test/kms: add reusable Vault KMS helpers and KMSTestProvider abstraction

[gangwgr]

Move the Vault KMS encryption config and AppRole secret setup from cluster-kube-apiserver-operator into library-go so any operator can reuse them.

Add KMSTestProvider type that pairs an encryption config with its setup function, enabling the same test cases to run against multiple KMS provider without duplicating test logic.

Summary by CodeRabbit

• Tests
  • Added a standardized test framework for KMS provider encryption end-to-end testing with built-in Vault support.
  • Provided a default Vault KMS encryption template using enterprise namespace and AppRole-based credentials.
  • Added utilities to run provider setup hooks across providers and to collect encryption configurations for test suites.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b00e5471-f4ad-438f-bcc6-14d8688a7fd7

📥 Commits

Reviewing files that changed from the base of the PR and between 0af0751 and aef73c8.

📒 Files selected for processing (2)

• test/library/encryption/kms/provider.go
• test/library/encryption/kms/vault.go

🚧 Files skipped from review as they are similar to previous changes (2)

• test/library/encryption/kms/vault.go
• test/library/encryption/kms/provider.go

---

Walkthrough

This PR adds a KMSTestProvider type and helper utilities for e2e KMS testing, plus Vault-specific defaults and EnsureVaultAppRoleSecret to sync Vault AppRole credentials from a source secret into the openshift-config namespace.

Changes

KMS Test Provider Infrastructure

Layer / File(s)	Summary
KMS test provider contract and utilities test/library/encryption/kms/provider.go	KMSTestProvider struct holds a name, configv1.APIServerEncryption and optional Setup hook. Adds DefaultVaultTestProvider, SetupAll to run non-nil setup hooks, and EncryptionConfigs to extract configs.
Vault configuration and AppRole secret management test/library/encryption/kms/vault.go	Adds Vault CI defaults (including enterprise namespace), DefaultVaultKMSEncryptionConfig, and EnsureVaultAppRoleSecret which reads vault-credentials and creates/updates the AppRole secret in openshift-config.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/library-go#2220: Refactors encryption scenarios and helpers to work with configv1.APIServerEncryption and adds Vault test KMS plugin config, directly complementing the KMSTestProvider and DefaultVaultKMSEncryptionConfig introduced here.

Suggested reviewers

• dgrisonnet
• p0lyn0mial

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Topology-Aware Scheduling Compatibility	⚠️ Warning	Daemonset manifest uses nodeSelector targeting control-plane nodes (fails on HyperShift) and wildcard toleration 'operator: Exists' (inadvertently schedules on arbiter nodes on TNA).	Replace wildcard toleration with specific ones excluding arbiter. Add topology-awareness for control-plane nodeSelectors or use topology-aware deployment strategies for different ControlPlaneTopology values.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: adding reusable Vault KMS helpers and a KMSTestProvider abstraction to the test library, which directly corresponds to the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo test definitions found in modified files. These are helper utility modules for KMS testing infrastructure, not test files with test names.
Test Structure And Quality	✅ Passed	The PR does not contain Ginkgo test code (*_test.go files). It adds helper/utility modules with configuration constants and setup functions. The custom check is not applicable to helper modules.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR adds only helper functions and types to test/library/encryption/kms/. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR adds test helper utilities (KMSTestProvider struct and setup functions) only, not test implementations. Check does not apply.
Ote Binary Stdout Contract	✅ Passed	No OTE Stdout Contract violations. Files contain test helper functions with no process-level stdout writes, logging, or initialization-time side effects.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds helper utilities, not Ginkgo tests. No test patterns found. No IPv4 assumptions or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• test/library/encryption/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/library/encryption/kms/vault.go`:
- Around line 80-83: Before creating the target secret, validate that creds.Data
contains non-empty "role-id" and "secret-id" values: check creds.Data["role-id"]
and creds.Data["secret-id"] exist and have length > 0 (or non-empty string/byte
slice), and if either is missing/empty, fail early (return an error or call
t.Fatalf in the test) instead of proceeding to build the Data map used in the
secret write; update the code around the Data: map[string][]byte{...}
construction in vault.go to perform this validation on creds and only populate
roleID/secretID when valid.
- Around line 85-88: When creating the secret via
cs.Kube.CoreV1().Secrets(DefaultAppRoleTargetNamespace).Create(...,
appRoleSecret, ...), don't blindly call Update on any error; instead check if
the error is an AlreadyExists error
(k8s.io/apimachinery/pkg/api/errors.IsAlreadyExists(err)); if so, fetch the
existing secret with
cs.Kube.CoreV1().Secrets(DefaultAppRoleTargetNamespace).Get(ctx,
appRoleSecret.Name, metav1.GetOptions{}), copy its ResourceVersion into
appRoleSecret.ObjectMeta.ResourceVersion, then call Update; for other create
errors return/fail as before. Ensure you use the same ctx and metav1 types and
handle Get/Update errors with require.NoError where appropriate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d5651548-77ce-4c42-b3f5-f47dbe458712

📥 Commits

Reviewing files that changed from the base of the PR and between 2291b96 and 0af0751.

📒 Files selected for processing (2)

• test/library/encryption/kms/provider.go
• test/library/encryption/kms/vault.go