From bbbdd50d4e831da588e989ed5067bdfdfe2de07a Mon Sep 17 00:00:00 2001
From: Flavian Missi
Date: Mon, 18 May 2026 15:16:16 +0200
Subject: [PATCH] pluginlifecycle: treat transit-mount as required

the api has changed to make this field required, so we change to reflect it.

---
 .../encryption/kms/pluginlifecycle/sidecar_test.go | 6 +++---
 pkg/operator/encryption/kms/pluginlifecycle/vault.go | 5 +----
 pkg/operator/encryption/kms/pluginlifecycle/vault_test.go | 8 ++++----
 .../encryption/kms/k8s-mock-plugin/wrapper/main.go | 5 ++++-
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go b/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
index 397c1622fd..83a799aca7 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
@@ -108,11 +108,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 	sidecarArgs := []string{
 		"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 		"-vault-address=https://vault.example.com:8200",
+		"-transit-mount=transit",
 		"-transit-key=my-key",
 		"-approle-role-id=dummy-role-id-555",
 		"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 		"-vault-namespace=my-namespace",
-		"-transit-mount=transit",
 	}
 
 	socketMount := corev1.VolumeMount{
@@ -179,11 +179,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 				Args: []string{
 					"-listen-address=unix:///var/run/kmsplugin/kms-777.sock",
 					"-vault-address=https://vault2.example.com:8200",
+					"-transit-mount=transit2",
 					"-transit-key=other-key",
 					"-approle-role-id=dummy-role-id-777",
 					"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-777",
 					"-vault-namespace=other-namespace",
-					"-transit-mount=transit2",
 				},
 				VolumeMounts: []corev1.VolumeMount{socketMount},
 			},
@@ -193,11 +193,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 				Args: []string{
 					"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 					"-vault-address=https://vault.example.com:8200",
+					"-transit-mount=transit",
 					"-transit-key=my-key",
 					"-approle-role-id=dummy-role-id-555",
 					"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 					"-vault-namespace=my-namespace",
-					"-transit-mount=transit",
 				},
 				VolumeMounts: []corev1.VolumeMount{socketMount},
 			},
diff --git a/pkg/operator/encryption/kms/pluginlifecycle/vault.go b/pkg/operator/encryption/kms/pluginlifecycle/vault.go
index 4e459dd039..6fe1b5405e 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/vault.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/vault.go
@@ -37,6 +37,7 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
 	args := []string{
 		fmt.Sprintf("-listen-address=%s", v.udsPath),
 		fmt.Sprintf("-vault-address=%s", v.config.VaultAddress),
+		fmt.Sprintf("-transit-mount=%s", v.config.TransitMount),
 		fmt.Sprintf("-transit-key=%s", v.config.TransitKey),
 		// TODO(bertinatto): dummy value for the Vault mock plugin; will come from the encryption-config secret.
 		fmt.Sprintf("-approle-role-id=dummy-role-id-%s", v.keyID),
@@ -49,10 +50,6 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
 		args = append(args, fmt.Sprintf("-vault-namespace=%s", v.config.VaultNamespace))
 	}
 
-	if v.config.TransitMount != "" {
-		args = append(args, fmt.Sprintf("-transit-mount=%s", v.config.TransitMount))
-	}
-
 	return corev1.Container{
 		Name: v.Name(),
 		Image: v.config.KMSPluginImage,
diff --git a/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go b/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
index 2b3b662a57..bcc9e22bc4 100644
--- a/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
+++ b/pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
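Review bot: In the @@ -37 hunk of vault.go, `-transit-mount=%s` is now emitted unconditionally from `v.config.TransitMount`, so a config whose TransitMount is empty yields a sidecar that is only rejected at startup by the plugin's own validate(), instead of an error from BuildSidecarContainer, which already returns `(corev1.Container, error)`. The API presumably enforces the field now, but objects that predate the change or reach this code through a path without that validation would otherwise surface as a crash-looping KMS sidecar rather than an operator-reported condition; a guard such as `if v.config.TransitMount == "" { return corev1.Container{}, fmt.Errorf("transit mount must be set") }` before the args slice keeps the failure where it can be reported. The same applies to the @@ -49 hunk in this file, which removes the only guard on the value. BuildSidecarContainer starts and ends outside both hunks.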
@@ -43,11 +43,11 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 				Args: []string{
 					"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 					"-vault-address=https://vault.example.com:8200",
+					"-transit-mount=transit",
 					"-transit-key=my-key",
 					"-approle-role-id=dummy-role-id-555",
 					"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 					"-vault-namespace=my-namespace",
-					"-transit-mount=transit",
 				},
 			},
 		},
@@ -88,11 +88,11 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 				Args: []string{
 					"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 					"-vault-address=https://vault.example.com:8200",
+					"-transit-mount=transit",
 					"-transit-key=my-key",
 					"-approle-role-id=dummy-role-id-555",
 					"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 					"-vault-namespace=my-namespace",
-					"-transit-mount=transit",
 				},
 			},
 		},
@@ -106,8 +106,8 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 					KMSPluginImage: "quay.io/test/vault:v2",
 					VaultAddress: "https://vault.example.com:8200",
 					TransitKey: "my-key",
+					TransitMount: "transit",
 					VaultNamespace: "",
-					TransitMount: "",
 				},
 			},
 			containerName: "kms-plugin",
@@ -122,12 +122,12 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 				Args: []string{
 					"-listen-address=unix:///var/run/kmsplugin/kms.sock",
 					"-vault-address=https://vault.example.com:8200",
+					"-transit-mount=transit",
 					"-transit-key=my-key",
 					"-approle-role-id=dummy-role-id-999",
 					"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-999",
 					// These are not added
 					// "-vault-namespace=",
-					// "-transit-mount=",
 				},
 			},
 		},
diff --git a/test/library/encryption/kms/k8s-mock-plugin/wrapper/main.go b/test/library/encryption/kms/k8s-mock-plugin/wrapper/main.go
index 17a6adf406..c3441ea67a 100644
--- a/test/library/encryption/kms/k8s-mock-plugin/wrapper/main.go
+++ b/test/library/encryption/kms/k8s-mock-plugin/wrapper/main.go
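Review bot: After the @@ -106 hunk switches the third case's `TransitMount: ""` to `"transit"`, no case in TestVaultSidecarProvider_BuildSidecarContainer exercises an empty TransitMount any more, so what BuildSidecarContainer does with that input (the vault.go hunk makes it emit a bare `-transit-mount=`) is unpinned. Add a case with `TransitMount: ""` that asserts whichever outcome is intended, an error from BuildSidecarContainer or the bare flag, so a regression in the required-field handling is caught here rather than at sidecar startup. The same table is also updated in the @@ -43, @@ -88 and @@ -122 hunks, which only reorder the expected args and need no further change.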
@@ -37,12 +37,12 @@ func main() {
 	flag.StringVar(&o.listenAddress, "listen-address", "", "Listen address for the KMS plugin (e.g. unix:///var/run/kmsplugin/kms.sock)")
 	flag.StringVar(&o.vaultAddress, "vault-address", "", "Vault server address")
+	flag.StringVar(&o.transitMount, "transit-mount", "", "Vault transit secret engine mount path")
 	flag.StringVar(&o.transitKey, "transit-key", "", "Vault transit key name")
 	flag.StringVar(&o.approleRoleID, "approle-role-id", "", "Vault AppRole role ID")
 	flag.StringVar(&o.approleSecretIDPath, "approle-secret-id-path", "", "Path to file containing Vault AppRole secret ID")
 	flag.StringVar(&o.logLevel, "log-level", "", "Log level (optional, valid value: debug-extended)")
 	flag.StringVar(&o.vaultNamespace, "vault-namespace", "", "Vault namespace (optional)")
-	flag.StringVar(&o.transitMount, "transit-mount", "", "Vault transit secret engine mount path (optional)")
 
 	flag.Parse()
 
 	flag.VisitAll(func(f *flag.Flag) {
@@ -64,6 +64,9 @@ func (o *options) validate() error {
 	if o.vaultAddress == "" {
 		return fmt.Errorf("--vault-address must be set")
 	}
+	if o.transitMount == "" {
+		return fmt.Errorf("--transit-mount must be set")
+	}
 	if o.transitKey == "" {
 		return fmt.Errorf("--transit-key must be set")
 	}