NO-JIRA: kms rotation controller#905

Draft
tjungblu wants to merge 2 commits into openshift:master from tjungblu:rotation_controller

@tjungblu tjungblu commented Jun 1, 2026

Contributor

Summary by CodeRabbit

  • Chores
    • Updated module resolution to redirect two third-party dependencies to alternative sources, ensuring compatibility with testing and build workflows.
    • These redirects change where the project fetches specific dependency versions, stabilizing builds and aiding integration testing without altering runtime behavior.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 1, 2026
@openshift-ci-robot

Contributor

@tjungblu: This pull request explicitly references no jira issue.

@openshift-ci

openshift-ci Bot commented Jun 1, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 1, 2026
@coderabbitai

coderabbitai Bot commented Jun 1, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds two replace directives to go.mod to remap github.com/onsi/ginkgo/v2 and github.com/openshift/library-go to specified forked module paths and pinned pseudo-versions.

Changes

Module Dependency Redirects

| Layer / File(s) | Summary |
|---|---|
| Ginkgo and library-go module replacements (go.mod) | Add replace directives to redirect github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 and github.com/openshift/library-go => github.com/tjungblu/library-go v0.0.0-20260611114644-374bd672722f. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ⚠️ Warning | Assertion calls in test library lack meaningful failure messages. Multiple require.NoError() calls in test/library/encryption/helpers.go don't include context about what failed, violating the asser... | Add descriptive messages to require.NoError() calls (e.g., require.NoError(t, err, "failed to create operator client")) to help diagnose test failures. |
| Topology-Aware Scheduling Compatibility | ⚠️ Warning | The oauth-openshift deployment uses maxUnavailable: 0 with maxSurge: 0 and nodeSelector targeting only control-plane nodes, causing deadlock on SNO (1 node) and TNF (2 nodes) topologies during roll... | Review the library-go replace directive for topology-aware scheduling functions (CountNodesFuncWrapper, EnsureAtMostOnePodPerNode); ensure maxUnavailable >= 1 for rolling deployments on constrained topologies, or implement topology-aware... |
| Title check | ❓ Inconclusive | The title mentions 'kms rotation controller' which appears to be relevant to the PR objectives, but the changes in go.mod only add module replace directives and don't directly implement or modify a KMS rotation controller. | Clarify whether the title should reference the module dependency updates in go.mod, or if the actual KMS rotation controller implementation is in excluded vendor files. The title is vague about the primary change being dependency management. |
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All 16 Ginkgo test names in the repository are static and deterministic. They contain only fixed strings without timestamps, UUIDs, pod names, node names, or other dynamic values. |
| Microshift Test Compatibility | ✅ Passed | PR does not add any new Ginkgo e2e tests. Changes are limited to go.mod/go.sum and vendored library code with test helper functions using standard Go testing interface, not Ginkgo. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests (It, Describe, Context, When) were added in this PR. Changes are only in go.mod, go.sum, and vendored code. The custom check is not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | OTE binary main.go correctly sets klog.LogToStderr(true) early in main(), has no fmt.Print/stdout writes in process-level code, and PR only contains go.mod dependency updates. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The new Ginkgo e2e tests (encryption_kms.go) contain no IPv4 assumptions, hardcoded addresses, or external connectivity requirements. Tests use cluster-internal namespaces and Kubernetes APIs only. |
| No-Weak-Crypto | ✅ Passed | No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in PR code changes. |
| Container-Privileges | ✅ Passed | PR only modifies go.mod with dependency version changes; no Kubernetes manifests or container configurations are altered. |
| No-Sensitive-Data-In-Logs | ✅ Passed | KMS rotation controller logs only metadata: namespace, secret name, and KEK ID (identifier, not key material). No actual secrets, tokens, passwords, API keys, PII, or sensitive data are exposed in... |

@openshift-ci

openshift-ci Bot commented Jun 1, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: The replace directive swapping github.com/openshift/library-go to
the fork github.com/tjungblu/library-go v0.0.0-20260601112848-644b24dd829d
changes the trust boundary; add a provenance package and attestations tied to
that specific replacement: document rationale and include a verifiable SBOM
(e.g., CycloneDX or SPDX) for the forked module, provide the git commit hash
(644b24dd829d8acc3f2806deaaf6fe80e9da0c9e) and upstream commit, and attach
Sigstore/cosign signing evidence (signature + certificate) for the forked module
artifact; place these artifacts and a short summary into the repo (e.g., a
PROVENANCE.md or vendor/provenance directory) and update go.mod commit
message/PR description to reference them so reviewers can verify the replacement
of github.com/openshift/library-go with github.com/tjungblu/library-go.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd7731f6-3681-4134-b172-e94df631c502

📥 Commits

Reviewing files that changed from the base of the PR and between 7eccc16 and 5da2462.

⛔ Files ignored due to path filters (19)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/encryption_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionstatus/convergence.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionstatus/migration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionstatus/operator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionstatus/rotation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptionstatus/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/secrets/secrets.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_configmap.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_daemonset.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_namespace.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_rolebinding.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/assets/k8s_mock_kms_plugin_serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod Outdated

replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => github.com/tjungblu/library-go v0.0.0-20260601112848-644b24dd829d
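
Review bot: the second `replace`, for github.com/openshift/library-go, points at a fork under a personal account (github.com/tjungblu/library-go) pinned only by pseudo-version, and nothing in the hunk marks it as temporary. Add a comment above the directive naming the upstream change it stands in for, and drop the directive before the PR leaves draft so the module resolves from github.com/openshift/library-go again. A comment on the ginkgo `replace` saying why that fork is pinned would help for the same reason.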

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Resolve module metadata from Go proxy (version existence/source timestamp).
curl -s "https://proxy.golang.org/github.com/tjungblu/library-go/@v/v0.0.0-20260601112848-644b24dd829d.info" | jq .

# 2) Check module zip/hash metadata availability (evidence for reproducibility chain).
curl -s "https://proxy.golang.org/github.com/tjungblu/library-go/@v/v0.0.0-20260601112848-644b24dd829d.mod" | sed -n '1,80p'

# 3) Query OSV for known vulns affecting the fork module coordinate.
curl -s https://api.osv.dev/v1/query -H 'content-type: application/json' -d '{
  "package": {"name":"github.com/tjungblu/library-go","ecosystem":"Go"},
  "version":"v0.0.0-20260601112848-644b24dd829d"
}' | jq .

# 4) Compare with upstream module/version currently required in go.mod.
curl -s https://api.osv.dev/v1/query -H 'content-type: application/json' -d '{
  "package": {"name":"github.com/openshift/library-go","ecosystem":"Go"},
  "version":"v0.0.0-20260527152424-3ad832f9a5a5"
}' | jq .

# 5) Optional: fetch fork repo metadata (license visibility, default branch, etc.).
curl -s "https://api.github.com/repos/tjungblu/library-go" | jq '{full_name,private,fork,license,default_branch,pushed_at}'

Repository: openshift/cluster-authentication-operator

Length of output: 3953


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FORK_MOD="github.com/tjungblu/library-go"
UPSTREAM_MOD="github.com/openshift/library-go"
FORK_VER="v0.0.0-20260601112848-644b24dd829d"
UPSTREAM_VER="v0.0.0-20260527152424-3ad832f9a5a5"

echo "== go proxy .info (fork) =="
curl -s "https://proxy.golang.org/${FORK_MOD}/@v/${FORK_VER}.info" | jq .

echo "== go proxy .info (upstream) =="
curl -s "https://proxy.golang.org/${UPSTREAM_MOD}/@v/${UPSTREAM_VER}.info" | jq .

echo "== GitHub repo license (fork) =="
curl -s "https://api.github.com/repos/tjungblu/library-go" \
  | jq '{full_name,license:{key: .license.key, name: .license.name, spdx_id: .license.spdx_id}, fork, private, default_branch}'

echo "== GitHub repo license (upstream) =="
curl -s "https://api.github.com/repos/openshift/library-go" \
  | jq '{full_name,license:{key: .license.key, name: .license.name, spdx_id: .license.spdx_id}, fork, private, default_branch}'

echo "== OSV query (fork version) =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${FORK_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${FORK_VER}\"}" \
  | jq '{vulnerabilities:(.vulns // .vulnerabilities // .)}'

# The jq above might fail if field differs; print whole response if empty
echo "== OSV raw (fork version) =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${FORK_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${FORK_VER}\"}" \
  | jq .

echo "== OSV raw (upstream version) =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${UPSTREAM_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${UPSTREAM_VER}\"}" \
  | jq .

Repository: openshift/cluster-authentication-operator

Length of output: 1406


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FORK_MOD="github.com/tjungblu/library-go"
UPSTREAM_MOD="github.com/openshift/library-go"
FORK_VER="v0.0.0-20260601112848-644b24dd829d"
UPSTREAM_VER="v0.0.0-20260527152424-3ad832f9a5a5"

echo "== go proxy .info (fork) =="
curl -s "https://proxy.golang.org/${FORK_MOD}/@v/${FORK_VER}.info" | jq '{Version,Time,Origin,GoMod}'

echo "== go proxy .info (upstream) =="
curl -s "https://proxy.golang.org/${UPSTREAM_MOD}/@v/${UPSTREAM_VER}.info" | jq '{Version,Time,Origin,GoMod}'

echo "== GitHub repo license (fork) =="
curl -s "https://api.github.com/repos/tjungblu/library-go" \
  | jq '{license:(.license // null | {key:.key,name:.name,spdx_id:.spdx_id}), default_branch, fork, private}'

echo "== GitHub repo license (upstream) =="
curl -s "https://api.github.com/repos/openshift/library-go" \
  | jq '{license:(.license // null | {key:.key,name:.name,spdx_id:.spdx_id}), default_branch, fork, private}'

echo "== OSV (fork version) summary =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${FORK_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${FORK_VER}\"}" \
  | jq '{vuln_count:(.vulns|length), vulns:[.vulns[]?.id, .vulns[]?.details?.summary] }'

echo "== OSV (upstream version) summary =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${UPSTREAM_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${UPSTREAM_VER}\"}" \
  | jq '{vuln_count:(.vulns|length), vulns:[.vulns[]?.id, .vulns[]?.details?.summary] }'

Repository: openshift/cluster-authentication-operator

Length of output: 1213


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FORK_MOD="github.com/tjungblu/library-go"
UPSTREAM_MOD="github.com/openshift/library-go"
FORK_VER="v0.0.0-20260601112848-644b24dd829d"
UPSTREAM_VER="v0.0.0-20260527152424-3ad832f9a5a5"

echo "== go proxy .info (fork) =="
curl -s "https://proxy.golang.org/${FORK_MOD}/@v/${FORK_VER}.info" | jq '{Version,Time,Origin}'

echo "== go proxy .info (upstream) =="
curl -s "https://proxy.golang.org/${UPSTREAM_MOD}/@v/${UPSTREAM_VER}.info" | jq '{Version,Time,Origin}'

echo "== GitHub repo license (fork) =="
curl -s "https://api.github.com/repos/tjungblu/library-go" \
  | jq '{license:(.license // null | {key:.key,name:.name,spdx_id:.spdx_id}), default_branch, fork, private}'

echo "== GitHub repo license (upstream) =="
curl -s "https://api.github.com/repos/openshift/library-go" \
  | jq '{license:(.license // null | {key:.key,name:.name,spdx_id:.spdx_id}), default_branch, fork, private}'

echo "== OSV (fork version) =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${FORK_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${FORK_VER}\"}" \
  | jq '{vuln_count:(.vulns|length), vulns:((.vulns // []) | map({id, summary:(.details.summary // .summary // "")}))}'

echo "== OSV (upstream version) =="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"${UPSTREAM_MOD}\",\"ecosystem\":\"Go\"},\"version\":\"${UPSTREAM_VER}\"}" \
  | jq '{vuln_count:(.vulns|length), vulns:((.vulns // []) | map({id, summary:(.details.summary // .summary // "")}))}'

Repository: openshift/cluster-authentication-operator

Length of output: 1163


Add provenance/SBOM/signing governance for the forked module replacement

Redirecting github.com/openshift/library-go to github.com/tjungblu/library-go v0.0.0-20260601112848-644b24dd829d changes the trust boundary—include a clear rationale plus verifiable provenance/SBOM attestation and Sigstore/cosign signing evidence for the resulting artifacts.

  • License compatibility: fork and upstream are both Apache-2.0.
  • Vulnerabilities: OSV reports 0 known vulns for both the fork version and the upstream version.
  • Go proxy origin metadata ties the fork version to commit 644b24dd829d8acc3f2806deaaf6fe80e9da0c9e (and upstream to 3ad832f9a5a5302f51fff12cc91f68e74fdbb62b), but that doesn’t replace required SBOM/provenance/signing controls.
go.mod replacement
replace github.com/openshift/library-go => github.com/tjungblu/library-go v0.0.0-20260601112848-644b24dd829d
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, The replace directive swapping
github.com/openshift/library-go to the fork github.com/tjungblu/library-go
v0.0.0-20260601112848-644b24dd829d changes the trust boundary; add a provenance
package and attestations tied to that specific replacement: document rationale
and include a verifiable SBOM (e.g., CycloneDX or SPDX) for the forked module,
provide the git commit hash (644b24dd829d8acc3f2806deaaf6fe80e9da0c9e) and
upstream commit, and attach Sigstore/cosign signing evidence (signature +
certificate) for the forked module artifact; place these artifacts and a short
summary into the repo (e.g., a PROVENANCE.md or vendor/provenance directory) and
update go.mod commit message/PR description to reference them so reviewers can
verify the replacement of github.com/openshift/library-go with
github.com/tjungblu/library-go.
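
The trust-boundary point in the review comment above can be checked mechanically. The Go program below is an added example, not code from this PR or from library-go: it lists every replace directive in a go.mod, marks replacements whose owner is outside an allowlist, and checks that a pseudo-version is pinned to a given commit. The allowlist (`github.com/openshift`) and the names `AuditReplaces`, `Finding`, `PinnedTo` and `trustedOwners` are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one replace directive plus what a reviewer should know about it.
type Finding struct {
	Old, New, Version string
	Commit            string // 12-hex commit prefix when Version is a pseudo-version
	OwnerChanged      bool   // host/org of the replacement differs from the original
	Untrusted         bool   // local path, or replacement owner not in the allowlist
}

// Pseudo-versions end in <14-digit UTC timestamp>-<12-hex commit prefix>.
var pseudoRe = regexp.MustCompile(`[-.]\d{14}-([0-9a-f]{12})(\+incompatible)?$`)

// owner returns "host/org" for a module path such as github.com/org/repo.
func owner(mod string) string {
	if p := strings.SplitN(mod, "/", 3); len(p) >= 2 {
		return p[0] + "/" + p[1]
	}
	return mod
}

// AuditReplaces scans gofmt-style go.mod text for single-line and block replace directives.
func AuditReplaces(gomod string, trusted map[string]bool) []Finding {
	var out []Finding
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0]) // drop trailing comment
		switch {
		case line == "replace (" || (inBlock && line == ")"):
			inBlock = line != ")"
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue
		}
		lhs, rhs, _ := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if len(l) == 0 || len(r) == 0 {
			continue
		}
		r = append(r, "") // a local-path replacement carries no version
		f := Finding{Old: l[0], New: r[0], Version: r[1]}
		if m := pseudoRe.FindStringSubmatch(f.Version); m != nil {
			f.Commit = m[1]
		}
		local := strings.HasPrefix(f.New, ".") || strings.HasPrefix(f.New, "/")
		f.OwnerChanged = local || owner(f.New) != owner(f.Old)
		f.Untrusted = local || !trusted[owner(f.New)]
		out = append(out, f)
	}
	return out
}

// PinnedTo reports whether the pseudo-version's commit prefix matches fullSHA.
func PinnedTo(f Finding, fullSHA string) bool {
	return f.Commit != "" && strings.HasPrefix(fullSHA, f.Commit)
}

// trustedOwners is an assumed allowlist for this example, not something the page defines.
var trustedOwners = map[string]bool{"github.com/openshift": true}

// pageGoMod holds the two replace directives quoted in the comment thread above.
const pageGoMod = `replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
replace github.com/openshift/library-go => github.com/tjungblu/library-go v0.0.0-20260601112848-644b24dd829d`

func main() {
	for _, f := range AuditReplaces(pageGoMod, trustedOwners) {
		fmt.Printf("%+v\n", f)
	}
}
```

With that allowlist, the ginkgo redirect is reported as an owner change to a trusted organisation, while the library-go redirect is reported as untrusted and pinned to the commit the review quotes.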

rotations []encryptionstatus.KMSPluginRotationStatus,
) ([]encryptionstatus.KMSPluginRotationStatus, error) {
// Check KEK convergence across all nodes for this keyID.
convergedKEKID, converged := encryptionstatus.ConvergedKEKForKeyID(healthReports, keyID)
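
Review bot: `converged` from `ConvergedKEKForKeyID(healthReports, keyID)` is derived from `healthReports` alone, and the comment promises convergence "across all nodes" without saying what happens when a node has no report in that slice. State here or on the helper whether a missing or stale report counts as not converged, so a partial set of reports cannot be read as agreement on a KEK.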

Member

I know that this is draft and WIP. Just dropped a comment if it makes sense;

In order to adopt the invariants of other controllers, if there is an active migration or one of the kms plugins is not healthy, we should return just like !converged.

Contributor Author

thanks Arda, much appreciated. Can you leave this here? openshift/library-go#2237

This is just mostly slopware to see whether this kinda works.

Member

I'll extensively review openshift/library-go#2237 tomorrow

Contributor Author

it's the same thing you just reviewed ;)

Member

I didn't know that it is ready for review :), I'll allocate sufficient time for it

}

// EncryptedGroupResources returns group resources from the deployed encryption configuration.
func (c *Config) EncryptedGroupResources() []schema.GroupResource {
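
Review bot: the doc comment on `EncryptedGroupResources` does not say what is returned when no encryption configuration has been deployed yet, and the method has a pointer receiver (`c *Config`). Document whether callers get nil or an empty slice in that case and whether a nil `c` is safe to call on.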

Member

Instead of a new function, I think it is better to use ToEncryptionState by querying key Secrets.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 3, 2026
@tjungblu tjungblu force-pushed the rotation_controller branch from 5da2462 to 799dca9 Compare June 8, 2026 09:26
@openshift-ci openshift-ci Bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 8, 2026
@tjungblu tjungblu force-pushed the rotation_controller branch from 32f811c to 2728167 Compare June 11, 2026 12:48
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 11, 2026
@tjungblu

Contributor Author

/test e2e-aws-operator-encryption-kms

@tjungblu tjungblu force-pushed the rotation_controller branch from 2728167 to 7dc541a Compare June 11, 2026 13:04
@tjungblu

Contributor Author

/test e2e-aws-operator-encryption-kms

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

@tjungblu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-operator-encryption-kms | 7dc541a | link | false | /test e2e-aws-operator-encryption-kms |

tjungblu and others added 2 commits June 12, 2026 14:21
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
@tjungblu tjungblu force-pushed the rotation_controller branch from 7dc541a to 907ed99 Compare June 12, 2026 12:22