diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 59386f7de22..6e9a325a9a0 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -5,7 +5,7 @@ featureGates: - KMSEncryptionProvider tests: onCreate: - - name: Should be able to create encrypt with KMS for AWS with valid values + - name: Should be able to create encrypt with KMS for External with valid endpoint initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -13,10 +13,8 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 + managementModel: External + endpoint: unix:///var/run/kmsplugin/socket.sock expected: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -26,11 +24,9 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - - name: Should fail to create encrypt with KMS for AWS without region + managementModel: External + endpoint: unix:///var/run/kmsplugin/socket.sock + - name: Should fail to create KMS with endpoint not starting with unix:/// initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -38,10 +34,9 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - expectedError: "spec.encryption.kms.aws.region: Required value" + managementModel: External + endpoint: /var/run/kmsplugin/socket.sock + expectedError: "endpoint must follow the format 'unix:///path'" - name: Should not allow kms config with encrypt aescbc initial: | apiVersion: config.openshift.io/v1 
@@ -50,10 +45,8 @@ tests: encryption: type: aescbc kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 + managementModel: External + endpoint: unix:///var/run/kmsplugin/socket.sock expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - name: Should fail to create with an empty KMS config initial: | @@ -63,8 +56,8 @@ tests: encryption: type: KMS kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create with kms type AWS but without aws config + expectedError: "spec.encryption.kms.endpoint: Required value" + - name: Should be able to create with default type when endpoint is provided initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -72,9 +65,29 @@ tests: encryption: type: KMS kms: - type: AWS - expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise" - - name: Should fail to create AWS KMS without a keyARN + endpoint: unix:///var/run/kmsplugin/socket.sock + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + managementModel: External + endpoint: unix:///var/run/kmsplugin/socket.sock + - name: Should fail to create KMS without endpoint + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + managementModel: External + expectedError: "spec.encryption.kms.endpoint: Required value" + - name: Should fail to create KMS with abstract socket endpoint initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
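Review bot: The test name `Should be able to create with default type when endpoint is provided` in the `@@ -63,8 +56,8 @@` hunk still refers to the removed `type` discriminator, while the field whose default it exercises is `managementModel` (the expected object in the following hunk shows `managementModel: External` being filled in). Rename it to `- name: Should be able to create with default managementModel when endpoint is provided` so the case reads correctly against the new schema. The changed expected error for `kms: {}` (`spec.encryption.kms.endpoint: Required value`) matches the `required: [endpoint]` in the generated CRD, so that part looks consistent.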
@@ -82,11 +95,10 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - region: us-east-1 - expectedError: "spec.encryption.kms.aws.keyARN: Required value" - - name: Should fail to create AWS KMS with invalid keyARN format + managementModel: External + endpoint: unix:///@abstractsocket + expectedError: "endpoint must follow the format 'unix:///path'" + - name: Should fail to create KMS with empty endpoint initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -94,12 +106,10 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: not-a-kms-arn - region: us-east-1 - expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - - name: Should fail to create AWS KMS with empty region + managementModel: External + endpoint: "" + expectedError: "spec.encryption.kms.endpoint in body should be at least 9 chars long" + - name: Should fail to create KMS with endpoint containing spaces initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -107,12 +117,10 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "" - expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" - - name: Should fail to create AWS KMS with invalid region format + managementModel: External + endpoint: unix:///var/run/kms plugin/socket.sock + expectedError: "endpoint must follow the format 'unix:///path'" + - name: Should fail to create KMS with abstract socket containing slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
@@ -120,8 +128,6 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "INVALID-REGION" - expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + managementModel: External + endpoint: unix:///@abstract/socket + expectedError: "endpoint must follow the format 'unix:///path'" diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 3293204fa4e..4cfbc96d374 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go 
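Review bot: None of the new endpoint cases exercises the `MaxLength=120` bound that the CRD now carries, although the `MinLength=9` side is covered by the empty-endpoint case. Add a pair of cases with a 120-character and a 121-character `unix:///...` value, the second expecting an error of the form `spec.encryption.kms.endpoint in body should be at most 120 chars long` (same shape as the existing MinLength message). A case with a tab instead of the space in the "containing spaces" value is also worth adding, because the CEL pattern `[^ ]` excludes only the ASCII space, so such a value is currently accepted; the test should pin whichever behaviour is intended. A relative segment such as `unix:///var/run/../kmsplugin/socket.sock` is likewise accepted today and deserves an explicit expectation either way.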
@@ -2,54 +2,33 @@ package v1 // KMSConfig defines the configuration for the KMS instance // that will be used with KMSEncryptionProvider encryption -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" -// +union type KMSConfig struct { - // type defines the kind of platform for the KMS provider. - // Available provider types are AWS only. + // managementModel defines how KMS plugins are managed. + // Valid values are "External". + // When set to External, encryption keys are managed by a user-deployed + // KMS plugin that communicates via UNIX domain socket using KMS V2 API. // - // +unionDiscriminator - // +required - Type KMSProviderType `json:"type"` - - // aws defines the key config for using an AWS KMS instance - // for the encryption. The AWS KMS instance is managed - // by the user outside the purview of the control plane. - // - // +unionMember + // +kubebuilder:validation:Enum=External + // +kubebuilder:default=External // +optional - AWS *AWSKMSConfig `json:"aws,omitempty"` -} + ManagementModel ManagementModel `json:"managementModel,omitempty"` -// AWSKMSConfig defines the KMS config specific to AWS KMS provider -type AWSKMSConfig struct { - // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - // The value must adhere to the format `arn:aws:kms:::key/`, where: - // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - // - `` is a 12-digit numeric identifier for the AWS account. - // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. 
- // - // +kubebuilder:validation:MaxLength=128 - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - // +required - KeyARN string `json:"keyARN"` - // region specifies the AWS region where the KMS instance exists, and follows the format - // `--`, e.g.: `us-east-1`. - // Only lowercase letters and hyphens followed by numbers are allowed. + // endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + // The endpoint must follow the format "unix:///path". + // Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. // - // +kubebuilder:validation:MaxLength=64 - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + // +kubebuilder:validation:MaxLength=120 + // +kubebuilder:validation:MinLength=9 + // +kubebuilder:validation:XValidation:rule="self.matches('^unix:///[^@ ][^ ]*$')",message="endpoint must follow the format 'unix:///path'" // +required - Region string `json:"region"` + Endpoint string `json:"endpoint,omitempty"` } -// KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS -type KMSProviderType string +// ManagementModel describes how the KMS plugin is managed. +// Valid values are "External". 
+type ManagementModel string const ( - // AWSKMSProvider represents a supported KMS provider for use with AWS KMS - AWSKMSProvider KMSProviderType = "AWS" + // External represents a KMS plugin that is managed externally and accessed via unix domain socket + External ManagementModel = "External" ) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..2bc013d5b7f 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
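Review bot: `+kubebuilder:validation:MaxLength=120` on `Endpoint` admits socket paths that Linux cannot connect to: after the 7-byte `unix://` scheme the path may be up to 113 bytes, but `sun_path` is 108 bytes including the terminating NUL, so a value whose path exceeds 107 bytes passes admission and fails only when the apiserver dials the plugin. If the intent is to reject unusable endpoints at the API, tighten it to `// +kubebuilder:validation:MaxLength=114` and add a sentence to the field doc such as `// The path portion is limited to 107 bytes by the Linux sun_path limit.`. Separately, the CEL rule `^unix:///[^@ ][^ ]*$` excludes only the ASCII space, so tabs, newlines and other control characters still validate; `^unix:///[^@[:space:]][^[:space:]]*$` closes that gap without changing any of the accepted values in the test file. The pattern also accepts `.`/`..` segments and a trailing `/`, which is presumably undesirable for a path that ends up in the apiserver's encryption configuration and may be worth rejecting explicitly.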
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..06234ec145e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..42cc785cf53 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index fe8c1122735..083a00ff747 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -45,7 +45,7 @@ func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { if in.KMS != nil { in, out := &in.KMS, &out.KMS *out = new(KMSConfig) - (*in).DeepCopyInto(*out) + **out = **in } return } 
@@ -216,22 +216,6 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. -func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { - if in == nil { - return nil - } - out := new(AWSKMSConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -3568,11 +3552,6 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { *out = *in - if in.AWS != nil { - in, out := &in.AWS, &out.AWS - *out = new(AWSKMSConfig) - **out = **in - } return } diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a3919b9a489..244696dee5c 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml 
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 766ac5ddab3..a68f9ce1c52 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2191,20 +2191,10 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } -var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", -} - -func (AWSKMSConfig) SwaggerDoc() map[string]string { - return map_AWSKMSConfig -} - var map_KMSConfig = map[string]string{ - "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "managementModel": "managementModel defines how KMS plugins are managed. Valid values are \"External\". When set to External, encryption keys are managed by a user-deployed KMS plugin that communicates via UNIX domain socket using KMS V2 API.", + "endpoint": "endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path\". Abstract Linux sockets (i.e. 
\"unix:///@abstractname\") are not supported.", } func (KMSConfig) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 7cbc39c9a45..cdd8f3b905b 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -150,7 +150,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.APIServerStatus": schema_openshift_api_config_v1_APIServerStatus(ref), "github.com/openshift/api/config/v1.AWSDNSSpec": schema_openshift_api_config_v1_AWSDNSSpec(ref), "github.com/openshift/api/config/v1.AWSIngressSpec": schema_openshift_api_config_v1_AWSIngressSpec(ref), - "github.com/openshift/api/config/v1.AWSKMSConfig": schema_openshift_api_config_v1_AWSKMSConfig(ref), "github.com/openshift/api/config/v1.AWSPlatformSpec": schema_openshift_api_config_v1_AWSPlatformSpec(ref), "github.com/openshift/api/config/v1.AWSPlatformStatus": schema_openshift_api_config_v1_AWSPlatformStatus(ref), "github.com/openshift/api/config/v1.AWSResourceTag": schema_openshift_api_config_v1_AWSResourceTag(ref), 
@@ -8647,36 +8646,6 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyARN": { - SchemaProps: spec.SchemaProps{ - Description: "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "region": { - SchemaProps: spec.SchemaProps{ - Description: "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"keyARN", "region"}, - }, - }, - } -} - func schema_openshift_api_config_v1_AWSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -15168,38 +15137,24 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm Description: "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "type": { + "managementModel": { SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - Default: "", + Description: "managementModel defines how KMS plugins are managed. Valid values are \"External\". When set to External, encryption keys are managed by a user-deployed KMS plugin that communicates via UNIX domain socket using KMS V2 API.", Type: []string{"string"}, Format: "", }, }, - "aws": { + "endpoint": { SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", - Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), - }, - }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", - }, + Description: "endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path\". Abstract Linux sockets (i.e. \"unix:///@abstractname\") are not supported.", + Type: []string{"string"}, + Format: "", }, }, }, + Required: []string{"endpoint"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.AWSKMSConfig"}, } } diff --git a/openapi/openapi.json b/openapi/openapi.json index 38dd8f68ff7..020b44c8496 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -4176,26 +4176,6 @@ } ] }, - "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - "type": "object", - "required": [ - "keyARN", - "region" - ], - "properties": { - "keyARN": { - "description": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "type": "string", - "default": "" - }, - "region": { - "description": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.config.v1.AWSPlatformSpec": { "description": "AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", 
@@ -7991,27 +7971,18 @@ "description": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", "type": "object", "required": [ - "type" + "endpoint" ], "properties": { - "aws": { - "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" + "endpoint": { + "description": "endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. The endpoint must follow the format \"unix:///path\". Abstract Linux sockets (i.e. \"unix:///@abstractname\") are not supported.", + "type": "string" }, - "type": { - "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "aws": "AWS" - } + "managementModel": { + "description": "managementModel defines how KMS plugins are managed. Valid values are \"External\". When set to External, encryption keys are managed by a user-deployed KMS plugin that communicates via UNIX domain socket using KMS V2 API.", + "type": "string" } - ] + } }, "com.github.openshift.api.config.v1.KeystoneIdentityProvider": { "description": "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials", 
@@ -9881,7 +9852,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI" }, "policyType": { - "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).", "type": "string", "default": "" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..2bc013d5b7f 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..06234ec145e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
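Review bot: The `+ maxLength: 120` added for `endpoint` admits values whose socket path is longer than the Linux `sun_path` limit (108 bytes including the terminator): after the 7-byte `unix://` prefix a path of up to 113 bytes passes CRD validation but cannot be bound or connected to, so the misconfiguration only surfaces at runtime when the API server dials the KMS plugin. A bound of `maxLength: 114` (prefix plus a 107-character path) would let the CRD reject such values up front; confirm the exact figure against the plugin runtime you target. The CEL pattern `^unix:///[^@ ][^ ]*$` also excludes only the space character, so tabs and newlines are accepted; `self.matches('^unix:///[^@\\s]\\S*$')` would reject all whitespace if that is the intent. These manifests appear to be generated from the API type's validation markers, so the change belongs in the Go type (outside this diff) followed by regeneration, and the same applies to the DevPreviewNoUpgrade and TechPreviewNoUpgrade hunks that follow.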
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..42cc785cf53 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -168,59 +168,30 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + endpoint: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: + endpoint specifies the UNIX domain socket endpoint for communicating with the external KMS plugin. + The endpoint must follow the format "unix:///path". + Abstract Linux sockets (i.e. "unix:///@abstractname") are not supported. 
+ maxLength: 120 + minLength: 9 + type: string + x-kubernetes-validations: + - message: endpoint must follow the format 'unix:///path' + rule: self.matches('^unix:///[^@ ][^ ]*$') + managementModel: + default: External description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + managementModel defines how KMS plugins are managed. + Valid values are "External". + When set to External, encryption keys are managed by a user-deployed + KMS plugin that communicates via UNIX domain socket using KMS V2 API. enum: - - AWS + - External type: string required: - - type + - endpoint type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer.