kms: wire up config overrides for KMS values

[kevinrizza]

pass log level along to vault

WIP - this commit is using a replaces directive for my library-go fork. needs to be updated to vendor real change in library-go

Summary by CodeRabbit

• Chores
  • Updated dependency configuration to redirect a core library to an alternative source repository for builds, ensuring the project uses the specified upstream variant.
  • Extended KMS plugin sidecar setup to accept additional runtime configuration (unsupported overrides), allowing more granular sidecar behavior and improved runtime flexibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 504f3a0e-71cf-44f0-96da-e091c1ef362e

📥 Commits

Reviewing files that changed from the base of the PR and between c1766d3 and e2a1a1d.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/sync_openshift_oauth_apiserver.go

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

---

Walkthrough

Adds a go.mod replace for library-go and updates the operator call to AddKMSPluginSidecarToPodSpec to pass operatorSpec.UnsupportedConfigOverrides.Raw as an additional argument.

Changes

KMS Plugin Configuration Update

Layer / File(s)	Summary
Module dependency replacement go.mod	A replace directive redirects github.com/openshift/library-go to github.com/kevinrizza/library-go at a pseudo-version.
KMS plugin sidecar configuration pkg/operator/workload/sync_openshift_oauth_apiserver.go	The AddKMSPluginSidecarToPodSpec invocation now passes operatorSpec.UnsupportedConfigOverrides.Raw as an additional parameter alongside the existing feature gate accessor.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	PR passes UnsupportedConfigOverrides.Raw to kevinrizza fork which logs parsing errors via klog.Warning, potentially exposing sensitive config data like passwords and API keys in logs.	Either sanitize config before logging, avoid logging raw content on parse errors, or use official library-go instead of fork with this logging issue.
Microshift Test Compatibility	⚠️ Warning	Tests use [OCPFeatureGate:KMSEncryption] which relies on FeatureGates not supported on MicroShift, without protection mechanisms.	Add [Skipped:MicroShift] label to test names or implement exutil.IsMicroShiftCluster() runtime check with g.Skip().
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New Ginkgo tests in test/e2e-encryption-kms/encryption_kms.go call DefaultVaultEncryptionProvider which deploys Vault KMS plugin, requiring external connectivity in disconnected environments.	Add [Skipped:Disconnected] markers to test names or mock DefaultVaultEncryptionProvider for disconnected CI environments.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly summarizes the main change: wiring up config overrides for KMS values, which aligns with passing log level through to Vault via the operatorSpec.UnsupportedConfigOverrides.Raw parameter in the sync function.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names are stable and deterministic with no dynamic values like generated suffixes, timestamps, UUIDs, or variable interpolation.
Test Structure And Quality	✅ Passed	PR does not add or modify Ginkgo tests. Check requires "Review Ginkgo test code" but PR only modifies go.mod and a production Go file with unit tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. Changes are only to go.mod and sync_openshift_oauth_apiserver.go operational code.
Topology-Aware Scheduling Compatibility	✅ Passed	No scheduling constraints introduced. PR adds KMS config override parameter and go.mod replace only. Deployment already topology-safe with maxUnavailable: 1 and master node anti-affinity.
Ote Binary Stdout Contract	✅ Passed	OTE binary has klog.LogToStderr(true) on line 22. PR changes only add KMS config parameter; no new stdout writes in process-level code.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms, custom implementations, or non-constant-time secret comparisons detected in the PR changes to go.mod and sync_openshift_oauth_apiserver.go.
Container-Privileges	✅ Passed	Privileged containers have clear justification comments (audit logs, trust bundles, permissions). No unjustified privilege escalation, hostPID, hostNetwork, hostIPC, or SYS_ADMIN found.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ingvagabund for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: The go.mod contains a replace directive pointing to a personal fork
("replace github.com/openshift/library-go => github.com/kevinrizza/library-go
..."); remove this replace before merge and instead vendor or reference the
upstream module version of github.com/openshift/library-go (pin to an exact
upstream pseudo-version or tag) and update go.sum accordingly; ensure the chosen
upstream version is justified, license-compatible, and hashes are verified per
supply-chain requirements.

In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go`:
- Around line 325-326: The code references an undefined variable operatorConfig
on the call that passes featureGateAccessor and UnsupportedConfigOverrides.Raw;
replace operatorConfig with the actual function parameter operatorSpec to fix
the undefined reference (update the call that currently uses operatorConfig to
use operatorSpec.Spec.UnsupportedConfigOverrides.Raw so it compiles correctly
and uses the intended value).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2ea4c870-3a75-4941-9910-1965438958ec

📥 Commits

Reviewing files that changed from the base of the PR and between 4c8a2c0 and 7a216a4.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/sync_openshift_oauth_apiserver.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Remove the personal fork replace directive before merge.

The replace directive points to a personal fork (github.com/kevinrizza/library-go) rather than the upstream github.com/openshift/library-go. As noted in the PR description, this is WIP state and should be updated to vendor the real library-go change before merge. Merging with a personal fork violates supply chain security best practices.

As per coding guidelines: "New deps: justify need, check license compatibility" and "Pin exact versions; verify hashes where supported" from supply chain security requirements.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, The go.mod contains a replace directive pointing to a
personal fork ("replace github.com/openshift/library-go =>
github.com/kevinrizza/library-go ..."); remove this replace before merge and
instead vendor or reference the upstream module version of
github.com/openshift/library-go (pin to an exact upstream pseudo-version or tag)
and update go.sum accordingly; ensure the chosen upstream version is justified,
license-compatible, and hashes are verified per supply-chain requirements.

Source: Coding guidelines

[coderabbitai]

♻️ Duplicate comments (1)

pkg/operator/workload/sync_openshift_oauth_apiserver.go (1)

325-326: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix unresolved undefined variable in KMS sidecar call.

Line 326 still references operatorConfig, which is not in scope here. This is a compile-time failure; use the in-scope operatorSpec instead.

🐛 Minimal fix

 	if err := kmspluginlifecycle.AddKMSPluginSidecarToPodSpec(
 		ctx,
 		&required.Spec.Template.Spec,
 		"oauth-apiserver",
 		c.targetNamespace,
 		fmt.Sprintf("encryption-config-%d", operatorStatus.LatestAvailableRevision),
 		c.kubeClient.CoreV1(),
 		c.featureGateAccessor,
-		operatorConfig.Spec.UnsupportedConfigOverrides.Raw); err != nil {
+		operatorSpec.UnsupportedConfigOverrides.Raw); err != nil {
 		return nil, fmt.Errorf("failed to add KMS plugin to pod spec: %w", err)
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go` around lines 325 -
326, The call to the KMS sidecar still uses the out-of-scope variable
operatorConfig (operatorConfig.Spec.UnsupportedConfigOverrides.Raw); replace
that reference with the in-scope operatorSpec by changing
operatorConfig.Spec.UnsupportedConfigOverrides.Raw to
operatorSpec.Spec.UnsupportedConfigOverrides.Raw (i.e., update the KMS sidecar
invocation to use operatorSpec and keep the same field access), ensuring you
only alter the variable name used in the call where c.featureGateAccessor and
the overrides are passed.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go`:
- Around line 325-326: The call to the KMS sidecar still uses the out-of-scope
variable operatorConfig (operatorConfig.Spec.UnsupportedConfigOverrides.Raw);
replace that reference with the in-scope operatorSpec by changing
operatorConfig.Spec.UnsupportedConfigOverrides.Raw to
operatorSpec.Spec.UnsupportedConfigOverrides.Raw (i.e., update the KMS sidecar
invocation to use operatorSpec and keep the same field access), ensuring you
only alter the variable name used in the call where c.featureGateAccessor and
the overrides are passed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5cc366ad-41d9-4b7b-9fc3-5d33acfaa35f

📥 Commits

Reviewing files that changed from the base of the PR and between 7a216a4 and 972c646.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/sync_openshift_oauth_apiserver.go

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

[coderabbitai]

♻️ Duplicate comments (1)

pkg/operator/workload/sync_openshift_oauth_apiserver.go (1)

326-326: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix undefined variable reference.

Line 326 references operatorConfig which does not exist in scope. The function parameter is named operatorSpec (line 224). This will cause a compilation failure.

🐛 Proposed fix

-		operatorConfig.Spec.UnsupportedConfigOverrides.Raw); err != nil {
+		operatorSpec.UnsupportedConfigOverrides.Raw); err != nil {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go` at line 326, The
code references an undefined variable operatorConfig; replace that reference
with the actual function parameter operatorSpec and ensure the field access
matches the parameter's type (e.g., use
operatorSpec.UnsupportedConfigOverrides.Raw or
operatorSpec.Spec.UnsupportedConfigOverrides.Raw as appropriate) where
UnsupportedConfigOverrides.Raw is used so the compiler finds the correct symbol.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go`:
- Line 326: The code references an undefined variable operatorConfig; replace
that reference with the actual function parameter operatorSpec and ensure the
field access matches the parameter's type (e.g., use
operatorSpec.UnsupportedConfigOverrides.Raw or
operatorSpec.Spec.UnsupportedConfigOverrides.Raw as appropriate) where
UnsupportedConfigOverrides.Raw is used so the compiler finds the correct symbol.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c80514f-3519-4cbb-bb68-a7511df8e985

📥 Commits

Reviewing files that changed from the base of the PR and between 972c646 and c1766d3.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/workload/sync_openshift_oauth_apiserver.go

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

[openshift-ci]

@kevinrizza: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-encryption-kms	e2a1a1d	link	false	/test e2e-aws-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.