[release-4.21] OCPBUGS-74418: Add KMS test scenarios

[gangwgr]

Backport kms test cases to 4.21

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 310c4d4f-b115-4e69-8af8-1472c9dd19bc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@gangwgr: This pull request references Jira Issue OCPBUGS-74418, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.z) matches configured target version for branch (4.21.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-68343 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-68343 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
• bug has dependents

Requesting review from QA contact:
/cc @gangwgr

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Backport kms test cases to 4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: gangwgr.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@gangwgr: This pull request references Jira Issue OCPBUGS-74418, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.z) matches configured target version for branch (4.21.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-68343 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-68343 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
• bug has dependents

Requesting review from QA contact:
/cc @gangwgr

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Backport kms test cases to 4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ardaguclu]

@gangwgr these need to be fixed;

vet: test/e2e-encryption-kms/encryption_kms_test.go:80:132: undefined: library.SupportedStaticEncryptionProviders
make: *** [vendor/github.com/openshift/build-machinery-go/make/targets/golang/verify-update.mk:27: verify-govet] Error 1
diff -Naup vendor/github.com/openshift/api/authorization/v1/zz_generated.crd-manifests/0000_03_config-operator_01_rolebindingrestrictions.crd.yaml bindata/oauth-openshift/authorization.openshift.io_rolebindingrestrictions.yaml

I think you may need to run make update and run goimport on encryption_kms_test.go

[gangwgr]

/retest

[p0lyn0mial]

this needs to be updated.

/hold

[p0lyn0mial]

/approve
/label backport-risk-assessed

We don't need an SBAR for the TP backport.

This PR matches openshift/cluster-kube-apiserver-operator#2054 and openshift/cluster-openshift-apiserver-operator#656

/assign @liouk

[liouk]

nit: rand.Seed() is a no-op on 1.24, which is the current go version unless I'm mistaken -- we could drop this.

[p0lyn0mial]

see my previous comment.

[liouk]

Instead of randomizing manually, I wonder whether we could leverage go's -test.shuffle -- then we wouldn't have to resort to such hacks, as they're quite fragile. Has this been considered?

[p0lyn0mial]

It looks like this could be replaced.

This change would not only apply specifically to the KMS tests but to all encryption tests.

Here is my proposal since this is a backport PR, let's merge it as it is, and then apply your suggestions to the master branch for all encryption tests across all repositories that use encryption.

[liouk]

nit: list numbering starts at 2

[gangwgr]

/retest

[p0lyn0mial]

this matches the latest commit from https://github.com/openshift/library-go/commits/release-4.21/

[liouk]

/approve

[p0lyn0mial]

/hold cancel
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, liouk, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [liouk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@gangwgr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-rotation	8e2fc3e	link	true	/test e2e-gcp-operator-encryption-rotation
ci/prow/e2e-gcp-operator-encryption-kms	56600da	link	false	/test e2e-gcp-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[gangwgr]

/verified by @gangwgr

[openshift-ci-robot]

@gangwgr: This PR has been marked as verified by @gangwgr.

Details

In response to this:

/verified by @gangwgr

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@gangwgr: Jira Issue OCPBUGS-74418: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

• openshift/api#2670 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-74418 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Backport kms test cases to 4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.21.0-0.nightly-2026-03-11-185944