67 changes: 67 additions & 0 deletions config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
@@ -0,0 +1,67 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryption
tests:
onCreate:
- name: Should be able to create with KMS type without kms config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
- name: Should be able to create with aescbc encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aescbc
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aescbc
- name: Should be able to create with aesgcm encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: aesgcm
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: aesgcm
- name: Should be able to create with identity encryption
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: identity
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: identity
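Review bot: the four cases here only prove that each enum value is accepted under a gate list of just `KMSEncryption`, but nothing in the file pins down the behaviour that distinguishes this gate from `KMSEncryptionProvider`, namely that `type: KMS` is admitted with no `kms` stanza at all. Add a negative case asserting that `type: KMS` together with a `kms:` block is rejected when only this gate is on, and, as the review thread suggests, add the negated provider gate to `featureGates` so the file cannot silently pass under the superset behaviour when both gates are enabled in the same feature set.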
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if w
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- KMSEncryptionProvider
- KMSEncryptionProvider
tests:
onCreate:
- name: Should be able to create encrypt with KMS for AWS with valid values
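Review bot: the removed and added `- KMSEncryptionProvider` lines read identically after rendering, so this looks like an indentation or quoting change only; that is worth confirming, because a change in how the `featureGates` list is nested decides which gate the whole file runs under and would not be caught by the tests themselves.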
@@ -64,7 +64,7 @@ tests:
type: KMS
kms: {}
expectedError: "spec.encryption.kms.type: Required value"
- name: Should fail to create with kms type AWS but without aws config
- name: Should fail to create with kms type AWS but without aws config
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
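Review bot: the `expectedError: "spec.encryption.kms.type: Required value"` context line shows that under `KMSEncryptionProvider` a `type: KMS` with an empty `kms: {}` is rejected, whereas the new `KMSEncryption` test file expects `type: KMS` without any `kms` config to succeed. While both gates are enabled in the same feature set a cluster shows the stricter provider behaviour, so the divergence is invisible until the gates are separated; the thread's decision to move `KMSEncryptionProvider` to DevPreview should land in the same change so the two test files describe what users actually get.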
1 change: 1 addition & 0 deletions config/v1/types_apiserver.go
@@ -212,6 +212,7 @@ type APIServerEncryption struct {

// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS

Contributor
won't this flag also be on for TP ? If yes, will it allow for setting an empty KMSConfig ?

@ardaguclu ardaguclu Jan 26, 2026
Member Author
@JoelSpeed on a TP enabled cluster, won't this old feature gate be enabled too? Won't this create conflicting behavior? i.e. KMSEncryption allows simply the KMS enum but KMSEncryptionProvider does not allow it.

Contributor
@JoelSpeed is there a way to write an integration / unit test that would enable these two FG ?

Member Author
Or each feature gate needs to be explicitly enabled on the cluster, so that we would just assume that the user will enable KMSEncryption but not KMSEncryptionProvider.

Contributor
Currently yes, on a TP cluster you would see the old/existing behaviour. If you promoted the feature KMSEncryption to default, you would not be able to set the KMS field because it wouldn't exist.

If you are concerned about the interactions between them/testing both, you can either disable KMSEncryptionProvider from TechPreview and move it back to just DevPreview, or we can set up tests that require both gates, just one gate, or one gate but not the other. In the test files where you specify the gates, prefix with - to negate the inclusion.

Contributor
> Won't this create conflicting behavior? i.e. KMSEncryption allows simply the KMS enum but KMSEncryptionProvider does not allow it.

You'd currently observe just the behaviour of the KMSEncryptionProvider feature gate, as it's a superset of the new gate.

Member Author
I think we are both fine with moving KMSEncryptionProvider to DevPreview.

Member Author
I've moved KMSEncryptionProvider FG to DevPreview.

// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
type EncryptionType string

const (
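Review bot: the new `FeatureGateAwareEnum` marker keyed to `KMSEncryption` admits the same `KMS` value as the existing `KMSEncryptionProvider` marker, and with both gates enabled in one feature set the generated CRD carries the union, so (as the thread says) a user still observes the provider gate's stricter `kms` sub-field validation. Add a one-line comment above the two markers recording that `KMS` under `KMSEncryption` is intended to be valid without a `kms` config, so the looser enum is not later "corrected" away, and keep the marker order stable since the generated enum lists depend on it.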
1 change: 1 addition & 0 deletions config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
Capability: ""
Category: ""
FeatureGates:
- KMSEncryption
- KMSEncryptionProvider
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
1 change: 1 addition & 0 deletions features.md
@@ -56,6 +56,7 @@
| InsightsConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| InsightsOnDemandDataGather| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| IrreconcilableMachineConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| KMSEncryption| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| MachineAPIMigration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
| ManagedBootImagesCPMS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
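Review bot: the generated `KMSEncryption` row is enabled in exactly the same columns as the `KMSEncryptionProvider` row directly below it, which is the overlapping-gate state the thread identifies. After `KMSEncryptionProvider` is moved back to DevPreview, regenerate this table; the two rows diverging in the TechPreview column is the simplest check that the gates no longer coexist there.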
8 changes: 8 additions & 0 deletions features/features.go
@@ -674,6 +674,14 @@ var (
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()

FeatureGateKMSEncryption = newFeatureGate("KMSEncryption").
reportProblemsToJiraComponent("kube-apiserver").
contactPerson("ardaguclu").
productScope(ocpSpecific).
enhancementPR("https://github.com/openshift/enhancements/pull/1900").
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()

FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").
reportProblemsToJiraComponent("Two Node with Arbiter").
contactPerson("eggfoobar").
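Review bot: `enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade)` puts `KMSEncryption` into TechPreview alongside `KMSEncryptionProvider`, and the thread's resolution (dropping the provider gate to DevPreview) is not part of this commit, so as committed the two gates overlap. Either include that change here or state in the commit message that it follows separately; the gate registration itself (Jira component, contact, enhancement PR) is complete.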
29 changes: 17 additions & 12 deletions openapi/openapi.json
@@ -9533,7 +9533,7 @@
}
},
"com.github.openshift.api.config.v1.OIDCClientConfig": {
"description": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method",
"description": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.",
"type": "object",
"required": [
"componentName",
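Review bot: none of the `openapi.json` hunks in this commit relate to KMS encryption: this one changes only the trailing period of the `OIDCClientConfig` description, and the later ones touch the platform `type` allowed-values list and the Pacemaker fencing-agent and `nodeName` fields. That pattern suggests a regeneration on a stale base picking up already-merged changes; rebase and regenerate so the commit carries only KMS-related generated output and a reviewer can tell which edits are intentional.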
@@ -10252,7 +10252,7 @@
"$ref": "#/definitions/com.github.openshift.api.config.v1.PowerVSPlatformSpec"
},
"type": {
"description": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
"description": "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
"type": "string",
"default": ""
},
@@ -10547,7 +10547,7 @@
"default": ""
},
"prefix": {
"description": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
"description": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
"type": "string",
"default": ""
}
@@ -14677,11 +14677,15 @@
"x-kubernetes-list-type": "map"
},
"method": {
"description": "method is the fencing method used by this agent (e.g., \"redfish\", \"ipmi\", \"fence_aws\"). This is extracted from the pacemaker resource agent type.",
"type": "string"
"description": "method is the fencing method used by this agent. Valid values are \"Redfish\" and \"IPMI\". Redfish is a standard RESTful API for server management. IPMI (Intelligent Platform Management Interface) is a hardware management interface.\n\nPossible enum values:\n - `\"IPMI\"` uses IPMI (Intelligent Platform Management Interface), a hardware management interface.\n - `\"Redfish\"` uses Redfish, a standard RESTful API for server management.",
"type": "string",
"enum": [
"IPMI",
"Redfish"
]
},
"name": {
"description": "name is the pacemaker resource name of the fencing agent (e.g., \"master-0_redfish\"). The name consists of the target node name followed by an underscore and the fencing method. Currently only \"redfish\" is supported as a fencing method. The node name portion must be a valid RFC 1123 subdomain (max 253 chars). Maximum total length is 261 characters (253 + 1 + 7 for \"_redfish\").",
"description": "name is the unique identifier for this fencing agent (e.g., \"master-0_redfish\"). The name must be unique within the fencingAgents array for this node. It may contain alphanumeric characters, dots, hyphens, and underscores. Maximum length is 300 characters, providing headroom beyond the typical format of <node_name>_<type> (253 for RFC 1123 node name + 1 underscore + type).",
"type": "string"
}
}
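Review bot: replacing the free-form `method` string with the `IPMI`/`Redfish` enum is the right tightening for a field that selects a fencing mechanism, but the new `name` description drops the structural contract of the old one (`<node>_<method>`, 261-character cap) in favour of a 300-character limit and a character class. The rendered schema carries no `pattern` for `name`, so the "alphanumeric, dots, hyphens, and underscores" claim is documentation only; confirm the CRD YAML enforces it, and if any consumer still derives the target node from the `name` prefix, document that the format is now conventional rather than validated.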
@@ -14721,14 +14725,14 @@
"type": "object",
"required": [
"conditions",
"name",
"nodeName",
"addresses",
"resources",
"fencingAgents"
],
"properties": {
"addresses": {
"description": "addresses is a list of IP addresses reachable to the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.",
"description": "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.",
"type": "array",
"items": {
"default": {},
@@ -14749,7 +14753,7 @@
"x-kubernetes-list-type": "map"
},
"fencingAgents": {
"description": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes the agent name, fencing method, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy.",
"description": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. Names must be unique within this array.",
"type": "array",
"items": {
"default": {},
@@ -14760,8 +14764,8 @@
],
"x-kubernetes-list-type": "map"
},
"name": {
"description": "name is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.",
"nodeName": {
"description": "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.",
"type": "string"
},
"resources": {
@@ -14837,10 +14841,11 @@
"description": "nodes provides detailed status for each control-plane node in the Pacemaker cluster. While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. An empty list indicates a catastrophic failure where Pacemaker reports no nodes.",
"type": "array",
"items": {
"default": {},
"$ref": "#/definitions/com.github.openshift.api.etcd.v1alpha1.PacemakerClusterNodeStatus"
},
"x-kubernetes-list-map-keys": [
"name"
"nodeName"
],
"x-kubernetes-list-type": "map"
}
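Review bot: changing `x-kubernetes-list-map-keys` from `name` to `nodeName` is consistent with the `required` entry and the property rename in the earlier hunks of this file, but renaming the map key of a served list type is a breaking change for existing objects and for server-side apply field ownership. Make sure the Go type and the CRD manifest that produced this regeneration changed together, and that the rename is called out in that PR rather than arriving silently through this unrelated commit.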
@@ -150,6 +150,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
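Review bot: this and each of the following generated feature-set manifests add `KMSEncryption` immediately above `KMSEncryptionProvider`, so both gates are enabled in every set shown, matching the `enableIn` call in `features.go`. These will need regenerating once `KMSEncryptionProvider` is moved to DevPreview, otherwise the TechPreview manifests keep carrying both gates and the KMS-enum tests keep running under the superset behaviour.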
@@ -232,6 +232,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -152,6 +152,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -238,6 +238,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -153,6 +153,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -214,6 +214,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -155,6 +155,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},
@@ -220,6 +220,9 @@
{
"name": "IrreconcilableMachineConfig"
},
{
"name": "KMSEncryption"
},
{
"name": "KMSEncryptionProvider"
},