
CNF-22624: RAN Hardening (5.0) - API Encryption (M10) #678

Open
sebrandon1 wants to merge 1 commit into openshift-kni:main from sebrandon1:compliance/4.22/m10-api-encryption

Conversation

sebrandon1 (Contributor) commented Mar 24, 2026

Summary

  • MEDIUM severity API server encryption — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
  • APIServer CRD patch (not a MachineConfig, no node reboots)
  • Verified on OCP 4.22 (cnfdt16) — encryption.type: aescbc confirmed

Remediation Group

Jira

Test plan

  • Applied APIServer CRD to OCP 4.22 cluster
  • Verified encryption.type: aescbc set
  • Encryption in progress for etcd resources

openshift-ci-robot (Collaborator) commented Mar 24, 2026

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from irinamihai and sabbir-47 March 24, 2026 20:35
openshift-ci Bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign imiller0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sebrandon1 force-pushed the compliance/4.22/m10-api-encryption branch 2 times, most recently from 8e7429d to a346d39 on March 25, 2026 20:30

coderabbitai Bot commented Mar 25, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Added an OpenShift APIServer configuration manifest (config.openshift.io/v1, metadata.name: cluster) that declares spec.encryption.type: aescbc to enable AES-CBC encryption for the API server.

Changes

Cohort / File(s): API Server Encryption Configuration
  telco-ran/configuration/hardening/api-server/75-api-server-encryption.yaml
Summary: New APIServer manifest (metadata.name: cluster) declaring spec.encryption.type: aescbc.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 3 passed
  Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  Title check: Passed. The title clearly references CNF-22624 and identifies the main change as 'RAN Hardening (5.0) - API Encryption (M10)', which directly aligns with the PR objective to implement API server encryption at rest using AES-CBC.
  Description check: Passed. The pull request description clearly explains the purpose (API server encryption via AES-CBC for etcd), the implementation approach (APIServer CRD patch), verification details (OCP 4.22 testing), and includes relevant references (Jira tickets, compliance group).


Warning: Review ran into problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@telco-ran/configuration/crds/75-api-server-encryption.yaml`:
- Around line 6-7: The encryption configuration currently sets encryption.type
to "aescbc"; update the CRD so the encryption.type field uses "aesgcm" instead
of "aescbc" (i.e., change the value in the encryption block) to enable
authenticated AEAD encryption as recommended by OpenShift; ensure no other
dependent fields or defaults assume CBC-specific settings when you make this
replacement.


📥 Commits

Reviewing files that changed from the base of the PR and between 07d8ef9 and a346d39.

📒 Files selected for processing (1)
  • telco-ran/configuration/crds/75-api-server-encryption.yaml

imiller0 (Collaborator) commented Apr 2, 2026

/hold
Need to wait on merging until 4.22 branch is cut.
Also need to revisit what path to put these under; "crds" will be confusing (too broad/generic a term).

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 2, 2026
sebrandon1 force-pushed the compliance/4.22/m10-api-encryption branch 3 times, most recently from 42733a5 to c35d4b6 on April 10, 2026 14:31
sebrandon1 force-pushed the compliance/4.22/m10-api-encryption branch 2 times, most recently from 0e0ac6f to 2756555 on April 16, 2026 13:11
sebrandon1 changed the title from "CNF-22624: RAN Hardening (4.23) - API Encryption (M10)" to "CNF-22624: RAN Hardening (5.0) - API Encryption (M10)" on Apr 20, 2026

openshift-ci-robot (Collaborator) commented Apr 20, 2026

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


sebrandon1 force-pushed the compliance/4.22/m10-api-encryption branch from 2756555 to 9ba42b7 on April 23, 2026 15:03

sebrandon1 (Contributor, Author) commented

Verification Test Results

Tested on cnfdt16 (OCP 4.22, RHCOS 9.8.20260403-0, 3 masters + 2 workers).

Apply: Applied 75-api-server-encryption.yaml via oc apply.
Wait: API server encryption rollout (~10 minutes).
Verify:

$ oc get apiserver cluster -o jsonpath='{.spec.encryption.type}'
aescbc

$ oc get openshiftapiserver -o jsonpath='{range .items[*]}{.status.conditions[?(@.type=="Encrypted")].status} {.status.conditions[?(@.type=="Encrypted")].message}{"\n"}{end}'
True All resources encrypted: routes.route.openshift.io

Result: PASS — API server encryption set to aescbc, all resources confirmed encrypted.
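The verification above reads the Encrypted condition from openshiftapiserver only, which reports the routes resource. The script below is an added example, not code from the PR or from the openshift-kni project: it renders the APIServer manifest the walkthrough describes (accepting either aescbc, the PR's value, or aesgcm, the mode the review bot proposed) and checks the same jsonpath output across every operator that owns encrypted resources. The mapping of resource names to operators, the exact condition wording and the SAMPLE_* lines are assumptions constructed for the example, not output captured from cnfdt16; confirm them against what your cluster prints.

```shell
#!/bin/sh
# Added example, not the PR's own code: render the APIServer encryption
# manifest and check the encryption rollout across all three operators that
# report an Encrypted condition, not only openshiftapiserver.
# Assumptions are marked below; SAMPLE_* lines are constructed, not captured.

# render_manifest TYPE
# Emits the manifest from the walkthrough (config.openshift.io/v1 APIServer,
# metadata.name cluster, spec.encryption.type). Only aescbc (the PR's value)
# and aesgcm (the AEAD mode the review bot proposed) are accepted.
render_manifest() {
  case "$1" in
    aescbc|aesgcm) ;;
    *) echo "render_manifest: unsupported encryption type '$1'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: $1
EOF
}

# Jsonpath from the PR's verification step; yields one "<status> <message>"
# line per item.
ENC_JSONPATH='{range .items[*]}{.status.conditions[?(@.type=="Encrypted")].status} {.status.conditions[?(@.type=="Encrypted")].message}{"\n"}{end}'

# check_encrypted NAME OUTPUT RESOURCE...
# OUTPUT is what the jsonpath produced for operator NAME. Succeeds only when
# every line reads "True ... All resources encrypted ..." and each RESOURCE
# name is listed; otherwise prints the reason and fails.
check_encrypted() {
  name="$1"; out="$2"; shift 2
  if [ -z "$out" ]; then
    echo "$name: no Encrypted condition reported" >&2
    return 1
  fi
  # Count lines that are not a completed-encryption report.
  pending=$(printf '%s\n' "$out" | grep -vc '^True .*All resources encrypted' || true)
  if [ "$pending" -ne 0 ]; then
    echo "$name: encryption still in progress or failed:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
  for r in "$@"; do
    if ! printf '%s\n' "$out" | grep -qF -- "$r"; then
      echo "$name: $r not reported as encrypted" >&2
      return 1
    fi
  done
  return 0
}

# verify_cluster: live check against a cluster with oc on PATH. The resource
# names are the PR summary's Secrets, ConfigMaps, Routes and OAuth tokens
# mapped to the operator that reports each; the exact names are an
# assumption to confirm against what your cluster prints.
verify_cluster() {
  rc=0
  check_encrypted kubeapiserver \
    "$(oc get kubeapiserver -o jsonpath="$ENC_JSONPATH")" \
    secrets configmaps || rc=1
  check_encrypted openshiftapiserver \
    "$(oc get openshiftapiserver -o jsonpath="$ENC_JSONPATH")" \
    routes.route.openshift.io || rc=1
  check_encrypted authentication \
    "$(oc get authentication.operator.openshift.io -o jsonpath="$ENC_JSONPATH")" \
    oauthaccesstokens.oauth.openshift.io oauthauthorizetokens.oauth.openshift.io || rc=1
  return "$rc"
}

# Constructed sample output for offline use: one completed operator and one
# still rolling out (the wording of the in-progress line is illustrative).
SAMPLE_DONE='True All resources encrypted: secrets, configmaps'
SAMPLE_PENDING='False Encryption in progress: secrets, configmaps'

# Usage: sh verify-encryption.sh --live   (after oc apply of the manifest)
if [ "${1:-}" = "--live" ]; then
  verify_cluster
fi
```

Run it with --live after the manifest has been applied and the rollout has had its ~10 minutes; a non-zero exit names the operator whose resources are not yet reported as encrypted, so "Encryption in progress for etcd resources" in the test plan shows up as a failing check rather than a PASS on the one operator that happened to finish.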

sebrandon1 force-pushed the compliance/4.22/m10-api-encryption branch from 9ba42b7 to aa426a0 on May 4, 2026 20:34

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.
