17 changes: 15 additions & 2 deletions api/hypershift/v1beta1/azure.go
Original file line number Diff line number Diff line change
@@ -810,6 +810,9 @@ const (
// AzureKMSSpec defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault
//
// +kubebuilder:validation:XValidation:rule="!has(self.backupKey) || self.backupKey.keyVaultName == self.activeKey.keyVaultName",message="backupKey.keyVaultName must match activeKey.keyVaultName; both keys must reside in the same Key Vault"
// +kubebuilder:validation:XValidation:rule="!(has(self.kms) && has(self.workloadIdentity))",message="kms and workloadIdentity are mutually exclusive"
// +kubebuilder:validation:XValidation:rule="has(self.kms) || has(self.workloadIdentity)",message="one of kms or workloadIdentity must be set"
// +kubebuilder:validation:XValidation:rule="has(self.kms) == has(oldSelf.kms)",message="the KMS authentication mode is immutable once set"
type AzureKMSSpec struct {
// activeKey defines the active key used to encrypt new secrets
//
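Review bot: the new rule `has(self.kms) == has(oldSelf.kms)` references oldSelf, so it is a transition rule that the API server evaluates only on update and skips on create; that is the right behaviour for an immutability check, but nothing in this doc comment or in the two field comments tells a user that the authentication mode cannot be switched after creation, so the only place it surfaces is the rejection message. Add one sentence to the AzureKMSSpec comment (and to the kms and workloadIdentity field comments) stating that whichever of the two is set at creation is fixed for the life of the object. Minor: the mutual-exclusion rule and the one-of rule together are equivalent to a single `has(self.kms) != has(self.workloadIdentity)`, which would halve the rule count and the error-message surface.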
@@ -821,9 +824,19 @@ type AzureKMSSpec struct {
BackupKey *AzureKMSKey `json:"backupKey,omitempty"`

// kms is a pre-existing managed identity used to authenticate with Azure KMS.
// This is used for managed Azure (ARO HCP) clusters.
// kms and workloadIdentity are mutually exclusive.
//
// +required
KMS ManagedIdentity `json:"kms"`
// +optional
KMS ManagedIdentity `json:"kms,omitzero"`

Contributor

I know this field was added before, but why is it called kms? With the new field, it should be called managedIdentity or something.

Contributor

.spec.secretEncryption.kms.azure.kms doesn't sound correct.

Member Author

I'm not sure how we can change this now, since ARO HCP is in flight, other than introducing a new field and trying to deprecate this.


// workloadIdentity contains the workload identity used to authenticate
// with Azure Key Vault for KMS encryption via a token-minter sidecar.
// This identity must have "Key Vault Crypto User" role on the Key Vault.
// kms and workloadIdentity are mutually exclusive.
//
// +optional

Member

I'd rather not introduce this naming pattern until we decide whether we want to introduce a semantic for product and have a detailed plan for it.
Can we name this after the targeted auth mechanism, e.g. kmsFederatedTokenIdentity?

Member Author

Done. Renamed to kmsFederatedTokenIdentity / AzureKMSFederatedTokenIdentity across the board — API types, CEL rules, envtests, CLI, controllers, and docs.

WorkloadIdentity WorkloadIdentity `json:"workloadIdentity,omitzero"`

// keyVaultAccess specifies how the Key Vault should be accessed.
// When set to "Private", the control plane routes Key Vault traffic through
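Review bot: the CEL presence checks in the type comment (`has(self.kms)`, `has(self.workloadIdentity)`) only behave as intended if an unset value-typed `ManagedIdentity` / `WorkloadIdentity` is actually omitted from the serialized object, which is what `omitzero` on these non-pointer fields is relying on; confirm that the JSON serializer vendored in this tree honours `omitzero` (Go 1.24 encoding/json does), because a serializer that ignores it would emit `kms: {}` and make `has(self.kms)` true, defeating both the mutual-exclusion and the one-of rule. If that cannot be guaranteed, make both fields pointers with `omitempty` instead. Separately, the thread below states the field was renamed to kmsFederatedTokenIdentity, yet this revision still declares `WorkloadIdentity WorkloadIdentity `json:"workloadIdentity,omitzero"`` and the CEL messages still say workloadIdentity; re-check that the rename landed in the API type, the rule messages and the generated CRDs before merge.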
1 change: 1 addition & 0 deletions api/hypershift/v1beta1/zz_generated.deepcopy.go


Original file line number Diff line number Diff line change
@@ -6046,8 +6046,10 @@ spec:
- ""
type: string
kms:
description: kms is a pre-existing managed identity used
to authenticate with Azure KMS.
description: |-
kms is a pre-existing managed identity used to authenticate with Azure KMS.
This is used for managed Azure (ARO HCP) clusters.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: |-
@@ -6096,15 +6098,42 @@ spec:
- credentialsSecretName
- objectEncoding
type: object
workloadIdentity:
description: |-
workloadIdentity contains the workload identity used to authenticate
with Azure Key Vault for KMS encryption via a token-minter sidecar.
This identity must have "Key Vault Crypto User" role on the Key Vault.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: clientID is client ID of a federated
managed identity used in workload identity authentication
maxLength: 36
minLength: 36
pattern: ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
type: string
x-kubernetes-validations:
- message: the client ID of a managed identity must
be a valid UUID. It should be 5 groups of hyphen
separated hexadecimal characters in the form 8-4-4-4-12.
rule: self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
required:
- clientID
type: object
required:
- activeKey
- kms
type: object
x-kubernetes-validations:
- message: backupKey.keyVaultName must match activeKey.keyVaultName;
both keys must reside in the same Key Vault
rule: '!has(self.backupKey) || self.backupKey.keyVaultName
== self.activeKey.keyVaultName'
- message: kms and workloadIdentity are mutually exclusive
rule: '!(has(self.kms) && has(self.workloadIdentity))'
- message: one of kms or workloadIdentity must be set
rule: has(self.kms) || has(self.workloadIdentity)
- message: the KMS authentication mode is immutable once set
rule: has(self.kms) == has(oldSelf.kms)
ibmcloud:
description: ibmcloud defines metadata for the IBM Cloud KMS
encryption strategy
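Review bot: clientID under workloadIdentity is validated twice with the same regex, once by the OpenAPI `pattern` and again by the CEL rule `self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')`; the second check adds nothing but cost against the CRD's CEL budget and a second, differently worded error for the same bad input. Since this file is generated, drop one of the two markers on the Go type (keep the CEL rule if the longer message is wanted, otherwise keep `pattern`) and regenerate; the same duplication appears in the other generated copies of this CRD below.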
Original file line number Diff line number Diff line change
@@ -6029,8 +6029,10 @@ spec:
- ""
type: string
kms:
description: kms is a pre-existing managed identity used
to authenticate with Azure KMS.
description: |-
kms is a pre-existing managed identity used to authenticate with Azure KMS.
This is used for managed Azure (ARO HCP) clusters.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: |-
@@ -6079,15 +6081,42 @@ spec:
- credentialsSecretName
- objectEncoding
type: object
workloadIdentity:
description: |-
workloadIdentity contains the workload identity used to authenticate
with Azure Key Vault for KMS encryption via a token-minter sidecar.
This identity must have "Key Vault Crypto User" role on the Key Vault.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: clientID is client ID of a federated
managed identity used in workload identity authentication
maxLength: 36
minLength: 36
pattern: ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
type: string
x-kubernetes-validations:
- message: the client ID of a managed identity must
be a valid UUID. It should be 5 groups of hyphen
separated hexadecimal characters in the form 8-4-4-4-12.
rule: self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
required:
- clientID
type: object
required:
- activeKey
- kms
type: object
x-kubernetes-validations:
- message: backupKey.keyVaultName must match activeKey.keyVaultName;
both keys must reside in the same Key Vault
rule: '!has(self.backupKey) || self.backupKey.keyVaultName
== self.activeKey.keyVaultName'
- message: kms and workloadIdentity are mutually exclusive
rule: '!(has(self.kms) && has(self.workloadIdentity))'
- message: one of kms or workloadIdentity must be set
rule: has(self.kms) || has(self.workloadIdentity)
- message: the KMS authentication mode is immutable once set
rule: has(self.kms) == has(oldSelf.kms)
ibmcloud:
description: ibmcloud defines metadata for the IBM Cloud KMS
encryption strategy
Original file line number Diff line number Diff line change
@@ -6049,8 +6049,10 @@ spec:
- ""
type: string
kms:
description: kms is a pre-existing managed identity used
to authenticate with Azure KMS.
description: |-
kms is a pre-existing managed identity used to authenticate with Azure KMS.
This is used for managed Azure (ARO HCP) clusters.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: |-
@@ -6099,15 +6101,42 @@ spec:
- credentialsSecretName
- objectEncoding
type: object
workloadIdentity:
description: |-
workloadIdentity contains the workload identity used to authenticate
with Azure Key Vault for KMS encryption via a token-minter sidecar.
This identity must have "Key Vault Crypto User" role on the Key Vault.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: clientID is client ID of a federated
managed identity used in workload identity authentication
maxLength: 36
minLength: 36
pattern: ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
type: string
x-kubernetes-validations:
- message: the client ID of a managed identity must
be a valid UUID. It should be 5 groups of hyphen
separated hexadecimal characters in the form 8-4-4-4-12.
rule: self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
required:
- clientID
type: object
required:
- activeKey
- kms
type: object
x-kubernetes-validations:
- message: backupKey.keyVaultName must match activeKey.keyVaultName;
both keys must reside in the same Key Vault
rule: '!has(self.backupKey) || self.backupKey.keyVaultName
== self.activeKey.keyVaultName'
- message: kms and workloadIdentity are mutually exclusive
rule: '!(has(self.kms) && has(self.workloadIdentity))'
- message: one of kms or workloadIdentity must be set
rule: has(self.kms) || has(self.workloadIdentity)
- message: the KMS authentication mode is immutable once set
rule: has(self.kms) == has(oldSelf.kms)
ibmcloud:
description: ibmcloud defines metadata for the IBM Cloud KMS
encryption strategy
Original file line number Diff line number Diff line change
@@ -6361,8 +6361,10 @@ spec:
- ""
type: string
kms:
description: kms is a pre-existing managed identity used
to authenticate with Azure KMS.
description: |-
kms is a pre-existing managed identity used to authenticate with Azure KMS.
This is used for managed Azure (ARO HCP) clusters.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: |-
@@ -6411,15 +6413,42 @@ spec:
- credentialsSecretName
- objectEncoding
type: object
workloadIdentity:
description: |-
workloadIdentity contains the workload identity used to authenticate
with Azure Key Vault for KMS encryption via a token-minter sidecar.
This identity must have "Key Vault Crypto User" role on the Key Vault.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: clientID is client ID of a federated
managed identity used in workload identity authentication
maxLength: 36
minLength: 36
pattern: ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
type: string
x-kubernetes-validations:
- message: the client ID of a managed identity must
be a valid UUID. It should be 5 groups of hyphen
separated hexadecimal characters in the form 8-4-4-4-12.
rule: self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
required:
- clientID
type: object
required:
- activeKey
- kms
type: object
x-kubernetes-validations:
- message: backupKey.keyVaultName must match activeKey.keyVaultName;
both keys must reside in the same Key Vault
rule: '!has(self.backupKey) || self.backupKey.keyVaultName
== self.activeKey.keyVaultName'
- message: kms and workloadIdentity are mutually exclusive
rule: '!(has(self.kms) && has(self.workloadIdentity))'
- message: one of kms or workloadIdentity must be set
rule: has(self.kms) || has(self.workloadIdentity)
- message: the KMS authentication mode is immutable once set
rule: has(self.kms) == has(oldSelf.kms)
ibmcloud:
description: ibmcloud defines metadata for the IBM Cloud KMS
encryption strategy
Original file line number Diff line number Diff line change
@@ -6501,8 +6501,10 @@ spec:
- ""
type: string
kms:
description: kms is a pre-existing managed identity used
to authenticate with Azure KMS.
description: |-
kms is a pre-existing managed identity used to authenticate with Azure KMS.
This is used for managed Azure (ARO HCP) clusters.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: |-
@@ -6551,15 +6553,42 @@ spec:
- credentialsSecretName
- objectEncoding
type: object
workloadIdentity:
description: |-
workloadIdentity contains the workload identity used to authenticate
with Azure Key Vault for KMS encryption via a token-minter sidecar.
This identity must have "Key Vault Crypto User" role on the Key Vault.
kms and workloadIdentity are mutually exclusive.
properties:
clientID:
description: clientID is client ID of a federated
managed identity used in workload identity authentication
maxLength: 36
minLength: 36
pattern: ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
type: string
x-kubernetes-validations:
- message: the client ID of a managed identity must
be a valid UUID. It should be 5 groups of hyphen
separated hexadecimal characters in the form 8-4-4-4-12.
rule: self.matches('^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$')
required:
- clientID
type: object
required:
- activeKey
- kms
type: object
x-kubernetes-validations:
- message: backupKey.keyVaultName must match activeKey.keyVaultName;
both keys must reside in the same Key Vault
rule: '!has(self.backupKey) || self.backupKey.keyVaultName
== self.activeKey.keyVaultName'
- message: kms and workloadIdentity are mutually exclusive
rule: '!(has(self.kms) && has(self.workloadIdentity))'
- message: one of kms or workloadIdentity must be set
rule: has(self.kms) || has(self.workloadIdentity)
- message: the KMS authentication mode is immutable once set
rule: has(self.kms) == has(oldSelf.kms)
ibmcloud:
description: ibmcloud defines metadata for the IBM Cloud KMS
encryption strategy