WIP: remove kms encryption from TechPreview feature gate

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -158,69 +158,6 @@ spec:
                 description: encryption allows the configuration of encryption of
                   resources at the datastore layer.
                 properties:
-                  kms:
-                    description: |-
-                      kms defines the configuration for the external KMS instance that manages the encryption keys,
-                      when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
-                      externally configured KMS instance.
-
-                      The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
-                      managing the lifecyle of the encryption keys outside of the control plane.
-                      This allows integration with an external provider to manage the data encryption keys securely.
-                    properties:
-                      aws:
-                        description: |-
-                          aws defines the key config for using an AWS KMS instance
-                          for the encryption. The AWS KMS instance is managed
-                          by the user outside the purview of the control plane.
-                        properties:
-                          keyARN:
-                            description: |-
-                              keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-                              The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
-                              - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
-                              - `<account_id>` is a 12-digit numeric identifier for the AWS account.
-                              - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
-                            maxLength: 128
-                            minLength: 1
-                            type: string
-                            x-kubernetes-validations:
-                            - message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
-                                The account ID must be a 12 digit number and the region
-                                and key ID should consist only of lowercase hexadecimal
-                                characters and hyphens (-).
-                              rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
-                          region:
-                            description: |-
-                              region specifies the AWS region where the KMS instance exists, and follows the format
-                              `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
-                              Only lowercase letters and hyphens followed by numbers are allowed.
-                            maxLength: 64
-                            minLength: 1
-                            type: string
-                            x-kubernetes-validations:
-                            - message: region must be a valid AWS region, consisting
-                                of lowercase characters, digits and hyphens (-) only.
-                              rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')
-                        required:
-                        - keyARN
-                        - region
-                        type: object
-                      type:
-                        description: |-
-                          type defines the kind of platform for the KMS provider.
-                          Available provider types are AWS only.
-                        enum:
-                        - AWS
-                        type: string
-                    required:
-                    - type
-                    type: object
-                    x-kubernetes-validations:
-                    - message: aws config is required when kms provider type is AWS,
-                        and forbidden otherwise
-                      rule: 'has(self.type) && self.type == ''AWS'' ?  has(self.aws)
-                        : !has(self.aws)'
                   type:
                     description: |-
                       type defines what encryption type should be used to encrypt resources at the datastore layer.
@@ -241,14 +178,8 @@ spec:
                     - identity
                     - aescbc
                     - aesgcm
-                    - KMS
                     type: string
                 type: object
-                x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

features.md

@@ -10,6 +10,7 @@
 | Example2| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
 | ExternalSnapshotMetadata| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
 | IngressControllerDynamicConfigurationManager| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
+| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
 | NewOLMCatalogdAPIV1Metas| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMOwnSingleNamespace| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMPreflightPermissionChecks| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
@@ -50,7 +51,6 @@
 | InsightsConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsOnDemandDataGather| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | IrreconcilableMachineConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MachineAPIMigration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ManagedBootImagesCPMS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MaxUnavailableStatefulSet| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |

features/features.go

@@ -648,7 +648,7 @@ var (
 						contactPerson("swghosh").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1682").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableIn(configv1.DevPreviewNoUpgrade).
 						mustRegister()
 
 	FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml

@@ -35,6 +35,9 @@
                     {
                         "name": "IngressControllerDynamicConfigurationManager"
                     },
+                    {
+                        "name": "KMSEncryptionProvider"
+                    },
                     {
                         "name": "MachineAPIOperatorDisableMachineHealthCheckController"
                     },
@@ -208,9 +211,6 @@
                     {
                         "name": "IrreconcilableMachineConfig"
                     },
-                    {
-                        "name": "KMSEncryptionProvider"
-                    },
                     {
                         "name": "KMSv1"
                     },

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml

@@ -35,6 +35,9 @@
                     {
                         "name": "IngressControllerDynamicConfigurationManager"
                     },
+                    {
+                        "name": "KMSEncryptionProvider"
+                    },
                     {
                         "name": "MachineAPIOperatorDisableMachineHealthCheckController"
                     },
@@ -190,9 +193,6 @@
                     {
                         "name": "IrreconcilableMachineConfig"
                     },
-                    {
-                        "name": "KMSEncryptionProvider"
-                    },
                     {
                         "name": "KMSv1"
                     },