WIP kms: wire up config overrides for KMS values

[kevinrizza]

pass log level along to vault

WIP - this commit is using a replaces directive for my library-go fork. needs to be updated to vendor real change in library-go

Summary by CodeRabbit

• Chores

  • Updated module replacement directives to redirect an OpenShift library to an updated vendored module.

• Bug Fixes

  • KMS plugin sidecar configuration now receives additional operator overrides so deployment reconciliation correctly applies secure key management configuration.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 71d926b0-98d4-41ab-a50b-312aad61ae92

📥 Commits

Reviewing files that changed from the base of the PR and between 2e422f8 and a02eb47.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/workload_openshiftapiserver_v311_00_sync.go

🚧 Files skipped from review as they are similar to previous changes (2)

• go.mod
• pkg/operator/workload/workload_openshiftapiserver_v311_00_sync.go

---

Walkthrough

Adds operatorConfig.Spec.UnsupportedConfigOverrides.Raw as an argument to AddKMSPluginSidecarToPodSpec, and adds a go.mod replace directive mapping github.com/openshift/library-go to github.com/kevinrizza/library-go at v0.0.0-20260610202501-42a0e5fc0061.

Changes

KMS Plugin Sidecar Configuration

Layer / File(s)	Summary
KMS sidecar pod spec argument extension pkg/operator/workload/workload_openshiftapiserver_v311_00_sync.go	The AddKMSPluginSidecarToPodSpec call now passes operatorConfig.Spec.UnsupportedConfigOverrides.Raw after featureGateAccessor.
Library-go dependency replacement go.mod	Adds a replace directive redirecting github.com/openshift/library-go to github.com/kevinrizza/library-go at v0.0.0-20260610202501-42a0e5fc0061.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	UnsupportedConfigOverrides raw bytes are passed to parseUnsupportedKMSConfig which logs conversion errors via klog.Warning, potentially exposing sensitive encryption credentials in error messages.	Sanitize error messages before logging or validate config format before logging to avoid exposing sensitive configuration data in warnings.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	New Ginkgo tests in test/e2e-encryption-kms/encryption_kms.go have require.NoError assertions without meaningful failure messages, violating requirement #4.	Add failure context to assertions: change require.NoError(t, err) to require.NoError(t, err, "failed to create test namespace") on lines 48 and 85.
Microshift Test Compatibility	⚠️ Warning	Two new Ginkgo e2e tests with [OCPFeatureGate:KMSEncryption] tag were added without MicroShift protection; tests depend on feature gates which are unsupported assumptions per check instructions.	Add [Skipped:MicroShift] label to test names or guard with exutil.IsMicroShiftCluster() runtime check with g.Skip().

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: wiring up config overrides for KMS values by passing UnsupportedConfigOverrides to the KMS sidecar injection function.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 10 Ginkgo g.It() test titles in the PR are static, hardcoded strings without dynamic content like random IDs, timestamps, or generated values.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added in this PR. Changes are to go.mod and operator implementation code only, making the SNO compatibility check inapplicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies KMS sidecar injector configuration; doesn't introduce new scheduling constraints. Existing deployment safely uses required anti-affinity with maxUnavailable:1.
Ote Binary Stdout Contract	✅ Passed	PR changes do not introduce stdout writes in process-level code; the new unsupportedConfig parameter is processed during runtime (not init/main) using klog.Warning which writes to stderr.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New Ginkgo tests dynamically detect cluster IPs, properly handle IPv4/IPv6 formatting, and use only in-cluster connectivity with no hardcoded IPv4 addresses or external internet access.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR changes.
Container-Privileges	✅ Passed	PR contains privileged containers with justification comments for audit logging requirements in openshift-apiserver deployment bindata.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 137-138: The go.mod currently contains a replace directive
pointing to a personal fork ("github.com/kevinrizza/library-go =>
github.com/kevinrizza/library-go v0.0.0-20260609171831-1dc5b3029e36"); replace
this temporary fork reference with the official module
(github.com/openshift/library-go) once the upstream changes are merged, and use
a proper tagged release version (not a pseudo-version) or remove the replace
entirely if the required version is satisfied by the existing require line;
ensure the upstream PR is merged to openshift/library-go before updating the
replace, then run go mod tidy to update the lock info.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4d172e8c-108b-4ba8-8413-26e972787bcb

📥 Commits

Reviewing files that changed from the base of the PR and between 98775a1 and d53a8b7.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/workload_openshiftapiserver_v311_00_sync.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Replace personal fork with official library-go release before merge.

This replace directive points to a personal fork (github.com/kevinrizza/library-go) rather than the official OpenShift library. As acknowledged in the PR description, this is temporary WIP that must be updated to vendor the official library-go change.

Supply chain risks:

• Personal forks lack the review, signing, and provenance guarantees of official releases
• The pseudo-version indicates an unreleased commit rather than a tagged version
• This introduces potential supply chain compromise vectors

Required before merge:

1. The underlying library-go changes must be merged to github.com/openshift/library-go
2. Update this replace directive to point to the official library (or remove it entirely if the version in the require block is sufficient)
3. Use a tagged release version rather than a pseudo-version

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 137 - 138, The go.mod currently contains a replace
directive pointing to a personal fork ("github.com/kevinrizza/library-go =>
github.com/kevinrizza/library-go v0.0.0-20260609171831-1dc5b3029e36"); replace
this temporary fork reference with the official module
(github.com/openshift/library-go) once the upstream changes are merged, and use
a proper tagged release version (not a pseudo-version) or remove the replace
entirely if the required version is satisfied by the existing require line;
ensure the upstream PR is merged to openshift/library-go before updating the
replace, then run go mod tidy to update the lock info.

Source: Coding guidelines

[openshift-ci]

@kevinrizza: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	a02eb47	link	true	/test e2e-aws-ovn
ci/prow/e2e-aws-operator-encryption-kms	a02eb47	link	false	/test e2e-aws-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.