Skip to content

Adding key identifier in KMS to KMS cases#2346

Open
gangwgr wants to merge 1 commit into
openshift:masterfrom
gangwgr:kmstoks
Open

Adding key identifier in KMS to KMS cases#2346
gangwgr wants to merge 1 commit into
openshift:masterfrom
gangwgr:kmstoks

Conversation

@gangwgr

@gangwgr gangwgr commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Adding key identifier in KMS to KMS cases

Summary by CodeRabbit

  • Tests
    • Added KMS v2–specific validation for etcd payloads by checking for the expected embedded encryption prefix.
    • Improved parsing of KMS plugin/provider identifiers to extract the operator key ID and verify it matches the expected {keyID}_{resource} pattern.
    • Enhanced encryption assertions with clearer, more user-friendly diagnostics for non-KMS-encrypted payloads, malformed identifiers, and unexpected key IDs.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9666fd78-0179-40da-9a19-7cdd2ca5d37a

📥 Commits

Reviewing files that changed from the base of the PR and between 02433a0 and ffe81f9.

📒 Files selected for processing (1)
  • test/library/encryption/assertion.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/library/encryption/assertion.go

Walkthrough

Adds exported test helpers for deriving operator key IDs from encryption metadata and asserting KMS v2-encrypted etcd payload prefixes, including diagnostic reporting for malformed or mismatched payload prefixes.

Changes

KMS v2 Assertion Helpers

Layer / File(s) Summary
Parsing and prefix helpers
test/library/encryption/assertion.go
Adds imports and internal helpers to extract KMS v2 plugin names, derive embedded operator key ID components, and format expected k8s:enc:kms:v2: prefixes.
Exported assertion helpers
test/library/encryption/assertion.go
Adds OperatorKeyIDFromEncryptionKeyMeta, AssertEtcdValueEncryptedWithOperatorKeyID, and AssertKMSEncryptedWithWriteKey for operator key ID derivation and etcd payload validation.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is related to the main change: adding a key identifier to KMS-to-KMS encryption assertions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only test/library/encryption/assertion.go changed; no _test.go files or Ginkgo titles were added/edited, so no unstable test names were introduced.
Test Structure And Quality ✅ Passed PASS: The PR only adds helper assertions in a test utility file; there are no new Ginkgo specs, resource setup/cleanup, or unbounded waits to audit.
Microshift Test Compatibility ✅ Passed No new Ginkgo tests were added; the changed file only adds helper assertions and contains no MicroShift-unsupported APIs, namespaces, or skip-worthy test bodies.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Not applicable: the only changed file adds helper assertions in a test library and introduces no It/Describe/Context/When Ginkgo tests or SNO-sensitive assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed PR only adds encryption test helpers in test/library/encryption/assertion.go; no deployment, controller, replica, affinity, or node-scheduling logic changed.
Ote Binary Stdout Contract ✅ Passed Changed file only adds test helpers and t.Logf calls; no main/init/TestMain/suite setup stdout writes or fmt.Print/klog stdout usage found.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Helper-only changes in assertion.go; no Ginkgo test bodies or IPv4/external connectivity assumptions were added.
No-Weak-Crypto ✅ Passed The new helpers only parse KMS prefixes and compare operator key IDs; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found.
Container-Privileges ✅ Passed Only test/library/encryption/assertion.go changed; no K8s manifests or privilege/securityContext fields were added.
No-Sensitive-Data-In-Logs ✅ Passed The added logs only mention resource names, namespaces, and numeric operator key IDs; they don’t log secrets, tokens, raw payloads, or other sensitive data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@gangwgr gangwgr changed the title Adding key identifier in KMS to KMS cases [WIP]Adding key identifier in KMS to KMS cases Jul 2, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 2, 2026
@openshift-ci openshift-ci Bot requested review from ardaguclu and dgrisonnet July 2, 2026 13:18
@gangwgr gangwgr changed the title [WIP]Adding key identifier in KMS to KMS cases Adding key identifier in KMS to KMS cases Jul 3, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 3, 2026
Comment thread test/library/encryption/assertion.go Outdated

pluginName, ok := kmsPluginNameFromEtcdValue(raw)
if !ok {
t.Errorf("etcd data for resource %q is not KMS-encrypted (expected operator keyID %q)", resource, expectedKeyID)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you able to add the first 30'ish bytes here from raw? it will be pretty difficult to reconstruct this otherwise from CI. Also applies for the above places where the assertions fail.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is in operator repo caller

Comment thread test/library/encryption/assertion.go Outdated
Comment on lines +205 to +207
if _, err := strconv.ParseUint(keyID, 10, 64); err != nil {
return "", fmt.Errorf("invalid operator key ID %q in KMS plugin name %q: %w", keyID, pluginName, err)
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's nitpicky, but there's no need to parse this into an integer here when you're returning a string anyway. The assertion (that's currently missing) is checking whether the format is what we expect anyway.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Comment thread test/library/encryption/assertion.go Outdated
t.Errorf("etcd data for resource %q has an invalid KMS encryption prefix (expected operator keyID %q)", resource, expectedKeyID)
return
}
t.Errorf("etcd data for resource %q is encrypted with operator keyID %q, expected %q", resource, gotKeyID, expectedKeyID)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where's the assertion for that? :)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm checking in caller

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/library/encryption/assertion.go (1)

231-271: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

No direct unit tests for the exported assertion functions.

assertion_kms_test.go only covers the internal parsing helpers (kmsPluginNameFromEtcdValue, operatorKeyIDFromKMSPluginName, expectedKMSPrefix, etcdRawHeadForDiagnostics). The exported AssertEtcdValueEncryptedWithOperatorKeyID and AssertKMSEncryptedWithWriteKey branch logic (not-KMS-encrypted, invalid prefix, keyID mismatch) is untested directly, only indirectly via the helper tests.

Consider adding a lightweight fake testing.TB (or using t.Run with a sub-test asserting t.Failed()) to cover the mismatch/invalid-prefix branches of AssertEtcdValueEncryptedWithOperatorKeyID directly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/assertion.go` around lines 231 - 271, The exported
assertion helpers are missing direct coverage for their failure branches, so add
tests around AssertEtcdValueEncryptedWithOperatorKeyID and
AssertKMSEncryptedWithWriteKey rather than only the parsing helpers. Use a
lightweight fake testing.TB or subtests with t.Run and t.Failed() to exercise
the non-KMS-encrypted, invalid-prefix, and keyID-mismatch paths in
AssertEtcdValueEncryptedWithOperatorKeyID, and verify
AssertKMSEncryptedWithWriteKey reaches that logic via
GetLastKeyMeta/OperatorKeyIDFromEncryptionKeyMeta.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/library/encryption/assertion.go`:
- Around line 231-271: The exported assertion helpers are missing direct
coverage for their failure branches, so add tests around
AssertEtcdValueEncryptedWithOperatorKeyID and AssertKMSEncryptedWithWriteKey
rather than only the parsing helpers. Use a lightweight fake testing.TB or
subtests with t.Run and t.Failed() to exercise the non-KMS-encrypted,
invalid-prefix, and keyID-mismatch paths in
AssertEtcdValueEncryptedWithOperatorKeyID, and verify
AssertKMSEncryptedWithWriteKey reaches that logic via
GetLastKeyMeta/OperatorKeyIDFromEncryptionKeyMeta.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a5f83aef-4417-43cd-af8a-026fbcad7326

📥 Commits

Reviewing files that changed from the base of the PR and between c6cd1a2 and 953b4ca.

📒 Files selected for processing (2)
  • test/library/encryption/assertion.go
  • test/library/encryption/assertion_kms_test.go

Comment thread test/library/encryption/assertion.go Outdated
resource, pluginName, expectedKeyID, etcdRawHeadForDiagnostics(raw))
return
}
t.Errorf("etcd data for resource %q is encrypted with operator keyID %q, expected %q, raw head: %s",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay let me try this again, what do you assert here? This will always fail, won't it?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t.Errorf("etcd data for resource %q is encrypted with operator keyID %q, expected %q, raw head: %s",
if want != gotKeyId {
t.Errorf("etcd data for resource %q is encrypted with operator keyID %q, expected %q, raw head: %s",

maybe?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay let me try this again, what do you assert here? This will always fail, won't it?
The last t.Errorf is only reached when the prefix check at the top fails — it's a diagnostic failure path, not the assertion itself. On success we return at line 242 (see Auth-O CI - https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-authentication-operator/941/pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-encryption-kms-2/2072983447919398912/artifacts/e2e-aws-operator-encryption-kms-2/openshift-e2e-test/artifacts/junit/extension_test_result_e2e__20260703-105523-everything.html, keyID "1" then "2" both pass there). We assert the full prefix k8s:enc:kms:v2:{keyID}_{resource}.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's highly unintuitive

Comment thread test/library/encryption/assertion.go Outdated
if len(raw) > max {
return hex.EncodeToString(raw[:max]) + "..."
}
return hex.EncodeToString(raw)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a better way to display it as a string without decoding hex? sorry I just realized that this is stupid, nobody is going to de-hex this when seeing this in CI...

@gangwgr gangwgr force-pushed the kmstoks branch 6 times, most recently from 77c641e to 02433a0 Compare July 3, 2026 13:31
Comment thread test/library/encryption/assertion.go Outdated
Comment on lines +256 to +258
return
}
t.Logf("etcd data for resource %q matches operator keyID %q", resource, expectedKeyID)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return
}
t.Logf("etcd data for resource %q matches operator keyID %q", resource, expectedKeyID)
} else {
t.Logf("etcd data for resource %q matches operator keyID %q", resource, expectedKeyID)
}

save yourself the return path, we're not developing in C

@tjungblu

tjungblu commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tjungblu

tjungblu commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

/approve

@tjungblu

tjungblu commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

/hold

in case you need more testing

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr, tjungblu
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gangwgr

gangwgr commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants