Skip to content

CNTRLPLANE-3361: Align with latest beta API of Vault#2936

Open
ardaguclu wants to merge 1 commit into
openshift:masterfrom
ardaguclu:vault-new-version
Open

CNTRLPLANE-3361: Align with latest beta API of Vault#2936
ardaguclu wants to merge 1 commit into
openshift:masterfrom
ardaguclu:vault-new-version

Conversation

@ardaguclu

@ardaguclu ardaguclu commented Jul 16, 2026

Copy link
Copy Markdown
Member

Vault notifies us about their planned API changes in the new beta image. This new version brings some breaking changes. If we were in GA, we must have made changes in backwards compatible way. However, we haven't promoted this feature to GA yet. That's why, this PR tombstones the deprecated fields (i.e. transit-mount, transit-key), introduces one required field vault-key-path and one optional field vault-auth-namespace.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 16, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 16, 2026

Copy link
Copy Markdown

@ardaguclu: This pull request references CNTRLPLANE-3361 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Vault notifies us about their planned API changes in the new beta image. This new version brings some breaking changes. If we were in GA, we must make changes in backwards compatible way. However, we haven't promoted this feature to GA yet. That's why, this PR tombstones the deprecated fields (i.e. transit-mount, transit-key), introduces one required field vault-key-path and one optional field vault-auth-namespace.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The Vault KMS API replaces transitMount and transitKey with required vaultKeyPath and adds optional vaultAuthNamespace. Corresponding validation rules and required fields are updated in three APIServer CRD variants. Vault KMS creation, acceptance, and negative validation fixtures are revised to use the new fields and test path and namespace constraints.

Suggested reviewers: flavianmissi

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The touched test titles are static, descriptive YAML fixture names with no dynamic data or unstable identifiers.
Test Structure And Quality ✅ Passed Touched files are declarative YAML fixtures and schema types, not Ginkgo specs; the Ginkgo-specific quality checks don’t apply here.
Microshift Test Compatibility ✅ Passed No new Ginkgo/e2e tests were added; the PR only changes YAML fixtures and schema files, so MicroShift compatibility checks are not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the PR only changes config fixtures, types, and CRD schemas, with no SNO assumptions present.
Topology-Aware Scheduling Compatibility ✅ Passed Changes are limited to API schema, CRD, and test fixtures for Vault KMS; no deployment/controller scheduling logic or topology-sensitive pod constraints were added.
Ote Binary Stdout Contract ✅ Passed PR only changes KMS schema/test fixtures and generated OpenAPI/CRDs; no process-level entrypoints or stdout/logging writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The PR only changes API schema/fixture YAML and no new Ginkgo e2e tests; no IPv4-only code paths or external connectivity requirements were added.
No-Weak-Crypto ✅ Passed Patch only updates Vault KMS schema/tests; the commit diff contains no weak-crypto tokens or secret/token comparison code.
Container-Privileges ✅ Passed Touched files only update Vault API schema/tests/CRDs; no privileged, hostPID/Network/IPC, SYS_ADMIN, runAsRoot, or securityContext settings were added.
No-Sensitive-Data-In-Logs ✅ Passed PASS: The touched files are schema/test fixtures only, and I found no logging calls or secret/PII-bearing output in them.
Title check ✅ Passed The title clearly summarizes the main change: aligning the Vault API with the latest beta version.
Description check ✅ Passed The description matches the changeset by explaining the tombstoned fields and new Vault key-path and namespace fields.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Hello @ardaguclu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@ardaguclu

Copy link
Copy Markdown
Member Author

/hold
until we are ready to merge this yet. But that doesn't block reviews and approvals.

@openshift-ci openshift-ci Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from JoelSpeed and everettraven July 16, 2026 09:56
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ardaguclu

Copy link
Copy Markdown
Member Author

/cc @p0lyn0mial @tjungblu @bertinatto

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml`:
- Around line 365-366: Extend the vaultKeyPath invalid-test fixtures near
“Should reject vaultKeyPath without /keys/ separator” with cases for a
1025-character mount and a 513-character key, ensuring each complete path
remains under 1542 characters and is rejected by the schema.

In `@config/v1/types_kmsencryption.go`:
- Around line 212-219: Preserve independent mount and key length limits for the
vaultKeyPath validation. In config/v1/types_kmsencryption.go lines 212-219, add
CEL checks limiting the mount component to 1024 characters and the key name
component to 512 characters; regenerate the corresponding validation in
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
lines 379-407,
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
lines 379-407, and
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
lines 379-407; add rejection fixtures for independently overlong components in
config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml lines 365-366.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: de2ae300-c773-4f55-9ac3-09c5a6e2950e

📥 Commits

Reviewing files that changed from the base of the PR and between 72066cc and 4414e4c.

⛔ Files ignored due to path filters (7)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • openapi/openapi.json is excluded by !openapi/**
📒 Files selected for processing (6)
  • config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
  • config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml
  • config/v1/types_kmsencryption.go
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

Comment on lines +365 to +366
# vaultKeyPath invalid tests
- name: Should reject vaultKeyPath without /keys/ separator

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Add component-length rejection cases.

Add fixtures for a 1025-character mount and a 513-character key whose complete paths remain below 1542 characters. They currently demonstrate that the schema admits values rejected by the former component contracts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml` around lines
365 - 366, Extend the vaultKeyPath invalid-test fixtures near “Should reject
vaultKeyPath without /keys/ separator” with cases for a 1025-character mount and
a 513-character key, ensuring each complete path remains under 1542 characters
and is rejected by the schema.

Comment on lines +212 to +219
// +kubebuilder:validation:MinLength=8
// +kubebuilder:validation:MaxLength=1542
// +kubebuilder:validation:XValidation:rule="!self.startsWith('/')",message="vaultKeyPath cannot start with a forward slash"
// +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="vaultKeyPath cannot end with a forward slash"
// +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="vaultKeyPath cannot contain consecutive forward slashes"
// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="vaultKeyPath must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes"
// +kubebuilder:validation:XValidation:rule="self.split('/').filter(s, s == '.' || s == '..').size() == 0",message="vaultKeyPath must not contain '.' or '..' path segments"
// +kubebuilder:validation:XValidation:rule=`self.matches('^[a-zA-Z0-9._~-]+(/[a-zA-Z0-9._~-]+)*/keys/[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$')`,message="vaultKeyPath must follow the format <mount>/keys/<key-name> where the key name starts and ends with an alphanumeric character or underscore and may contain alphanumeric characters, underscores, hyphens, and periods"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Preserve the independent mount and key length limits. The aggregate 1542-character limit permits either component to exceed its previous contract.

  • config/v1/types_kmsencryption.go#L212-L219: add CEL validation limiting the mount to 1024 and key name to 512 characters.
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml#L379-L407: regenerate the corrected validation.
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml#L379-L407: regenerate the corrected validation.
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml#L379-L407: regenerate the corrected validation.
  • config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml#L365-L366: add rejection fixtures for independently overlong components.
📍 Affects 5 files
  • config/v1/types_kmsencryption.go#L212-L219 (this comment)
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml#L379-L407
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml#L379-L407
  • payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml#L379-L407
  • config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml#L365-L366
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_kmsencryption.go` around lines 212 - 219, Preserve
independent mount and key length limits for the vaultKeyPath validation. In
config/v1/types_kmsencryption.go lines 212-219, add CEL checks limiting the
mount component to 1024 characters and the key name component to 512 characters;
regenerate the corresponding validation in
payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
lines 379-407,
payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
lines 379-407, and
payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
lines 379-407; add rejection fixtures for independently overlong components in
config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml lines 365-366.

Source: Path instructions

@ardaguclu

Copy link
Copy Markdown
Member Author

/test integration
/test verify-hypershift-integration

// +required
VaultKeyPath string `json:"vaultKeyPath,omitempty"`

// --- TOMBSTONE ---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we really need a tombstone value here?

the API was introduced in this release and the entire feature is behind a GA feature gate. I’m sure there are no clusters where this struct would already be populated.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you and I would be happy to remove those fields without tombstoning. But I think, tombstoning will be asked by API reviewers cc: @JoelSpeed @everettraven

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, this comment #2931 (comment) also applies here.

TransitMount string `json:"transitMount,omitempty"`
// TransitMount string `json:"transitMount,omitempty"`

// --- TOMBSTONE ---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question here.

@ardaguclu

Copy link
Copy Markdown
Member Author

verify-crd-schema, verify-crdify are expected. verify-hypershift-integration seems to be perma-failing on every PR.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@ardaguclu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify-hypershift-integration 4414e4c link true /test verify-hypershift-integration
ci/prow/verify-crd-schema 4414e4c link true /test verify-crd-schema
ci/prow/verify-crdify 4414e4c link true /test verify-crdify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants