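--- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
+++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
@@ -5,21 +5,14 @@ featureGates:
 - KMSEncryption
 tests:
 onCreate:
-- name: Should be able to create with KMS type without kms config
+- name: Should reject KMS encryption type without kms config
 initial: |
 apiVersion: config.openshift.io/v1
 kind: APIServer
 spec:
 encryption:
 type: KMS
-expected: |
-apiVersion: config.openshift.io/v1
-kind: APIServer
-spec:
-audit:
-profile: Default
-encryption:
-type: KMS
+expectedError: "kms config is required when encryption type is KMS"
 - name: Should be able to create with aescbc encryption
 initial: |
 apiVersion: config.openshift.io/v1
@@ -65,3 +58,23 @@ tests:
 profile: Default
 encryption:
 type: identity
+
+- name: Should reject kms config when encryption type is not KMS
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: aescbc
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitKey: my-key
+expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise"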
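Review bot: The rewritten first test asserts `expectedError: "kms config is required when encryption type is KMS"`, which is only a prefix of the message the new rule emits, while the test added at the end of the file asserts the full `"kms config is required when encryption type is KMS, and forbidden otherwise"`. If the harness matches substrings both pass today, but the two cases should assert the same string so a later change to the message is caught by both. The rule's else branch also rejects a `kms` stanza when `type` is omitted entirely, and no case exercises that; a third onCreate case with `kms:` set and no `type:` would pin it.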
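--- a/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml
+++ b/config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml
@@ -209,6 +209,145 @@ tests:
 name: vault-approle
 transitKey: my-encryption-key
 
+# RFC 3986 unreserved character tests
+- name: Should accept transitMount with period character
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitMount: transit.v1
+transitKey: my-key
+expected: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+audit:
+profile: Default
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitMount: transit.v1
+transitKey: my-key
+
+- name: Should accept transitMount with tilde character
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitMount: transit~backup
+transitKey: my-key
+expected: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+audit:
+profile: Default
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitMount: transit~backup
+transitKey: my-key
+
+- name: Should accept transitKey with period character
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitKey: encryption.key.v1
+expected: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+audit:
+profile: Default
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitKey: encryption.key.v1
+
+- name: Should reject transitKey with tilde character
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitKey: key~backup
+expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"
+
 # Type validation - vault field must be set when type is Vault
 - name: Should reject KMS type Vault without vault config
 initial: |
@@ -632,7 +771,7 @@ tests:
 name: vault-approle
 transitMount: my transit
 transitKey: my-key
-expectedError: "transitMount cannot contain spaces"
+expectedError: "transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes"
 
 - name: Should reject transitMount containing consecutive forward slashes
 initial: |
@@ -674,7 +813,7 @@ tests:
 secret:
 name: vault-approle
 transitKey: my encryption key
-expectedError: "transitKey cannot contain spaces"
+expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"
 
 - name: Should reject transitKey containing forward slashes
 initial: |
@@ -696,6 +835,47 @@ tests:
 transitKey: my/key
 expectedError: "transitKey cannot contain forward slashes"
 
+- name: Should reject transitMount with special characters
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitMount: transit@test
+transitKey: my-key
+expectedError: "transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes"
+
+- name: Should reject transitKey with special characters
+initial: |
+apiVersion: config.openshift.io/v1
+kind: APIServer
+spec:
+encryption:
+type: KMS
+kms:
+type: Vault
+vault:
+kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+vaultAddress: https://vault.example.com:8200
+authentication:
+type: AppRole
+appRole:
+secret:
+name: vault-approle
+transitKey: my@key
+expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"
+
 # serverName validation tests
 - name: Should reject invalid serverName
 initial: |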
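Review bot: The new negative transitMount cases cover a space and `@`, but none exercise a path segment made only of dots, which the new character class `^[a-zA-Z0-9._~/-]+$` in types_kmsencryption.go accepts (for example `transitMount: transit/../kv`), because the retained `//` check only rejects empty segments and the period is an unreserved character. I cannot see from this diff how the consumer joins transitMount into the Vault API path, but if it is used as a URL path prefix a `..` segment would address a different mount than the configured name suggests. Either add a rejecting rule on the Go field such as `!self.matches('(^|/)[.]{1,2}(/|$)')` with a matching "Should reject transitMount with dot-only path segment" case here, or add an accepting case that records the current behaviour as intended.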
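--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -209,6 +209,7 @@ type APIServerNamedServingCert struct {
 }
 
 // APIServerEncryption is used to encrypt sensitive resources on the cluster.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
 // +union
 type APIServerEncryption struct {
 // type defines what encryption type should be used to encrypt resources at the datastore layer.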
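Review bot: The new XValidation on APIServerEncryption tightens an existing shape: the test case removed from KMSEncryption.yaml shows that `type: KMS` with no `kms` stanza was previously accepted, so an APIServer object persisted in that shape while the gate was enabled would fail validation on its next update unless CRD validation ratcheting leaves the unchanged field alone. That is probably acceptable behind the KMSEncryption feature gate, but the rule should say so, e.g. `// Objects persisted with type=KMS and no kms stanza before this rule existed are rejected on update; acceptable while KMSEncryption is gated.` The struct body continues outside the hunk.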
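--- a/config/v1/types_kmsencryption.go
+++ b/config/v1/types_kmsencryption.go
@@ -114,9 +114,7 @@ const (
 type VaultAppRoleAuthentication struct {
 // secret references a secret in the openshift-config namespace containing
 // the AppRole credentials used to authenticate with Vault.
-// The secret must contain two keys: "roleID" for the AppRole Role ID and "secretID" for the AppRole Secret ID.
-//
-// The namespace for the secret is openshift-config.
+// The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
 //
 // +required
 Secret VaultSecretReference `json:"secret,omitzero"`
@@ -194,33 +192,35 @@ type VaultKMSConfig struct {
 Authentication VaultAuthentication `json:"authentication,omitzero"`
 
 // transitMount specifies the mount path of the Vault Transit engine.
-// The value must be between 1 and 1024 characters when specified.
 //
 // When omitted, this means the user has no opinion and the platform is left
 // to choose a reasonable default. These defaults are subject to change over time.
 // The current default is "transit".
 //
-// The mount path cannot start or end with a forward slash, cannot contain spaces,
-// and cannot contain consecutive forward slashes.
+// The transit mount must be between 1 and 1024 characters when specified, cannot start or
+// end with a forward slash, cannot contain consecutive forward slashes, and must only contain
+// RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward
+// slashes as path separators.
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=1024
 // +kubebuilder:validation:XValidation:rule="!self.startsWith('/')",message="transitMount cannot start with a forward slash"
 // +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="transitMount cannot end with a forward slash"
-// +kubebuilder:validation:XValidation:rule="!self.contains(' ')",message="transitMount cannot contain spaces"
 // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes"
+// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes"
 // +optional
 TransitMount string `json:"transitMount,omitempty"`
 
 // transitKey specifies the name of the encryption key in Vault's Transit engine.
 // This key is used to encrypt and decrypt data.
 //
-// The key name must be between 1 and 512 characters and cannot contain spaces or forward slashes.
+// The transit key must be between 1 and 512 characters, cannot contain forward slashes,
+// and must only contain alphanumeric characters, hyphens, periods, and underscores.
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=512
-// +kubebuilder:validation:XValidation:rule="!self.contains(' ')",message="transitKey cannot contain spaces"
 // +kubebuilder:validation:XValidation:rule="!self.contains('/')",message="transitKey cannot contain forward slashes"
+// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"
 // +required
 TransitKey string `json:"transitKey,omitempty"`
 }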
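Review bot: The doc comment on VaultAppRoleAuthentication.Secret changes the required Secret keys from "roleID"/"secretID" to "role-id"/"secret-id"; since this is the documented contract for an operator-created Secret rather than a typo fix, any Secret already built against the previous wording stops matching, and the reading code is not in this diff so I cannot tell whether both spellings are accepted. If only the new names are read, the comment should state that the names changed and since which version, or the PR description should call out the migration. A smaller point in the VaultKMSConfig hunk: the retained `!self.contains('/')` rule on transitKey is now implied by `^[a-zA-Z0-9._-]+$`; keeping it only for the more specific message is fine, but a short comment saying so would stop the next reader from treating it as an oversight.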
Expand Up @@ -196,9 +196,7 @@ spec:
description: |-
secret references a secret in the openshift-config namespace containing
the AppRole credentials used to authenticate with Vault.
The secret must contain two keys: "roleID" for the AppRole Role ID and "secretID" for the AppRole Secret ID.

The namespace for the secret is openshift-config.
The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
properties:
name:
description: |-
Expand Down Expand Up @@ -336,26 +334,29 @@ spec:
transitKey specifies the name of the encryption key in Vault's Transit engine.
This key is used to encrypt and decrypt data.

The key name must be between 1 and 512 characters and cannot contain spaces or forward slashes.
The transit key must be between 1 and 512 characters, cannot contain forward slashes,
and must only contain alphanumeric characters, hyphens, periods, and underscores.
maxLength: 512
minLength: 1
type: string
x-kubernetes-validations:
- message: transitKey cannot contain spaces
rule: '!self.contains('' '')'
- message: transitKey cannot contain forward slashes
rule: '!self.contains(''/'')'
- message: transitKey must only contain alphanumeric characters,
hyphens, periods, and underscores
rule: self.matches('^[a-zA-Z0-9._-]+$')
transitMount:
description: |-
transitMount specifies the mount path of the Vault Transit engine.
The value must be between 1 and 1024 characters when specified.

When omitted, this means the user has no opinion and the platform is left
to choose a reasonable default. These defaults are subject to change over time.
The current default is "transit".

The mount path cannot start or end with a forward slash, cannot contain spaces,
and cannot contain consecutive forward slashes.
The transit mount must be between 1 and 1024 characters when specified, cannot start or
end with a forward slash, cannot contain consecutive forward slashes, and must only contain
RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward
slashes as path separators.
maxLength: 1024
minLength: 1
type: string
Expand All @@ -364,11 +365,13 @@ spec:
rule: '!self.startsWith(''/'')'
- message: transitMount cannot end with a forward slash
rule: '!self.endsWith(''/'')'
- message: transitMount cannot contain spaces
rule: '!self.contains('' '')'
- message: transitMount cannot contain consecutive forward
slashes
rule: '!self.contains(''//'')'
- message: transitMount must only contain RFC 3986 unreserved
characters (alphanumeric, hyphen, period, underscore,
tilde) and forward slashes
rule: self.matches('^[a-zA-Z0-9._~/-]+$')
vaultAddress:
description: |-
vaultAddress specifies the address of the HashiCorp Vault instance.
Expand Down Expand Up @@ -452,6 +455,11 @@ spec:
- KMS
type: string
type: object
x-kubernetes-validations:
- message: kms config is required when encryption type is KMS, and
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates