 2026 10:51:09 +0300 Subject: [PATCH] Loosen KMS validation to allow nil KMSConfig --- .../KMSEncryptionProvider.yaml | 14 ++++++++++---- config/v1/types_apiserver.go | 2 +- ...operator_01_apiservers-CustomNoUpgrade.crd.yaml | 6 ++---- ...ator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 6 ++---- ...tor_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 6 ++---- .../KMSEncryptionProvider.yaml | 6 ++---- openapi/openapi.json | 2 +- ...operator_01_apiservers-CustomNoUpgrade.crd.yaml | 6 ++---- ...ator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 6 ++---- ...tor_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 6 ++---- 10 files changed, 26 insertions(+), 34 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 59386f7de22..30a0cc4d7d7 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -54,16 +54,22 @@ tests: aws: keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a region: us-east-1 - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config + expectedError: "kms config is forbidden when encryption type is not KMS" + - name: Should be able to create with KMS type and nil kms config initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS - name: Should fail to create with kms type AWS but without aws config initial: | apiVersion: config.openshift.io/v1 
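Review bot: The `kms: {}` case (`Should fail to create with an empty KMS config`, expecting `spec.encryption.kms.type: Required value`) is replaced by the new positive case rather than kept next to it, so this file no longer pins that an empty `kms` object under `type: KMS` is still rejected; with the loosened top-level rule that rejection now rests entirely on the nested kms type's own required discriminator, which is exactly the check worth keeping a regression test for. I would restore the removed case alongside `Should be able to create with KMS type and nil kms config`. The new rule also drops the `has(self.type)` guard, but no case in this hunk creates an `encryption:` block with neither `type` nor `kms` set; unless that is covered elsewhere in the file, add a case such as `- name: Should be able to create with encryption set but type unset` whose initial object has `spec: {encryption: {}}`, so a CEL evaluation error on an unset `type` surfaces here rather than at cluster admission.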
diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
index 0afe7b1d8de..8c94a3a0acf 100644
--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -175,7 +175,7 @@ type APIServerNamedServingCert struct {
 }
 // APIServerEncryption is used to encrypt sensitive resources on the cluster.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
 // +union
 type APIServerEncryption struct {
 // type defines what encryption type should be used to encrypt resources at the datastore layer.
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index f4416bf9b3c..9f1479710d2 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
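Review bot: The rewritten rule dereferences `self.type` unguarded, while the removed rule wrapped it in `has(self.type)`; `type` is the union discriminator and, as far as this hunk shows, carries no default, and CEL treats reading an absent field without a default as an evaluation error that the API server reports as a validation failure, so an object with `encryption: {}` (type unset, no kms) would now be rejected where it previously passed. Keep the guard, e.g. `rule="has(self.type) && self.type == 'KMS' || !has(self.kms)"`, which behaves identically when `type` is set and stays permissive when it is not. Separately, the change now admits `type: KMS` with no `kms` block, but neither this marker comment nor the message says what that state means; the struct (or the `kms` field) doc should state it, e.g. whether the operator waits for the config or reports the encryption as not yet configured, which I cannot confirm from here. `APIServerEncryption`'s body, including the `type` and `kms` field docs, continues outside the hunk.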
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index bfeefa11f36..cb03eaa21b5 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index a49976e0dfd..c8f05f1b285 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
index a3919b9a489..121f7efa4ae 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/openapi/openapi.json b/openapi/openapi.json
index 38dd8f68ff7..dfd633b2aa6 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -9881,7 +9881,7 @@
 "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI"
 },
 "policyType": {
- "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.",
+ "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
 "type": "string",
 "default": ""
 },
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index f4416bf9b3c..9f1479710d2 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index bfeefa11f36..cb03eaa21b5 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index a49976e0dfd..c8f05f1b285 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -245,10 +245,8 @@ spec:
 type: string
 type: object
 x-kubernetes-validations:
- - message: kms config is required when encryption type is KMS, and
- forbidden otherwise
- rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
- !has(self.kms)'
+ - message: kms config is forbidden when encryption type is not KMS
+ rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
 servingCerts:
 description: |-
 servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates