Original file line number Diff line number Diff line change
Expand Up @@ -54,16 +54,22 @@ tests:
aws:
keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: us-east-1
expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise"
- name: Should fail to create with an empty KMS config
expectedError: "kms config is forbidden when encryption type is not KMS"
- name: Should be able to create with KMS type and nil kms config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms: {}
expectedError: "spec.encryption.kms.type: Required value"
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
- name: Should fail to create with kms type AWS but without aws config
initial: |
apiVersion: config.openshift.io/v1
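Review bot: the `Should fail to create with an empty KMS config` test (the `kms: {}` case expecting `spec.encryption.kms.type: Required value`) is removed here rather than kept beside the new `Should be able to create with KMS type and nil kms config` test. The relaxed rule only drops the requirement that `kms` be present when `type: KMS`; an explicitly empty `kms: {}` should still be rejected by the nested required `kms.type`, and deleting that case leaves the difference between an absent and an empty KMS config untested. Suggest restoring the `kms: {}` test with its original `expectedError` so the new test documents "nil is allowed" and the old one documents "empty is not".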
2 changes: 1 addition & 1 deletion config/v1/types_apiserver.go
Expand Up @@ -175,7 +175,7 @@ type APIServerNamedServingCert struct {
}

// APIServerEncryption is used to encrypt sensitive resources on the cluster.
// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
// +union
type APIServerEncryption struct {
// type defines what encryption type should be used to encrypt resources at the datastore layer.
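Review bot: the new rule drops the `has(self.type)` guard the old rule carried. `self.type != 'KMS' ? !has(self.kms) : true` dereferences `type` unconditionally; the old `has(self.type) &&` suggests `type` can be absent, and if it can, CEL evaluation of `self.type` on an unset field fails with an evaluation error and the object is rejected without the intended message. Suggest `!has(self.type) || self.type != 'KMS' ? !has(self.kms) : true`, which can also be written without the ternary as `(has(self.type) && self.type == 'KMS') || !has(self.kms)`. Separately, `types_apiserver.go` changes only this one line (1 addition, 1 deletion), so the doc comments on the `type` and `kms` fields still describe the old contract; they should state that a `KMS` type may now be created with no `kms` config, since consumers of this config (the operator acting on it) must handle that combination.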
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
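Review bot: this generated hunk, and the identical ones for the other feature-set manifests below, match the new marker in `types_apiserver.go`, so there is nothing to fix here beyond the rule itself. Whatever change lands on the Go marker (for example re-adding a `has(self.type)` guard) needs a regeneration so these manifests stay in sync, because the CRD `x-kubernetes-validations` block is what the apiserver actually enforces, not the Go comment.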
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
2 changes: 1 addition & 1 deletion openapi/openapi.json
Expand Up @@ -9881,7 +9881,7 @@
"$ref": "#/definitions/com.github.openshift.api.config.v1.PKI"
},
"policyType": {
"description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.",
"description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
"type": "string",
"default": ""
},
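Review bot: this hunk is unrelated to the KMS rule change. It drops the sentence "This value is enabled by turning on the SigstoreImageVerificationPKI feature gate." from the `policyType` description in `openapi/openapi.json`, while the only Go source edit in this PR is the one-line marker change in `types_apiserver.go`; the generated OpenAPI was therefore already out of step with its source and regeneration is picking up someone else's drift. Worth confirming the removal is intended (the feature-gate status of the `PKI` policy type is something users of this API rely on) and, if it is, landing it as its own change so the history of the KMS validation relaxation is not mixed with an unrelated description edit.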
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
Expand Up @@ -245,10 +245,8 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
- message: kms config is forbidden when encryption type is not KMS
rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates