[WIP]Adding KMS TestKMSEncryptionOnOff test by gangwgr · Pull Request #2018 · openshift/cluster-kube-apiserver-operator

gangwgr · 2026-01-29T11:44:50Z

Adding KMS TestKMSEncryptionOnOff test

coderabbitai · 2026-01-29T11:44:59Z

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-01-29T11:51:16Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

p0lyn0mial · 2026-01-29T12:44:40Z

go.mod

 	github.com/miekg/dns v1.1.61
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250804142706-7b3ab438a292
-	github.com/openshift/api v0.0.0-20251111013132-5c461e21bdb7


please move "vendor" changes to a separate PR.

p0lyn0mial · 2026-01-29T12:45:47Z

test/e2e-encryption-kms/encryption_kms_test.go

-	t.Log("KMS encryption on/off test placeholder - CI job validation")
+	ctx := context.Background()
+
+	// Get clients for deploying KMS plugin


rm this line.

p0lyn0mial · 2026-01-29T12:46:02Z

test/e2e-encryption-kms/encryption_kms_test.go

+	// Get clients for deploying KMS plugin
+	clientSet := library.GetClients(t)
+
+	// Step 1: Deploy the mock KMS plugin


rm this line.

p0lyn0mial · 2026-01-29T12:46:21Z

test/e2e-encryption-kms/encryption_kms_test.go

+	clientSet := library.GetClients(t)
+
+	// Step 1: Deploy the mock KMS plugin
+	t.Log("Deploying mock KMS plugin...")


rm this log - we added logs to the deployer.

p0lyn0mial · 2026-01-29T12:47:01Z

test/e2e-encryption-kms/encryption_kms_test.go

+
+	// Step 1: Deploy the mock KMS plugin
+	t.Log("Deploying mock KMS plugin...")
+	cleanup := kms.DeployUpstreamMockKMSPlugin(


this could be changed to:

t.Cleanup(kms.DeployUpstreamMockKMSPlugin(...))

p0lyn0mial · 2026-01-29T12:47:11Z

test/e2e-encryption-kms/encryption_kms_test.go

+	)
+	defer cleanup()
+
+	// Step 2-10: Run the encryption on/off test


rm this line.

p0lyn0mial · 2026-01-29T12:47:45Z

test/e2e-encryption-kms/encryption_kms_test.go

+	defer cleanup()
+
+	// Step 2-10: Run the encryption on/off test
+	t.Log("Running KMS encryption on/off test...")


do we need these logs ?

ardaguclu · 2026-01-29T13:08:44Z

Better to wait #2015 to be merged.

p0lyn0mial · 2026-01-29T13:21:48Z

test/e2e-encryption-kms/encryption_kms_test.go

+	t.Cleanup(kms.DeployUpstreamMockKMSPlugin(
+		ctx,
+		t,
+		clientSet.Kube,


could we library.GetClients(t).Kube ?

p0lyn0mial · 2026-01-29T13:51:14Z

test/e2e-encryption-kms/encryption_kms_test.go

+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
+	operatorencryption "github.com/openshift/cluster-kube-apiserver-operator/test/library/encryption"
+	library "github.com/openshift/library-go/test/library/encryption"
+	"github.com/openshift/library-go/test/library/encryption/kms"


librarykms

p0lyn0mial · 2026-01-29T13:51:38Z

test/e2e-encryption-kms/encryption_kms_test.go

+	// Get clients for deploying KMS plugin
+	clientSet := library.GetClients(t)
+
+	t.Cleanup(kms.DeployUpstreamMockKMSPlugin(


nit: could you make a one liner instead ?

p0lyn0mial · 2026-01-29T14:25:18Z

we must also pull openshift/library-go#2086 in

ardaguclu · 2026-01-30T06:14:50Z

pkg/operator/targetconfigcontroller/targetconfigcontroller.go

-	if err := encryptionkms.AddKMSPluginVolumeAndMountToPodSpec(&required.Spec, "kube-apiserver", featureGateAccessor); err != nil {
-		return nil, false, fmt.Errorf("failed to add KMS encryption volumes: %w", err)
+	// Add KMS plugin volume mount if the KMS encryption feature gate is enabled
+	if err := kms.AddKMSPluginVolumeAndMountToPodSpec(&required.Spec, "kube-apiserver", featureGateAccessor); err != nil {


We don't need these changes as well, master branch should include them already.

ardaguclu · 2026-01-30T09:55:07Z

go.sum

 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gangwgr/library-go v0.0.0-20260129150807-18fba7769367 h1:dz9NGDpWK+clJaUfXP94lG5okB38qppI6lnqB/rSe0s=


I don't see the changes in openshift/library-go#2086

ardaguclu · 2026-02-02T07:13:19Z

/testwith gangwgr/cluster-kube-apiserver-operator/kms-e2e-full-test openshift/cluster-openshift-apiserver-operator#643

openshift-ci · 2026-02-02T07:13:22Z

@ardaguclu, testwith: Error processing request. ERROR:

could not determine job runs: requested job is invalid. needs to be formatted like: <org>/<repo>/<branch>/<variant?>/<job>. instead it was: gangwgr/cluster-kube-apiserver-operator/kms-e2e-full-test

ardaguclu · 2026-02-02T07:15:39Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643

ardaguclu · 2026-02-02T07:17:04Z

/testwith abort
it is known that this run will fail

ardaguclu · 2026-02-02T07:22:16Z

To sum up, once we sort out the KMS plugin issue, we can run this command;

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

gangwgr · 2026-02-02T08:40:36Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

ardaguclu · 2026-02-02T11:10:11Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

This adds TestKMSEncryptionOnOff which tests the full KMS encryption on/off cycle using the mock KMS plugin from library-go.

gangwgr · 2026-02-03T08:20:38Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

gangwgr · 2026-02-03T09:19:59Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

gangwgr · 2026-02-03T09:46:31Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

gangwgr · 2026-02-03T13:13:57Z

/testwith openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms openshift/cluster-openshift-apiserver-operator#643 openshift/cluster-authentication-operator#832

openshift-ci · 2026-02-03T17:05:59Z

@gangwgr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-single-node	`780b8a7`	link	false	`/test e2e-gcp-operator-encryption-single-node`
ci/prow/e2e-aws-ovn-serial-1of2	`780b8a7`	link	true	`/test e2e-aws-ovn-serial-1of2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

p0lyn0mial · 2026-02-04T10:56:09Z

test/e2e-encryption-kms/encryption_kms_test.go

+// 11. Cleans up the KMS plugin
 func TestKMSEncryptionOnOff(t *testing.T) {
-	t.Log("KMS encryption on/off test placeholder - CI job validation")
+	t.Cleanup(librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage))


Let’s also add a comment stating that this step is only required for v1. In the future, the platform will manage the plugins, and this code will no longer be needed.

p0lyn0mial · 2026-02-04T10:56:25Z

test/e2e-encryption-kms/encryption_kms_test.go

+// 11. Cleans up the KMS plugin
 func TestKMSEncryptionOnOff(t *testing.T) {
-	t.Log("KMS encryption on/off test placeholder - CI job validation")
+	t.Cleanup(librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage))


also, once openshift/library-go#2113 merges t.Cleanup won't be needed.

gangwgr · 2026-02-06T07:16:11Z

/close

openshift-merge-robot · 2026-02-06T07:16:20Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2026-02-06T07:16:22Z

@gangwgr: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 29, 2026

openshift-ci bot requested review from p0lyn0mial and wangke19 January 29, 2026 11:50

gangwgr force-pushed the kms-e2e-full-test branch from 8a2c3d1 to 304c290 Compare January 29, 2026 12:22

p0lyn0mial reviewed Jan 29, 2026

View reviewed changes

gangwgr force-pushed the kms-e2e-full-test branch from 304c290 to ea1327b Compare January 29, 2026 12:47

p0lyn0mial reviewed Jan 29, 2026

View reviewed changes

gangwgr force-pushed the kms-e2e-full-test branch 2 times, most recently from 4820d14 to db52c11 Compare January 29, 2026 12:50

p0lyn0mial reviewed Jan 29, 2026

View reviewed changes

gangwgr force-pushed the kms-e2e-full-test branch from db52c11 to 5c80e90 Compare January 29, 2026 14:03

gangwgr force-pushed the kms-e2e-full-test branch 3 times, most recently from bc16b88 to 75d17e3 Compare January 30, 2026 06:03

ardaguclu reviewed Jan 30, 2026

View reviewed changes

gangwgr force-pushed the kms-e2e-full-test branch from 75d17e3 to 7f0e519 Compare January 30, 2026 06:22

ardaguclu reviewed Jan 30, 2026

View reviewed changes

gangwgr force-pushed the kms-e2e-full-test branch from 7f0e519 to f588d0c Compare January 30, 2026 10:10

gangwgr force-pushed the kms-e2e-full-test branch from f588d0c to 8633746 Compare February 2, 2026 08:40

gangwgr force-pushed the kms-e2e-full-test branch from 8633746 to 38bd477 Compare February 2, 2026 11:08

CNTRLPLANE-2247: Add KMS encryption e2e test

cdbdd56

This adds TestKMSEncryptionOnOff which tests the full KMS encryption on/off cycle using the mock KMS plugin from library-go.

gangwgr force-pushed the kms-e2e-full-test branch from 38bd477 to 4ae268d Compare February 3, 2026 08:18

gangwgr force-pushed the kms-e2e-full-test branch from 4ae268d to 16db423 Compare February 3, 2026 09:18

gangwgr force-pushed the kms-e2e-full-test branch from 16db423 to f149af1 Compare February 3, 2026 09:45

vendor: update library-go for KMS encryption test support

780b8a7

gangwgr force-pushed the kms-e2e-full-test branch from f149af1 to 780b8a7 Compare February 3, 2026 13:11

p0lyn0mial reviewed Feb 4, 2026

View reviewed changes

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 6, 2026

openshift-ci bot closed this Feb 6, 2026

Conversation

gangwgr commented Jan 29, 2026

Uh oh!

coderabbitai bot commented Jan 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

openshift-ci bot commented Jan 29, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ardaguclu commented Jan 29, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

p0lyn0mial commented Jan 29, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ardaguclu commented Feb 2, 2026

Uh oh!

openshift-ci bot commented Feb 2, 2026

Uh oh!

ardaguclu commented Feb 2, 2026

Uh oh!

ardaguclu commented Feb 2, 2026

Uh oh!

ardaguclu commented Feb 2, 2026

Uh oh!

gangwgr commented Feb 2, 2026

Uh oh!

ardaguclu commented Feb 2, 2026

Uh oh!

gangwgr commented Feb 3, 2026

Uh oh!

gangwgr commented Feb 3, 2026

Uh oh!

gangwgr commented Feb 3, 2026

Uh oh!

gangwgr commented Feb 3, 2026

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

gangwgr commented Feb 6, 2026

Uh oh!

openshift-merge-robot commented Feb 6, 2026

Uh oh!

openshift-ci bot commented Feb 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

coderabbitai bot commented Jan 29, 2026 •

edited

Loading