NO-JIRA: Encapsulate provider specific logic in key controller

[ardaguclu]

As requested in #2192 (comment)

Summary by CodeRabbit

• Refactor
  • Restructured KMS provider configuration handling with improved abstraction layer for encryption key controller.

[openshift-ci-robot]

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

As requested in #2192 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f53d5d77-06f8-4f01-a309-92f4ccce2a46

📥 Commits

Reviewing files that changed from the base of the PR and between 7fd5f33 and 6436dde.

📒 Files selected for processing (2)

• pkg/operator/encryption/controllers/key_controller.go
• pkg/operator/encryption/controllers/key_controller_test.go

---

Walkthrough

The PR refactors KMS provider configuration handling in the encryption key controller by introducing a provider-agnostic abstraction layer. Direct helper function calls are replaced with a kmsProviderConfig interface and newKMSProviderConfig factory, with a Vault-specific implementation handling authentication and TLS validation.

Changes

KMS Provider Configuration Abstraction

Layer / File(s)	Summary
KMS Provider Configuration Abstraction pkg/operator/encryption/controllers/key_controller.go	Introduces kmsProviderConfig interface and newKMSProviderConfig factory function with plugin type validation; implements vaultProviderConfig with Vault AppRole and CABundle configuration logic and unsupported authentication type error handling.
Key-Secret Generation Integration pkg/operator/encryption/controllers/key_controller.go	generateKeySecret now constructs provider configuration via the factory and retrieves referenced Secret/ConfigMap names and expected keys through provider interface methods instead of standalone helpers; error propagation and resource lookup logic remain unchanged.
Provider Configuration Tests pkg/operator/encryption/controllers/key_controller_test.go	TestReferencedSecretName and TestReferencedConfigMapName now test the new factory function and provider config interface methods, with early-return error handling for factory construction failures and unchanged assertions for referenced resource names and data keys.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main refactoring objective: encapsulating provider-specific logic through a new KMS provider abstraction and factory pattern in the key controller.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The test file contains only traditional Go unit tests (TestKeyController, TestReferencedSecretName, TestReferencedConfigMapName, TestGetCurrentModeReasonAndEncryptionConfig), not Ginkgo tests. No G...
Test Structure And Quality	✅ Passed	Test file uses standard Go testing library, not Ginkgo. Custom check is specifically for Ginkgo test code and is therefore not applicable to this PR.
Microshift Test Compatibility	✅ Passed	The custom check for MicroShift test compatibility applies only to new Ginkgo e2e tests. This PR contains no new Ginkgo e2e tests—it only refactors existing Go unit tests in pkg/operator/encryption...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to standard Go unit tests in key_controller_test.go, which are refactored to use a new KMS provider config abstraction. Check not a...
Topology-Aware Scheduling Compatibility	✅ Passed	PR refactors KMS provider logic in the encryption key controller. It contains no deployment manifests, pod scheduling constraints, affinity rules, replica counts, or topology-related features.
Ote Binary Stdout Contract	✅ Passed	The PR modifies controller library code in openshift/library-go, which is a shared library package with no OTE binary entry points. The check applies only to OTE binaries with process-level entry p...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The modified tests are standard Go unit tests using fake Kubernetes clients with no IPv4 assumptions or external connectivity requirements.
No-Weak-Crypto	✅ Passed	PR introduces KMS provider abstraction in key_controller.go/test.go with no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), no custom crypto implementations, and no non-constant-time secret...
Container-Privileges	✅ Passed	PR contains only Go source code refactoring in encryption controller package, with no Kubernetes manifest files or container security context configurations being modified or introduced.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging detected. PR only logs resource names, key names, encryption modes, and provider types—never exposing actual secret values, tokens, credentials, or authentication data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[p0lyn0mial]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS [ardaguclu,p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.