NO-JIRA: Introduce KMS encryption mode into encryption controllers

[ardaguclu]

This PR adds KMS as a new mode in encryption controllers to be functioning along side with the other modes. Functionality has been proved to be working #2041.

This PR takes the minimal bits from #2041 (because PoC PR also contains kms plugin communication to obtain the key_id. However, we decided that initially we don't need to track key_id).

Basically, idea is to track the hash of kmsconfig to detect any configuration changes. So that key_controller can create new secret to initiate migration. KMS key secret will not contain any confidential data. It will simply store the hash value of key_id. But for now, we don't access KMS plugin in operator controllers. That means key_id hash value will stay static.

[openshift-ci-robot]

@ardaguclu: This pull request explicitly references no jira issue.

In response to this:

This PR adds KMS as a new mode in encryption controllers to be functioning along side with the other modes. Functionality has been proved to be working #2041.

This PR takes the minimal bits from #2041 (because PoC PR also contains kms plugin communication to obtain the key_id. However, we decided that initially we don't need to track key_id).

Basically, idea is to track the hash of kmsconfig to detect any configuration changes. So that key_controller can create new secret to initiate migration. KMS key secret will not contain any confidential data. It will simply store the hash value of key_id. But for now, we don't access KMS plugin in operator controllers. That means key_id hash value will stay static.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ardaguclu
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ardaguclu]

Fake bumps to test CI:

• WIP: Fake bump of KMS mode cluster-kube-apiserver-operator#1957
• WIP: Fake bump of KMS mode cluster-openshift-apiserver-operator#629 (hasn't been bumped to 1.34 yet)
• WIP: Fake bump to test KMS mode cluster-authentication-operator#805 (hasn't been bumped to 1.34 yet)

[ardaguclu]

/hold
until having a green CI

[ardaguclu]

/hold cancel
ready for review

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.