Skip to content

CNTRLPLANE-3234: wire KMS health reporter status writer#947

Merged
openshift-merge-bot[bot] merged 3 commits into
openshift:masterfrom
ibihim:kms-health-writer
Jul 13, 2026
Merged

CNTRLPLANE-3234: wire KMS health reporter status writer#947
openshift-merge-bot[bot] merged 3 commits into
openshift:masterfrom
ibihim:kms-health-writer

Conversation

@ibihim

@ibihim ibihim commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What

  • bump library-go
  • wire up health reporter
  • add kms v2 test suite

Why

  • library-go contains new changes, that conflict with the current stub.
  • health reporter is now working and can generate useful data.
  • Something was off with the test suite, following @gangwgr suggestion.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 9, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ibihim: This pull request explicitly references no jira issue.

Details

In response to this:

What

Replaces the nil, nil operator-client stub in the kms-health-reporter command registration with the real status writer from library-go: writers.NewAuthenticationWriter.

The reporter now SSA-applies KMS plugin health reports to Authentication/cluster at .status.oauthAPIServer.encryptionStatus, using the per-node fieldManager (kms-health-reporter-<node>) that library-go derives from --node-name, so reporters on different nodes co-own the health reports without conflicts.

Why now

The latest library-go reworked the health reporter integration: the v1helpers.OperatorClient factory hook was replaced by a narrow EncryptionStatusWriter (kms/health + kms/health/writers packages). The old stub no longer matches the API, and since the new Config.Run calls the writer unconditionally, a nil writer is no longer a safe placeholder.

library-go pin

Uses the same fork pin as openshift/cluster-kube-apiserver-operator#2223 and #2224 (gangwgr/library-go@7c4cf6073c53), which contains the kms/health/writers package. Intended to be swapped to an upstream openshift/library-go bump before merge.

Sibling PRs: openshift/cluster-kube-apiserver-operator#2224

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

The authentication operator's KMS health command now uses a concrete authentication writer. The library-go requirement is updated, and KMS test selection is split into separate suites with an openshift/kms dependency.

Changes

KMS Health and Test Integration

Layer / File(s) Summary
Authentication KMS health wiring
cmd/authentication-operator/main.go, go.mod
Registers kmshealth.NewCommand with kmswriters.NewAuthenticationWriter and updates the required github.com/openshift/library-go version.
KMS test suite routing
cmd/cluster-authentication-operator-tests-ext/main.go
Excludes encryption-kms-2 tests from encryption-kms and adds a serialized encryption-kms-2 suite dependent on openshift/kms.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested labels: lgtm

Suggested reviewers: gangwgr


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Container-Privileges ❌ Error The vendored KMS preflight pod template adds hostNetwork: true (and runAsUser: 0) in kms-preflight-pod.yaml. Remove or justify the insecure pod settings in the changed manifest, or exclude vendored third-party manifests from this check.
✅ Passed checks (14 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test titles changed; the patch only updates command wiring, vendored library code, and no *_test.go files.
Test Structure And Quality ✅ Passed No Ginkgo/Gomega test files were changed; the diff only updates command/vendor code, so the checklist is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; changes only rewire KMS health command wiring and bump vendored library-go, so MicroShift compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only rewires KMS health command wiring and updates vendored library-go code.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: PR only rewires KMS health reporter writer; no new affinity, nodeSelector, tolerations, replica, or topology-aware scheduling logic in auth operator.
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes were added; the auth-operator main only rewires KMS command registration and the OTE entrypoint still logs to stderr.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only rewires kms-health command and updates vendored library-go; no new Ginkgo e2e tests, IPv4 literals, or external connectivity assumptions found.
No-Weak-Crypto ✅ Passed Diff only rewires the KMS health writer and bumps library-go; no added weak crypto, custom crypto, or secret comparisons appear in changed lines.
No-Sensitive-Data-In-Logs ✅ Passed The diff adds no logs with secrets/PII; the only logging is generic startup/error reporting and no new sensitive fields are introduced.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: wiring the KMS health reporter to use the authentication status writer.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


Comment @coderabbitai help to get the list of available commands.

@ibihim ibihim changed the title NO-JIRA: wire KMS health reporter status writer CNTRLPLANE-3234: wire KMS health reporter status writer Jul 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@ibihim: This pull request references CNTRLPLANE-3234 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What

Replaces the nil, nil operator-client stub in the kms-health-reporter command registration with the real status writer from library-go: writers.NewAuthenticationWriter.

The reporter now SSA-applies KMS plugin health reports to Authentication/cluster at .status.oauthAPIServer.encryptionStatus, using the per-node fieldManager (kms-health-reporter-<node>) that library-go derives from --node-name, so reporters on different nodes co-own the health reports without conflicts.

Why now

The latest library-go reworked the health reporter integration: the v1helpers.OperatorClient factory hook was replaced by a narrow EncryptionStatusWriter (kms/health + kms/health/writers packages). The old stub no longer matches the API, and since the new Config.Run calls the writer unconditionally, a nil writer is no longer a safe placeholder.

library-go pin

Uses the same fork pin as openshift/cluster-kube-apiserver-operator#2223 and #2224 (gangwgr/library-go@7c4cf6073c53), which contains the kms/health/writers package. Intended to be swapped to an upstream openshift/library-go bump before merge.

Sibling PRs: openshift/cluster-kube-apiserver-operator#2224

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

  • Improved the authentication operator’s KMS health command so it now uses the appropriate authentication-backed writer when checking and reporting health.

  • Chores

  • Updated a dependency source used by the operator to a newer library revision.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tjungblu

tjungblu commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tjungblu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2026
@ardaguclu

Copy link
Copy Markdown
Member

/hold
Go.mod is wrong

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 9, 2026
@tjungblu

tjungblu commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

/hold gomod is also wrong here

@ibihim

ibihim commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

/retest

@ibihim

ibihim commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

lol

@ibihim ibihim force-pushed the kms-health-writer branch from 9e8b27c to 0f30e14 Compare July 9, 2026 23:09
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@tjungblu

Copy link
Copy Markdown
Contributor

/retest

@tjungblu

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@gangwgr

gangwgr commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 10, 2026
@gangwgr

gangwgr commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

/test e2e-aws-operator-encryption-kms-2

ibihim added 2 commits July 10, 2026 14:42
Plumb NewAuthenticationWriter into the KMS health reporter command. This replaces the nil operator client stub so health reports are applied to Authentication/cluster status with the reporter's per-node field manager.
Register the KMS-to-KMS migration test as a child of openshift/kms and exclude it from the original encryption-kms suite so the serial test is not run in both shards.
@ibihim ibihim force-pushed the kms-health-writer branch from 0f30e14 to 6330ef9 Compare July 10, 2026 12:44
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@tjungblu

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@gangwgr

gangwgr commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

/verified by ci runs

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 13, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@gangwgr: This PR has been marked as verified by ci runs.

Details

In response to this:

/verified by ci runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@ibihim: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 92eadef into openshift:master Jul 13, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants