openshift
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/operator/encryption/controllers/key_controller.go‎
Lines changed: 68 additions & 12 deletions b/‎pkg/operator/encryption/controllers/key_controller.go‎
Lines changed: 68 additions & 12 deletions
diff --git a/‎pkg/operator/encryption/controllers/key_controller_test.go‎
Lines changed: 45 additions & 1 deletion b/‎pkg/operator/encryption/controllers/key_controller_test.go‎
Lines changed: 45 additions & 1 deletion
diff --git a/‎pkg/operator/encryption/encryptionconfig/config.go‎
Lines changed: 24 additions & 0 deletions b/‎pkg/operator/encryption/encryptionconfig/config.go‎
Lines changed: 24 additions & 0 deletions
@@ -34,6 +34,7 @@ require (
 	golang.org/x/net v0.43.0
 	golang.org/x/sys v0.36.0
 	golang.org/x/time v0.9.0
+	google.golang.org/grpc v1.72.1
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	k8s.io/api v0.34.1
@@ -43,6 +44,7 @@ require (
 	k8s.io/client-go v0.34.1
 	k8s.io/component-base v0.34.1
 	k8s.io/klog/v2 v2.130.1
+	k8s.io/kms v0.34.1
 	k8s.io/kube-aggregator v0.34.1
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
@@ -125,11 +127,9 @@ require (
 	golang.org/x/tools v0.36.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.34.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 
@@ -20,13 +20,15 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 
+	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/encryption/crypto"
+	"github.com/openshift/library-go/pkg/operator/encryption/kms"
 	"github.com/openshift/library-go/pkg/operator/encryption/secrets"
 	"github.com/openshift/library-go/pkg/operator/encryption/state"
 	"github.com/openshift/library-go/pkg/operator/encryption/statemachine"
@@ -159,11 +161,46 @@ func (c *keyController) sync(ctx context.Context, syncCtx factory.SyncContext) (
 }
 
 func (c *keyController) checkAndCreateKeys(ctx context.Context, syncContext factory.SyncContext, encryptedGRs []schema.GroupResource) error {
-	currentMode, externalReason, err := c.getCurrentModeAndExternalReason(ctx)
+	currentMode, externalReason, kmsConfig, err := c.getCurrentModeAndExternalReason(ctx)
 	if err != nil {
 		return err
 	}
 
+	// Compute KMS hashes if using KMS mode
+	var kmsConfigHash, kmsKeyIDHash string
+	if currentMode == state.KMS && kmsConfig != nil {
+		kmsConfigHash, err = kms.ComputeKMSConfigHash(kmsConfig)
+		if err != nil {
+			return fmt.Errorf("failed to compute KMS config hash: %w", err)
+		}
+
+		// Generate unix socket path from KMS config
+		socketPath, err := kms.GenerateUnixSocketPath(kmsConfig)
+		if err != nil {
+			return fmt.Errorf("failed to generate KMS unix socket path: %w", err)
+		}
+
+		// Create KMS client and call Status endpoint
+		kmsClient, err := kms.NewKMSClient(ctx, socketPath)
+		if err != nil {
+			return fmt.Errorf("failed to create KMS client: %w", err)
+		}
+		defer kmsClient.Close()
+
+		statusResp, err := kmsClient.Status(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to call KMS Status endpoint: %w", err)
+		}
+
+		// Check if KMS plugin is healthy
+		if statusResp.Healthz != "ok" {
+			return fmt.Errorf("KMS plugin is unhealthy: %s", statusResp.Healthz)
+		}
+
+		// Compute hash of the KeyID returned by KMS
+		kmsKeyIDHash = kms.ComputeKMSKeyIDHash(statusResp.KeyID)
+	}
+
 	currentConfig, desiredEncryptionState, secrets, isProgressingReason, err := statemachine.GetEncryptionConfigAndState(ctx, c.deployer, c.secretClient, c.encryptionSecretSelector, encryptedGRs)
 	if err != nil {
 		return err
@@ -191,7 +228,7 @@ func (c *keyController) checkAndCreateKeys(ctx context.Context, syncContext fact
 
 	var commonReason *string
 	for gr, grKeys := range desiredEncryptionState {
-		latestKeyID, internalReason, needed := needsNewKey(grKeys, currentMode, externalReason, encryptedGRs)
+		latestKeyID, internalReason, needed := needsNewKey(grKeys, currentMode, externalReason, encryptedGRs, kmsConfigHash, kmsKeyIDHash)
 		if !needed {
 			continue
 		}
@@ -218,7 +255,7 @@ func (c *keyController) checkAndCreateKeys(ctx context.Context, syncContext fact
 
 	sort.Sort(sort.StringSlice(reasons))
 	internalReason := strings.Join(reasons, ", ")
-	keySecret, err := c.generateKeySecret(newKeyID, currentMode, internalReason, externalReason)
+	keySecret, err := c.generateKeySecret(newKeyID, currentMode, internalReason, externalReason, kmsConfigHash, kmsKeyIDHash)
 	if err != nil {
 		return fmt.Errorf("failed to create key: %v", err)
 	}
@@ -255,7 +292,7 @@ func (c *keyController) validateExistingSecret(ctx context.Context, keySecret *c
 	return nil // we made this key earlier
 }
 
-func (c *keyController) generateKeySecret(keyID uint64, currentMode state.Mode, internalReason, externalReason string) (*corev1.Secret, error) {
+func (c *keyController) generateKeySecret(keyID uint64, currentMode state.Mode, internalReason, externalReason, kmsConfigHash, kmsKeyIDHash string) (*corev1.Secret, error) {
 	bs := crypto.ModeToNewKeyFunc[currentMode]()
 	ks := state.KeyState{
 		Key: apiserverv1.Key{
@@ -265,40 +302,44 @@ func (c *keyController) generateKeySecret(keyID uint64, currentMode state.Mode,
 		Mode:           currentMode,
 		InternalReason: internalReason,
 		ExternalReason: externalReason,
+		KMSConfigHash:  kmsConfigHash,
+		KMSKeyIDHash:   kmsKeyIDHash,
 	}
 	return secrets.FromKeyState(c.instanceName, ks)
 }
 
-func (c *keyController) getCurrentModeAndExternalReason(ctx context.Context) (state.Mode, string, error) {
+func (c *keyController) getCurrentModeAndExternalReason(ctx context.Context) (state.Mode, string, *configv1.KMSConfig, error) {
 	apiServer, err := c.apiServerClient.Get(ctx, "cluster", metav1.GetOptions{})
 	if err != nil {
-		return "", "", err
+		return "", "", nil, err
 	}
 
 	operatorSpec, _, _, err := c.operatorClient.GetOperatorState()
 	if err != nil {
-		return "", "", err
+		return "", "", nil, err
 	}
 
 	encryptionConfig, err := structuredUnsupportedConfigFrom(operatorSpec.UnsupportedConfigOverrides.Raw, c.unsupportedConfigPrefix)
 	if err != nil {
-		return "", "", err
+		return "", "", nil, err
 	}
 
 	reason := encryptionConfig.Encryption.Reason
 	switch currentMode := state.Mode(apiServer.Spec.Encryption.Type); currentMode {
 	case state.AESCBC, state.AESGCM, state.Identity: // secretbox is disabled for now
-		return currentMode, reason, nil
+		return currentMode, reason, nil, nil
+	case state.KMS:
+		return currentMode, reason, apiServer.Spec.Encryption.KMS, nil
 	case "": // unspecified means use the default (which can change over time)
-		return state.DefaultMode, reason, nil
+		return state.DefaultMode, reason, nil, nil
 	default:
-		return "", "", fmt.Errorf("unknown encryption mode configured: %s", currentMode)
+		return "", "", nil, fmt.Errorf("unknown encryption mode configured: %s", currentMode)
 	}
 }
 
 // needsNewKey checks whether a new key must be created for the given resource. If true, it also returns the latest
 // used key ID and a reason string.
-func needsNewKey(grKeys state.GroupResourceState, currentMode state.Mode, externalReason string, encryptedGRs []schema.GroupResource) (uint64, string, bool) {
+func needsNewKey(grKeys state.GroupResourceState, currentMode state.Mode, externalReason string, encryptedGRs []schema.GroupResource, kmsConfigHash, kmsKeyIDHash string) (uint64, string, bool) {
 	// we always need to have some encryption keys unless we are turned off
 	if len(grKeys.ReadKeys) == 0 {
 		return 0, "key-does-not-exist", currentMode != state.Identity
@@ -346,6 +387,21 @@ func needsNewKey(grKeys state.GroupResourceState, currentMode state.Mode, extern
 		return latestKeyID, "external-reason-changed", true
 	}
 
+	// if we are using KMS, check if the KMS configuration or key ID hash has changed
+	if currentMode == state.KMS {
+		if latestKey.KMSConfigHash != kmsConfigHash && len(kmsConfigHash) != 0 {
+			return latestKeyID, "kms-config-changed", true
+		}
+
+		if latestKey.KMSKeyIDHash != kmsKeyIDHash && len(kmsKeyIDHash) != 0 {
+			return latestKeyID, "kms-key-id-changed", true
+		}
+
+		// For KMS mode, we don't do time-based rotation
+		// KMS keys are rotated externally by the KMS system
+		return 0, "", false
+	}
+
 	// we check for encryptionSecretMigratedTimestamp set by migration controller to determine when migration completed
 	// this also generates back pressure for key rotation when migration takes a long time or was recently completed
 	return latestKeyID, "rotation-interval-has-passed", time.Since(latestKey.Migrated.Timestamp) > encryptionSecretMigrationInterval
 
@@ -495,7 +495,7 @@ func TestGetCurrentModeAndExternalReason(t *testing.T) {
 
 			// act
 			target := keyController{unsupportedConfigPrefix: scenario.prefix, operatorClient: fakeOperatorClient, apiServerClient: fakeApiServerClient}
-			_, externalReason, err := target.getCurrentModeAndExternalReason(context.TODO())
+			_, externalReason, _, err := target.getCurrentModeAndExternalReason(context.TODO())
 
 			// validate
 			if err != nil {
@@ -507,3 +507,47 @@ func TestGetCurrentModeAndExternalReason(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCurrentModeAndExternalReasonWithKMS(t *testing.T) {
+	apiServerWithKMS := &configv1.APIServer{
+		ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+		Spec: configv1.APIServerSpec{
+			Encryption: configv1.APIServerEncryption{
+				Type: "kms",
+				KMS: &configv1.KMSConfig{
+					Type: configv1.AWSKMSProvider,
+					AWS: &configv1.AWSKMSConfig{
+						KeyARN: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
+						Region: "us-east-1",
+					},
+				},
+			},
+		},
+	}
+
+	fakeOperatorClient := v1helpers.NewFakeStaticPodOperatorClient(
+		&operatorv1.StaticPodOperatorSpec{
+			OperatorSpec: operatorv1.OperatorSpec{},
+		}, &operatorv1.StaticPodOperatorStatus{}, nil, nil,
+	)
+	fakeConfigClient := configv1clientfake.NewSimpleClientset(apiServerWithKMS)
+	fakeApiServerClient := fakeConfigClient.ConfigV1().APIServers()
+
+	// act
+	target := keyController{operatorClient: fakeOperatorClient, apiServerClient: fakeApiServerClient}
+	mode, _, kmsConfig, err := target.getCurrentModeAndExternalReason(context.TODO())
+
+	// validate
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if mode != "kms" {
+		t.Errorf("expected mode to be 'kms', got %q", mode)
+	}
+	if kmsConfig == nil {
+		t.Error("expected kmsConfig to be returned, got nil")
+	}
+	if kmsConfig != nil && kmsConfig.Type != configv1.AWSKMSProvider {
+		t.Errorf("expected AWS KMS provider, got %v", kmsConfig.Type)
+	}
+}
@@ -10,6 +10,7 @@ import (
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/library-go/pkg/operator/encryption/crypto"
+	"github.com/openshift/library-go/pkg/operator/encryption/kms"
 	"github.com/openshift/library-go/pkg/operator/encryption/secrets"
 	"github.com/openshift/library-go/pkg/operator/encryption/state"
 )
@@ -106,6 +107,18 @@ func ToEncryptionState(encryptionConfig *apiserverconfigv1.EncryptionConfigurati
 					Mode: s,
 				}
 
+			case provider.KMS != nil:
+				// Extract the config hash from the KMS endpoint path
+				configHash := kms.ExtractHashFromSocketPath(provider.KMS.Endpoint)
+				ks = state.KeyState{
+					Key: apiserverconfigv1.Key{
+						// TODO: we must set key.Name
+						Secret: "",
+					},
+					Mode:          state.KMS,
+					KMSConfigHash: configHash,
+				}
+
 			default:
 				klog.Infof("skipping invalid provider index %d for resource %s", i, resourceConfig.Resources[0])
 				continue // should never happen
@@ -192,6 +205,17 @@ func stateToProviders(desired state.GroupResourceState) []apiserverconfigv1.Prov
 					Keys: []apiserverconfigv1.Key{key.Key},
 				},
 			})
+		case state.KMS:
+			// Generate unix socket endpoint from the config hash
+			endpoint := kms.GenerateUnixSocketPathFromHash(key.KMSConfigHash)
+			providerName := "kms-provider-" + key.KMSConfigHash[:8]
+			providers = append(providers, apiserverconfigv1.ProviderConfiguration{
+				KMS: &apiserverconfigv1.KMSConfiguration{
+					APIVersion: "v2",
+					Name:       providerName,
+					Endpoint:   endpoint,
+				},
+			})
 		default:
 			// this should never happen because our input should always be valid
 			klog.Infof("skipping key %s as it has invalid mode %s", key.Key.Name, key.Mode)