diff --git a/go.mod b/go.mod
index 367f091dd8..aaa3d1777e 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/openshift/api v0.0.0-20260126183958-606bd613f9f7
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
-github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb
+github.com/openshift/library-go v0.0.0-20260205090821-b15d656dc16c
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
 github.com/spf13/cobra v1.9.1
 github.com/spf13/pflag v1.0.6
diff --git a/go.sum b/go.sum
index 56a493a095..0ed7c4332f 100644
--- a/go.sum
+++ b/go.sum
@@ -152,8 +152,8 @@ github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+S
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
-github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb h1:RCm3Kw8gPmalqT4a+O61YtVmj2nfEMIZZUSqfukNrM0=
-github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb/go.mod h1:DCRz1EgdayEmr9b6KXKDL+DWBN0rGHu/VYADeHzPoOk=
+github.com/openshift/library-go v0.0.0-20260205090821-b15d656dc16c h1:HNvAXKiu2wpJu5/vGf6b6Sn2blWOxk9DryoG9tI9ObY=
+github.com/openshift/library-go v0.0.0-20260205090821-b15d656dc16c/go.mod h1:DCRz1EgdayEmr9b6KXKDL+DWBN0rGHu/VYADeHzPoOk=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d h1:Rzx23P63JFNNz5D23ubhC0FCN5rK8CeJhKcq5QKcdyU=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d/go.mod h1:iVi9Bopa5cLhjG5ie9DoZVVqkH8BGb1FQVTtecOLn4I=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
diff --git a/test/e2e-encryption-kms/encryption_kms_test.go b/test/e2e-encryption-kms/encryption_kms_test.go
index cb8ca759e3..8f6d89a8a8 100644
--- a/test/e2e-encryption-kms/encryption_kms_test.go
+++ b/test/e2e-encryption-kms/encryption_kms_test.go
@@ -1,20 +1,52 @@
 package e2e_encryption_kms
 import (
+"context"
+"fmt"
 "testing"
+
+"k8s.io/apimachinery/pkg/runtime"
+
+configv1 "github.com/openshift/api/config/v1"
+operatorencryption "github.com/openshift/cluster-authentication-operator/test/library/encryption"
+library "github.com/openshift/library-go/test/library/encryption"
+librarykms "github.com/openshift/library-go/test/library/encryption/kms"
 )
 // TestKMSEncryptionOnOff tests KMS encryption on/off cycle.
 // This test:
-// 1. Deploys the mock KMS plugin
-// 2. Enables KMS encryption
-// 3. Verifies secrets are encrypted
-// 4. Disables encryption (Identity)
-// 5. Verifies secrets are not encrypted
-// 6. Re-enables KMS encryption
-// 7. Cleans up
-//
-// TODO: Implement full KMS encryption test once the CI job is validated.
+// 2. Creates a test OAuth access token (TokenOfLife)
+// 3. Enables KMS encryption
+// 4. Verifies token is encrypted
+// 5. Disables encryption (Identity)
+// 6. Verifies token is NOT encrypted
+// 7. Re-enables KMS encryption
+// 8. Verifies token is encrypted again
+// 9. Disables encryption (Identity) again
+// 10. Verifies token is NOT encrypted again
+// 11. Cleans up the KMS plugin
 func TestKMSEncryptionOnOff(t *testing.T) {
-t.Log("KMS encryption on/off test placeholder - CI job validation")
+// Deploy the mock KMS plugin for testing.
+// NOTE: This manual deployment is only required for KMS v1. In the future,
+// the platform will manage the KMS plugins, and this code will no longer be needed.
+librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage)
+library.TestEncryptionTurnOnAndOff(t, library.OnOffScenario{
+BasicScenario: library.BasicScenario{
+Namespace: "openshift-config-managed",
+LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
+EncryptionConfigSecretName: fmt.Sprintf("encryption-config-openshift-oauth-apiserver"),
+EncryptionConfigSecretNamespace: "openshift-config-managed",
+OperatorNamespace: "openshift-authentication-operator",
+TargetGRs: operatorencryption.DefaultTargetGRs,
+AssertFunc: operatorencryption.AssertTokens,
+},
+CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
+return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
+},
+AssertResourceEncryptedFunc: operatorencryption.AssertTokenOfLifeEncrypted,
+AssertResourceNotEncryptedFunc: operatorencryption.AssertTokenOfLifeNotEncrypted,
+ResourceFunc: func(t testing.TB, _ string) runtime.Object { return operatorencryption.TokenOfLife(t) },
+ResourceName: "TokenOfLife",
+EncryptionProvider: configv1.EncryptionTypeKMS,
+})
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
index bff6155c2f..ca2806ecc6 100644
--- a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
+++ b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
@@ -30,6 +30,8 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/client-go/util/cert"
+
+configv1 "github.com/openshift/api/config/v1"
 )
 // TLS versions that are known to golang. Go 1.13 adds support for
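Review bot: The numbered list in the doc comment now starts at step 2 — the removed `// 1. Deploys the mock KMS plugin` line has no replacement even though the body's first statement is the `DeployUpstreamMockKMSPlugin` call, so re-add `// 1. Deploys the mock KMS plugin (a privileged DaemonSet with hostPath mounts on control-plane nodes)`. Step 11 claims the plugin is cleaned up, but nothing in this function registers a `t.Cleanup` or calls an undeploy helper, and the vendored deployer in this diff only exposes `DeployUpstreamMockKMSPlugin`; unless `TestEncryptionTurnOnAndOff` tears it down (not visible here), the `privileged: true` DaemonSet bound to `system:openshift:scc:privileged` outlives the test, so either add the teardown or drop the claim. `fmt.Sprintf("encryption-config-openshift-oauth-apiserver")` has no format verbs and is flagged by `go vet`'s printf check — use the plain string literal. The `CreateResourceFunc` closure passes `context.TODO()` while the deploy call uses `context.Background()`; pick one, and consider a deadline-bound context so a plugin that never becomes ready fails the test rather than hanging it.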
@@ -243,6 +245,9 @@ func ValidCipherSuites() []string {
 return validCipherSuites
 }
+// DefaultTLSProfileType is the intermediate profile type.
+const DefaultTLSProfileType = configv1.TLSProfileIntermediateType
+
 // DefaultCiphers returns the default cipher suites for TLS connections.
 //
 // RECOMMENDATION: Instead of relying on this function directly, consumers should respect
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/apiserver/observe_tlssecurityprofile.go b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/apiserver/observe_tlssecurityprofile.go
index b04701681c..3360126e3f 100644
--- a/vendor/github.com/openshift/library-go/pkg/operator/configobserver/apiserver/observe_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/library-go/pkg/operator/configobserver/apiserver/observe_tlssecurityprofile.go
@@ -85,7 +85,7 @@ func innerTLSSecurityProfileObservations(genericListers configobserver.Listers,
 func getSecurityProfileCiphers(profile *configv1.TLSSecurityProfile) (string, []string) {
 var profileType configv1.TLSProfileType
 if profile == nil {
-profileType = configv1.TLSProfileIntermediateType
+profileType = crypto.DefaultTLSProfileType
 } else {
 profileType = profile.Type
 }
@@ -101,7 +101,7 @@ func getSecurityProfileCiphers(profile *configv1.TLSSecurityProfile) (string, []
 // nothing found / custom type set but no actual custom spec
 if profileSpec == nil {
-profileSpec = configv1.TLSProfiles[configv1.TLSProfileIntermediateType]
+profileSpec = configv1.TLSProfiles[crypto.DefaultTLSProfileType]
 }
 // need to remap all Ciphers to their respective IANA names used by Go
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/assertion.go b/vendor/github.com/openshift/library-go/test/library/encryption/assertion.go
index f4493e2df1..02261356ba 100644
--- a/vendor/github.com/openshift/library-go/test/library/encryption/assertion.go
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/assertion.go
@@ -34,6 +34,7 @@ const (
 aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:"
 aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
 secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
+kmsTransformerPrefixV2 = "k8s:enc:kms:v2:"
 )
 func init() {
@@ -163,6 +164,8 @@ func encryptionModeFromEtcdValue(data []byte) (string, bool) {
 return "aesgcm"
 case hasPrefixAndTrailingData(data, []byte(secretboxTransformerPrefixV1)): // Secretbox has this prefix
 return "secretbox"
+case hasPrefixAndTrailingData(data, []byte(kmsTransformerPrefixV2)): // KMS v2 has this prefix
+return "KMS"
 case hasPrefixAndTrailingData(data, []byte(jsonEncodingPrefix)): // unencrypted json data has this prefix
 return "identity-json"
 case hasPrefixAndTrailingData(data, protoEncodingPrefix): // unencrypted protobuf data has this prefix
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_configmap.yaml b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_configmap.yaml
new file mode 100644
index 0000000000..d9c3e9a0f6
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_configmap.yaml
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: k8s-mock-kms-plugin + namespace: {{ .Namespace }} +data: + softhsm-config.json: | + { + "Path": "/usr/lib/softhsm/libsofthsm2.so", + "TokenLabel": "kms-test", + "Pin": "1234" + } + # pre-generated SoftHSM token with AES-256 key. + # run ../k8s-mock-plugin-key-gen/generate.sh to regenerate. + softhsm-tokens.tar.gz.b64: | + H4sIAAAAAAAAA9PTZ6A5MDAwMDQ3NwfRIIBOg9mGpoYmQFVmpsZmQHFzcyMzBgVT2juNgaG0uCSx + SEGBoSg/vwSfOkLyQxTo6SclWSalGaYk6SanJVvqmhmaGemaGxumAlkG5gbmJmZmhpaplCUSUASb + Y8Y77vg3NDExH41/ugAi4z89NS+1KLEkMz+PDDtAEWyGL/4N0ePfzNTElEHBgOq+xQJGePxDAdNA + O2AUDAwgMv8D62+jNEsjS91EQ8tkXVOTlFRdy9REE13TxCQjU2PjRBMjixS9nPzkbGx2EMz/6OW/ + kZGhseFo/qcHoGb85ydlpSZjCSQC8W9oZGqGHv8mZqPlPz2BMhofVh+wQGlGGP0fTQFMgoEZjebI + zi3WLUkthgWaIJq8wtmYw16NO3743+n8IbrBQ654o8P1RS3cTE2rvqxes3f2681QdW3oFk1At9A9 + /CyaEpjj5KHiTGhaYEbC+HDfwb0L9SYjK7oAG7oAO7oAB7oAF7oAD7q1Ajjchx5mMPFEKAPmLwWo + eBK6wcnoVqegC6Sia0lDNVugASpegK6zEF2gCE2ACeYtiNkODEww/8CCGSYuhF0cFtYMrAyjgEaA + yPK/JD87NQ9nBU8AkFz/G5qZmBmMlv/0ACTFP64KngAgFP+mGPFvbmBgPBr/dATgOqqBIdgTyofX + 0rBaXAEHgOrzQtMnAEpCyCkIqs4bKg+tXVh0oeI+aPo9hLuLzFeazTs0z0uff0K8jyJbufak7QIT + v1jacNd/lLvW0Bink9F64W7jVjf1Y/o3JrhXvTgRdIo7qjH6Q94aa7Wis/x+aYIib+56Qc33RTd/ + mrLoLKtVa1bK/Mt6/MqI48T9mDkzbzYfleKNm8ytfO3yvnVnmdZzNTxQ5330z2/9zpt+B+dP+bn+ + UWq1aNfvZvMIhu2djYvqNbukYbXlKBgFo2AUDDkAAM1LQHIAGgAA \ No newline at end of file diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml new file mode 100644 index 0000000000..1b670fbc1c --- /dev/null +++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml 
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: k8s-mock-kms-plugin
+namespace: {{ .Namespace }}
+spec:
+selector:
+matchLabels:
+app: k8s-mock-kms-plugin
+template:
+metadata:
+labels:
+app: k8s-mock-kms-plugin
+spec:
+nodeSelector:
+node-role.kubernetes.io/control-plane: ""
+priorityClassName: system-node-critical
+serviceAccountName: k8s-mock-kms-plugin
+tolerations:
+- operator: Exists
+initContainers:
+- name: init-softhsm
+image: {{ .Image }}
+imagePullPolicy: IfNotPresent
+securityContext:
+privileged: true
+command:
+- /bin/sh
+- -c
+args:
+- |
+set -e
+set -x
+
+# if token exists, skip initialization
+if [ $(ls -1 /var/lib/softhsm/tokens 2>/dev/null | wc -l) -ge 1 ]; then
+echo "Skipping initialization of softhsm"
+exit 0
+fi
+
+mkdir -p /var/lib/softhsm/tokens
+cd /var/lib/softhsm/tokens
+
+# extract tokens from the configmap
+# see ../k8s-mock-plugin-key-gen/README.md for details.
+cat /etc/softhsm-tokens.tar.gz.b64 | base64 -d | tar xzf -
+volumeMounts:
+- mountPath: /var/lib/softhsm/tokens
+name: softhsm-tokens
+- mountPath: /etc/softhsm-tokens.tar.gz.b64
+name: softhsm-config
+subPath: softhsm-tokens.tar.gz.b64
+containers:
+- name: kms-plugin
+image: {{ .Image }}
+imagePullPolicy: IfNotPresent
+securityContext:
+privileged: true
+command:
+- /bin/sh
+- -c
+args:
+- |
+# remove the socket to prevent "bind: address already in use"
+# not sure this is the best way
+rm -f /var/run/kmsplugin/kms.sock
+exec /usr/local/bin/mock-kms-plugin -listen-addr=unix:///var/run/kmsplugin/kms.sock -config-file-path=/etc/softhsm-config.json
+volumeMounts:
+- name: socket
+mountPath: /var/run/kmsplugin
+- name: softhsm-config
+mountPath: /etc/softhsm-config.json
+subPath: softhsm-config.json
+- name: softhsm-tokens
+mountPath: /var/lib/softhsm/tokens
+volumes:
+- name: socket
+hostPath:
+path: /var/run/kmsplugin
+type: DirectoryOrCreate
+- name: softhsm-tokens
+hostPath:
+path: /var/lib/softhsm/tokens
+type: DirectoryOrCreate
+- name: softhsm-config
+configMap:
+name: k8s-mock-kms-plugin
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_namespace.yaml b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_namespace.yaml
new file mode 100644
index 0000000000..4141b1d701
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: {{ .Namespace }}
+labels:
+pod-security.kubernetes.io/enforce: privileged
+pod-security.kubernetes.io/audit: privileged
+pod-security.kubernetes.io/warn: privileged
\ No newline at end of file
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_rolebinding.yaml b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_rolebinding.yaml
new file mode 100644
index 0000000000..9c42e8b826
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_rolebinding.yaml
@@ -0,0 +1,16 @@
+# RoleBinding to grant the k8s-mock-kms-plugin ServiceAccount access to the
+# privileged SCC. This is required because the KMS plugin needs privileged
+# access to create the Unix socket on the host filesystem.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: k8s-mock-kms-plugin
+namespace: {{ .Namespace }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+name: k8s-mock-kms-plugin
+namespace: {{ .Namespace }}
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_serviceaccount.yaml b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_serviceaccount.yaml
new file mode 100644
index 0000000000..5eebaf6ad3
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: k8s-mock-kms-plugin
+namespace: {{ .Namespace }}
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go b/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go
new file mode 100644
index 0000000000..b713da4355
--- /dev/null
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go
@@ -0,0 +1,152 @@
+package kms
+
+import (
+"bytes"
+"context"
+"embed"
+"path/filepath"
+"testing"
+"text/template"
+"time"
+
+apierrors "k8s.io/apimachinery/pkg/api/errors"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/util/wait"
+"k8s.io/client-go/kubernetes"
+"k8s.io/utils/clock"
+
+"github.com/openshift/library-go/pkg/operator/events"
+"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+"github.com/openshift/library-go/pkg/operator/resource/resourceread"
+)
+
+//go:embed assets
+var assetsFS embed.FS
+
+const (
+// WellKnownUpstreamMockKMSPluginNamespace is the default namespace where the KMS plugin runs.
+WellKnownUpstreamMockKMSPluginNamespace = "k8s-mock-plugin"
+
+// WellKnownUpstreamMockKMSPluginImage is the pre-built mock KMS plugin image.
+WellKnownUpstreamMockKMSPluginImage = "quay.io/openshifttest/mock-kms-plugin@sha256:998e1d48eba257f589ab86c30abd5043f662213e9aeff253e1c308301879d48a"
+
+// defaultPollTimeout the default poll timeout used by the deployer
+defaultPollTimeout = 2 * time.Minute
+)
+
+var manifestFilesToApplyDirectly = []string{
+"k8s_mock_kms_plugin_namespace.yaml",
+"k8s_mock_kms_plugin_serviceaccount.yaml",
+"k8s_mock_kms_plugin_rolebinding.yaml",
+"k8s_mock_kms_plugin_configmap.yaml",
+}
+
+var daemonSetManifestFile = "k8s_mock_kms_plugin_daemonset.yaml"
+
+// yamlTemplateData holds the template variables for YAML manifests.
+// Fields must be exported (uppercase) for Go templates to access them.
+type yamlTemplateData struct {
+Namespace string
+Image string
+}
+
+// DeployUpstreamMockKMSPlugin deploys the upstream mock KMS v2 plugin using embedded YAML assets.
+func DeployUpstreamMockKMSPlugin(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, image string) {
+t.Helper()
+
+t.Logf("Deploying upstream mock KMS v2 plugin in namespace %q using image %s", namespace, image)
+daemonSetName, err := applyUpstreamMockKMSPluginManifests(ctx, t, kubeClient, namespace, image)
+if err != nil {
+t.Fatalf("Failed to apply manifests: %v", err)
+}
+if err := waitForDaemonSetReady(ctx, t, kubeClient, namespace, daemonSetName); err != nil {
+t.Fatalf("DaemonSet not ready: %v", err)
+}
+t.Logf("Upstream mock KMS v2 plugin deployed successfully!")
+}
+
+// applyUpstreamMockKMSPluginManifests applies all the KMS plugin manifests.
+// Returns the DaemonSet name on success.
+func applyUpstreamMockKMSPluginManifests(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, image string) (string, error) {
+t.Helper()
+
+data := yamlTemplateData{
+Namespace: namespace,
+Image: image,
+}
+
+recorder := events.NewInMemoryRecorder("k8s-mock-kms-plugin-deployer", clock.RealClock{})
+assetFunc := wrapAssetWithTemplateDataFunc(data)
+
+clientHolder := resourceapply.NewKubeClientHolder(kubeClient)
+results := resourceapply.ApplyDirectly(ctx, clientHolder, recorder, resourceapply.NewResourceCache(), assetFunc, manifestFilesToApplyDirectly...)
+
+for _, result := range results {
+if result.Error != nil {
+return "", result.Error
+}
+t.Logf("Applied %s (changed=%v)", result.File, result.Changed)
+}
+
+rawDaemonSet, err := assetFunc(daemonSetManifestFile)
+if err != nil {
+return "", err
+}
+
+daemonSet := resourceread.ReadDaemonSetV1OrDie(rawDaemonSet)
+_, _, err = resourceapply.ApplyDaemonSet(ctx, kubeClient.AppsV1(), recorder, daemonSet, -1)
+if err != nil {
+return "", err
+}
+t.Logf("Applied DaemonSet %s/%s", namespace, daemonSet.Name)
+
+return daemonSet.Name, nil
+}
+
+// waitForDaemonSetReady waits for the KMS plugin DaemonSet to be ready.
+func waitForDaemonSetReady(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, daemonSetName string) error {
+t.Helper()
+
+t.Logf("Waiting for DaemonSet %s/%s to be ready...", namespace, daemonSetName)
+
+return wait.PollUntilContextTimeout(ctx, time.Second, defaultPollTimeout, true, func(ctx context.Context) (bool, error) {
+ds, err := kubeClient.AppsV1().DaemonSets(namespace).Get(ctx, daemonSetName, metav1.GetOptions{})
+if err != nil {
+if apierrors.IsNotFound(err) {
+return false, nil
+}
+return false, err
+}
+
+t.Logf("DaemonSet %s/%s status: desired=%d, ready=%d, available=%d",
+namespace, daemonSetName, ds.Status.DesiredNumberScheduled, ds.Status.NumberReady, ds.Status.NumberAvailable)
+
+// for simplicity just ensure at least one pod is scheduled before checking readiness
+if ds.Status.DesiredNumberScheduled == 0 {
+return false, nil
+}
+return ds.Status.NumberReady == ds.Status.DesiredNumberScheduled, nil
+})
+}
+
+// wrapAssetWithTemplateDataFunc returns an AssetFunc that templates the YAML with the given data.
+func wrapAssetWithTemplateDataFunc(data yamlTemplateData) resourceapply.AssetFunc {
+return func(name string) ([]byte, error) {
+content, err := assetsFS.ReadFile(filepath.Join("assets", name))
+if err != nil {
+return nil, err
+}
+
+tmpl, err := template.New(name).Parse(string(content))
+if err != nil {
+return nil, err
+}
+
+var buf bytes.Buffer
+if err := tmpl.Execute(&buf, data); err != nil {
+return nil, err
+}
+
+return buf.Bytes(), nil
+}
+}
diff --git a/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go b/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
index 99d60bfe49..79a9ff96ef 100644
--- a/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
+++ b/vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go
@@ -50,12 +50,21 @@ func TestEncryptionTypeAESGCM(t *testing.T, scenario BasicScenario) {
 AssertEncryptionConfig(e, clientSet, scenario.EncryptionConfigSecretName, scenario.EncryptionConfigSecretNamespace, scenario.TargetGRs)
 }
+func TestEncryptionTypeKMS(t *testing.T, scenario BasicScenario) {
+e := NewE(t, PrintEventsOnFailure(scenario.OperatorNamespace))
+clientSet := SetAndWaitForEncryptionType(e, configv1.EncryptionTypeKMS, scenario.TargetGRs, scenario.Namespace, scenario.LabelSelector)
+scenario.AssertFunc(e, clientSet, configv1.EncryptionTypeKMS, scenario.Namespace, scenario.LabelSelector)
+AssertEncryptionConfig(e, clientSet, scenario.EncryptionConfigSecretName, scenario.EncryptionConfigSecretNamespace, scenario.TargetGRs)
+}
+
 func TestEncryptionType(t *testing.T, scenario BasicScenario, provider configv1.EncryptionType) {
 switch provider {
 case configv1.EncryptionTypeAESCBC:
 TestEncryptionTypeAESCBC(t, scenario)
 case configv1.EncryptionTypeAESGCM:
 TestEncryptionTypeAESGCM(t, scenario)
+case configv1.EncryptionTypeKMS:
+TestEncryptionTypeKMS(t, scenario)
 case configv1.EncryptionTypeIdentity, "":
 TestEncryptionTypeIdentity(t, scenario)
 default:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7b0e974b75..8f2d1b864e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -376,7 +376,7 @@ github.com/openshift/client-go/user/applyconfigurations/internal
 github.com/openshift/client-go/user/applyconfigurations/user/v1
 github.com/openshift/client-go/user/clientset/versioned/scheme
 github.com/openshift/client-go/user/clientset/versioned/typed/user/v1
-# github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb
+# github.com/openshift/library-go v0.0.0-20260205090821-b15d656dc16c
 ## explicit; go 1.24.0
 github.com/openshift/library-go/pkg/apiserver/jsonpatch
 github.com/openshift/library-go/pkg/apps/deployment
@@ -450,6 +450,7 @@ github.com/openshift/library-go/pkg/route/routeapihelpers
 github.com/openshift/library-go/pkg/serviceability
 github.com/openshift/library-go/test/library
 github.com/openshift/library-go/test/library/encryption
+github.com/openshift/library-go/test/library/encryption/kms
 # github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
 ## explicit; go 1.22.0
 github.com/openshift/multi-operator-manager/pkg/flagtypes