API-1844: Update KMSConfig to support all external kms plugins

[ardaguclu]

KMSConfig is gated behind KMSEncryptionProvider feature gate which is in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature (AWS related kms configurations are obsolete, since we won't support it internally)

Note: We'll have to backport these changes into 4.21.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@ardaguclu: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

KMSConfig is gated behind KMSEncryptionProvider feature gate which is currently in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @ardaguclu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[ardaguclu]

/hold

[coderabbitai]

Walkthrough

Replaces AWS-specific KMS configuration with an External-only KMS model using a UNIX-domain socket endpoint. Updates API types, tests, CRDs (generated and payload), and generated deepcopy/OpenAPI/Swagger artifacts to remove AWS fields, add endpoint with validation, and default provider semantics to External.

Changes

Cohort / File(s)	Summary
Type Definition config/v1/types_kmsencryption.go	Removes AWS-specific types/fields (AWSKMSConfig, KeyARN, Region, KMSProviderType); adds ManagementModel type with External constant and Endpoint string on KMSConfig; updates kubebuilder tags/comments to External/unix-socket semantics.
Tests config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml	Replaces AWS test cases with External endpoint scenarios (filesystem and abstract unix sockets), adds invalid/empty/too-short endpoint cases, updates expected outputs and validation messages to reference endpoint.
Generated CRD Manifests config/v1/zz_generated.crd-manifests/...apiservers-*.crd.yaml	Replaces kms.aws with kms.endpoint; makes endpoint required; restricts kms.type/managementModel to External (default); adds endpoint min/max length and unix:/// pattern validations; removes AWS fields/validations.
Feature-gated CRD config/v1/zz_generated.featuregated-crd-manifests/...KMSEncryptionProvider.yaml	Mirrors CRD changes: removes AWS block, adds endpoint with validations/length constraints, marks endpoint required, and limits type/managementModel to External.
Payload CRD Manifests payload-manifests/crds/...apiservers-*.crd.yaml	Mirrors generated/payload CRD changes: replaces kms.aws with kms.endpoint, enforces endpoint validation/requiredness, removes AWS-specific fields, and documents External/unix-socket semantics.
Deepcopy Generation config/v1/zz_generated.deepcopy.go	Removes autogenerated deepcopy funcs for AWSKMSConfig; KMS deepcopy path changed to shallow/value copy for the KMS field (AWS-specific deep-copy logic removed).
Swagger Docs Generation config/v1/zz_generated.swagger_doc_generated.go	Removes AWSKMSConfig swagger entries; updates map_KMSConfig to drop aws, add endpoint and managementModel docs, and update descriptions to External/unix-socket semantics.
OpenAPI Go Generation openapi/generated_openapi/zz_generated.openapi.go	Removes OpenAPI definition for AWSKMSConfig; updates KMSConfig schema to remove union/discriminator, add endpoint (required) and managementModel, adjust descriptions and required fields, and remove AWS dependencies.
OpenAPI JSON openapi/openapi.json	Removes com.github.openshift.api.config.v1.AWSKMSConfig definition and updates OpenAPI schemas to reflect endpoint-centric External KMS, new validation constraints, and adjusted references across the generated schema.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

• Focus review on:
  • config/v1/types_kmsencryption.go for public API/type signature and kubebuilder tag correctness.
  • CRD files (generated and payload) for consistent regex, min/max lengths, required/default values, and error messages.
  • Generated artifacts (zz_generated.deepcopy.go, zz_generated.swagger_doc_generated.go, openapi/generated_openapi/zz_generated.openapi.go, openapi/openapi.json) for any leftover AWS references or dependency mismatches.
  • Tests (KMSEncryptionProvider.yaml) to ensure validation expectations match the new endpoint validation rules.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@ardaguclu: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

KMSConfig is gated behind KMSEncryptionProvider feature gate which is in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

161-195: Endpoint CEL validation likely allows whitespace later in the string; confirm intent.

self.matches('^unix:///(@[^/\\s]+|[^@\\s].*)$') prevents leading whitespace after unix:///, but .* can still match whitespace later (e.g., unix:///var/run/kms plugin.sock). If whitespace should be invalid anywhere, tighten the regex (e.g., use [^\\s]* for the remainder).

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

161-195: Keep endpoint CEL validation consistent with desired whitespace policy.

Same note as the non-featuregated CRD: [^@\\s].* can allow whitespace after the first character; tighten if you want to reject whitespace anywhere in the endpoint.

🧹 Nitpick comments (5)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-182: Consider stricter endpoint path validation.

The regex pattern allows spaces in socket paths after the first character (e.g., unix:///my socket) and doesn't enforce absolute filesystem paths starting with / as the description states. The pattern [^@\s].* only prevents the first character from being @ or whitespace.

If the intent is to strictly enforce absolute paths and prevent spaces anywhere in the path, consider updating the regex to:

^unix:///(@[^/\s]+|/[^\s]+)$

This would:

• Require filesystem paths to start with / (matching "absolute filesystem path" in the description)
• Disallow spaces throughout the entire path

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-182: Redundant validation between pattern and x-kubernetes-validations.

The x-kubernetes-validations rule at lines 180-182 checks self.startsWith('unix:///'), which is already enforced by the pattern at line 178. The pattern ^unix:///(@[^/\s]+|[^@\s].*)$ ensures the string starts with unix:/// through the ^ anchor.

Consider removing the redundant startsWith validation or using a single comprehensive validation approach. The pattern validation alone is sufficient for the format check.

Additionally, the same path validation refinement mentioned for other CRD variants applies here - consider stricter enforcement of absolute paths.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-182: Same validation redundancy as DevPreviewNoUpgrade payload variant.

The combination of pattern and x-kubernetes-validations.startsWith creates redundant checks. The pattern already enforces the unix:/// prefix requirement.

config/v1/types_kmsencryption.go (1)

15-23: Endpoint validation is consistent with CRD definitions.

The kubebuilder validation tags match the CRD OpenAPI schema validations. The XValidation regex correctly uses Go string escaping (\\s).

However, the same validation refinement suggestion applies: consider stricter enforcement to require absolute paths starting with / and disallow spaces throughout the path, matching the description's intent of "absolute filesystem path."

openapi/openapi.json (1)

7977-7981: Consider adding schema-level validation for endpoint format.

The endpoint field description documents the required format (unix:///path/to/socket or unix:///@abstractsocket), but this validation is not enforced by the schema itself (no pattern or format constraint). Moving validation to the schema level would improve API usability and catch errors earlier.

Consider adding a regex pattern to validate the Unix socket endpoint format:

"endpoint": {
  "description": "endpoint specifies the unix domain socket endpoint...",
  "type": "string",
  "pattern": "^unix:///.+$"
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c2a41ea and 3f54cfe.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.deepcopy.go
• config/v1/zz_generated.swagger_doc_generated.go
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/types_kmsencryption.go
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• openapi/openapi.json
• openapi/generated_openapi/zz_generated.openapi.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

🔇 Additional comments (8)

config/v1/zz_generated.deepcopy.go (1)

43-51: Deepcopy change looks correct for the new KMSConfig shape (shallow-copy-safe).

**out = **in is the expected deepcopy-gen pattern here, and KMSConfig.DeepCopyInto being *out = *in indicates it’s safe with the current fields.

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

7-132: Test updates align with the new External/endpoint schema and cover key failure modes.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

183-194: LGTM - Clean migration to External provider model.

The type field correctly defaults to External, and making endpoint required ensures users provide the necessary configuration. The single-value enum is appropriate for this migration phase.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-194: Validation and field definitions are consistent with CustomNoUpgrade variant.

The endpoint field validations and type field configuration match the CustomNoUpgrade CRD variant. The same optional refinement regarding stricter path validation applies here.

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-182: Consistent validation structure with other variants.

The endpoint validation follows the same pattern as other payload manifest variants, including the redundant startsWith check alongside the comprehensive pattern validation.

config/v1/types_kmsencryption.go (2)

6-13: LGTM - Type field properly configured.

The Type field correctly defaults to External and is marked optional, allowing the default behavior to take effect when unspecified. The enum restriction to External only is appropriate for this migration.

---

27-34: LGTM - Clean enum definition.

The KMSProviderType enum restriction and ExternalKMSProvider constant properly reflect the External-only KMS provider model. The migration from AWS-specific types is breaking but justified by the tech preview status noted in the PR description.

openapi/openapi.json (1)

9856-9856: Verify scope of policyType changes.

The policyType description update (hunk 2) appears unrelated to the KMS configuration changes described in the PR objectives. Confirm whether this change is intentional and part of this PR's scope or a merge artifact.

[openshift-ci-robot]

@ardaguclu: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

KMSConfig is gated behind KMSEncryptionProvider feature gate which is in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature (AWS related kms configurations are obsolete, since we won't support it)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ardaguclu: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

KMSConfig is gated behind KMSEncryptionProvider feature gate which is in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature (AWS related kms configurations are obsolete, since we won't support it internally)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

Based on https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#developing-a-kms-plugin-gRPC-server-notes-kms-v2, valid values are unix:///path or unix:///@abstractsocket.

[ardaguclu]

Based on https://man7.org/linux/man-pages/man7/unix.7.html ("Address format" section), maximum length is 108. It is less for mac. So I decided to set it to 120.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (2)

openapi/generated_openapi/zz_generated.openapi.go (1)

15140-15146: type field still missing Enum and Default

The previously flagged issue persists: the type field lacks Enum: []interface{}{"External"} and Default: "External" in the schema, despite the description indicating these constraints. Fix this at the generator or source annotation level.

openapi/openapi.json (1)

7973-7986: Remove invalid empty-string default for required endpoint (and tighten validation).
endpoint is required (Line 7973-7975) but defaults to "" (Line 7980), which is not a valid unix socket endpoint. Also, type reads like an enum with a default but isn’t encoded as one.

       "required": [
         "endpoint"
       ],
       "properties": {
         "endpoint": {
           "description": "endpoint specifies the unix domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path/to/socket\" or \"unix:///@abstractsocket\" for abstract sockets. The path must start with \"unix:///\" followed by either an absolute filesystem path or an abstract socket name (prefixed with @).",
           "type": "string",
-          "default": ""
+          "minLength": 1
+          // Consider also adding a pattern for unix domain sockets if compatible with your validation strategy:
+          // "pattern": "^unix:///.*|^unix:///@.+"
         },
         "type": {
           "description": "type defines the kind of KMS provider. Valid values are \"External\". When set to External, the KMS provider is an external plugin accessed via unix socket. When not specified, defaults to External.",
-          "type": "string"
+          "type": "string",
+          "enum": ["External"],
+          "default": "External"
         }
       }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3f54cfe and ded0d94.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.deepcopy.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• openapi/openapi.json

🔇 Additional comments (5)

config/v1/zz_generated.deepcopy.go (1)

43-50: Confirm shallow-copy semantics for KMSConfig are safe here

**out = **in performs a value copy of the KMSConfig struct. This is fine if KMSConfig only contains value fields (e.g., strings/enums), but would be incorrect if it contains slices/maps/pointers that need deep copy. Since this is generated, please just verify the current KMSConfig shape matches this assumption.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

170-195: endpoint.minLength: 9 likely rejects valid unix:///a endpoints; regex also allows whitespace

If unix:///a should be valid, minLength should be 8 (not 9). Also, the current rule allows whitespace after the first character in the filesystem-path branch ([^@\s].*). Consider tightening to disallow whitespace anywhere.

-                        minLength: 9
+                        minLength: 8
...
-                          rule: self.matches('^unix:///(@[^/\s]+|[^@\s].*)$')
+                          rule: self.matches('^unix:///(@[^/\s]+|[^@\s][^\s]*)$')

Likely an incorrect or invalid review comment.

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2198: KMSConfig swagger doc update matches the new External+endpoint model
This looks consistent with the API shift to an external KMS plugin over a unix-domain socket.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: The endpoint regex is correct as written; \s is properly supported in Kubernetes CEL regex (which uses RE2)

Kubernetes' CEL matches() function uses the RE2 regex dialect via cel-go, which fully supports \s as a whitespace character class. The original pattern '^unix:///(@[^/\s]+|[^@\s].*)$' is valid and works as intended. No change is needed.

config/v1/types_kmsencryption.go (1)

26-34: External-only provider enum + renamed const look consistent with the new API.
Restricting KMSProviderType to External and using ExternalKMSProvider aligns with the CRD defaulting/enum.

[openshift-ci-robot]

@ardaguclu: This pull request references API-1844 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

KMSConfig is gated behind KMSEncryptionProvider feature gate which is in tech preview. However, currently there isn't any controller listening KMSConfig and KMSEncryptionProvider. So that gives us an opportunity to change the API fields in a breaking way, according to the newest updates in this feature (AWS related kms configurations are obsolete, since we won't support it internally)

Note: We'll have to backport these changes into 4.21.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (5)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-195: Generated TechPreview CRD still has weaker/different endpoint regex than payload CRDs.

This file uses rule: self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$'), while the payload CRDs in this PR use the \s-based regex. Please update the source definition and re-run generation so TechPreviewNoUpgrade’s generated CRD matches the payload and fully rejects whitespace (not just spaces).

openapi/generated_openapi/zz_generated.openapi.go (1)

15139-15156: Generated schema still doesn’t enforce type constraints (enum/default) and may under-validate endpoint

type’s description says it defaults to and only allows "External", but the schema doesn’t set Enum / Default, so clients won’t get validation from OpenAPI (and may accept invalid values). Also consider encoding the unix-socket constraints for endpoint as Pattern/MinLength (not just in the description) if those markers exist on the Go type. Since this is generated, please fix the source markers (or generator mapping) and regenerate, rather than editing this file directly.

config/v1/types_kmsencryption.go (1)

15-23: Update regex to use standard escape sequences.

The endpoint validation regex currently uses literal space characters, which is inconsistent with the payload CRD manifest at payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (line 182). Use \s escape sequences for consistency and regenerate all CRD manifests.

Apply this diff:

-	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/\\s]+|[^@\\s][^\\s]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"

Note: The omitempty tag on the required field is intentional per project linting requirements.

openapi/openapi.json (2)

7973-7986: Remove invalid empty-string default for required endpoint (and consider constraining type).
endpoint is required (Line 7973-7975) but has "default": "" (Line 7980), which contradicts the described unix socket format and can generate invalid defaults in clients. Also, type claims only "External" is valid but isn’t constrained/defaulted in the schema.

       "required": [
         "endpoint"
       ],
       "properties": {
         "endpoint": {
           "description": "endpoint specifies the unix domain socket endpoint ...",
           "type": "string",
-          "default": ""
+          "minLength": 1
         },
         "type": {
           "description": "type defines the kind of KMS provider. Valid values are \"External\". ... When not specified, defaults to External.",
-          "type": "string"
+          "type": "string",
+          "enum": ["External"],
+          "default": "External"
         }
       }

---

9855-9859: Don’t default required policyType to ""; enforce allowed values.
The description says policyType is required and only allows specific values (Line 9855-9856), but the schema sets "default": "" (Line 9858).

         "policyType": {
           "description": "policyType is a required field ... Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". ...",
           "type": "string",
-          "default": ""
+          "enum": ["PublicKey", "FulcioCAWithRekor", "PKI"]
         },

Also ensure the parent object’s "required" list includes "policyType" (not shown in this hunk).

🧹 Nitpick comments (1)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-182: Generated file - review source instead.

This is an auto-generated CRD manifest. Any validation or regex pattern issues should be addressed in the source Go file config/v1/types_kmsencryption.go, which will then regenerate this manifest.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ded0d94 and fb3a92d.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.deepcopy.go
• config/v1/types_kmsencryption.go
• openapi/openapi.json

🔇 Additional comments (13)

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-195: Endpoint-based External KMS schema looks good in payload CRD.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-195: Payload CustomNoUpgrade CRD endpoint-based External KMS schema looks good.

config/v1/zz_generated.deepcopy.go (1)

43-50: No action needed. The KMSConfig struct contains only value types (Type as KMSProviderType, a string alias, and Endpoint as string), making the shallow copy **out = **in safe.

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2202: KMSConfig SwaggerDoc looks consistent with the new External+endpoint model
Docs clearly communicate type=External and the two supported unix socket endpoint forms; this matches the direction of the CRD/test updates.

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4)

8-39: Good: positive External endpoint case + clear rejection of non-unix:///... endpoints
The success path and the “missing unix scheme” failure case directly exercise the new endpoint validation behavior.

---

40-59: Good: test asserts kms is forbidden unless spec.encryption.type=KMS, and endpoint is required
These cases validate the key guardrail and the required-ness of endpoint.

---

60-110: Verify defaulting + error-message stability in the test harness
If expectedError requires exact matching, messages like spec.encryption.kms.endpoint: Required value (and similar) can vary across validation layers/versions; consider ensuring the harness matches substrings (or adjust expected strings accordingly).

---

111-143: Endpoint edge-case coverage is solid; verify abstract socket format is truly supported end-to-end
Schema validation allows unix:///@abstractname; please confirm the downstream KMS client/dialer path supports this format (not just admission).

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: CRD schema update is coherent: External-only + required endpoint with format validation
The required field, enum restriction, defaulting to External, and CEL rule appear consistent with the updated tests/docs; please just ensure the chosen endpoint regex/length bounds match the intended supported plugin endpoint conventions.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

183-195: LGTM: External provider configuration.

The type field correctly defaults to External with appropriate enum constraints, and the required field change from AWS-specific to endpoint aligns with the new External KMS provider model.

config/v1/types_kmsencryption.go (3)

6-13: LGTM: Type field updated correctly.

The Type field correctly defaults to External, with updated description and validation. The omitempty tag is intentional per this project's linting requirements to ensure consistent behavior between structured and unstructured clients.

---

27-29: LGTM: KMSProviderType correctly updated.

The enum validation correctly restricts the type to External, aligning with the removal of AWS-specific provider support.

---

32-33: LGTM: Constant correctly renamed.

The constant rename from AWSKMSProvider to ExternalKMSProvider with value "External" correctly reflects the new provider model. This breaking change is acceptable given the tech preview status and absence of controllers watching these resources.

[ardaguclu]

verify-crd-schema and verify-crdify failures are valid. Because we are removing aws related fields.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (5)

config/v1/types_kmsencryption.go (1)

15-23: Tighten endpoint regex to reject all whitespace (not just spaces).

self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$') rejects literal spaces but still allows tabs/newlines. If the intent is “no whitespace anywhere”, switch to \s (escaped for CEL).

-	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/\\s]+|[^@\\s][^\\s]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

170-195: CRD endpoint validation should reject all whitespace (use \\s).

Mirror the stricter pattern used in the Go type validation so tabs/newlines aren’t accepted:

-                          rule: self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')
+                          rule: self.matches('^unix:///(@[^/\\s]+|[^@\\s][^\\s]*)$')

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

171-195: Align kms.endpoint CEL regex across all CRD variants (featuregated/generated/payload).
This manifest’s rule: self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$') excludes only literal spaces; earlier review feedback noted other CRDs use \s-style exclusion—please make them identical by updating the generator source and regenerating outputs.

#!/bin/bash
set -euo pipefail

# Compare all CEL rules for endpoint validation across the repo
rg -n "endpoint must follow the format|self\.matches\('\^unix:///" -S

echo
echo "Unique regex rules found:"
rg -n "self\.matches\('\^unix:///[^\n]*'\)" -S | sed -E "s/.*self\.matches\('([^']+)'\).*/\1/" | sort -u

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-195: KMS endpoint/type schema update is consistent here; keep it generator-driven.
This matches the featuregated manifest (endpoint required, type default/enum External, same CEL regex). If you adjust the endpoint regex for consistency, ensure it’s done in the generator source and regen updates this file too.

openapi/openapi.json (1)

9854-9858: Remove invalid policyType default "" and model allowed values explicitly.
This still contradicts the description (“required” + allowed values) and can lead to invalid objects being considered “default-valid” by generators.

         "policyType": {
           "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
           "type": "string",
-          "default": ""
+          "enum": ["PublicKey", "FulcioCAWithRekor", "PKI"]
         },

Also verify the enclosing schema’s "required" includes "policyType" (outside this hunk).

🧹 Nitpick comments (1)

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

8-143: Test updates cover External+endpoint and key failure modes well.

Optional: add one negative case for endpoint containing \t/\n if you adopt the \\s-based regex.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between fb3a92d and e5ef450.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.deepcopy.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/types_kmsencryption.go
• openapi/openapi.json
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• openapi/generated_openapi/zz_generated.openapi.go

🔇 Additional comments (8)

config/v1/types_kmsencryption.go (1)

6-13: External-only provider typing/defaulting looks consistent.

Also applies to: 26-34

config/v1/zz_generated.deepcopy.go (1)

43-50: DeepCopyInto KMSConfig shallow-copy is correct with current value-only fields.

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2198: KMSConfig SwaggerDoc looks aligned with the new External+endpoint API surface.
Docs now correctly describe type=External and the unix socket endpoint formats. Since this is generated, just ensure the source-of-truth type comments/validation in config/v1/types_kmsencryption.go match this wording before regen.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

170-195: KMS schema update looks consistent (endpoint + External-only type); keep validation in sync after source change.
This matches the TechPreview manifest, including the endpoint validation rule; if you adjust the regex in the Go source, regenerate this file too to keep DevPreview/TechPreview identical.

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

170-195: Payload CRD aligns with generated schema; ensure regeneration after any regex tweak.
Given this is a payload manifest, please regenerate from the same source change (if you move to \s) to avoid subtle drift between payload vs zz_generated manifests.

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

170-195: Same endpoint validation consideration applies here (space-only exclusion).
If the intent is “no whitespace”, prefer a source-level \s regex and regenerate to update this payload file as well.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

170-195: Endpoint regex blocks spaces but not tabs; however, this is not a practical concern.

The regex ^unix:///(@[^/ ]+|[^@ ][^ ]*)$ does match only literal spaces and not other whitespace. However:

1. Filesystem paths cannot contain newlines (kernel restriction), and tabs in socket paths are extraordinarily rare in practice.
2. The suggested \s fix is problematic: it would match newlines, which could break YAML multiline string parsing that occurs before validation.
3. The test suite (in config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml) explicitly validates rejection of spaces in paths, confirming the intent is deliberate.
4. The codebase pattern: No other CEL validations use \s; explicit character classes like [0-9] are preferred, suggesting intentional specificity.

The current regex is fit for purpose. If stricter whitespace handling is desired, consider documenting the intentional choice in the source file comment rather than introducing a regex that could have unintended side effects.

openapi/openapi.json (1)

7971-7986: Constrain KMSConfig.type to the documented value (and ensure endpoint validation exists).
Right now "type" is an unconstrained string while the description says only "External" is valid and defaulted when omitted. Consider enforcing that with enum (and optionally default) so generated clients/validation can’t accept arbitrary values. Also, endpoint is required but shown without any pattern/length constraints—ensure those validations are actually present in this schema if they’re intended.

       "properties": {
         "endpoint": {
           "description": "endpoint specifies the unix domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path/to/socket\" for filesystem-based sockets or \"unix:///@abstractname\" for abstract sockets.",
           "type": "string"
         },
         "type": {
           "description": "type defines the kind of KMS provider. Valid values are \"External\". When set to External, the KMS provider is an external plugin accessed via unix socket. When not specified, defaults to External.",
-          "type": "string"
+          "type": "string",
+          "enum": ["External"],
+          "default": "External"
         }
       }

[ardaguclu]

/cc @flavianmissi
I'd like to hear your opinions. This aligns with the API definitions in your EP (External, Internal). Also we won't need to generate unix domain socket anymore. This will be our unique identifier.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

openapi/generated_openapi/zz_generated.openapi.go (1)

15140-15146: [Duplicate] OpenAPI schema still missing Enum and Default for type field

The generated schema lacks Enum: ["External"] and Default: "External" despite the description stating "defaults to External". This is the same issue flagged in the previous review.

The source markers (+kubebuilder:default=External and +kubebuilder:validation:Enum=External) are not propagating to the generated OpenAPI schema, weakening the published API contract. Clients cannot rely on schema-level validation or defaulting.

Verify that the source markers are correctly applied and regenerate the schema. If the type-level Enum marker is not being recognized, consider applying it directly to the field.

config/v1/types_kmsencryption.go (1)

16-24: Tighten endpoint CEL regex to match documented unix:///path / unix:///@name more precisely. The current pattern (a) allows unix:////... via the filesystem branch and (b) only blocks literal spaces, not all whitespace.

-	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/\\s]+|[^@/\\s][^\\s]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"

After updating the Go type, regenerate the CRD/payload manifests so all three stay in sync. (CEL regex escape semantics vary by engine/version, so please double-check this against the apiserver’s CEL implementation.)

openapi/openapi.json (1)

9854-9858: policyType: default: "" contradicts “required field” and allowed values

This should either have no default (since it’s required) or be constrained to the allowed values (and default to one of them only if you truly want a default).

         "policyType": {
           "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
-          "type": "string",
-          "default": ""
+          "type": "string",
+          "enum": ["PublicKey", "FulcioCAWithRekor", "PKI"]
         },

Also ensure the parent schema’s "required" includes "policyType" if it’s truly mandatory.

🧹 Nitpick comments (3)

config/v1/zz_generated.deepcopy.go (1)

43-51: Keep DeepCopy semantics for APIServerEncryption.KMS (avoid **out = **in). The current code is equivalent today, but it’s easy to accidentally lose deep-copy semantics if KMSConfig later gains reference fields. Prefer the standard pattern (*in).DeepCopyInto(*out) (via generator source), even if it compiles to the same thing now.

 func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) {
 	*out = *in
 	if in.KMS != nil {
 		in, out := &in.KMS, &out.KMS
 		*out = new(KMSConfig)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2198: Align Swagger text with schema constraints (required/wording).
Swagger doc says “unix socket” and doesn’t state endpoint is required; CRD/schema typically uses “unix domain socket” and makes endpoint required + validated. Consider tweaking the strings for consistency.

 var map_KMSConfig = map[string]string{
 	"":         "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption",
-	"type":     "type defines the kind of KMS provider. Valid values are \"External\". When set to External, the KMS provider is an external plugin accessed via unix socket. When not specified, defaults to External.",
-	"endpoint": "endpoint specifies the unix domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path/to/socket\" for filesystem-based sockets or \"unix:///@abstractname\" for abstract sockets.",
+	"type":     "type defines the kind of KMS provider. Valid values are \"External\". When set to External, the KMS provider is an external plugin accessed via a unix domain socket. When not specified, defaults to External.",
+	"endpoint": "endpoint specifies the unix domain socket endpoint for communicating with the external KMS plugin (required). The endpoint must follow the format \"unix:///path/to/socket\" for filesystem-based sockets or \"unix:///@abstractname\" for abstract sockets.",
 }

openapi/generated_openapi/zz_generated.openapi.go (1)

15147-15155: Consider adding Pattern validation for endpoint format

The description specifies that the endpoint must follow the format "unix:///path/to/socket" or "unix:///@abstractname", but the schema lacks a Pattern field to enforce this at validation time.

Without a pattern constraint, invalid endpoints (e.g., "http://example.com" or "/path/to/socket") could pass schema validation, deferring errors to runtime.

Consider adding a pattern in the source type definition, such as:

+kubebuilder:validation:Pattern=`^unix://(/|@).+$`

Then regenerate the OpenAPI schema to include the Pattern field.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between e5ef450 and 49b5e72.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.deepcopy.go
• config/v1/types_kmsencryption.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• openapi/openapi.json
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/zz_generated.swagger_doc_generated.go

🔇 Additional comments (8)

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

161-195: KMS schema update looks consistent (External-only + endpoint required).

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

8-143: CRD validation tests are solid, but error-message matching may be brittle across apiserver versions. If this test harness expects exact strings, consider using regexp/contains (if supported) or include the full field path prefix that kube-apiserver typically returns (e.g., spec.encryption.kms.endpoint: Invalid value: ...).

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: KMS endpoint validation looks coherent; confirm regex matches intended formats.
endpoint is required and validated with ^unix:///(@[^/ ]+|[^@ ][^ ]*)$, which appears to cover unix:///path and unix:///@abstractname as documented. Please sanity-check edge cases you want to allow/forbid (e.g., abstract names with /, or any whitespace) since this is user-facing API validation.

config/v1/types_kmsencryption.go (1)

6-15: External-only provider defaulting/enum looks consistent.

Also applies to: 31-34

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-195: Generated CRD changes reflect the new kms.endpoint + External-only provider model. Please keep this file regenerated from config/v1/types_kmsencryption.go (don’t hand-edit).

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-195: Looks consistent with the TechPreviewNoUpgrade CRD: endpoint required + External-only type/default (generated output).

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-195: Payload-manifest CRD matches the new schema (endpoint required; External-only). If you adjust the Go regex, re-run generation so payload + zz_generated stay aligned.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-195: CustomNoUpgrade payload CRD update is consistent with the other variants (endpoint required + External-only).

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

8-143: Tests appear to use spec.encryption.kms.type, but the API/CRDs use spec.encryption.kms.managementModel.
Unless there’s another type field elsewhere (not shown in the provided CRDs), these tests look out of sync with the new field name and defaulting expectations.

-            kms:
-              type: External
-              endpoint: unix:///var/run/kmsplugin/socket.sock
+            kms:
+              managementModel: External
+              endpoint: unix:///var/run/kmsplugin/socket.sock
@@
-            kms:
-              endpoint: unix:///var/run/kmsplugin/socket.sock
+            kms:
+              endpoint: unix:///var/run/kmsplugin/socket.sock
@@
-            kms:
-              type: External
-              endpoint: unix:///var/run/kmsplugin/socket.sock
+            kms:
+              managementModel: External
+              endpoint: unix:///var/run/kmsplugin/socket.sock
@@
-            kms:
-              type: External
-              endpoint: unix:///@abstractsocket
+            kms:
+              managementModel: External
+              endpoint: unix:///@abstractsocket

(Apply similarly throughout, and rename “default type” wording to “default managementModel”.)

♻️ Duplicate comments (4)

config/v1/types_kmsencryption.go (1)

6-24: Tighten Endpoint XValidation to reject all whitespace (not just spaces).

Current regex ([^ ]) blocks only literal spaces; tabs, newlines, and other whitespace would still pass. Use \s-based exclusion to reject all whitespace:

-	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^unix:///(@[^/\\s]+|[^@\\s][^\\s]*)$')",message="endpoint must follow the format 'unix:///path' or 'unix:///@abstractname'"

openapi/generated_openapi/zz_generated.openapi.go (1)

15140-15156: OpenAPI contract is weaker than the described constraints (missing enum/default + endpoint validation).

managementModel is described as only allowing "External", but the schema shown doesn’t enforce it (no Enum/Default). endpoint is required but has no Pattern/MinLength, so invalid values can still pass OpenAPI validation. Please ensure the kubebuilder markers are applied at the field level (not only the underlying type) and then regenerate this file (don’t patch generated output directly).

#!/bin/bash
set -euo pipefail

echo "=== Generated KMSConfig schema (context) ==="
sed -n '15130,15170p' openapi/generated_openapi/zz_generated.openapi.go

echo -e "\n=== Source markers for KMSConfig fields (locate file(s)) ==="
rg -n --type go 'type\s+KMSConfig\b|KMSConfig\s+struct' .

echo -e "\n=== Check for field-level markers (Enum/default/pattern/minlength) ==="
rg -n --type go '\+kubebuilder:validation:Enum=|\+kubebuilder:default=|\+kubebuilder:validation:Pattern=|\+kubebuilder:validation:MinLength=' .

openapi/openapi.json (2)

7971-7985: Add OpenAPI validation for endpoint and constrain managementModel to External.

Right now endpoint is required but can still be "" or non-unix:///... strings, and managementModel is documented as External-only but unconstrained.

       "properties": {
         "endpoint": {
           "description": "endpoint specifies the unix domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path/to/socket\" for filesystem-based sockets or \"unix:///@abstractname\" for abstract sockets.",
-          "type": "string"
+          "type": "string",
+          "minLength": 1,
+          "pattern": "^unix:///((@[^/\\x00\\n\\r]+)|([^/\\x00\\n\\r]+(/[^/\\x00\\n\\r]+)*))$"
         },
         "managementModel": {
           "description": "type defines how KMS plugins are managed. Valid values are \"External\". When set to External, encryption keys are managed by a user-deployed KMS plugin that communicates via unix domain socket using KMS V2 API.",
-          "type": "string"
+          "type": "string",
+          "enum": ["External"],
+          "default": "External"
         }
       }

---

9854-9858: Remove invalid policyType default "" and enforce allowed values.

The schema currently defaults policyType to "", which contradicts the documented allowed values.

         "policyType": {
           "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).",
           "type": "string",
-          "default": ""
+          "enum": ["PublicKey", "FulcioCAWithRekor", "PKI"]
         },

Also ensure the parent schema’s "required": [...] includes "policyType" if it’s truly required.

🧹 Nitpick comments (2)

config/v1/types_kmsencryption.go (1)

6-14: Fix field docs: description says “type defines …” but the field is managementModel.
This wording propagates into the CRD schema descriptions (seen in the provided CRDs). Consider updating the comment to avoid user confusion.

Also applies to: 27-28

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2198: SwaggerDoc text: managementModel description incorrectly starts with “type defines …”

In map_KMSConfig, the managementModel field’s description begins with “type defines…”, which is confusing now that type is not that field. Suggest updating the wording to “managementModel defines…” for clarity/accuracy (in the generator source).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 49b5e72 and 5b4bb70.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• config/v1/zz_generated.deepcopy.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• openapi/generated_openapi/zz_generated.openapi.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/types_kmsencryption.go
• config/v1/zz_generated.swagger_doc_generated.go
• openapi/openapi.json
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

🔇 Additional comments (6)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: Generated CRD: ensure it’s regenerated after tightening endpoint validation / docs in Go types.
If you adopt \s-based whitespace exclusion (recommended), this file should update via regeneration rather than manual edits.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

161-195: Same as CustomNoUpgrade: treat as generated output; regen after any endpoint regex/doc adjustments in config/v1/types_kmsencryption.go.

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

171-195: Generated manifest; no additional concerns beyond the endpoint whitespace validation already raised in config/v1/types_kmsencryption.go.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: Payload artifact: if you change Endpoint validation/docs in the Go type, regenerate payload-manifests to keep them byte-identical with generated CRDs.

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-195: KMS endpoint configuration is consistent and correct.

The endpoint field is properly configured as a required string with unix socket format validation. The regex pattern ^unix:///(@[^/ ]+|[^@ ][^ ]*)$ correctly validates both filesystem paths (unix:///path/to/socket) and abstract sockets (unix:///@socketname) while rejecting any paths containing whitespace. Length constraints (minLength 9, maxLength 120) and the managementModel default to External align with the shift from AWS-centric to External KMS via unix socket.

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

171-195: Regex patterns now consistent across both CRD manifests.

Both the TechPreviewNoUpgrade and DevPreviewNoUpgrade CRD manifests now use the identical regex pattern ^unix:///(@[^/ ]+|[^@ ][^ ]*)$ with literal space characters. This resolves the prior inconsistency flagged in past reviews and ensures both feature-gated variants enforce identical endpoint validation. The pattern correctly prevents whitespace in socket paths while supporting both filesystem-based and abstract socket formats.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

161-196: Tighten kms.endpoint regex if you want to forbid unix:////...

Current CEL rule allows a path that begins with / after unix:/// (e.g., unix:////tmp/sock), which is arguably outside the documented formats. If you intend to only allow unix:///path... (where path starts immediately after the 3rd slash) or unix:///@abstract..., consider adjusting the regex accordingly.

♻️ Duplicate comments (5)

openapi/openapi.json (1)

9854-9858: policyType: empty-string default conflicts with “required” + allowed-values contract

This still has "default": "" while the description says it’s required and constrained to PublicKey|FulcioCAWithRekor|PKI. Prefer removing the empty default and adding an enum (and ensure the parent schema actually requires policyType).

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-196: Same kms.endpoint regex permissiveness as the DevPreviewNoUpgrade CRD
See the earlier comment about unix:////... being accepted by the current regex.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-182: Endpoint validation still allows non-space whitespace characters despite partial fix.

The validation regex self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$') uses literal space characters instead of the \s whitespace class, which blocks spaces but still permits tabs, newlines, and other whitespace. Unix socket paths should reject all whitespace. The pattern [^@ ][^ ]* permits paths like unix:///var/run/kms\t.sock (containing a tab).

This is a continuation of the earlier whitespace validation issue. While the developer changed from \s to literal spaces, the fundamental problem persists.

Recommend updating the regex to properly exclude all whitespace:

-rule: self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')
+rule: self.matches('^unix:///(@[^/\s]+|[^@\s][^\s]*)$')

This ensures the validation uses the proper \s character class (or equivalent escaping appropriate for CEL in CRD validation rules) to reject all whitespace characters, not just literal spaces.

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-182: Endpoint validation still allows non-space whitespace characters (payload manifest).

Same issue as identified in the generated CRD: the regex self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$') only blocks literal spaces but permits tabs and newlines.

Apply the same fix to ensure consistency across manifests:

-rule: self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$')
+rule: self.matches('^unix:///(@[^/\s]+|[^@\s][^\s]*)$')

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

171-182: Endpoint validation whitespace issue present in CustomNoUpgrade variant.

The endpoint validation regex self.matches('^unix:///(@[^/ ]+|[^@ ][^ ]*)$') has the same limitation as the TechPreviewNoUpgrade variants: it only blocks literal spaces, permitting tabs and newlines. Since this is a generated CRD, fix the issue at the source in config/v1/types_kmsencryption.go to propagate the correct validation pattern across all generated CRD manifests.

The source-level fix should use proper whitespace character classes:

// In types_kmsencryption.go, update the CEL validation rule
rule="self.matches('^unix:///(@[^/\\s]+|[^@\\s][^\\s]*)$')"

This single fix will regenerate all three CRD variants (TechPreviewNoUpgrade, DevPreviewNoUpgrade, CustomNoUpgrade) with the corrected validation rule.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5b4bb70 and 7c879fc.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.deepcopy.go
• config/v1/types_kmsencryption.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• openapi/openapi.json

🔇 Additional comments (5)

config/v1/types_kmsencryption.go (1)

5-34: LGTM! Clean refactoring to External-only KMS model.

The restructuring from AWS-specific configuration to a streamlined External endpoint-based model is well-executed:

• ManagementModel: Properly constrained to External with appropriate enum validation and defaulting
• Endpoint: Comprehensive validation with regex pattern that correctly handles both filesystem (unix:///path) and abstract socket (unix:///@abstractname) formats, rejecting spaces and slashes in abstract sockets
• Length constraints: MinLength=9 and MaxLength=120 are appropriate for unix socket paths
• Documentation: Clear and concise field descriptions

The use of omitempty with +required is correct per the project's linter configuration (as confirmed in past review discussions).

config/v1/zz_generated.deepcopy.go (1)

43-51: LGTM! Deepcopy logic correctly simplified.

The change from deep copy to shallow copy (**out = **in) for the KMS field is appropriate. Since KMSConfig now only contains simple string fields (ManagementModel and Endpoint) with no pointers or nested structures, a shallow copy is both correct and more efficient.

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

7-143: Excellent test coverage for the new KMS configuration.

The test suite comprehensively validates the External endpoint-based KMS configuration across 10 scenarios:

Positive cases:

• Valid filesystem socket paths (unix:///var/run/kmsplugin/socket.sock)
• Valid abstract sockets (unix:///@abstractsocket)
• Defaulting behavior (External management model when only endpoint is provided)

Negative cases:

• Format violations (missing unix:/// prefix, spaces in paths, slashes in abstract sockets)
• Missing required fields (empty config, missing endpoint)
• Length constraints (empty endpoint string triggers MinLength validation)
• Type mismatch (KMS config with aescbc encryption type)

The tests align perfectly with the validation rules in types_kmsencryption.go and provide strong confidence in the API behavior.

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2202: SwaggerDoc updates for KMSConfig look consistent with the new External endpoint model

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-195: Approve KMS configuration restructuring.

The migration from AWS-specific fields (aws.keyARN, aws.region) to the endpoint-based external KMS model is well-structured. The endpoint field is properly marked as required, validations are in place with reasonable length constraints (minLength 9 for unix:///a, maxLength 120), and default values are sensible. The overall schema change aligns with the PR objective to support only external KMS plugins.

[ardaguclu]

I ran Claude api-review command on my local and it didn't find any issues.

[flavianmissi]

Looking great, thanks Arda!

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

openapi/generated_openapi/zz_generated.openapi.go (1)

15140-15155: Validation constraints still missing from generated schema.

The field names have been correctly updated (type → managementModel, aws → endpoint), but the validation gaps identified in previous reviews persist:

1. managementModel (Lines 15140-15146): Description states "Valid values are "External"" but lacks:

   • Enum: []interface{}{"External"} to enforce the single valid value
   • Default: "External" to provide the default

2. endpoint (Lines 15147-15153): Description specifies unix socket format patterns but lacks:

   • Pattern: "^unix:///.*$|^unix:///@.*$" to enforce the format

Since this is a generated file, add the missing kubebuilder markers to the source type definition in config/v1/types_kmsencryption.go:

• +kubebuilder:validation:Enum=External on the managementModel field
• +kubebuilder:default=External on the managementModel field
• +kubebuilder:validation:Pattern=^unix:///.*$|^unix:///@.*$ on the endpoint field

Then regenerate the OpenAPI schema.

openapi/openapi.json (1)

7977-7984: Missing validation constraints issue previously raised.

The prior review comment at lines 7973-7985 flagged that the OpenAPI schema lacks the validation constraints present in the source code (config/v1/types_kmsencryption.go):

• endpoint: missing minLength, maxLength, and pattern constraints
• managementModel: missing enum and default values

Ensure the OpenAPI generation properly reflects the kubebuilder validation markers.

🧹 Nitpick comments (1)

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

161-195: KMS endpoint + managementModel schema looks solid

The unix-domain-socket endpoint validation and managementModel enum/default cleanly enforce the external KMS plugin model, and the CEL regex correctly rejects abstract sockets and obvious bad formats. One possible (non-blocking) refinement would be to align maxLength with the underlying unix socket path limit to fail clearly at validation time rather than later in the KMS client, but the current bound is acceptable as-is.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7c879fc and ab46a2a.

📒 Files selected for processing (13)

• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (4 hunks)
• config/v1/types_kmsencryption.go (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)
• config/v1/zz_generated.deepcopy.go (1 hunks)
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (1 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (1 hunks)
• openapi/openapi.json (2 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1 hunks)
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
• config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• config/v1/types_kmsencryption.go
• payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
• config/v1/zz_generated.deepcopy.go
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
• config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
• openapi/openapi.json

🔇 Additional comments (10)

config/v1/zz_generated.deepcopy.go (1)

42-51: DeepCopy change for KMSConfig is correct

Using new(KMSConfig) plus **out = **in is appropriate now that KMSConfig only has value fields, and it avoids pointer aliasing. Generated code remains consistent with other simple structs.

config/v1/types_kmsencryption.go (1)

5-25: KMSConfig shape and validation look consistent and sound

ManagementModel + required Endpoint with the unix‑socket regex, length bounds, default, and docs all line up with the CRDs and tests. The omitempty on required fields matches this repo’s linter conventions.

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

171-194: Feature‑gated CRD kms schema correctly mirrors the Go type

endpoint and managementModel definitions (including requiredness, defaults, and CEL regex) are in sync with KMSConfig and the tests, so CRD and server‑side behavior stay aligned.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

171-194: TechPreview CRD kms block is consistent with source and other CRDs

The kms endpoint and managementModel fields, validations, and required list match the Go type and the feature‑gated CRD, keeping the API coherent across feature sets.

config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml (1)

8-133: KMS tests comprehensively exercise the new endpoint semantics

The added cases cover valid configuration, defaulting of managementModel, and the main failure modes (scheme, missing/empty endpoint, spaces, abstract sockets, and invalid pairing with non‑KMS type), which should give good confidence in the new validation logic.

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

161-195: Consistent KMS schema across feature sets

The kms block (endpoint + managementModel + required:endpoint and validations) matches the DevPreview CRD, which keeps behavior consistent across feature sets and avoids drift. No additional issues spotted here.

config/v1/zz_generated.swagger_doc_generated.go (1)

2194-2198: KMSConfig Swagger docs aligned with new External KMS model

The updated map_KMSConfig entries correctly describe the new managementModel and endpoint fields and match the CRD semantics (external plugin via unix:///path, no abstract sockets). This keeps generated Swagger/OpenAPI in sync with the refactored API.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (3)

171-181: Endpoint validation correctly implements UNIX socket format requirements.

The regex validation ^unix:///[^@ ][^ ]*$ properly:

• Enforces the unix:/// prefix format
• Prevents abstract Linux sockets (starting with @) as documented
• Rejects spaces in paths to avoid parsing ambiguities
• Works with the length constraints (minLength 9 ensures at least one character after the prefix)

This correctly transitions from AWS-specific fields to a generic External KMS endpoint model.

---

182-191: LGTM! Management model correctly restricted to External.

The default value of External and the enum constraint align with the transition away from AWS-specific KMS configurations. The description accurately reflects the External model using user-deployed KMS plugins with UNIX domain sockets and KMS V2 API.

---

192-194: Required field correctly updated for External KMS model.

Making endpoint required (instead of the removed AWS-specific fields) is appropriate for the External KMS configuration. This ensures users must specify the UNIX socket endpoint when configuring KMS encryption.

[ardaguclu]

@flavianmissi I've excluded abstract Linux paths from the validations (as we agreed upon). Could you PTAL?.

[flavianmissi]

Looks great!

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: flavianmissi
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ardaguclu]

/test e2e-aws-ovn
/test e2e-upgrade-out-of-change

[JoelSpeed]

/lgtm cancel
/hold

@ardaguclu @flavianmissi While I appreciate the team review and LGTM, please don't /lgtm on this repo until an API approver has had a pass. We are trying to avoid needless CI cycles so our E2Es don't run until the lgtm label is added, odds are that an API reviewer will ask for some changes so these E2E cycles are not going to help for the moment.

Will get you a reviewer assigned

[ardaguclu]

/lgtm cancel /hold

@ardaguclu @flavianmissi While I appreciate the team review and LGTM, please don't /lgtm on this repo until an API approver has had a pass. We are trying to avoid needless CI cycles so our E2Es don't run until the lgtm label is added, odds are that an API reviewer will ask for some changes so these E2E cycles are not going to help for the moment.

Will get you a reviewer assigned

Thank you for the comment. This doesn't look like the flow in other OCP repositories but the motivation makes sense to me. As prerequisite we need to merge our EP openshift/enhancements#1900 first (@JoelSpeed I've added you as api-approver, but we need to complete our reviews within the team first).

[JoelSpeed]

No worries @ardaguclu, it's a different process that we are trialing and I expect more repos to take on in the future. I'm hoping we can make it more obvious later

@yuqi-zhang is one of our API reviewers who's training up, he will take a first review pass here and on the EP, and once he's happy I'll take a look

[openshift-ci]

@ardaguclu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial-techpreview-1of2	ab46a2a	link	true	/test e2e-aws-serial-techpreview-1of2
ci/prow/verify-crdify	ab46a2a	link	true	/test verify-crdify
ci/prow/e2e-aws-serial-techpreview-2of2	ab46a2a	link	true	/test e2e-aws-serial-techpreview-2of2
ci/prow/verify-crd-schema	ab46a2a	link	true	/test verify-crd-schema

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[yuqi-zhang]

For serialization safety and to adhere to v1 API guarantees, we do not allow removal of any fields directly, even if it was only accessible in tech preview. Instead, we ask to tombstone them (removal with a comment), see some examples #2256 and #2576

This also means that the field name may not be used again, so we should be certain that we're ok with the removal.

[ardaguclu]

Thank you for review. That makes sense. I'll update this PR based on your comments, once we finalize the design.

[yuqi-zhang]

Could you help me understand why you'd like a default to be set here? We generally try not to set defaults via the API but instead through controllers and document the default behaviour via godocs, allowing for flexibility in the future. Since we only have one optional for now, is anything depending on this field to be explicitly set?

For additional context, see: https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#defaulting

[yuqi-zhang]

Suggested change

	// The endpoint must follow the format "unix:///path".
	// The endpoint must follow the format "unix:///path" and be between 9 and 120 characters in length.

[yuqi-zhang]

Out of curiosity, what would potentially be other possible values in the future? Would there be any cloud-provided specific plugins supported here since you mentioned that AWS is obsolete? Just trying to understand what would be the api changes would look like in the future.