Conversation

@ardaguclu
Member

This PR is based on #1872 (changes in enhancements/kube-apiserver/kms-encryption-foundations.md).

There are many aspects that need to be implemented to support KMS in OpenShift. We have decided to open more granular EPs to better track the work.

This EP's main aim is to focus on the encryption controller changes in library-go. This EP defers some concepts to the future in order to start with simpler, manageable iterations.

PoC PR openshift/library-go#2045 (this is just a PoC, original PR will be opened when this EP merges).

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 3, 2025
@openshift-ci-robot

openshift-ci-robot commented Dec 3, 2025

@ardaguclu: This pull request references CNTRLPLANE-2120 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from hasbro17 and yuqi-zhang December 3, 2025 09:35
@openshift-ci
Contributor

openshift-ci bot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jaypoulz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ardaguclu ardaguclu force-pushed the kms-encryption-controllers branch from c091cbc to f734b05 Compare December 3, 2025 09:43
Member

@flavianmissi flavianmissi left a comment

Have to take a short break from reviewing, but leaving the comments I got so far.

@ardaguclu
Member Author

/cc @ibihim @flavianmissi

@openshift-ci openshift-ci bot requested review from flavianmissi and ibihim December 3, 2025 14:08
@ardaguclu ardaguclu force-pushed the kms-encryption-controllers branch 2 times, most recently from 1794054 to 1ddc3d8 Compare December 4, 2025 07:19
@ardaguclu
Member Author

@flavianmissi I was uncomfortable about the disconnects between the sections and the verbosity. So I overhauled the EP to have better clarity. Please let me know your thoughts.

@ardaguclu ardaguclu force-pushed the kms-encryption-controllers branch 3 times, most recently from e920a9c to 5804b76 Compare December 4, 2025 08:35
@ardaguclu ardaguclu force-pushed the kms-encryption-controllers branch from f39a0d7 to 8f79ed6 Compare December 5, 2025 04:21
@openshift-ci
Contributor

openshift-ci bot commented Dec 5, 2025

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@flavianmissi
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 5, 2025
@ardaguclu
Member Author

/cc @benluddy

@openshift-ci openshift-ci bot requested a review from benluddy December 5, 2025 13:00
@ardaguclu
Member Author

As we agreed with @flavianmissi, in the next iterations there will be another condition to notify users to delete unused KMS plugins from the cluster when prune_controller prunes them.

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

3 participants