openshift · gangwgr · Feb 3, 2026 · Feb 3, 2026 · p0lyn0mial · Feb 4, 2026
diff --git a/go.mod b/go.mod
@@ -136,3 +136,7 @@ require (
 )
 
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+
+// TODO: Remove this replace once library-go PRs #2085 and #2086 are merged
+// Pulls from gangwgr:kms-test which includes KMS encryption mode and test scenarios
+replace github.com/openshift/library-go => github.com/gangwgr/library-go v0.0.0-20260203130836-0f1824cf5c74
diff --git a/go.sum b/go.sum
@@ -50,6 +50,8 @@ github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQ
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gangwgr/library-go v0.0.0-20260203130836-0f1824cf5c74 h1:8q2HtwDJvFgwPvjkuaKPN7TEAwfdBKmd1cZIZprvCyc=
+github.com/gangwgr/library-go v0.0.0-20260203130836-0f1824cf5c74/go.mod h1:DCRz1EgdayEmr9b6KXKDL+DWBN0rGHu/VYADeHzPoOk=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -165,8 +167,6 @@ github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+S
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
 github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
-github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb h1:RCm3Kw8gPmalqT4a+O61YtVmj2nfEMIZZUSqfukNrM0=
-github.com/openshift/library-go v0.0.0-20260129122340-60005ae435eb/go.mod h1:DCRz1EgdayEmr9b6KXKDL+DWBN0rGHu/VYADeHzPoOk=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=

diff --git a/test/e2e-encryption-kms/encryption_kms_test.go b/test/e2e-encryption-kms/encryption_kms_test.go
@@ -1,20 +1,47 @@
 package e2e_encryption_kms
 
 import (
+	"context"
+	"fmt"
 	"testing"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
+	operatorencryption "github.com/openshift/cluster-kube-apiserver-operator/test/library/encryption"
+	library "github.com/openshift/library-go/test/library/encryption"
+	librarykms "github.com/openshift/library-go/test/library/encryption/kms"
 )
 
 // TestKMSEncryptionOnOff tests KMS encryption on/off cycle.
 // This test:
 // 1. Deploys the mock KMS plugin
-// 2. Enables KMS encryption
-// 3. Verifies secrets are encrypted
-// 4. Disables encryption (Identity)
-// 5. Verifies secrets are not encrypted
-// 6. Re-enables KMS encryption
-// 7. Cleans up
-//
-// TODO: Implement full KMS encryption test once the CI job is validated.
+// 2. Creates a test secret (SecretOfLife)
+// 3. Enables KMS encryption
+// 4. Verifies secret is encrypted
+// 5. Disables encryption (Identity)
+// 6. Verifies secret is NOT encrypted
+// 7. Re-enables KMS encryption
+// 8. Verifies secret is encrypted again
+// 9. Disables encryption (Identity) again
+// 10. Verifies secret is NOT encrypted again
+// 11. Cleans up the KMS plugin
 func TestKMSEncryptionOnOff(t *testing.T) {
-	t.Log("KMS encryption on/off test placeholder - CI job validation")
+	t.Cleanup(librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage))
+	library.TestEncryptionTurnOnAndOff(t, library.OnOffScenario{
+		BasicScenario: library.BasicScenario{
+			Namespace:                       operatorclient.GlobalMachineSpecifiedConfigNamespace,
+			LabelSelector:                   "encryption.apiserver.operator.openshift.io/component" + "=" + operatorclient.TargetNamespace,
+			EncryptionConfigSecretName:      fmt.Sprintf("encryption-config-%s", operatorclient.TargetNamespace),
+			EncryptionConfigSecretNamespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
+			OperatorNamespace:               operatorclient.OperatorNamespace,
+			TargetGRs:                       operatorencryption.DefaultTargetGRs,
+			AssertFunc:                      operatorencryption.AssertSecretsAndConfigMaps,
+		},
+		CreateResourceFunc:             operatorencryption.CreateAndStoreSecretOfLife,
+		AssertResourceEncryptedFunc:    operatorencryption.AssertSecretOfLifeEncrypted,
+		AssertResourceNotEncryptedFunc: operatorencryption.AssertSecretOfLifeNotEncrypted,
+		ResourceFunc:                   operatorencryption.SecretOfLife,
+		ResourceName:                   "SecretOfLife",
+		EncryptionProvider:             configv1.EncryptionTypeKMS,
+	})
 }
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/crypto/keys.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/crypto/keys.go
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go b/vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionconfig/config.go