From bdf3bbffa5e871e5d204d8706f2ca87e4a54954a Mon Sep 17 00:00:00 2001 From: Lukasz Szaszkiewicz Date: Fri, 10 Jul 2026 13:20:59 +0200 Subject: [PATCH 1/2] Add KMS preflight check API to operator/v1 --- .../KMSEncryption.yaml | 350 ++++++++++++++++++ .../KMSEncryption.yaml | 273 ++++++++++++++ .../KMSEncryption.yaml | 273 ++++++++++++++ operator/v1/types_kmsencryption.go | 71 ++++ 4 files changed, 967 insertions(+) diff --git a/operator/v1/tests/authentications.operator.openshift.io/KMSEncryption.yaml b/operator/v1/tests/authentications.operator.openshift.io/KMSEncryption.yaml index 504b8374e37..a3c3bd3ad0a 100644 --- a/operator/v1/tests/authentications.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/tests/authentications.operator.openshift.io/KMSEncryption.yaml @@ -168,3 +168,353 @@ tests: lastCheckedTime: "2026-01-01T00:00:00Z" kekId: kek-1 expectedStatusError: "nodeName must be a lowercase RFC 1123 subdomain" + - name: Should accept preflight with only observedConfigHash and no result + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + expected: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + - name: Should accept preflight with a Succeeded result + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight with a Failed result + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight alongside healthReports + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + oauthAPIServer: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should reject empty preflight + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: {} + expectedStatusError: "should have at least 1 properties" + - name: Should reject observedConfigHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: short + expectedStatusError: "should be at least 8" + - name: Should reject observedConfigHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: TOOLONGXX + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject observedConfigHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: "AA!@#$%^" + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject an invalid preflight result status + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Unknown + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "Unsupported value" + - name: Should reject configHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: short + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "should be at least 8" + - name: Should reject configHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: TOOLONGXX + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject configHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: "AA!@#$%^" + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject empty remoteKeyID + initial: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: Authentication + metadata: + name: cluster + spec: {} + status: + oauthAPIServer: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: "" + expectedStatusError: "should be at least 1" diff --git a/operator/v1/tests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/tests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml index d526f5f3659..b410e79f2b6 100644 --- a/operator/v1/tests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/tests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml @@ -141,3 +141,276 @@ tests: lastCheckedTime: "2026-01-01T00:00:00Z" kekId: kek-1 expectedStatusError: "nodeName must be a lowercase RFC 1123 subdomain" + - name: Should accept preflight with only observedConfigHash and no result + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + expected: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + - name: Should accept preflight with a Succeeded result + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight with a Failed result + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight alongside healthReports + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should reject empty preflight + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: {} + expectedStatusError: "should have at least 1 properties" + - name: Should reject observedConfigHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: short + expectedStatusError: "should be at least 8" + - name: Should reject observedConfigHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: TOOLONGXX + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject observedConfigHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: "AA!@#$%^" + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject an invalid preflight result status + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Unknown + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "Unsupported value" + - name: Should reject configHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: short + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "should be at least 8" + - name: Should reject configHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: TOOLONGXX + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject configHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: "AA!@#$%^" + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject empty remoteKeyID + initial: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: KubeAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: "" + expectedStatusError: "should be at least 1" diff --git a/operator/v1/tests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/tests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml index ca3eb115998..92801e93d79 100644 --- a/operator/v1/tests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/tests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml @@ -141,3 +141,276 @@ tests: lastCheckedTime: "2026-01-01T00:00:00Z" kekId: kek-1 expectedStatusError: "nodeName must be a lowercase RFC 1123 subdomain" + - name: Should accept preflight with only observedConfigHash and no result + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + expected: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + - name: Should accept preflight with a Succeeded result + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight with a Failed result + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Failed + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should accept preflight alongside healthReports + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expected: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: + logLevel: Normal + operatorLogLevel: Normal + status: + encryptionStatus: + healthReports: + - nodeName: node-a + keyId: key-1 + status: Healthy + lastCheckedTime: "2026-01-01T00:00:00Z" + kekId: kek-1 + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + - name: Should reject empty preflight + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: {} + expectedStatusError: "should have at least 1 properties" + - name: Should reject observedConfigHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: short + expectedStatusError: "should be at least 8" + - name: Should reject observedConfigHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: TOOLONGXX + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject observedConfigHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: "AA!@#$%^" + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject an invalid preflight result status + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Unknown + configHash: AQAAAA== + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "Unsupported value" + - name: Should reject configHash shorter than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: short + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "should be at least 8" + - name: Should reject configHash longer than 8 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: TOOLONGXX + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "may not be more than 8 bytes" + - name: Should reject configHash with invalid base64 characters + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: "AA!@#$%^" + remoteKeyID: vault-transit-key-v3 + expectedStatusError: "must be a valid base64url encoded value" + - name: Should reject empty remoteKeyID + initial: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + updated: | + apiVersion: operator.openshift.io/v1 + kind: OpenShiftAPIServer + spec: {} + status: + encryptionStatus: + preflight: + observedConfigHash: AQAAAA== + result: + status: Succeeded + configHash: AQAAAA== + remoteKeyID: "" + expectedStatusError: "should be at least 1" diff --git a/operator/v1/types_kmsencryption.go b/operator/v1/types_kmsencryption.go index a5dcf7d334e..9e9e95072d1 100644 --- a/operator/v1/types_kmsencryption.go +++ b/operator/v1/types_kmsencryption.go @@ -77,4 +77,75 @@ type KMSEncryptionStatus struct { // +listMapKey=nodeName // +listMapKey=keyId HealthReports []KMSPluginHealthReport `json:"healthReports,omitempty"` + + // preflight contains the state of KMS preflight validation for this operator. + // The preflight validates the KMS provider configuration before it is used + // to create a new encryption key, catching configuration issues early such + // as incorrect login credentials or an unreachable Vault service. + // When omitted, no preflight validation is in progress. + // +optional + Preflight KMSPreflightCheck `json:"preflight,omitzero"` +} + +// KMSPreflightCheck describes a preflight validation request and its result. +// +// +openshift:compatibility-gen:level=1 +// +kubebuilder:validation:MinProperties=1 +type KMSPreflightCheck struct { + // observedConfigHash is a hash of the KMS provider configuration and + // its referenced resources that has been observed and requires preflight + // validation before a new encryption key can be created. + // The value must be exactly 8 characters. + // +kubebuilder:validation:MinLength=8 + // +kubebuilder:validation:MaxLength=8 + // +kubebuilder:validation:XValidation:rule="self.matches('^[A-Za-z0-9_-]*={0,2}$')",message="must be a valid base64url encoded value" + // +required + ObservedConfigHash string `json:"observedConfigHash,omitempty"` + + // result contains the outcome of the most recent preflight check. + // Preflight is considered passed when result.status is Succeeded and + // result.configHash matches observedConfigHash. + // When omitted, no preflight check result has been reported yet. + // +optional + Result KMSPreflightResult `json:"result,omitzero"` +} + +// +kubebuilder:validation:Enum=Succeeded;Failed +type KMSPreflightResultStatus string + +const ( + KMSPreflightResultSucceeded KMSPreflightResultStatus = "Succeeded" + + KMSPreflightResultFailed KMSPreflightResultStatus = "Failed" +) + +// KMSPreflightResult contains the outcome of a preflight validation. +// +// +openshift:compatibility-gen:level=1 +type KMSPreflightResult struct { + // status indicates the outcome of the preflight check. + // Succeeded means the KMS plugin responded to Status, Encrypt, and + // Decrypt calls successfully. + // Failed means the validation did not pass. + // +required + Status KMSPreflightResultStatus `json:"status,omitempty"` + + // configHash is the hash of the configuration that was validated. + // This is compared against observedConfigHash to confirm the result + // corresponds to the current configuration. + // The value must be exactly 8 characters. + // +kubebuilder:validation:MinLength=8 + // +kubebuilder:validation:MaxLength=8 + // +kubebuilder:validation:XValidation:rule="self.matches('^[A-Za-z0-9_-]*={0,2}$')",message="must be a valid base64url encoded value" + // +required + ConfigHash string `json:"configHash,omitempty"` + + // remoteKeyID is the remote key encryption key identifier from KMS v2 + // StatusResponse.key_id. This is not a cryptographic key, but a unique + // representation of the remote key used to encrypt data. + // The value must be between 1 and 1024 characters. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + // +required + RemoteKeyID string `json:"remoteKeyID,omitempty"` } From 76b836eb69834859f0488ae2ad0b754fea3cb6fc Mon Sep 17 00:00:00 2001 From: Lukasz Szaszkiewicz Date: Fri, 10 Jul 2026 13:54:57 +0200 Subject: [PATCH 2/2] make update --- .../generated_openapi/zz_generated.openapi.go | 76 ++++++++++++++++++- openapi/openapi.json | 46 +++++++++++ ...01_kubeapiservers-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...ubeapiservers-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...beapiservers-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...enshiftapiservers-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...iftapiservers-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...ftapiservers-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...1_authentications-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...thentications-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...hentications-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ operator/v1/zz_generated.deepcopy.go | 34 +++++++++ .../KMSEncryption.yaml | 67 ++++++++++++++++ .../KMSEncryption.yaml | 67 ++++++++++++++++ .../KMSEncryption.yaml | 67 ++++++++++++++++ operator/v1/zz_generated.model_name.go | 10 +++ .../v1/zz_generated.swagger_doc_generated.go | 22 ++++++ ...01_kubeapiservers-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...ubeapiservers-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...beapiservers-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...enshiftapiservers-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...iftapiservers-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...ftapiservers-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...1_authentications-CustomNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...thentications-DevPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ ...hentications-TechPreviewNoUpgrade.crd.yaml | 67 ++++++++++++++++ 26 files changed, 1594 insertions(+), 1 deletion(-) diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 780af028120..3c071a7e526 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -1202,6 +1202,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA operatorv1.IrreconcilableValidationOverrides{}.OpenAPIModelName(): schema_openshift_api_operator_v1_IrreconcilableValidationOverrides(ref), operatorv1.KMSEncryptionStatus{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KMSEncryptionStatus(ref), operatorv1.KMSPluginHealthReport{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KMSPluginHealthReport(ref), + operatorv1.KMSPreflightCheck{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KMSPreflightCheck(ref), + operatorv1.KMSPreflightResult{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KMSPreflightResult(ref), operatorv1.KubeAPIServer{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KubeAPIServer(ref), operatorv1.KubeAPIServerList{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KubeAPIServerList(ref), operatorv1.KubeAPIServerSpec{}.OpenAPIModelName(): schema_openshift_api_operator_v1_KubeAPIServerSpec(ref), @@ -58552,11 +58554,18 @@ func schema_openshift_api_operator_v1_KMSEncryptionStatus(ref common.ReferenceCa }, }, }, + "preflight": { + SchemaProps: spec.SchemaProps{ + Description: "preflight contains the state of KMS preflight validation for this operator. The preflight validates the KMS provider configuration before it is used to create a new encryption key, catching configuration issues early such as incorrect login credentials or an unreachable Vault service. When omitted, no preflight validation is in progress.", + Default: map[string]interface{}{}, + Ref: ref(operatorv1.KMSPreflightCheck{}.OpenAPIModelName()), + }, + }, }, }, }, Dependencies: []string{ - operatorv1.KMSPluginHealthReport{}.OpenAPIModelName()}, + operatorv1.KMSPluginHealthReport{}.OpenAPIModelName(), operatorv1.KMSPreflightCheck{}.OpenAPIModelName()}, } } @@ -58616,6 +58625,71 @@ func schema_openshift_api_operator_v1_KMSPluginHealthReport(ref common.Reference } } +func schema_openshift_api_operator_v1_KMSPreflightCheck(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "KMSPreflightCheck describes a preflight validation request and its result.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "observedConfigHash": { + SchemaProps: spec.SchemaProps{ + Description: "observedConfigHash is a hash of the KMS provider configuration and its referenced resources that has been observed and requires preflight validation before a new encryption key can be created. The value must be exactly 8 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "result": { + SchemaProps: spec.SchemaProps{ + Description: "result contains the outcome of the most recent preflight check. Preflight is considered passed when result.status is Succeeded and result.configHash matches observedConfigHash. When omitted, no preflight check result has been reported yet.", + Default: map[string]interface{}{}, + Ref: ref(operatorv1.KMSPreflightResult{}.OpenAPIModelName()), + }, + }, + }, + Required: []string{"observedConfigHash"}, + }, + }, + Dependencies: []string{ + operatorv1.KMSPreflightResult{}.OpenAPIModelName()}, + } +} + +func schema_openshift_api_operator_v1_KMSPreflightResult(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "KMSPreflightResult contains the outcome of a preflight validation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status indicates the outcome of the preflight check. Succeeded means the KMS plugin responded to Status, Encrypt, and Decrypt calls successfully. Failed means the validation did not pass.", + Type: []string{"string"}, + Format: "", + }, + }, + "configHash": { + SchemaProps: spec.SchemaProps{ + Description: "configHash is the hash of the configuration that was validated. This is compared against observedConfigHash to confirm the result corresponds to the current configuration. The value must be exactly 8 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "remoteKeyID": { + SchemaProps: spec.SchemaProps{ + Description: "remoteKeyID is the remote key encryption key identifier from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the remote key used to encrypt data. The value must be between 1 and 1024 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"status", "configHash", "remoteKeyID"}, + }, + }, + } +} + func schema_openshift_api_operator_v1_KubeAPIServer(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 8d1b80ca37e..16f54fbbcb1 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -33975,6 +33975,11 @@ "keyId" ], "x-kubernetes-list-type": "map" + }, + "preflight": { + "description": "preflight contains the state of KMS preflight validation for this operator. The preflight validates the KMS provider configuration before it is used to create a new encryption key, catching configuration issues early such as incorrect login credentials or an unreachable Vault service. When omitted, no preflight validation is in progress.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KMSPreflightCheck" } } }, @@ -34014,6 +34019,47 @@ } } }, + "com.github.openshift.api.operator.v1.KMSPreflightCheck": { + "description": "KMSPreflightCheck describes a preflight validation request and its result.", + "type": "object", + "required": [ + "observedConfigHash" + ], + "properties": { + "observedConfigHash": { + "description": "observedConfigHash is a hash of the KMS provider configuration and its referenced resources that has been observed and requires preflight validation before a new encryption key can be created. The value must be exactly 8 characters.", + "type": "string" + }, + "result": { + "description": "result contains the outcome of the most recent preflight check. Preflight is considered passed when result.status is Succeeded and result.configHash matches observedConfigHash. When omitted, no preflight check result has been reported yet.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1.KMSPreflightResult" + } + } + }, + "com.github.openshift.api.operator.v1.KMSPreflightResult": { + "description": "KMSPreflightResult contains the outcome of a preflight validation.", + "type": "object", + "required": [ + "status", + "configHash", + "remoteKeyID" + ], + "properties": { + "configHash": { + "description": "configHash is the hash of the configuration that was validated. This is compared against observedConfigHash to confirm the result corresponds to the current configuration. The value must be exactly 8 characters.", + "type": "string" + }, + "remoteKeyID": { + "description": "remoteKeyID is the remote key encryption key identifier from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the remote key used to encrypt data. The value must be between 1 and 1024 characters.", + "type": "string" + }, + "status": { + "description": "status indicates the outcome of the preflight check. Succeeded means the KMS plugin responded to Status, Encrypt, and Decrypt calls successfully. Failed means the validation did not pass.", + "type": "string" + } + } + }, "com.github.openshift.api.operator.v1.KubeAPIServer": { "description": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml index 57df5e1297f..37b6831596f 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml index 0371d90d7a1..fa289dce14a 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml index bdabdecd350..ea688ff4227 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml index 0a3beba5bf3..d34b121d8e4 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml index 89cb665ff4d..7f1e255e78b 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml index d380fa60f47..ee817702282 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml index a1d80bd5d9d..666a3253960 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml index 9e8ba13fd55..4852e6cbcf2 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml index 03b3daf02a1..219c856cecd 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3c244a9867e..8f7441b6c7c 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -2815,6 +2815,7 @@ func (in *KMSEncryptionStatus) DeepCopyInto(out *KMSEncryptionStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + out.Preflight = in.Preflight return } @@ -2845,6 +2846,39 @@ func (in *KMSPluginHealthReport) DeepCopy() *KMSPluginHealthReport { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSPreflightCheck) DeepCopyInto(out *KMSPreflightCheck) { + *out = *in + out.Result = in.Result + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPreflightCheck. +func (in *KMSPreflightCheck) DeepCopy() *KMSPreflightCheck { + if in == nil { + return nil + } + out := new(KMSPreflightCheck) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSPreflightResult) DeepCopyInto(out *KMSPreflightResult) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSPreflightResult. +func (in *KMSPreflightResult) DeepCopy() *KMSPreflightResult { + if in == nil { + return nil + } + out := new(KMSPreflightResult) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeAPIServer) DeepCopyInto(out *KubeAPIServer) { *out = *in diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml index 5aef084320e..af5f5c55fb0 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/KMSEncryption.yaml @@ -271,6 +271,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml index fc3426a6fec..b93fc90aaf3 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/kubeapiservers.operator.openshift.io/KMSEncryption.yaml @@ -240,6 +240,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml index 01cf4f74a48..c9910145abd 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/openshiftapiservers.operator.openshift.io/KMSEncryption.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/operator/v1/zz_generated.model_name.go b/operator/v1/zz_generated.model_name.go index 271665a7eca..13ab0c5f6f2 100644 --- a/operator/v1/zz_generated.model_name.go +++ b/operator/v1/zz_generated.model_name.go @@ -625,6 +625,16 @@ func (in KMSPluginHealthReport) OpenAPIModelName() string { return "com.github.openshift.api.operator.v1.KMSPluginHealthReport" } +// OpenAPIModelName returns the OpenAPI model name for this type. +func (in KMSPreflightCheck) OpenAPIModelName() string { + return "com.github.openshift.api.operator.v1.KMSPreflightCheck" +} + +// OpenAPIModelName returns the OpenAPI model name for this type. +func (in KMSPreflightResult) OpenAPIModelName() string { + return "com.github.openshift.api.operator.v1.KMSPreflightResult" +} + // OpenAPIModelName returns the OpenAPI model name for this type. func (in KubeAPIServer) OpenAPIModelName() string { return "com.github.openshift.api.operator.v1.KubeAPIServer" diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index 114b5c7a689..1dbaf9d9b96 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go @@ -1390,6 +1390,7 @@ func (InsightsReport) SwaggerDoc() map[string]string { var map_KMSEncryptionStatus = map[string]string{ "healthReports": "healthReports contains all KMS plugin health reports. When omitted, no health reports are available. Each entry must have a unique combination of nodeName and keyId.", + "preflight": "preflight contains the state of KMS preflight validation for this operator. The preflight validates the KMS provider configuration before it is used to create a new encryption key, catching configuration issues early such as incorrect login credentials or an unreachable Vault service. When omitted, no preflight validation is in progress.", } func (KMSEncryptionStatus) SwaggerDoc() map[string]string { @@ -1409,6 +1410,27 @@ func (KMSPluginHealthReport) SwaggerDoc() map[string]string { return map_KMSPluginHealthReport } +var map_KMSPreflightCheck = map[string]string{ + "": "KMSPreflightCheck describes a preflight validation request and its result.", + "observedConfigHash": "observedConfigHash is a hash of the KMS provider configuration and its referenced resources that has been observed and requires preflight validation before a new encryption key can be created. The value must be exactly 8 characters.", + "result": "result contains the outcome of the most recent preflight check. Preflight is considered passed when result.status is Succeeded and result.configHash matches observedConfigHash. When omitted, no preflight check result has been reported yet.", +} + +func (KMSPreflightCheck) SwaggerDoc() map[string]string { + return map_KMSPreflightCheck +} + +var map_KMSPreflightResult = map[string]string{ + "": "KMSPreflightResult contains the outcome of a preflight validation.", + "status": "status indicates the outcome of the preflight check. Succeeded means the KMS plugin responded to Status, Encrypt, and Decrypt calls successfully. Failed means the validation did not pass.", + "configHash": "configHash is the hash of the configuration that was validated. This is compared against observedConfigHash to confirm the result corresponds to the current configuration. The value must be exactly 8 characters.", + "remoteKeyID": "remoteKeyID is the remote key encryption key identifier from KMS v2 StatusResponse.key_id. This is not a cryptographic key, but a unique representation of the remote key used to encrypt data. The value must be between 1 and 1024 characters.", +} + +func (KMSPreflightResult) SwaggerDoc() map[string]string { + return map_KMSPreflightResult +} + var map_KubeAPIServer = map[string]string{ "": "KubeAPIServer provides information to configure an operator to manage kube-apiserver.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml index 57df5e1297f..37b6831596f 100644 --- a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml index 0371d90d7a1..fa289dce14a 100644 --- a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml index bdabdecd350..ea688ff4227 100644 --- a/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml @@ -254,6 +254,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml index 0a3beba5bf3..d34b121d8e4 100644 --- a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-CustomNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml index 89cb665ff4d..7f1e255e78b 100644 --- a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-DevPreviewNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml index d380fa60f47..ee817702282 100644 --- a/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_30_openshift-apiserver_01_openshiftapiservers-TechPreviewNoUpgrade.crd.yaml @@ -221,6 +221,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object generations: description: generations are used to determine when an item needs diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml index a1d80bd5d9d..666a3253960 100644 --- a/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml index 9e8ba13fd55..4852e6cbcf2 100644 --- a/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |- diff --git a/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml index 03b3daf02a1..219c856cecd 100644 --- a/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_authentication_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -376,6 +376,73 @@ spec: - nodeName - keyId x-kubernetes-list-type: map + preflight: + description: |- + preflight contains the state of KMS preflight validation for this operator. + The preflight validates the KMS provider configuration before it is used + to create a new encryption key, catching configuration issues early such + as incorrect login credentials or an unreachable Vault service. + When omitted, no preflight validation is in progress. + minProperties: 1 + properties: + observedConfigHash: + description: |- + observedConfigHash is a hash of the KMS provider configuration and + its referenced resources that has been observed and requires preflight + validation before a new encryption key can be created. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + result: + description: |- + result contains the outcome of the most recent preflight check. + Preflight is considered passed when result.status is Succeeded and + result.configHash matches observedConfigHash. + When omitted, no preflight check result has been reported yet. + properties: + configHash: + description: |- + configHash is the hash of the configuration that was validated. + This is compared against observedConfigHash to confirm the result + corresponds to the current configuration. + The value must be exactly 8 characters. + maxLength: 8 + minLength: 8 + type: string + x-kubernetes-validations: + - message: must be a valid base64url encoded value + rule: self.matches('^[A-Za-z0-9_-]*={0,2}$') + remoteKeyID: + description: |- + remoteKeyID is the remote key encryption key identifier from KMS v2 + StatusResponse.key_id. This is not a cryptographic key, but a unique + representation of the remote key used to encrypt data. + The value must be between 1 and 1024 characters. + maxLength: 1024 + minLength: 1 + type: string + status: + description: |- + status indicates the outcome of the preflight check. + Succeeded means the KMS plugin responded to Status, Encrypt, and + Decrypt calls successfully. + Failed means the validation did not pass. + enum: + - Succeeded + - Failed + type: string + required: + - configHash + - remoteKeyID + - status + type: object + required: + - observedConfigHash + type: object type: object latestAvailableRevision: description: |-