Loosen KMS validation to allow nil KMSConfig

Author: ardaguclu

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml

@@ -54,16 +54,22 @@ tests:
               aws:
                 keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
                 region: us-east-1
-      expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise"
-    - name: Should fail to create with an empty KMS config
+      expectedError: "kms config is forbidden when encryption type is not KMS"
+    - name: Should be able to create with KMS type and nil kms config
       initial: |
         apiVersion: config.openshift.io/v1
         kind: APIServer
         spec:
           encryption:
             type: KMS
-            kms: {}
-      expectedError: "spec.encryption.kms.type: Required value"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          encryption:
+            type: KMS
     - name: Should fail to create with kms type AWS but without aws config 
       initial: |
         apiVersion: config.openshift.io/v1

config/v1/types_apiserver.go

@@ -175,7 +175,7 @@ type APIServerNamedServingCert struct {
 }
 
 // APIServerEncryption is used to encrypt sensitive resources on the cluster.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="self.type != 'KMS' ? !has(self.kms) : true",message="kms config is forbidden when encryption type is not KMS"
 // +union
 type APIServerEncryption struct {
 	// type defines what encryption type should be used to encrypt resources at the datastore layer.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

openapi/openapi.json

@@ -9881,7 +9881,7 @@
           "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI"
         },
         "policyType": {
-          "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.",
+          "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
           "type": "string",
           "default": ""
         },

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -245,10 +245,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
-                - message: kms config is required when encryption type is KMS, and
-                    forbidden otherwise
-                  rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
-                    !has(self.kms)'
+                - message: kms config is forbidden when encryption type is not KMS
+                  rule: 'self.type != ''KMS'' ? !has(self.kms) : true'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates