Expand Up @@ -76,5 +76,6 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise"
55 changes: 55 additions & 0 deletions config/v1/tests/apiservers.config.openshift.io/VaultKMS.yaml
Expand Up @@ -23,6 +23,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key
expected: |
apiVersion: config.openshift.io/v1
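Review bot: every hunk in this file sets `transitMount: transit`, the value that was previously the implicit default, so the accepted cases never exercise a mount path containing a separator (e.g. `kv/transit`), which the field's own rule `self.matches('^[a-zA-Z0-9._~/-]+$')` explicitly permits, and no visible case hits the leading-slash, trailing-slash or `//` rejections. Now that the field has to be spelled out in every object, one accepted nested-path case and the three rejection cases belong in this file if they are not already present in the collapsed regions.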
Expand All @@ -42,6 +43,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key

- name: Should accept kmsPluginImage with simple two-level path like quay.io/vault/kms-plugin
Expand All @@ -61,6 +63,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key
expected: |
apiVersion: config.openshift.io/v1
Expand All @@ -80,6 +83,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key

- name: Should be able to create with full Vault KMS Plugin config including all optional fields
Expand Down Expand Up @@ -150,6 +154,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key
expected: |
apiVersion: config.openshift.io/v1
Expand All @@ -169,6 +174,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key

- name: Should accept kmsPluginImage with deep multi-level namespace path
Expand All @@ -188,6 +194,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key
expected: |
apiVersion: config.openshift.io/v1
Expand All @@ -207,6 +214,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-encryption-key

# RFC 3986 unreserved character tests
Expand Down Expand Up @@ -307,6 +315,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: encryption.key.v1
expected: |
apiVersion: config.openshift.io/v1
Expand All @@ -326,6 +335,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: encryption.key.v1

- name: Should reject transitKey with tilde character
Expand All @@ -345,6 +355,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: key~backup
expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"

Expand Down Expand Up @@ -375,9 +386,31 @@ tests:
vaultAddress: https://vault.example.com:8200
authentication:
type: AppRole
transitMount: transit
transitKey: my-key
expectedError: "appRole config is required when authentication type is AppRole"

# transitMount required field validation
- name: Should reject Vault KMS config without transitMount
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms:
type: Vault
vault:
kmsPluginImage: registry.example.com/vault-plugin@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
vaultAddress: https://vault.example.com:8200
authentication:
type: AppRole
appRole:
secret:
name: vault-approle
transitKey: my-key
expectedError: "Required value"

# kmsPluginImage validation tests
- name: Should reject kmsPluginImage with tag instead of digest
initial: |
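Review bot: `expectedError: "Required value"` on the new `Should reject Vault KMS config without transitMount` case is the generic message the API server emits for any missing required field; `vaultAddress`, `kmsPluginImage`, `transitKey` or `authentication` going missing would produce the same substring, so the test would keep passing if `transitMount` silently became optional again. Put the field path in the expected error (e.g. `spec.encryption.kms.vault.transitMount: Required value`), and add the sibling case `transitMount: ""`, which is rejected by `minLength: 1` rather than by `required` and therefore reports a different message.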
Expand All @@ -396,6 +429,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "the OCI Image reference must end with a valid '@sha256:<digest>' suffix"

Expand All @@ -416,6 +450,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "the OCI Image name should follow the host[:port][/namespace]/name format"

Expand All @@ -436,6 +471,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "the OCI Image reference must end with a valid '@sha256:<digest>' suffix, where '<digest>' is 64 characters long"

Expand All @@ -457,6 +493,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "must use the 'https' scheme"

Expand All @@ -477,6 +514,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "must not contain a path"

Expand All @@ -497,6 +535,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "must not have a query"

Expand All @@ -517,6 +556,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "must not have a fragment"

Expand All @@ -537,6 +577,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "must not have user info"

Expand All @@ -559,6 +600,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot end with a forward slash"

Expand All @@ -580,6 +622,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot contain spaces"

Expand All @@ -601,6 +644,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand All @@ -622,6 +666,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand All @@ -643,6 +688,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand All @@ -664,6 +710,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand All @@ -685,6 +732,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand All @@ -706,6 +754,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "vaultNamespace cannot be a reserved string"

Expand Down Expand Up @@ -812,6 +861,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my encryption key
expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"

Expand All @@ -832,6 +882,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my/key
expectedError: "transitKey cannot contain forward slashes"

Expand Down Expand Up @@ -873,6 +924,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my@key
expectedError: "transitKey must only contain alphanumeric characters, hyphens, periods, and underscores"

Expand All @@ -896,6 +948,7 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "serverName must be a valid DNS hostname"

Expand All @@ -917,6 +970,7 @@ tests:
appRole:
secret:
name: invalid_secret_name!
transitMount: transit
transitKey: my-key
expectedError: "name must be a valid DNS subdomain name"

Expand All @@ -940,5 +994,6 @@ tests:
appRole:
secret:
name: vault-approle
transitMount: transit
transitKey: my-key
expectedError: "name must be a valid DNS subdomain name"
18 changes: 7 additions & 11 deletions config/v1/types_kmsencryption.go
Expand Up @@ -114,7 +114,7 @@ const (
type VaultAppRoleAuthentication struct {
// secret references a secret in the openshift-config namespace containing
// the AppRole credentials used to authenticate with Vault.
// The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
// The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
//
// +required
Secret VaultSecretReference `json:"secret,omitzero"`
Expand Down Expand Up @@ -193,22 +193,18 @@ type VaultKMSPluginConfig struct {

// transitMount specifies the mount path of the Vault Transit engine.
//
// When omitted, this means the user has no opinion and the platform is left
// to choose a reasonable default. These defaults are subject to change over time.
// The current default is "transit".
//
// The transit mount must be between 1 and 1024 characters when specified, cannot start or
// end with a forward slash, cannot contain consecutive forward slashes, and must only contain
// RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward
// slashes as path separators.
// The transit mount must be between 1 and 1024 characters, cannot start or
// end with a forward slash, cannot contain consecutive forward slashes, and
// must only contain RFC 3986 unreserved characters (alphanumeric, hyphen,
// period, underscore, tilde) and forward slashes as path separators.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:XValidation:rule="!self.startsWith('/')",message="transitMount cannot start with a forward slash"
// +kubebuilder:validation:XValidation:rule="!self.endsWith('/')",message="transitMount cannot end with a forward slash"
// +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="transitMount cannot contain consecutive forward slashes"
// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._~/-]+$')",message="transitMount must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward slashes"
// +optional
// +required
TransitMount string `json:"transitMount,omitempty"`

// transitKey specifies the name of the encryption key in Vault's Transit engine.
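Review bot: the json tag on the last changed line of this hunk still reads `json:"transitMount,omitempty"` while the marker directly above it was flipped from `+optional` to `+required`; the `Secret` field earlier in this file pairs `+required` with `omitzero`, and a required string that is dropped on marshal when empty means a Go client that leaves `TransitMount` unset sends no field at all and receives the CRD's generic `Required value` rejection instead of the `minLength` or `transitMount cannot ...` messages this type defines, so drop `omitempty` here or note why it stays. Separately, the deleted lines removed the documented default of "transit"; if any released version served this field as optional, `APIServer` objects persisted without it will fail validation on their next update once the CRD lists it under `required`, so the PR description should state the compatibility story (feature gate still in preview, or how existing objects get the value).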
Expand All @@ -230,7 +226,7 @@ type VaultKMSPluginConfig struct {
type VaultTLSConfig struct {
// caBundle references a ConfigMap in the openshift-config namespace containing
// the CA certificate bundle used to verify the TLS connection to the Vault server.
// The ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
// The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
// When this field is not set, the system's trusted CA certificates are used.
//
// The namespace for the ConfigMap is openshift-config.
Expand Down
Expand Up @@ -196,7 +196,7 @@ spec:
description: |-
secret references a secret in the openshift-config namespace containing
the AppRole credentials used to authenticate with Vault.
The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID.
properties:
name:
description: |-
Expand Down Expand Up @@ -276,7 +276,7 @@ spec:
description: |-
caBundle references a ConfigMap in the openshift-config namespace containing
the CA certificate bundle used to verify the TLS connection to the Vault server.
The ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
When this field is not set, the system's trusted CA certificates are used.

The namespace for the ConfigMap is openshift-config.
Expand Down Expand Up @@ -349,14 +349,10 @@ spec:
description: |-
transitMount specifies the mount path of the Vault Transit engine.

When omitted, this means the user has no opinion and the platform is left
to choose a reasonable default. These defaults are subject to change over time.
The current default is "transit".

The transit mount must be between 1 and 1024 characters when specified, cannot start or
end with a forward slash, cannot contain consecutive forward slashes, and must only contain
RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward
slashes as path separators.
The transit mount must be between 1 and 1024 characters, cannot start or
end with a forward slash, cannot contain consecutive forward slashes, and
must only contain RFC 3986 unreserved characters (alphanumeric, hyphen,
period, underscore, tilde) and forward slashes as path separators.
maxLength: 1024
minLength: 1
type: string
Expand Down Expand Up @@ -423,6 +419,7 @@ spec:
- authentication
- kmsPluginImage
- transitKey
- transitMount
- vaultAddress
type: object
required:
Expand Down