CNTRLPLANE-2247:Adding KMS TestKMSEncryptionOnOff test for AUTH

[gangwgr]

CNTRLPLANE-2247:Adding KMS TestKMSEncryptionOnOff test for AUTH

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-2247 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

CNTRLPLANE-2247:Adding KMS TestKMSEncryptionOnOff test for AUTH

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The PR updates the openshift/library-go dependency to a newer version and implements a full end-to-end KMS encryption test, replacing a placeholder with a complete test flow that deploys a mock KMS plugin and validates token encryption and decryption workflows.

Changes

Cohort / File(s)	Summary
Dependency Updates go.mod	openshift/library-go dependency version bumped from v0.0.0-20260129122340-60005ae435eb to v0.0.0-20260205090821-b15d656dc16c.
KMS Encryption E2E Test test/e2e-encryption-kms/encryption_kms_test.go	Test body replaced with full KMS encryption flow. Adds imports for KMS operations, deploys upstream mock KMS plugin, and configures TestEncryptionTurnOnAndOff with TokenOfLife resource creation, encryption validation, and KMS provider settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ardaguclu]

Why do we need this change?. Isn't this out of scope?

[gangwgr]

my bad i added my network policy feature work in pr

[ardaguclu]

/lgtm

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/e2e-encryption-kms/encryption_kms_test.go`:
- Around line 30-33: The mock KMS deployment is not cleaned up; update
DeployUpstreamMockKMSPlugin (or the test in encryption_kms_test.go) to register
a cleanup with t.Cleanup that deletes the created namespace/resources (the
namespace is librarykms.WellKnownUpstreamMockKMSPluginNamespace and deployment
is created by librarykms.DeployUpstreamMockKMSPlugin); ensure the cleanup uses
the same clients (library.GetClients(t).Kube) to remove the deployed plugin and
namespace so resources are removed after the test to prevent leakage and
cross-test interference.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the implementation of DeployUpstreamMockKMSPlugin
rg -n -C5 'func DeployUpstreamMockKMSPlugin' -g '**/*.go'

Repository: openshift/cluster-authentication-operator

Length of output: 1697

---

🏁 Script executed:

#!/bin/bash
# Read the full DeployUpstreamMockKMSPlugin function implementation
sed -n '54,150p' vendor/github.com/openshift/library-go/test/library/encryption/kms/k8s_mock_kms_plugin_deployer.go

Repository: openshift/cluster-authentication-operator

Length of output: 3557

---

🏁 Script executed:

#!/bin/bash
# Check the test file to see if cleanup is registered after calling DeployUpstreamMockKMSPlugin
sed -n '20,60p' test/e2e-encryption-kms/encryption_kms_test.go

Repository: openshift/cluster-authentication-operator

Length of output: 2148

---

🏁 Script executed:

#!/bin/bash
# Search for cleanup or teardown in the test file
rg -n 'Cleanup|cleanup|teardown|defer' test/e2e-encryption-kms/encryption_kms_test.go

Repository: openshift/cluster-authentication-operator

Length of output: 67

---

🏁 Script executed:

#!/bin/bash
# Find and inspect TestEncryptionTurnOnAndOff to see if it handles KMS plugin cleanup
rg -n 'func TestEncryptionTurnOnAndOff' -g '**/*.go' -A 50

Repository: openshift/cluster-authentication-operator

Length of output: 8979

---

🏁 Script executed:

#!/bin/bash
# Check if the test file has any setup/teardown or suite-level cleanup
rg -n 'TestMain|init|defer|t.Cleanup' test/e2e-encryption-kms/encryption_kms_test.go

Repository: openshift/cluster-authentication-operator

Length of output: 67

---

🏁 Script executed:

#!/bin/bash
# Search for the WellKnownUpstreamMockKMSPluginNamespace constant
rg -n 'WellKnownUpstreamMockKMSPluginNamespace' -g '**/*.go' | head -20

Repository: openshift/cluster-authentication-operator

Length of output: 688

---

Add explicit cleanup for the mock KMS plugin deployment.

DeployUpstreamMockKMSPlugin deploys resources to the "k8s-mock-plugin" namespace but does not register cleanup. The test comment mentions cleanup, but no cleanup code exists in the test or library function. Register t.Cleanup() in DeployUpstreamMockKMSPlugin to delete the namespace/resources, or add explicit cleanup in the test to prevent resource leakage and cross-test interference.

🤖 Prompt for AI Agents

In `@test/e2e-encryption-kms/encryption_kms_test.go` around lines 30 - 33, The
mock KMS deployment is not cleaned up; update DeployUpstreamMockKMSPlugin (or
the test in encryption_kms_test.go) to register a cleanup with t.Cleanup that
deletes the created namespace/resources (the namespace is
librarykms.WellKnownUpstreamMockKMSPluginNamespace and deployment is created by
librarykms.DeployUpstreamMockKMSPlugin); ensure the cleanup uses the same
clients (library.GetClients(t).Kube) to remove the deployed plugin and namespace
so resources are removed after the test to prevent leakage and cross-test
interference.

[gangwgr]

/retest-required

[ardaguclu]

I think failures look same. I suspect that tls changes in library-go causing this. Investigating...
/hold

[ardaguclu]

/retest

[ardaguclu]

/lgtm

[gangwgr]

/retest

[ardaguclu]

/lgtm
/cc @liouk

[ardaguclu]

Failure of e2e-gcp-operator-encryption-kms is expected. Because controllers are not ready to handle KMS encryption type yet (i.e. openshift/library-go#2086).
/verified by openshift/cluster-kube-apiserver-operator#2018
/hold cancel

[openshift-ci-robot]

@ardaguclu: This PR has been marked as verified by https://github.com/openshift/cluster-kube-apiserver-operator/pull/2018.

Details

In response to this:

Failure of e2e-gcp-operator-encryption-kms is expected. Because controllers are not ready to handle KMS encryption type yet (i.e. openshift/library-go#2086).
/verified by openshift/cluster-kube-apiserver-operator#2018
/hold cancel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@gangwgr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-encryption-perf	d6826ab	link	true	/test e2e-gcp-operator-encryption-perf
ci/prow/e2e-gcp-operator-encryption-kms	ea4537d	link	false	/test e2e-gcp-operator-encryption-kms
ci/prow/e2e-gcp-operator-encryption-rotation	d6826ab	link	true	/test e2e-gcp-operator-encryption-rotation

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[gangwgr]

/assign @liouk

[liouk]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, gangwgr, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [liouk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment