WIP: Fake bump to get credentials in KMS plugin

[bertinatto]

Summary by CodeRabbit

• Chores

  • Updated KMS library dependency reference.

• Tests

  • Updated KMS encryption test configurations to use production encryption provider instead of test provider.

[coderabbitai]

Walkthrough

This PR updates the Go module dependency for library-go to use a fork and switches two KMS e2e tests from fake to real vault encryption providers. The module replacement enables the test provider changes.

Changes

KMS Encryption Provider Update

Layer / File(s)	Summary
Library dependency replacement go.mod	The replace directive for github.com/openshift/library-go is updated to redirect to github.com/bertinatto/library-go at version v0.0.0-20260529122804-e63c73d0ca68.
Test encryption provider migrations test/e2e-encryption-kms/encryption_kms.go	Two KMS test scenarios are updated to use DefaultVaultEncryptionProvider instead of DefaultFakeVaultEncryptionProvider: the KMS on/off cycle test and the KMS/AES encryption providers migration test.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• everettraven
• kaleemsiddiqu

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	PR adds K8s manifests with privileged: true containers in bindata/oauth-apiserver/deploy.yaml and bindata/oauth-openshift/deployment.yaml. Containers run as root without documented justification.	Add explicit security justification in securityContext blocks and consider capability-based approach instead of privileged mode where feasible.
Microshift Test Compatibility	⚠️ Warning	Tests reference OAuth API (oauth.openshift.io) unavailable on MicroShift without MicroShift skip protections ([Skipped:MicroShift], [apigroup:oauth.openshift.io], or IsMicroShiftCluster check).	Add [apigroup:oauth.openshift.io] tag to test names or [Skipped:MicroShift] label, or add exutil.IsMicroShiftCluster() guard with g.Skip() in test body.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	Two new e2e tests lack SNO protections. The encryption library they use requires rolling updates across multiple instances, making them incompatible with Single Node OpenShift.	Add [Skipped:SingleReplicaTopology] label to test names or guard with exutil.IsSingleNode() check to skip on SNO.
Title check	❓ Inconclusive	The title 'WIP: Fake bump to get credentials in KMS plugin' is vague and unclear. While it mentions KMS plugin and credentials, the phrase 'Fake bump to get credentials' does not clearly convey the actual intent of the changes, which is to switch from fake vault encryption providers to real ones.	Consider revising the title to be more descriptive, such as 'Use real vault encryption provider in KMS encryption tests' to better reflect the actual changes in the pull request.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the modified file are stable and deterministic, containing only static descriptors with no dynamic information.
Test Structure And Quality	✅ Passed	Test file meets quality requirements: single responsibilities, explicit 120m timeouts, meaningful assertion messages in helpers, and consistent with codebase patterns.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies go.mod and a test file (encryption_kms.go); no deployment manifests, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout writes in process-level code (main, init, TestMain); klog redirected to stderr; test changes only involve function parameters inside It() blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; PR only modifies existing tests by switching encryption providers (Fake→Real), with no IPv4 assumptions or external connectivity changes.
No-Weak-Crypto	✅ Passed	PR uses industry-standard encryption (Vault KMS with AES). No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or unsafe constant-time comparisons found.
No-Sensitive-Data-In-Logs	✅ Passed	PR changes contain no logging statements exposing sensitive data. encryption_kms.go only swaps provider configs; go.mod is a dependency update.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: The global go.mod replace redirecting
github.com/openshift/library-go to github.com/bertinatto/library-go (the replace
line) must not be left as an unscoped personal fork: either revert this replace
to restore the upstream module, or restrict it to test/e2e modules or a
temporary tool-specific go.work so production code importing
github.com/openshift/library-go (e.g., pkg/operator/starter.go and other
imports) are unaffected; if you must keep the forked replace, add an in-file
justification comment and a short supply-chain control section in the repo
(linking signed provenance/attestation like Sigstore/cosign, license
compatibility confirmation, and an explicit expiry/scope plan and
reviewer/owner) so maintainers can review the change safely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fde8468e-fc59-4d05-bb8d-b996d10b3924

📥 Commits

Reviewing files that changed from the base of the PR and between 7eccc16 and 3946ad2.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Replace directives =="
rg -n '^\s*replace\s+' go.mod

echo
echo "== library-go imports outside tests (impact scope) =="
rg -n --type go '"github.com/openshift/library-go' -g '!**/vendor/**' -g '!**/*_test.go' -g '!**/test/**' || true

echo
echo "== library-go imports in tests =="
rg -n --type go '"github.com/openshift/library-go' -g '!**/vendor/**' -g '**/*_test.go' -g '**/test/**' || true

Repository: openshift/cluster-authentication-operator

Length of output: 27577

---

Request changes: don’t globally replace github.com/openshift/library-go with an untrusted personal fork without provenance/scope controls

go.mod line 137 adds a global module replace redirecting github.com/openshift/library-go to github.com/bertinatto/library-go v0.0.0-20260529122804-e63c73d0ca68 with no in-file justification. This impacts non-test/production code (e.g., pkg/operator/starter.go imports many github.com/openshift/library-go/... packages), not just e2e/tests.

Provide explicit, reviewable supply-chain rationale and controls (provenance/attestations such as Sigstore/cosign, license compatibility confirmation, and a clear expiry/scope plan), or revert/gate the change to a safer mechanism (not a global go.mod replace to a personal fork).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, The global go.mod replace redirecting
github.com/openshift/library-go to github.com/bertinatto/library-go (the replace
line) must not be left as an unscoped personal fork: either revert this replace
to restore the upstream module, or restrict it to test/e2e modules or a
temporary tool-specific go.work so production code importing
github.com/openshift/library-go (e.g., pkg/operator/starter.go and other
imports) are unaffected; if you must keep the forked replace, add an in-file
justification comment and a short supply-chain control section in the repo
(linking signed provenance/attestation like Sigstore/cosign, license
compatibility confirmation, and an explicit expiry/scope plan and
reviewer/owner) so maintainers can review the change safely.

[openshift-ci]

@bertinatto: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator-encryption	3946ad2	link	true	/test e2e-operator-encryption
ci/prow/e2e-operator	3946ad2	link	true	/test e2e-operator
ci/prow/e2e-gcp-operator-encryption-perf	3946ad2	link	true	/test e2e-gcp-operator-encryption-perf
ci/prow/e2e-aws-operator-encryption-kms	3946ad2	link	false	/test e2e-aws-operator-encryption-kms
ci/prow/e2e-console-login	3946ad2	link	true	/test e2e-console-login

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.