Mock KMS status call and add extensive KMS tests

ardaguclu · ardaguclu · commit 34f1117e5ead · 2025-10-27T11:16:05.000+03:00
diff --git a/pkg/operator/encryption/controllers/key_controller.go b/pkg/operator/encryption/controllers/key_controller.go
@@ -41,6 +41,11 @@ import (
 // greater than the last key's ID (the first key has a key ID of 1).
 const encryptionSecretMigrationInterval = time.Hour * 24 * 7 // one week
 
+// kmsHashesGetter is a function type for getting KMS config and key ID hashes
+type kmsHashesGetter func(ctx context.Context, kmsConfig *configv1.KMSConfig) (configHash string, keyIDHash string, err error)
+
+var kmsHashesGetterFunc kmsHashesGetter
+
 // keyController creates new keys if necessary. It
 // * watches
 //   - secrets in openshift-config-managed
@@ -106,6 +111,8 @@ func NewKeyController(
 		secretClient:             secretClient,
 	}
 
+	kmsHashesGetterFunc = defaultGetKMSHashes
+
 	return factory.New().
 		WithSync(c.sync).
 		WithControllerInstanceName(c.controllerInstanceName).
@@ -169,7 +176,7 @@ func (c *keyController) checkAndCreateKeys(ctx context.Context, syncContext fact
 	// Compute KMS hashes if using KMS mode
 	var kmsConfigHash, kmsKeyIDHash string
 	if currentMode == state.KMS && kmsConfig != nil {
-		kmsConfigHash, kmsKeyIDHash, err = c.getKMSHashes(ctx, kmsConfig)
+		kmsConfigHash, kmsKeyIDHash, err = kmsHashesGetterFunc(ctx, kmsConfig)
 		if err != nil {
 			return err
 		}
@@ -311,7 +318,9 @@ func (c *keyController) getCurrentModeAndExternalReason(ctx context.Context) (st
 	}
 }
 
-func (c *keyController) getKMSHashes(ctx context.Context, kmsConfig *configv1.KMSConfig) (string, string, error) {
+// defaultGetKMSHashes is the default implementation of getting KMS hashes
+// It calls the real KMS client to get the status and compute hashes
+func defaultGetKMSHashes(ctx context.Context, kmsConfig *configv1.KMSConfig) (string, string, error) {
 	// Generate unix socket path from KMS config and get the hash
 	socketPath, configHash, err := kms.GenerateUnixSocketPath(kmsConfig)
 	if err != nil {
diff --git a/pkg/operator/encryption/controllers/key_controller_test.go b/pkg/operator/encryption/controllers/key_controller_test.go
@@ -53,6 +53,8 @@ func TestKeyController(t *testing.T) {
 		validateFunc               func(ts *testing.T, actions []clientgotesting.Action, targetNamespace string, targetGRs []schema.GroupResource)
 		validateOperatorClientFunc func(ts *testing.T, operatorClient v1helpers.OperatorClient)
 		expectedError              error
+		kmsConfigHash              string
+		kmsKeyIDHash               string
 	}{
 		{
 			name: "no apiservers config",
@@ -324,6 +326,253 @@ func TestKeyController(t *testing.T) {
 				}
 			},
 		},
+
+		// KMS mode test cases
+		{
+			name: "KMS: creates first encryption key when none exists",
+			targetGRs: []schema.GroupResource{
+				{Group: "", Resource: "secrets"},
+			},
+			kmsConfigHash: "config-hash-12345678",
+			kmsKeyIDHash:  "key-id-hash-abcdefgh",
+			initialObjects: []runtime.Object{
+				encryptiontesting.CreateDummyKubeAPIPod("kube-apiserver-1", "kms", "node-1"),
+			},
+			apiServerObjects: []runtime.Object{
+				func() *configv1.APIServer {
+					apiServer := &configv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "cluster"}}
+					apiServer.Spec.Encryption = configv1.APIServerEncryption{
+						Type: "kms",
+						KMS: &configv1.KMSConfig{
+							Type: configv1.AWSKMSProvider,
+							AWS: &configv1.AWSKMSConfig{
+								KeyARN: "arn:aws:kms:us-east-1:123456789012:key/test-key",
+								Region: "us-east-1",
+							},
+						},
+					}
+					return apiServer
+				}(),
+			},
+			targetNamespace: "kms",
+			expectedActions: []string{
+				"list:pods:kms",
+				"get:secrets:kms",
+				"list:secrets:openshift-config-managed",
+				"create:secrets:openshift-config-managed",
+				"create:events:kms",
+			},
+			validateFunc: func(ts *testing.T, actions []clientgotesting.Action, targetNamespace string, targetGRs []schema.GroupResource) {
+				wasSecretValidated := false
+				for _, action := range actions {
+					if action.Matches("create", "secrets") {
+						createAction := action.(clientgotesting.CreateAction)
+						actualSecret := createAction.GetObject().(*corev1.Secret)
+
+						// Verify KMS annotations are set
+						if actualSecret.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"] == "" {
+							ts.Error("expected KMS config hash annotation to be set")
+						}
+						if actualSecret.Annotations["encryption.apiserver.operator.openshift.io/kms-key-id-hash"] == "" {
+							ts.Error("expected KMS key ID hash annotation to be set")
+						}
+						if actualSecret.Annotations["encryption.apiserver.operator.openshift.io/mode"] != "kms" {
+							ts.Errorf("expected mode to be 'kms', got '%s'", actualSecret.Annotations["encryption.apiserver.operator.openshift.io/mode"])
+						}
+
+						wasSecretValidated = true
+						break
+					}
+				}
+				if !wasSecretValidated {
+					ts.Errorf("the secret wasn't created and validated")
+				}
+			},
+		},
+
+		{
+			name: "KMS: creates new key when KMS config hash changes",
+			targetGRs: []schema.GroupResource{
+				{Group: "", Resource: "secrets"},
+			},
+			kmsConfigHash: "new-config-hash-xyz", // Different hash for new key ARN
+			kmsKeyIDHash:  "key-id-hash-abcd1234",
+			initialObjects: []runtime.Object{
+				encryptiontesting.CreateDummyKubeAPIPod("kube-apiserver-1", "kms", "node-1"),
+				func() *corev1.Secret {
+					s := encryptiontesting.CreateEncryptionKeySecretNoDataWithMode("kms", []schema.GroupResource{{Group: "", Resource: "secrets"}}, 1, "kms")
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"] = "old-config-hash-1234"
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-key-id-hash"] = "key-id-hash-abcd1234"
+					return s
+				}(),
+			},
+			apiServerObjects: []runtime.Object{
+				func() *configv1.APIServer {
+					apiServer := &configv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "cluster"}}
+					apiServer.Spec.Encryption = configv1.APIServerEncryption{
+						Type: "kms",
+						KMS: &configv1.KMSConfig{
+							Type: configv1.AWSKMSProvider,
+							AWS: &configv1.AWSKMSConfig{
+								KeyARN: "arn:aws:kms:us-east-1:123456789012:key/new-key", // Different key
+								Region: "us-east-1",
+							},
+						},
+					}
+					return apiServer
+				}(),
+			},
+			targetNamespace: "kms",
+			expectedActions: []string{
+				"list:pods:kms",
+				"get:secrets:kms",
+				"list:secrets:openshift-config-managed",
+				"create:secrets:openshift-config-managed",
+				"create:events:kms",
+			},
+			validateFunc: func(ts *testing.T, actions []clientgotesting.Action, targetNamespace string, targetGRs []schema.GroupResource) {
+				wasSecretValidated := false
+				for _, action := range actions {
+					if action.Matches("create", "secrets") {
+						createAction := action.(clientgotesting.CreateAction)
+						actualSecret := createAction.GetObject().(*corev1.Secret)
+
+						// Verify new KMS config hash is set and different from old
+						newConfigHash := actualSecret.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"]
+						if newConfigHash == "" || newConfigHash == "old-config-hash-1234" {
+							ts.Errorf("expected new KMS config hash, got '%s'", newConfigHash)
+						}
+
+						// Verify internal reason mentions config change
+						internalReason := actualSecret.Annotations["encryption.apiserver.operator.openshift.io/internal-reason"]
+						if internalReason != "secrets-kms-config-changed" {
+							ts.Errorf("expected internal reason 'secrets-kms-config-changed', got '%s'", internalReason)
+						}
+
+						wasSecretValidated = true
+						break
+					}
+				}
+				if !wasSecretValidated {
+					ts.Errorf("the secret wasn't created and validated")
+				}
+			},
+		},
+
+		{
+			name: "KMS: creates new key when KMS key ID hash changes (key rotation)",
+			targetGRs: []schema.GroupResource{
+				{Group: "", Resource: "secrets"},
+			},
+			kmsConfigHash: "config-hash-12345678",
+			kmsKeyIDHash:  "new-key-id-hash-xyz",
+			initialObjects: []runtime.Object{
+				encryptiontesting.CreateDummyKubeAPIPod("kube-apiserver-1", "kms", "node-1"),
+				func() *corev1.Secret {
+					s := encryptiontesting.CreateEncryptionKeySecretNoDataWithMode("kms", []schema.GroupResource{{Group: "", Resource: "secrets"}}, 1, "kms")
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"] = "config-hash-12345678"
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-key-id-hash"] = "old-key-id-hash-abc"
+					return s
+				}(),
+			},
+			apiServerObjects: []runtime.Object{
+				func() *configv1.APIServer {
+					apiServer := &configv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "cluster"}}
+					apiServer.Spec.Encryption = configv1.APIServerEncryption{
+						Type: "kms",
+						KMS: &configv1.KMSConfig{
+							Type: configv1.AWSKMSProvider,
+							AWS: &configv1.AWSKMSConfig{
+								KeyARN: "arn:aws:kms:us-east-1:123456789012:key/test-key",
+								Region: "us-east-1",
+							},
+						},
+					}
+					return apiServer
+				}(),
+			},
+			targetNamespace: "kms",
+			expectedActions: []string{
+				"list:pods:kms",
+				"get:secrets:kms",
+				"list:secrets:openshift-config-managed",
+				"create:secrets:openshift-config-managed",
+				"create:events:kms",
+			},
+			validateFunc: func(ts *testing.T, actions []clientgotesting.Action, targetNamespace string, targetGRs []schema.GroupResource) {
+				wasSecretValidated := false
+				for _, action := range actions {
+					if action.Matches("create", "secrets") {
+						createAction := action.(clientgotesting.CreateAction)
+						actualSecret := createAction.GetObject().(*corev1.Secret)
+
+						// Verify new KMS key ID hash is set and different from old
+						newKeyIDHash := actualSecret.Annotations["encryption.apiserver.operator.openshift.io/kms-key-id-hash"]
+						if newKeyIDHash == "" || newKeyIDHash == "old-key-id-hash-abc" {
+							ts.Errorf("expected new KMS key ID hash, got '%s'", newKeyIDHash)
+						}
+
+						// Verify config hash stays the same
+						configHash := actualSecret.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"]
+						if configHash != "config-hash-12345678" {
+							ts.Errorf("expected config hash to remain 'config-hash-12345678', got '%s'", configHash)
+						}
+
+						// Verify internal reason mentions key ID change
+						internalReason := actualSecret.Annotations["encryption.apiserver.operator.openshift.io/internal-reason"]
+						if internalReason != "secrets-kms-key-id-changed" {
+							ts.Errorf("expected internal reason 'secrets-kms-key-id-changed', got '%s'", internalReason)
+						}
+
+						wasSecretValidated = true
+						break
+					}
+				}
+				if !wasSecretValidated {
+					ts.Errorf("the secret wasn't created and validated")
+				}
+			},
+		},
+
+		{
+			name: "KMS: no-op when hashes match and key is migrated",
+			targetGRs: []schema.GroupResource{
+				{Group: "", Resource: "secrets"},
+			},
+			kmsConfigHash: "config-hash-12345678",
+			kmsKeyIDHash:  "key-id-hash-abcdefgh",
+			initialObjects: []runtime.Object{
+				encryptiontesting.CreateDummyKubeAPIPod("kube-apiserver-1", "kms", "node-1"),
+				func() *corev1.Secret {
+					s := encryptiontesting.CreateEncryptionKeySecretNoDataWithMode("kms", []schema.GroupResource{{Group: "", Resource: "secrets"}}, 1, "kms")
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-config-hash"] = "config-hash-12345678"
+					s.Annotations["encryption.apiserver.operator.openshift.io/kms-key-id-hash"] = "key-id-hash-abcdefgh"
+					return s
+				}(),
+			},
+			apiServerObjects: []runtime.Object{
+				func() *configv1.APIServer {
+					apiServer := &configv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "cluster"}}
+					apiServer.Spec.Encryption = configv1.APIServerEncryption{
+						Type: "kms",
+						KMS: &configv1.KMSConfig{
+							Type: configv1.AWSKMSProvider,
+							AWS: &configv1.AWSKMSConfig{
+								KeyARN: "arn:aws:kms:us-east-1:123456789012:key/test-key",
+								Region: "us-east-1",
+							},
+						},
+					}
+					return apiServer
+				}(),
+			},
+			targetNamespace: "kms",
+			expectedActions: []string{
+				"list:pods:kms",
+				"get:secrets:kms",
+				"list:secrets:openshift-config-managed",
+			},
+		},
 	}
 
 	for _, scenario := range scenarios {
@@ -375,6 +624,12 @@ func TestKeyController(t *testing.T) {
 
 			target := NewKeyController(scenario.targetNamespace, nil, provider, deployer, alwaysFulfilledPreconditions, fakeOperatorClient, fakeApiServerClient, fakeApiServerInformer, kubeInformers, fakeSecretClient, scenario.encryptionSecretSelector, eventRecorder)
 
+			if scenario.kmsConfigHash != "" || scenario.kmsKeyIDHash != "" {
+				kmsHashesGetterFunc = func(ctx context.Context, kmsConfig *configv1.KMSConfig) (string, string, error) {
+					return scenario.kmsConfigHash, scenario.kmsKeyIDHash, nil
+				}
+			}
+
 			// act
 			err = target.Sync(context.TODO(), factory.NewSyncContext("test", eventRecorder))
 
