kms: Add unsupported config for vault kms plugin log level

[kevinrizza]

This pull request adds support for configuring the vault kms plugin's log-level via the unsupportedconfigoverrides API.

Additionally, it adds the wiring for unsupportedconfigoverrides in general for the kms plugin sidecars, which will allow us to add additional unsupported overrides in the future.

The shape of that object is defined to look like this:

encryption:
    kms:
      vault:
        logLevel: "debug"

For example, you can patch the openshift aggregated apiserver's config like this through a terminal:

oc patch openshiftapiserver cluster --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"encryption":{"kms":{"vault":{"logLevel":"debug-extended"}}}}}}'

Summary by CodeRabbit

• New Features

  • Vault KMS plugins now accept unsupported KMS configuration to enable configurable Vault plugin log levels for improved troubleshooting.

• Refactor

  • KMS sidecar injection now propagates custom/unsupported configuration through the injection pipeline.

• Tests

  • Added unit tests covering parsing of unsupported config and sidecar behavior with/without log-level overrides.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 73a05c84-d875-4e3c-ba2c-ced78c778a6b

📥 Commits

Reviewing files that changed from the base of the PR and between b115e9e and 42a0e5f.

📒 Files selected for processing (6)

• pkg/operator/encryption/kms/pluginlifecycle/sidecar.go
• pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
• pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go
• pkg/operator/encryption/kms/pluginlifecycle/unsupported_config_test.go
• pkg/operator/encryption/kms/pluginlifecycle/vault.go
• pkg/operator/encryption/kms/pluginlifecycle/vault_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
• pkg/operator/encryption/kms/pluginlifecycle/vault.go
• pkg/operator/encryption/kms/pluginlifecycle/vault_test.go
• pkg/operator/encryption/kms/pluginlifecycle/unsupported_config_test.go
• pkg/operator/encryption/kms/pluginlifecycle/sidecar.go

---

Walkthrough

This PR threads an unsupportedConfig []byte through KMS sidecar injection entrypoints, parses it to extract encryption.kms.vault.logLevel, and conditionally appends -log-level=... to the Vault sidecar container args; tests added/updated accordingly.

Changes

KMS Vault logLevel configuration

Layer / File(s)	Summary
Unsupported KMS config parsing pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go, pkg/operator/encryption/kms/pluginlifecycle/unsupported_config_test.go	New unexported unsupportedKMSConfig and parseUnsupportedKMSConfig convert YAML/JSON input and extract encryption.kms.vault.logLevel. Parser handles empty input, YAML->JSON conversion errors, and suppresses JSON unmarshal errors. Tests cover nil/empty, valid JSON/YAML, unrelated fields, malformed JSON, and invalid binary input.
Sidecar injection parameter threading pkg/operator/encryption/kms/pluginlifecycle/sidecar.go, pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go	Exported entry points AddKMSPluginSidecarToStaticPodSpec and AddKMSPluginSidecarToPodSpec now accept unsupportedConfig []byte and forward it through addKMSPluginSidecars -> newSidecarProvider. Test call sites updated to pass nil.
Vault provider logLevel integration pkg/operator/encryption/kms/pluginlifecycle/vault.go, pkg/operator/encryption/kms/pluginlifecycle/vault_test.go	newVaultSidecarProvider accepts unsupportedConfig, parses it, stores vault.logLevel, and BuildSidecarContainer appends -log-level=... when non-empty. Tests added for nil and explicit logLevel override.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/library-go#2275: Modifies the same addKMSPluginSidecars sidecar-injection flow and signature, on which this PR's unsupportedConfig parameter is layered.
• openshift/library-go#2252: Updates Vault sidecar lifecycle code in vault.go with credential wiring (-approle-role-id/-approle-secret-id-path), similar parameter threading pattern to this PR's logLevel args.

Suggested labels

approved, lgtm

Suggested reviewers

• dgrisonnet
• p0lyn0mial

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding support for configuring the Vault KMS plugin's log level through unsupported config, which is the primary objective of the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Tests use standard Go with table-driven patterns, not Ginkgo. All test names are static, descriptive strings without dynamic information like IDs, timestamps, or pod names.
Test Structure And Quality	✅ Passed	All test files in the PR use standard Go testing (testing.T), not Ginkgo. The check asks for Ginkgo test code review, which is not applicable here. Standard Go tests follow appropriate patterns.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. All test changes are standard Go unit tests (using func Test* pattern with testing.T), which are not subject to the MicroShift compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. Changes are only unit tests in operator code using standard Go testing patterns, not Ginkgo framework tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no scheduling constraints, deployment manifests, or pod templates. Changes are limited to KMS sidecar injection utility functions and configuration parsing code.
Ote Binary Stdout Contract	✅ Passed	The only logging write is klog.Warning() in parseUnsupportedKMSConfig(), which writes to stderr by default (klog v2's logtostderr=true) and is called at runtime, not during process initialization.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains only standard Go unit tests, not Ginkgo e2e tests. Tests use fake Kubernetes clients without making actual network calls.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found. PR only adds config parsing for Vault KMS plugin log level.
Container-Privileges	✅ Passed	No privileged, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation=true settings introduced. Only adds log level config for Vault KMS plugin.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data is logged. The PR only adds logLevel config and YAML parsing error handling using patterns already in the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kevinrizza
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go`:
- Around line 33-35: The json.Unmarshal error is being swallowed in the
unsupportedKMSConfig decoding path; update the block that calls
json.Unmarshal(jsonRaw, &config) to log the error (using the same logging
mechanism used for the YAML conversion error) before returning
unsupportedKMSConfig{}, nil so malformed JSON is observable; reference the
json.Unmarshal call, the jsonRaw variable, and the unsupportedKMSConfig return
to locate and fix the code, ensuring the log message includes context that the
unsupported KMS config JSON was invalid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 870baea6-d690-47ad-a7ec-63fa950bfad0

📥 Commits

Reviewing files that changed from the base of the PR and between 09fa75d and b115e9e.

📒 Files selected for processing (6)

• pkg/operator/encryption/kms/pluginlifecycle/sidecar.go
• pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go
• pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go
• pkg/operator/encryption/kms/pluginlifecycle/unsupported_config_test.go
• pkg/operator/encryption/kms/pluginlifecycle/vault.go
• pkg/operator/encryption/kms/pluginlifecycle/vault_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Log JSON unmarshaling errors before swallowing them.

Line 34 silently ignores JSON unmarshaling errors and returns an empty config with no error. While the test shows this lenient behavior is intentional, the error should be logged (like the YAML conversion error at line 28) so users know when their unsupported config is malformed and being ignored.

As per coding guidelines, Go code should never ignore error returns. Even when errors are intentionally not propagated, they should be logged for observability.

📋 Proposed fix to add logging

 	config := unsupportedKMSConfig{}
 	if err := json.Unmarshal(jsonRaw, &config); err != nil {
+		klog.V(4).Infof("failed to unmarshal unsupported KMS config, ignoring: %v", err)
 		return unsupportedKMSConfig{}, nil
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/encryption/kms/pluginlifecycle/unsupported_config.go` around
lines 33 - 35, The json.Unmarshal error is being swallowed in the
unsupportedKMSConfig decoding path; update the block that calls
json.Unmarshal(jsonRaw, &config) to log the error (using the same logging
mechanism used for the YAML conversion error) before returning
unsupportedKMSConfig{}, nil so malformed JSON is observable; reference the
json.Unmarshal call, the jsonRaw variable, and the unsupportedKMSConfig return
to locate and fix the code, ensuring the log message includes context that the
unsupported KMS config JSON was invalid.

Source: Coding guidelines

[kevinrizza]

/retest

[openshift-ci]

@kevinrizza: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.