NO-JIRA: add two more encryption rotation scenarios#2218
Open
tjungblu wants to merge 1 commit into
Open
Conversation
|
@tjungblu: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
Contributor
|
Skipping CI for Draft Pull Request. |
tjungblu
commented
May 12, 2026
Comment on lines
+225
to
+230
| // TODO(thomas): wire up a hook to define this from a provider configuration | ||
| // TODO(thomas): when we're on KMS provider we can grab the keyId from an annotation | ||
| // TODO(thomas): a new rotation controller can update the annotation for KMS | ||
|
|
||
| // TODO(thomas): alternative, when we detect a new KeyId, we can also remove the migrated-* annotations, | ||
| // that way the controller will definitely try to reconcile it again. |
Contributor
Author
There was a problem hiding this comment.
I'll remove that, sorry
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds a shared operator-condition callback, APIServer encryption apply and cleanup helpers, polling utilities to wait for stable encryption and count rotations, an operator-observed migration-in-progress detector, and two rotation-during-migration test scenarios. ChangesEncryption migration and rotation testing
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 8❌ Failed checks (1 warning, 7 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
tjungblu
force-pushed
the
rotation_tests
branch
2 times, most recently
from
7e6ba8f to
9f815c4
Compare
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 13, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
p0lyn0mial
reviewed
May 13, 2026
Contributor
p0lyn0mial
left a comment
p0lyn0mial
left a comment
There was a problem hiding this comment.
I did a first quick pass. I’d like to clarify the scope. Are we creating new cases that will support all providers, or just KMS?
| t.Skipf("initial migration finished before an in-progress window was observed; set GetOperatorConditionsFunc or use a cluster where migration stays visible longer") | ||
| } | ||
|
|
||
| require.NoError(e, ForceKeyRotation(e, scenario.UnsupportedConfigFunc, fmt.Sprintf("test-rotation-during-first-migration-%s", rand.String(4)))) |
Contributor
There was a problem hiding this comment.
ForceKeyRotation has no effect on KMS. What is out plan here ? Do we want to run the new scenarios for all encryption providers ?
Contributor
Author
There was a problem hiding this comment.
ForceKeyRotation will be implemented differently later on
| // ClearForcedKeyRotationReason clears encryption.reason under UnsupportedConfigOverrides (same merge path as | ||
| // ForceKeyRotation). Call when a test finishes so the next test in sequence does not inherit a non-empty | ||
| // reason and the key controller does not keep seeing an external rotation request. | ||
| func ClearForcedKeyRotationReason(t testing.TB, updateUnsupportedConfig UpdateUnsupportedConfigFunc) error { |
Contributor
There was a problem hiding this comment.
instead of a new fn why no to change teh ForceKeyRotation to register a cleanup routine via t.Cleanup ?
Contributor
Author
There was a problem hiding this comment.
why would I couple those two functionalities together? what if I just want to force a key rotation and not cleanup?
|
|
||
| require.NoError(e, ForceKeyRotation(e, scenario.UnsupportedConfigFunc, fmt.Sprintf("test-rotation-during-first-migration-%s", rand.String(4)))) | ||
| // n=2: one write-key revision from turning encryption on, one from ForceKeyRotation. | ||
| WaitForNRotations(e, clientSet.Kube, scenario.EncryptionProvider, scenario.TargetGRs, ns, labelSelector, prevMeta, 2) |
Contributor
There was a problem hiding this comment.
also for KMS, rotation will not create a new key.
Contributor
Author
There was a problem hiding this comment.
yep, so this would be implemented differently in KMS - I assume this would use this API that you and Ben cobbled together so far
openshift-ci
Bot
added
the
needs-rebase
tjungblu
force-pushed
the
rotation_tests
branch
3 times, most recently
from
0cadc78 to
dc56c5c
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/library/encryption/helpers.go`:
- Around line 399-416: The operator-condition branch currently returns true for
any Migrating condition; change the loop that scans conds (inside the wait.Poll
using getOp) to also verify the expectedWriteKey is the target of that
migration: only treat a condition as success if c.Type ==
encryptionMigrationControllerProgressingType && c.Status ==
operatorv1.ConditionTrue && c.Reason == "Migrating" AND (expectedWriteKey == ""
OR the condition text contains expectedWriteKey). In practice, update the
condition check in the loop to inspect the condition's message/text (e.g.,
c.Message) for expectedWriteKey and only return true when it matches; keep the
existing fallback to secret metadata polling and the t.Logf call unchanged.
- Around line 339-355: WaitUntilEncryptionStable compares meta.Mode to the raw
expectedMode which can be the zero-value; normalize empty expectedMode to the
canonical defaultEncryptionMode before polling so callers passing "" don’t hang.
In WaitUntilEncryptionStable set wantMode := string(expectedMode) and if
wantMode == "" assign wantMode = defaultEncryptionMode (same mapping used by
WaitForEncryptionKeyBasedOn) so the meta.Mode comparison and
allTargetGRsMigrated checks use the normalized mode.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 62d417f5-06d3-4c1f-95cd-58e2149b95b8
📒 Files selected for processing (3)
test/library/encryption/helpers.gotest/library/encryption/perf_scenarios.gotest/library/encryption/scenarios.go
💤 Files with no reviewable changes (1)
- test/library/encryption/perf_scenarios.go
🚧 Files skipped from review as they are similar to previous changes (1)
- test/library/encryption/scenarios.go
Comment on lines
+339
to
+355
| func WaitUntilEncryptionStable(t testing.TB, kube kubernetes.Interface, expectedMode configv1.EncryptionType, targetGRs []schema.GroupResource, namespace, labelSelector string) { | ||
| t.Helper() | ||
| wantMode := string(expectedMode) | ||
| err := wait.Poll(waitPollInterval, waitPollTimeout, func() (bool, error) { | ||
| meta, err := GetLastKeyMeta(t, kube, namespace, labelSelector) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
| if meta.Mode != wantMode { | ||
| return false, nil | ||
| } | ||
| if !allTargetGRsMigrated(meta, targetGRs) { | ||
| return false, nil | ||
| } | ||
| return true, nil | ||
| }) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Normalize empty expectedMode to identity before polling.
WaitForEncryptionKeyBasedOn already maps "" to defaultEncryptionMode, but this helper compares meta.Mode to "" directly. Any caller that passes the zero-value encryption type will sit here until timeout, and WaitForNRotations inherits that behavior.
Suggested fix
func WaitUntilEncryptionStable(t testing.TB, kube kubernetes.Interface, expectedMode configv1.EncryptionType, targetGRs []schema.GroupResource, namespace, labelSelector string) {
t.Helper()
wantMode := string(expectedMode)
+ if wantMode == "" {
+ wantMode = defaultEncryptionMode
+ }
err := wait.Poll(waitPollInterval, waitPollTimeout, func() (bool, error) {
meta, err := GetLastKeyMeta(t, kube, namespace, labelSelector)
if err != nil {
return false, err📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| func WaitUntilEncryptionStable(t testing.TB, kube kubernetes.Interface, expectedMode configv1.EncryptionType, targetGRs []schema.GroupResource, namespace, labelSelector string) { | |
| t.Helper() | |
| wantMode := string(expectedMode) | |
| err := wait.Poll(waitPollInterval, waitPollTimeout, func() (bool, error) { | |
| meta, err := GetLastKeyMeta(t, kube, namespace, labelSelector) | |
| if err != nil { | |
| return false, err | |
| } | |
| if meta.Mode != wantMode { | |
| return false, nil | |
| } | |
| if !allTargetGRsMigrated(meta, targetGRs) { | |
| return false, nil | |
| } | |
| return true, nil | |
| }) | |
| require.NoError(t, err) | |
| func WaitUntilEncryptionStable(t testing.TB, kube kubernetes.Interface, expectedMode configv1.EncryptionType, targetGRs []schema.GroupResource, namespace, labelSelector string) { | |
| t.Helper() | |
| wantMode := string(expectedMode) | |
| if wantMode == "" { | |
| wantMode = defaultEncryptionMode | |
| } | |
| err := wait.Poll(waitPollInterval, waitPollTimeout, func() (bool, error) { | |
| meta, err := GetLastKeyMeta(t, kube, namespace, labelSelector) | |
| if err != nil { | |
| return false, err | |
| } | |
| if meta.Mode != wantMode { | |
| return false, nil | |
| } | |
| if !allTargetGRsMigrated(meta, targetGRs) { | |
| return false, nil | |
| } | |
| return true, nil | |
| }) | |
| require.NoError(t, err) |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/library/encryption/helpers.go` around lines 339 - 355,
WaitUntilEncryptionStable compares meta.Mode to the raw expectedMode which can
be the zero-value; normalize empty expectedMode to the canonical
defaultEncryptionMode before polling so callers passing "" don’t hang. In
WaitUntilEncryptionStable set wantMode := string(expectedMode) and if wantMode
== "" assign wantMode = defaultEncryptionMode (same mapping used by
WaitForEncryptionKeyBasedOn) so the meta.Mode comparison and
allTargetGRsMigrated checks use the normalized mode.
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 15, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 15, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 15, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds two new encryption tests: * Forced rotation during first migration * Forced rotation during a rotation Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tjungblu The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 20, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu
added a commit
to tjungblu/cluster-kube-apiserver-operator
that referenced
this pull request
May 20, 2026
from library-go openshift/library-go#2218 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
♻️ Duplicate comments (2)
test/library/encryption/scenarios.go (1)
295-330:⚠️ Potential issue | 🟠 Major | ⚡ Quick winGuard these overlap scenarios against KMS.
Both tests assume
ForceKeyRotationproduces a new write-key secret and thatWaitForNRotationscan count suffix increments. That only matches the static-provider path, so aRotationScenariousingEncryptionTypeKMSwill fail or assert the wrong behavior here.Suggested fix
func TestEncryptionRotationDuringFirstMigration(t testing.TB, scenario RotationScenario) { + if scenario.EncryptionProvider.Type == configv1.EncryptionTypeKMS { + t.Skip("rotation overlap scenarios currently rely on write-key secret revisions, which are not valid for KMS") + } + ns := scenario.Namespace labelSelector := scenario.LabelSelector @@ func TestEncryptionRotationDuringOngoingRotation(t testing.TB, scenario RotationScenario) { + if scenario.EncryptionProvider.Type == configv1.EncryptionTypeKMS { + t.Skip("rotation overlap scenarios currently rely on write-key secret revisions, which are not valid for KMS") + } + ns := scenario.Namespace labelSelector := scenario.LabelSelectorAlso applies to: 336-369
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/library/encryption/scenarios.go` around lines 295 - 330, TestEncryptionRotationDuringFirstMigration assumes ForceKeyRotation creates a new write-key secret and that WaitForNRotations counts suffix increments, which is only true for the static-provider path; guard this scenario against KMS by checking the scenario.EncryptionProvider.Type (or scenario.TargetEncryptionType) and skip or alter behavior when it equals EncryptionTypeKMS: either skip the ForceKeyRotation + WaitForNRotations block for KMS scenarios or use a KMS-appropriate assertion path; update TestEncryptionRotationDuringFirstMigration (and the similar block at lines 336-369) to branch on EncryptionTypeKMS before calling ForceKeyRotation and WaitForNRotations so KMS scenarios do not run static-provider assumptions.test/library/encryption/helpers.go (1)
396-408:⚠️ Potential issue | 🟠 Major | ⚡ Quick winTie the operator-condition window to
expectedWriteKey.This succeeds on any
Migratingcondition, so a stale or unrelated migration can satisfy the poll before the write key you want to stack on is active. That lets the overlap tests trigger the next rotation against the wrong window.Suggested fix
if getOp != nil { err := wait.Poll(2*time.Second, windowWait, func() (bool, error) { + meta, err := GetLastKeyMeta(t, kube, namespace, labelSelector) + if err != nil { + return false, err + } + if expectedWriteKey != "" && meta.Name != expectedWriteKey { + return false, nil + } + if allTargetGRsMigrated(meta, targetGRs) { + return false, nil + } + conds, err := getOp(t) if err != nil { return false, err } for _, c := range conds {🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/library/encryption/helpers.go` around lines 396 - 408, The poll currently returns true for any Condition of type encryptionMigrationControllerProgressingType with Status True/Reason "Migrating", which can match unrelated/stale migrations; update the closure used in wait.Poll (the one calling getOp) to additionally verify that the progressing condition pertains to the expectedWriteKey (compare against expectedWriteKey using whatever field carries the target key—e.g., c.Message, c.ReasonDetail, annotation or status field that encodes the write key) before returning true so only the migration window for expectedWriteKey satisfies the poll; change only the closure in the getOp poll logic to include this extra equality check.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@test/library/encryption/helpers.go`:
- Around line 396-408: The poll currently returns true for any Condition of type
encryptionMigrationControllerProgressingType with Status True/Reason
"Migrating", which can match unrelated/stale migrations; update the closure used
in wait.Poll (the one calling getOp) to additionally verify that the progressing
condition pertains to the expectedWriteKey (compare against expectedWriteKey
using whatever field carries the target key—e.g., c.Message, c.ReasonDetail,
annotation or status field that encodes the write key) before returning true so
only the migration window for expectedWriteKey satisfies the poll; change only
the closure in the getOp poll logic to include this extra equality check.
In `@test/library/encryption/scenarios.go`:
- Around line 295-330: TestEncryptionRotationDuringFirstMigration assumes
ForceKeyRotation creates a new write-key secret and that WaitForNRotations
counts suffix increments, which is only true for the static-provider path; guard
this scenario against KMS by checking the scenario.EncryptionProvider.Type (or
scenario.TargetEncryptionType) and skip or alter behavior when it equals
EncryptionTypeKMS: either skip the ForceKeyRotation + WaitForNRotations block
for KMS scenarios or use a KMS-appropriate assertion path; update
TestEncryptionRotationDuringFirstMigration (and the similar block at lines
336-369) to branch on EncryptionTypeKMS before calling ForceKeyRotation and
WaitForNRotations so KMS scenarios do not run static-provider assumptions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: afaf36a5-894b-4628-b69c-79ffe8ca314e
📒 Files selected for processing (3)
test/library/encryption/helpers.gotest/library/encryption/perf_scenarios.gotest/library/encryption/scenarios.go
Contributor
|
@tjungblu: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds two new encryption tests:
Summary by CodeRabbit