NO-JIRA: report preflight pod status in status condition

[tjungblu]

Uses the downward API and service account from #2307 to post the status of the check in dedicated pod conditions.

This also adds the kekId that is important for the rotation later.

Summary by CodeRabbit

Release Notes

• New Features

  • Pod status conditions now surface KMS preflight results, including the detected encryption key ID and plugin version when available.

• Improvements

  • KMS preflight health checks now poll until the plugin reports healthy, and carry richer status information alongside check outcomes.
  • The preflight command reports pod condition updates more comprehensively, returning combined errors when condition reporting fails.

• Tests

  • Added/updated coverage for pod condition generation and conflict-retry behavior when updating status.

[openshift-ci-robot]

@tjungblu: This pull request explicitly references no jira issue.

Details

In response to this:

Uses the downward API and service account from #2307 to post the status of the check in dedicated pod conditions.

This also adds the kekId that is important for the rotation later.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

checker.check and checkStatus are updated to return *kmsservice.StatusResponse alongside error. A new pod_status.go file is added that writes preflight results to the running Pod's status conditions using three new exported PodConditionType constants. The command's run function is updated to pass both the status response and error to setPodCheckCondition before returning.

Changes

KMS Preflight Pod Status Reporting

Layer / File(s)	Summary
Checker signature and StatusResponse capture pkg/operator/encryption/kms/preflight/checker.go, pkg/operator/encryption/kms/preflight/checker_test.go	check and checkStatus now return (*kmsservice.StatusResponse, error); the polling success path captures and returns the response. TestCheck is updated to assert the returned status and its KeyID.
Pod condition types and building pkg/operator/encryption/kms/preflight/pod_status.go	Introduces three exported PodConditionType constants (EncryptionKMSPreflightCheck, EncryptionKMSPreflightKeyID, EncryptionKMSPreflightVersion). podCheckConditions builds the condition slice from optional StatusResponse and error, defaulting to success and switching to failure when error is present. upsertPodCondition helper replaces or appends conditions by type.
Pod status persistence via Kubernetes client pkg/operator/encryption/kms/preflight/pod_status.go, pkg/operator/encryption/kms/preflight/pod_status_test.go	setPodCheckCondition reads pod identity from environment variables, resolves kubeconfig with in-cluster fallback, creates a Kubernetes client, retrieves the target Pod, and invokes the status updater. updatePodCheckConditions applies computed conditions via upsert, retrieves latest Pod state, and persists updates with conflict retry logic. Tests verify condition structure and retry behavior on conflicts.
Command integration of status reporting pkg/operator/encryption/kms/preflight/cmd.go	run function captures both status and checkErr from checker.check, calls setPodCheckCondition with both values to report results to the Pod, and returns combined error via errors.Join to surface both check and reporting failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• ardaguclu
• dgrisonnet

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 108 of checker.go logs plaintext test data in error message: "decrypt roundtrip mismatch: got %q, want %q" exposes decrypted plaintext bytes and original plaintext in pod conditions and logs.	Replace line 108 with: return fmt.Errorf("decrypt roundtrip failed, plaintext mismatch on %d bytes", len(plainText)) to avoid exposing sensitive test data in error messages.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check instructions target Ginkgo test patterns (It blocks, BeforeEach/AfterEach, Eventually/Consistently), but PR adds standard Go testing (*testing.T) using table-driven patterns—different...	Clarify whether the check applies to standard Go tests (*testing.T) in addition to Ginkgo tests, or scope it to Ginkgo exclusively.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'report preflight pod status in status condition' clearly and specifically describes the main change: adding pod condition reporting for KMS preflight check results.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo tests found in the PR. All tests use standard Go testing framework with static, descriptive test function names (TestCheck, TestPodCheckConditions, TestUpdatePodCheckConditions_retriesOnC...
Microshift Test Compatibility	✅ Passed	PR adds only standard Go unit tests (using testing.T), not Ginkgo e2e tests. Check applies only to Ginkgo tests, so it does not apply here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. The new tests are standard Go unit tests (TestCheck, TestPodCheckConditions, TestUpdatePodCheckConditions_retriesOnConflict) that do not require cluster t...
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only preflight check status reporting via pod conditions with no deployment manifests, affinity rules, nodeSelectors, topologySpread constraints, PDBs, or topology assumptions.
Ote Binary Stdout Contract	✅ Passed	No stdout writes in process-level code; klog uses stderr by default, satisfying OTE binary JSON stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains only standard Go unit tests (not Ginkgo e2e tests), so IPv6/disconnected network check does not apply.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR changes.
Container-Privileges	✅ Passed	The PR contains no privileged container configurations (privileged:true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root without justification) in any of the five modifi...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tjungblu
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/encryption/kms/preflight/cmd.go`:
- Around line 65-71: The error returned by the setPodCheckCondition function
call is being logged but discarded; if checkErr is nil (preflight check passed),
the function still returns success on line 74 even though the condition
reporting failed. Instead of only logging the error from setPodCheckCondition,
properly handle it by either returning it directly if it occurs, or aggregating
it with checkErr so that failures in condition reporting are not silently
ignored and result in the function returning an error rather than success.

In `@pkg/operator/encryption/kms/preflight/pod_status.go`:
- Around line 52-53: The UpdateStatus call at line 52 needs to handle concurrent
pod status updates that may result in conflict errors. Wrap the entire operation
that includes the preceding Get call and the UpdateStatus call within
retry.RetryOnConflict to automatically retry on conflicts. The retry logic
should fetch the current pod state with Get, apply any necessary modifications
to the status, and then attempt UpdateStatus, allowing the operation to retry if
a conflict occurs during the update.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c82a7e83-4d01-4726-9221-4235504bb722

📥 Commits

Reviewing files that changed from the base of the PR and between e1dc851 and 9eb3372.

📒 Files selected for processing (5)

• pkg/operator/encryption/kms/preflight/checker.go
• pkg/operator/encryption/kms/preflight/checker_test.go
• pkg/operator/encryption/kms/preflight/cmd.go
• pkg/operator/encryption/kms/preflight/pod_status.go
• pkg/operator/encryption/kms/preflight/pod_status_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/encryption/kms/preflight/pod_status.go`:
- Around line 33-35: The condition at lines 33-35 silently returns nil when
namespace or name is empty, which allows the preflight check to appear
successful without actually reporting Pod status. Replace this silent nil return
with an appropriate error return that indicates the pod identity environment
variables are missing, ensuring the preflight check fails fast and clearly
reports the failure when namespace or name is empty.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fbac80ca-2faf-4ed1-bf2d-e34e03aff280

📥 Commits

Reviewing files that changed from the base of the PR and between 9eb3372 and b137471.

📒 Files selected for processing (5)

• pkg/operator/encryption/kms/preflight/checker.go
• pkg/operator/encryption/kms/preflight/checker_test.go
• pkg/operator/encryption/kms/preflight/cmd.go
• pkg/operator/encryption/kms/preflight/pod_status.go
• pkg/operator/encryption/kms/preflight/pod_status_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/operator/encryption/kms/preflight/checker_test.go
• pkg/operator/encryption/kms/preflight/checker.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail fast when pod identity env vars are missing.

At Line 33-Line 35, returning nil silently skips condition publication, so preflight can appear successful without reporting Pod status. This weakens the feature’s primary objective.

Suggested fix

-	if namespace == "" || name == "" {
-		return nil
-	}
+	if namespace == "" || name == "" {
+		return fmt.Errorf("missing POD_NAMESPACE or POD_NAME; cannot report preflight pod conditions")
+	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if namespace == "" || name == "" {
	return nil
	}
	if namespace == "" || name == "" {
	return fmt.Errorf("missing POD_NAMESPACE or POD_NAME; cannot report preflight pod conditions")
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/encryption/kms/preflight/pod_status.go` around lines 33 - 35,
The condition at lines 33-35 silently returns nil when namespace or name is
empty, which allows the preflight check to appear successful without actually
reporting Pod status. Replace this silent nil return with an appropriate error
return that indicates the pod identity environment variables are missing,
ensuring the preflight check fails fast and clearly reports the failure when
namespace or name is empty.

[openshift-ci]

@tjungblu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.