CNTRLPLANE-3070: Support KMS on self-managed Azure without affecting ARO HCP #8088

Merged
openshift-merge-bot[bot] merged 7 commits into openshift:main from bryan-cox:CNTRLPLANE-3070 on May 19, 2026

Conversation

@bryan-cox
Member

@bryan-cox bryan-cox commented Mar 26, 2026

What this PR does / why we need it:

Enables Azure Key Vault KMS encryption (etcd encryption at rest) for self-managed Azure HyperShift clusters using workload identity federation, without breaking the existing ARO HCP (managed Azure) KMS path that uses managed identities with CSI secret store volumes.

Key Changes

API: Added SelfManagedKMS field (type SelfManagedAzureKMS) to AzureKMSSpec with a ClientID for the workload identity that has Key Vault Crypto User role on the Key Vault. CEL validation rules enforce mutual exclusivity between kms (managed) and selfManagedKMS (self-managed), and immutability once set.

Control Plane Operator:

  • Azure KMS provider now supports both ARO HCP and self-managed paths
  • ARO HCP: CSI secret store volume for managed identity (unchanged)
  • Self-managed: token-minter sidecar + emptyDir cloud token volume for workload identity federation
  • KMS cloud config secret sets federated identity fields (UseWorkloadIdentityExtension) for self-managed

HyperShift Operator:

  • KMS config secret reconciliation branches on managed vs self-managed, returning an error when neither credential is configured
  • Credential reconciliation for self-managed Azure workload identities

CLI:

  • create cluster azure: Only sets ManagedIdentity KMS creds for managed Azure; self-managed uses AzureKMSSpec.SelfManagedKMS
  • create iam azure: Creates KMS workload identity with federated credential for kms-provider service account

E2E: Updated TestCreateClusterCustomConfig to handle self-managed Azure KMS assertions. Added envtest coverage for CEL validation rules (mutual exclusivity, immutability).

Documentation: Added KMS encryption section to self-managed Azure cluster guide with Key Vault setup and workload identity federation instructions.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3070

Special notes for your reviewer:

The self-managed Azure KMS authentication pattern follows the same approach used by Cloud Controller Manager (CCM) and Azure CSI storage drivers, which already support self-managed Azure with workload identity federation.

The token-minter sidecar mints OIDC tokens for the kms-provider service account in kube-system namespace, matching the pattern used by AWS KMS.

kms and selfManagedKMS are mutually exclusive and immutable once set — switching between managed and self-managed KMS auth after cluster creation is not supported.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.
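
As an added example (not HyperShift's own code), the rules the description states in plain Go: exactly one of kms or selfManagedKMS, an auth mode that cannot change after creation, and the CPO's choice between a token-minter sidecar with an emptyDir cloud-token volume (self-managed) and a Secret Store CSI volume (ARO HCP). The struct shapes, the env var names, the CloudTokenMountPath value and the volume names are assumptions; the real API enforces the first two rules with CEL.

```go
// Added example, not HyperShift code: a simplified mirror of the AzureKMSSpec
// auth-mode rules and of the kube-apiserver pod shape each mode produces.
package main

import (
	"errors"
	"fmt"
)

// CloudTokenMountPath is a placeholder; the PR only says the path is centralized.
const CloudTokenMountPath = "/var/run/secrets/openshift/serviceaccount/token"

// ManagedIdentity is the ARO HCP credential, mounted through the Secret Store CSI driver.
type ManagedIdentity struct {
	CredentialsSecretName string
}

// SelfManagedAzureKMS is the self-managed credential: the workload identity
// client ID that holds Key Vault Crypto User on the Key Vault.
type SelfManagedAzureKMS struct {
	ClientID string
}

// AzureKMSSpec carries exactly one of the two auth modes (assumed field shapes).
type AzureKMSSpec struct {
	KMS            *ManagedIdentity
	SelfManagedKMS *SelfManagedAzureKMS
}

var (
	ErrNoCredential = errors.New("azure kms: one of kms or selfManagedKMS must be set")
	ErrBothSet      = errors.New("azure kms: kms and selfManagedKMS are mutually exclusive")
	ErrModeChanged  = errors.New("azure kms: switching between kms and selfManagedKMS is not supported")
)

// ValidateAzureKMSSpec applies the PR's CEL rules outside the API server:
// exactly one mode, a non-empty client ID for self-managed, and no mode
// change on update (oldSpec is nil on create).
func ValidateAzureKMSSpec(oldSpec, newSpec *AzureKMSSpec) error {
	switch {
	case newSpec.KMS == nil && newSpec.SelfManagedKMS == nil:
		return ErrNoCredential
	case newSpec.KMS != nil && newSpec.SelfManagedKMS != nil:
		return ErrBothSet
	}
	if newSpec.SelfManagedKMS != nil && newSpec.SelfManagedKMS.ClientID == "" {
		return errors.New("azure kms: selfManagedKMS.clientID must not be empty")
	}
	if oldSpec != nil {
		// Immutable once set: whichever mode the old object used must still be used.
		if (oldSpec.KMS != nil && newSpec.KMS == nil) ||
			(oldSpec.SelfManagedKMS != nil && newSpec.SelfManagedKMS == nil) {
			return ErrModeChanged
		}
	}
	return nil
}

// KMSPodShape is the part of the kube-apiserver pod that depends on the auth mode.
type KMSPodShape struct {
	Sidecars []string          // containers added next to the kms-provider
	Volumes  map[string]string // volume name -> volume source (assumed names)
	Env      map[string]string // env on the kms-provider container (assumed names)
}

// KMSPodShapeFor mirrors the CPO branch described in the PR: self-managed gets a
// token-minter sidecar writing an SA token into an emptyDir and a federated
// identity config; managed gets a Secret Store CSI volume and no sidecar.
func KMSPodShapeFor(spec AzureKMSSpec) (KMSPodShape, error) {
	if err := ValidateAzureKMSSpec(nil, &spec); err != nil {
		return KMSPodShape{}, err
	}
	shape := KMSPodShape{Volumes: map[string]string{}, Env: map[string]string{}}
	if spec.SelfManagedKMS != nil {
		shape.Sidecars = append(shape.Sidecars, "token-minter")
		shape.Volumes["cloud-token"] = "emptyDir"
		shape.Env["AZURE_CLIENT_ID"] = spec.SelfManagedKMS.ClientID
		shape.Env["AZURE_FEDERATED_TOKEN_FILE"] = CloudTokenMountPath
		return shape, nil
	}
	shape.Volumes["kms-credentials"] = "csi:secrets-store.csi.k8s.io/" + spec.KMS.CredentialsSecretName
	return shape, nil
}

func main() {
	// Constructed sample client ID, not a real identity.
	self := AzureKMSSpec{SelfManagedKMS: &SelfManagedAzureKMS{ClientID: "00000000-0000-0000-0000-000000000000"}}
	shape, err := KMSPodShapeFor(self)
	fmt.Printf("self-managed shape: %+v err=%v\n", shape, err)
	managed := AzureKMSSpec{KMS: &ManagedIdentity{CredentialsSecretName: "kms-creds"}}
	fmt.Println("switch self-managed -> managed:", ValidateAzureKMSSpec(&self, &managed))
}
```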

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 26, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Mar 26, 2026

@bryan-cox: This pull request references CNTRLPLANE-3070 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Enables Azure Key Vault KMS encryption (etcd encryption at rest) for self-managed Azure HyperShift clusters using workload identity federation, without breaking the existing ARO HCP (managed Azure) KMS path that uses managed identities with CSI secret store volumes.

Key Changes

API: Added optional KMS field to AzureWorkloadIdentities for specifying a workload identity client ID that has Key Vault Crypto User role on the Key Vault.

Control Plane Operator:

  • Azure KMS provider now supports both ARO HCP and self-managed paths
  • ARO HCP: CSI secret store volume for managed identity (unchanged)
  • Self-managed: token-minter sidecar + emptyDir cloud token volume for workload identity federation
  • KMS cloud config secret sets federated identity fields (UseFederatedWorkloadIdentityExtension, AADClientID, AADFederatedTokenFile) for self-managed

HyperShift Operator:

  • KMS config secret reconciliation branches on managed vs self-managed
  • HCP controller validates KMS config for self-managed (sets condition True with runtime validation note since CPO lacks KMS identity credentials)

CLI:

  • create cluster azure: Only sets ManagedIdentity KMS creds for managed Azure; self-managed uses WorkloadIdentities.KMS
  • create iam azure: Creates KMS workload identity with federated credential for kms-provider service account

E2E: Updated TestCreateClusterCustomConfig to handle self-managed Azure KMS assertions.

Documentation: Added KMS encryption section to self-managed Azure cluster guide with Key Vault setup instructions.

Which issue(s) this PR fixes:

Fixes CNTRLPLANE-3070

Special notes for your reviewer:

The self-managed Azure KMS authentication pattern follows the same approach used by Cloud Controller Manager (CCM) and Azure CSI storage drivers, which already support self-managed Azure with workload identity federation.

The token-minter sidecar mints OIDC tokens for the kms-provider service account in kube-system namespace, matching the pattern used by AWS KMS.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve [CNTRLPLANE-3070](https://redhat.atlassian.net/browse/CNTRLPLANE-3070)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 26, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Mar 26, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This pull request adds support for self-managed Azure KMS encryption at rest and wiring for KMS workload identities. Changes include making AzureKMSSpec.KMS optional and adding a mutually-exclusive SelfManagedKMS; adding --enable-kms to IAM creation and plumbing kmsClientID through IAM/infra outputs; conditionally including a kms workload identity; control-plane/operator changes to detect self-managed Azure and render token-minter/cloud-token or managed secret-store CSI volumes accordingly; centralizing the cloud token mount path with CloudTokenMountPath; and extensive tests and docs for both managed and self-managed Azure KMS flows.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI as CLI/IAM Cmd
    participant WI as Workload Identity Mgr
    participant Infra as Infra Manager
    participant Secret as K8s Secrets

    User->>CLI: hypershift create iam azure --enable-kms
    CLI->>WI: CreateWorkloadIdentitiesFromIAMOptions(enableKMS=true)
    WI->>WI: GetWorkloadIdentityDefinitions(opts={IncludeKMS:true})
    WI->>Infra: Create Azure identities (includes kms)
    Infra->>Infra: Assign roles (if applicable)
    Infra-->>WI: Return identities + kmsClientID
    WI-->>CLI: Return IAM output with kmsClientID
    CLI->>Secret: Write workload-identities.json (includes kmsClientID)
sequenceDiagram
    participant User
    participant Cluster as Cluster Create
    participant Infra as Infra Extract
    participant CPO as Control Plane Operator
    participant KMS as KMS Provider

    User->>Infra: Load workload-identities.json
    Infra->>Infra: Extract kmsClientID from JSON
    Infra-->>Cluster: Pass infra output (kmsClientID)
    User->>Cluster: hypershift create cluster azure --encryption-key-id=<key>
    Cluster->>Cluster: Build AzureKMSSpec (SelfManagedKMS if kmsClientID present else KMS)
    Cluster-->>CPO: Apply SecretEncryption with AzureKMSSpec
    CPO->>CPO: Detect self-managed vs managed
    alt Self-Managed
        CPO->>KMS: Add token-minter container + cloud-token volume
        CPO->>KMS: Set AZURE_CLIENT_ID/AZURE_TENANT_ID and federated token file
        KMS->>KMS: Mint federated token at runtime and authenticate to Key Vault
    else Managed
        CPO->>KMS: Mount credentials secret via Secret Store CSI
        KMS->>KMS: Use credentials secret to authenticate to Key Vault
    end

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Stable And Deterministic Test Names | ❌ Error | Found violation: TestGenerateKMSPodConfig_LivenessProbe uses fmt.Sprintf to construct test name at line 536 of azure_test.go. Test names must be static, never dynamically constructed. | Replace fmt.Sprintf("When %s is created...", tc.name) with static test names for each case. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (10 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main objective: adding KMS support for self-managed Azure clusters while preserving ARO HCP functionality. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Test Structure And Quality | ✅ Passed | Custom check reviews Ginkgo test code (Describe/Context/It blocks), but this PR contains only traditional Go testing.T tests. Check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added. PR contains only standard Go unit tests (testing.T) and modifications to existing standard Go e2e tests. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. All new tests are unit tests using standard Go testing package, not Ginkgo patterns (It, Describe, Context, When). |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds Azure KMS encryption with sidecars and token-minter. No topology issues: no required anti-affinity, spread constraints, control-plane nodeSelectors, or problematic tolerations detected. |
| Ote Binary Stdout Contract | ✅ Passed | All modified test files use standard Go testing.T pattern. No process-level stdout writes detected. No init(), TestMain(), BeforeSuite(), or OTE suite patterns found. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests (Describe/Context/It/When) were added in this PR. All test modifications are to standard Go testing.T tests. Custom check is not applicable. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |

Comment @coderabbitai help to get the list of available commands and usage tips.


@openshift-ci openshift-ci Bot added do-not-merge/needs-area area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/platform/azure PR/issue for Azure (AzurePlatform) platform area/testing Indicates the PR includes changes for e2e testing and removed do-not-merge/needs-area labels Mar 26, 2026
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3070 branch 2 times, most recently from 1890fdc to a3d1f65 Compare March 27, 2026 15:35
@openshift-ci openshift-ci Bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. area/platform/aws PR/issue for AWS (AWSPlatform) platform labels Mar 27, 2026
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-3070 branch 2 times, most recently from 21007e3 to 2d16bd3 Compare March 27, 2026 16:41
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 27, 2026
@codecov

codecov Bot commented Mar 31, 2026

Codecov Report

❌ Patch coverage is 62.44131% with 80 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.34%. Comparing base (76bbefc) to head (c313825).
⚠️ Report is 56 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/cluster/azure/create.go | 0.00% | 23 Missing ⚠️ |
| cmd/infra/azure/identities.go | 44.11% | 19 Missing ⚠️ |
| ...ostedcontrolplane/hostedcontrolplane_controller.go | 0.00% | 15 Missing ⚠️ |
| cmd/infra/azure/create.go | 0.00% | 6 Missing ⚠️ |
| ...rator/controllers/hostedcontrolplane/v2/kas/kms.go | 57.14% | 5 Missing and 1 partial ⚠️ |
| ...ers/hostedcluster/internal/platform/azure/azure.go | 68.75% | 5 Missing ⚠️ |
| cmd/infra/azure/create_iam.go | 0.00% | 4 Missing ⚠️ |
| ...or/controllers/hostedcontrolplane/manifests/kas.go | 0.00% | 1 Missing ⚠️ |
| ...ontrollers/hostedcontrolplane/v2/kas/deployment.go | 0.00% | 1 Missing ⚠️ |

@@            Coverage Diff             @@
##             main    #8088      +/-   ##
==========================================
+ Coverage   40.00%   40.34%   +0.33%     
==========================================
  Files         751      753       +2     
  Lines       92838    93134     +296     
==========================================
+ Hits        37137    37572     +435     
+ Misses      53014    52862     -152     
- Partials     2687     2700      +13     
| Files with missing lines | Coverage Δ |
|---|---|
| ...r/controllers/hostedcontrolplane/v2/kas/kms/aws.go | 92.26% <100.00%> (ø) |
| ...controllers/hostedcontrolplane/v2/kas/kms/azure.go | 97.56% <100.00%> (+90.37%) ⬆️ |
| support/azureutil/azureutil.go | 44.23% <100.00%> (+1.37%) ⬆️ |
| ...t/controlplane-component/token-minter-container.go | 89.09% <100.00%> (ø) |
| ...or/controllers/hostedcontrolplane/manifests/kas.go | 0.00% <0.00%> (ø) |
| ...ontrollers/hostedcontrolplane/v2/kas/deployment.go | 26.78% <0.00%> (ø) |
| cmd/infra/azure/create_iam.go | 16.66% <0.00%> (-0.23%) ⬇️ |
| ...ers/hostedcluster/internal/platform/azure/azure.go | 29.86% <68.75%> (+7.70%) ⬆️ |
| cmd/infra/azure/create.go | 7.69% <0.00%> (-0.17%) ⬇️ |
| ...rator/controllers/hostedcontrolplane/v2/kas/kms.go | 33.33% <57.14%> (+9.52%) ⬆️ |
... and 3 more

... and 7 files with indirect coverage changes

| Flag | Coverage Δ |
|---|---|
| cmd-support | 34.30% <30.66%> (+0.21%) ⬆️ |
| cpo-hostedcontrolplane | 41.75% <81.14%> (+1.19%) ⬆️ |
| cpo-other | 40.14% <ø> (ø) |
| hypershift-operator | 50.72% <68.75%> (+0.19%) ⬆️ |
| other | 31.54% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 1, 2026
bryan-cox added 7 commits May 19, 2026 06:53
- Add AzureKMSSpec with mutually exclusive auth modes: `kms` (ManagedIdentity
  for ARO HCP) and `workloadIdentity` (WorkloadIdentity for self-managed via
  token-minter)
- Add CEL XValidation rules enforcing mutual exclusivity, at-least-one, and
  immutability between the two authentication modes
- Add AzureKeyVaultAccessType enum for Key Vault access mechanism selection
- Add HostedCluster-level CEL rule requiring `selfManagedKMS` when using
  WorkloadIdentities authentication with Azure KMS
- Reuse existing WorkloadIdentity type for KMS auth to maintain consistency
  with other Azure workload identity fields

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add --azure-kms-client-id and --azure-kms-tenant-id flags for
  workload identity-based KMS authentication
- Add KMS client ID to IAM identity creation output
- Add Azure flag descriptions for new KMS parameters
- Update stable envtest validation test cases for Azure KMS

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…ed clusters

- Add KMS secret provider class reconciliation for self-managed Azure
  using workload identity credentials
- Add IsSelfManagedAzure helper to azureutil for platform detection
- Add KMS-related constants for config paths and identifiers
- Add token-minter sidecar support for KMS workload identity
  authentication
- Update HO azure platform controller to handle both managed identity
  and workload identity KMS modes

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
…naged clusters

- Add Azure KMS provider with self-managed mode support using
  token-minter sidecar for workload identity authentication
- Add KMS pod configuration for both managed identity and workload
  identity authentication modes
- Add encryption config generation for Azure KMS with key hashing
- Update KAS deployment to mount KMS-specific volumes and containers
- Add self-managed Azure KMS unit tests for encryption config and
  pod configuration

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add e2e test for Azure KMS encryption on self-managed clusters
- Add envtest validation test cases for Azure KMS mutual exclusivity,
  immutability (both directions), and key version update scenarios
- Add reverse immutability test: switching from workloadIdentity to kms
  must also fail

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
- Add Azure KMS setup guide for self-managed clusters including
  workload identity configuration and Key Vault access
- Update azure-workload-identity-setup with KMS identity creation
- Regenerate API reference and aggregated docs

Signed-off-by: Bryan Cox <brcox@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
@enxebre
Member

enxebre commented May 19, 2026

/approve

@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 19, 2026
@Nirshal
Contributor

Nirshal commented May 19, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 19, 2026
@openshift-merge-bot
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@bryan-cox
Member Author

/verified by @bryan-cox

I verified this works and the verification report is located here - https://redhat.atlassian.net/browse/CNTRLPLANE-3070?focusedCommentId=16980328

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 19, 2026
@openshift-ci-robot

@bryan-cox: This PR has been marked as verified by @bryan-cox.

Details

In response to this:

/verified by @bryan-cox

I verified this works and the verification report is located here - https://redhat.atlassian.net/browse/CNTRLPLANE-3070?focusedCommentId=16980328

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

// +required
KMS ManagedIdentity `json:"kms"`
// +optional
KMS ManagedIdentity `json:"kms,omitzero"`
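Review bot: relaxing `KMS` from `+required` to `+optional` (with `omitzero`) removes the only struct-level guarantee that a credential is present, so the at-least-one and mutual-exclusivity CEL rules the commit message describes now carry that check alone; the doc comment on this field should say that exactly one of `kms` or `selfManagedKMS` must be set and that `kms` is the managed-identity (ARO HCP) mode, since the field name itself no longer conveys that next to the new sibling.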
Contributor


I know this field was added before, but why is it called kms? With the new field, it should be called managedIdentity or smth.

Contributor


.spec.secretEncryption.kms.azure.kms doesn't sound correct.

Member Author


I'm not sure how we can change this now since ARO HCP is in flight, other than introducing a new field and trying to deprecate this one.

@bryan-cox
Member Author

/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main"

@bryan-cox
Member Author

/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main"

@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main

Details

In response to this:

/override "Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

@bryan-cox: Overrode contexts on behalf of bryan-cox: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main

Details

In response to this:

/override "Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
