
Unify kms provider config for reusability#2326

Closed
ardaguclu wants to merge 1 commit into openshift:master from ardaguclu:provider-refactor

Conversation


@ardaguclu ardaguclu commented Jun 23, 2026

Member

The preflight checker will call the KMSPluginState function to get a KMSState. After that we need to have another function to convert the KMSState to an EncryptionConfiguration. This PR aims to pave the way for #2321.

This PR must not make any logical changes.

Summary by CodeRabbit

  • Refactor
    • Improved KMS plugin configuration handling by centralizing provider-specific logic for better resolution and management of encryption provider settings and resource references.


coderabbitai Bot commented Jun 23, 2026


Walkthrough

KMS provider config logic is extracted from key_controller.go into a new kms_provider_config.go file. The extracted KMSPluginState function builds state.KMSState from a key ID and plugin config, resolving Vault AppRole secret and CA bundle configmap references from openshift-config. key_controller.go now delegates to KMSPluginState and removes all previously inline logic.

Changes

KMS provider config extraction

  • Layer: New KMSPluginState implementation and Vault provider logic
    File(s): pkg/operator/encryption/controllers/kms_provider_config.go
    Summary: Introduces KMSPluginState that constructs a state.KMSState/KMSConfiguration (API v2, Unix socket endpoint, default timeout) from keyID and pluginConfig, then fetches and validates required keys from a Secret (role-id, secret-id for Vault AppRole) and optional ConfigMap (ca-bundle.crt for Vault CA bundle) in openshift-config. Provider logic is abstracted via kmsProviderConfig; newKMSProviderConfig selects the Vault implementation and errors on unsupported provider or auth types.
  • Layer: Delegation to KMSPluginState and removal of inline logic
    File(s): pkg/operator/encryption/controllers/key_controller.go
    Summary: Removes the kmsEndpointFormat constant, the kmsProviderConfig interface, newKMSProviderConfig factory, and vaultProviderConfig implementation. Updates the KMS branch of generateKeySecret to assign ks.KMS from the result of KMSPluginState(...).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • No-Sensitive-Data-In-Logs: ❌ Error. Explanation: Error messages in kms_provider_config.go (lines 48, 53, 66, 71) expose Kubernetes Secret and ConfigMap names through error messages that flow to OperatorCondition status (exposed in API), revealing... Resolution: Redact Secret/ConfigMap names in error messages, e.g., use generic messages like "failed to get secret in openshift-config: %w" without the secret name, or use placeholder IDs.
  • Topology-Aware Scheduling Compatibility: ⚠️ Warning. Explanation: PR introduces kms-preflight-pod.yaml with nodeSelector targeting master nodes, breaking HyperShift where no control-plane nodes exist in-cluster. Resolution: Add topology awareness: check ControlPlaneTopology and use different scheduling strategies for SNO, TNF, TNA, and HyperShift. Consider using node affinity with topology-aware selection or topology spread constraints.
✅ Passed checks (13 passed)
  • Title check: ✅ Passed. The title directly describes the main objective of the PR: unifying KMS provider configuration to make it reusable across different components by extracting logic into the KMSPluginState function.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. This PR does not contain any Ginkgo test code. The modified files (key_controller.go, kms_provider_config.go) are source files, not test files. The codebase uses Go's standard testing framework, no...
  • Test Structure And Quality: ✅ Passed. No Ginkgo test code was added or modified in this PR, so there are no test structure and quality requirements to assess.
  • Microshift Test Compatibility: ✅ Passed. No new Ginkgo e2e tests are added in this PR. The changes are limited to controller code (key_controller.go and kms_provider_config.go), which are production code files, not test files.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. No new Ginkgo e2e tests were added in this PR. Changes are limited to controller implementation files (key_controller.go and new kms_provider_config.go), which do not require SNO compatibility checks.
  • Ote Binary Stdout Contract: ✅ Passed. No stdout writes in process-level code. The new kms_provider_config.go file contains only regular functions with fmt.Sprintf/Errorf usage (for data construction), no logging to stdout, and no init/...
  • Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. No new Ginkgo e2e tests are added in this PR. Changes are to production code files (key_controller.go, kms_provider_config.go) in the controllers package, not test files.
  • No-Weak-Crypto: ✅ Passed. No weak cryptography patterns detected in the PR. The changes do not use MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode, custom crypto implementations, or unsafe secret comparisons.
  • Container-Privileges: ✅ Passed. PR modifies only Go source files with no Kubernetes manifests, container specs, or Dockerfile content. Container-privileges check is not applicable.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026

openshift-ci Bot commented Jun 23, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


openshift-ci Bot commented Jun 23, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 23, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/encryption/controllers/kms_provider_config.go`:
- Around line 43-45: The referencedSecretName method can return an empty string
with required AppRole keys present, which causes the code to silently skip
adding PluginSecretData to the KMSState even though role-id and secret-id are
required downstream. Add validation after the referencedSecretName call (around
line 43-45) to reject cases where secretName is empty but expectedKeys indicates
required AppRole credentials are needed. Check if secretName is empty and
expectedKeys contains required keys like role-id or secret-id, and if so, return
an error rather than continuing to return incomplete KMSState without
PluginSecretData. This ensures required credential references are validated at
the trust boundary using an allow-list approach rather than silently accepting
invalid states.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0b578376-2a75-4085-99ec-2e2fb68c366c

📥 Commits

Reviewing files that changed from the base of the PR and between b95bf57 and aa3a3c7.

📒 Files selected for processing (2)
  • pkg/operator/encryption/controllers/key_controller.go
  • pkg/operator/encryption/controllers/kms_provider_config.go

Comment on lines +43 to +45
if secretName, expectedKeys, err := providerCfg.referencedSecretName(); err != nil {
return nil, err
} else if len(secretName) > 0 {


🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Reject empty Vault AppRole secret names before returning KMS state.

Line 110 can return "" with required AppRole keys, and Line 45 then treats that as “no secret reference,” returning a KMSState without PluginSecretData. That silently drops the required role-id / secret-id data used downstream.

Proposed fix
 func (v *vaultProviderConfig) referencedSecretName() (string, []string, error) {
 	switch v.vault.Authentication.Type {
 	case configv1.VaultAuthenticationTypeAppRole:
-		return v.vault.Authentication.AppRole.Secret.Name, []string{"role-id", "secret-id"}, nil
+		secretName := v.vault.Authentication.AppRole.Secret.Name
+		if secretName == "" {
+			return "", nil, fmt.Errorf("Vault AppRole secret name must not be empty")
+		}
+		return secretName, []string{"role-id", "secret-id"}, nil
 	default:
 		return "", nil, fmt.Errorf("unsupported Vault authentication type %q", v.vault.Authentication.Type)
 	}
 }
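Review bot: the guard lives only inside vaultProviderConfig, so any other kmsProviderConfig implementation that returns an empty name together with required keys still reaches `} else if len(secretName) > 0 {` in KMSPluginState and silently produces a KMSState without PluginSecretData. Add the check at the call site as well, e.g. `if len(secretName) == 0 && len(expectedKeys) > 0 { return nil, fmt.Errorf("required KMS plugin secret reference is empty") }`, so the invariant is enforced once for every provider rather than per implementation. The proposed message keeps the secret name out of the error text, which is consistent with the No-Sensitive-Data-In-Logs finding above and should stay that way.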

As per path instructions, “Validate at trust boundaries with allow-lists, not deny-lists.”

Also applies to: 107-110


Source: Path instructions
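The walkthrough describes KMSPluginState as resolving a provider's Secret and ConfigMap references from openshift-config and validating their required keys, and the inline review comment asks for empty references to be rejected at the trust boundary. The following is an added example, not code from this PR or from the openshift repository, showing one way to enforce that invariant once at the call site, for every provider and for the optional CA bundle ConfigMap as well, rather than inside the Vault AppRole branch alone. The VaultConfig/nameRef types, the objectGetter callback, memStore, resolve, appRoleConfig and the reduced KMSState are hypothetical stand-ins so the code runs offline; the real openshift/api and state types are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the openshift/api config types the PR works with (not the real definitions).
type nameRef struct{ Name string }
type VaultAuthenticationType string

const VaultAuthenticationTypeAppRole VaultAuthenticationType = "AppRole"

type VaultConfig struct {
	Authentication struct {
		Type    VaultAuthenticationType
		AppRole struct{ Secret nameRef }
	}
	CABundle *nameRef // optional CA bundle ConfigMap reference
}

// kmsProviderConfig mirrors the interface the PR describes: each provider names the
// Secret/ConfigMap it depends on and the keys that must be present in each.
type kmsProviderConfig interface {
	referencedSecretName() (string, []string, error)
	referencedConfigMapName() (string, []string, error)
}

type vaultProviderConfig struct{ vault VaultConfig }

func (v *vaultProviderConfig) referencedSecretName() (string, []string, error) {
	switch v.vault.Authentication.Type {
	case VaultAuthenticationTypeAppRole:
		return v.vault.Authentication.AppRole.Secret.Name, []string{"role-id", "secret-id"}, nil
	default:
		return "", nil, fmt.Errorf("unsupported Vault authentication type %q", v.vault.Authentication.Type)
	}
}

func (v *vaultProviderConfig) referencedConfigMapName() (string, []string, error) {
	if v.vault.CABundle == nil {
		return "", nil, nil // no reference, so nothing is required
	}
	return v.vault.CABundle.Name, []string{"ca-bundle.crt"}, nil
}

// objectGetter stands in for the Secret/ConfigMap listers so the example runs offline.
type objectGetter func(namespace, name string) (map[string][]byte, error)

// resolve enforces the invariant once, at the call site, for every provider: a reference that
// carries required keys must name an object, and that object must hold each required key
// (allow-list). Messages omit object names because they flow into OperatorCondition status.
func resolve(kind string, ref func() (string, []string, error), get objectGetter) (map[string][]byte, error) {
	name, required, err := ref()
	if err != nil {
		return nil, err
	}
	if name == "" {
		if len(required) > 0 {
			return nil, fmt.Errorf("%s reference is required but empty", kind)
		}
		return nil, nil
	}
	data, err := get("openshift-config", name)
	if err != nil {
		return nil, fmt.Errorf("failed to get %s in openshift-config: %w", kind, err)
	}
	out := make(map[string][]byte, len(required))
	for _, k := range required {
		if len(data[k]) == 0 {
			return nil, fmt.Errorf("%s in openshift-config is missing required key %q", kind, k)
		}
		out[k] = data[k] // copy only allow-listed keys into the state
	}
	return out, nil
}

type KMSState struct { // reduced, hypothetical form of state.KMSState
	KeyID            string
	PluginSecretData map[string][]byte
	CABundle         []byte
}

// KMSPluginState builds the state from a key ID and provider config, failing closed
// when a required credential reference is empty or incomplete.
func KMSPluginState(keyID string, cfg kmsProviderConfig, getSecret, getConfigMap objectGetter) (*KMSState, error) {
	secret, err := resolve("secret", cfg.referencedSecretName, getSecret)
	if err != nil {
		return nil, err
	}
	cm, err := resolve("configmap", cfg.referencedConfigMapName, getConfigMap)
	if err != nil {
		return nil, err
	}
	return &KMSState{KeyID: keyID, PluginSecretData: secret, CABundle: cm["ca-bundle.crt"]}, nil
}

// memStore is a constructed in-memory namespace standing in for the API server.
func memStore(objs map[string]map[string][]byte) objectGetter {
	return func(_, name string) (map[string][]byte, error) {
		if d, ok := objs[name]; ok {
			return d, nil
		}
		return nil, errors.New("object not found")
	}
}

func appRoleConfig(secretName string) *vaultProviderConfig {
	c := &vaultProviderConfig{}
	c.vault.Authentication.Type, c.vault.Authentication.AppRole.Secret.Name = VaultAuthenticationTypeAppRole, secretName
	return c
}

func main() {
	st, err := KMSPluginState("1", appRoleConfig(""), memStore(nil), memStore(nil))
	fmt.Println(st, err) // an empty AppRole secret reference is rejected instead of yielding a state
}
```

Because the empty-name check and the key allow-list both sit in resolve, a second provider added later gets the same protection without re-implementing it, and the optional CA bundle is handled by the same rule: no reference means nothing is required, while a reference that is present must point at a ConfigMap carrying ca-bundle.crt.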

@ardaguclu
Member Author

This was a PoC
/close

@openshift-ci openshift-ci Bot closed this Jun 23, 2026

openshift-ci Bot commented Jun 23, 2026

Contributor

@ardaguclu: Closed this PR.


In response to this:

This was a PoC
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ardaguclu ardaguclu deleted the provider-refactor branch June 23, 2026 12:11