WIP - working on CPO creating the seed and passing it to the KMS provider

Author: bryan-cox

control-plane-operator/controllers/hostedcontrolplane/manifests/azure.go

@@ -1,6 +1,8 @@
 package manifests
 
 import (
+	"github.com/openshift/hypershift/support/config"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -51,3 +53,12 @@ func AzureFileConfigWithCredentials(ns string) *corev1.Secret {
 		},
 	}
 }
+
+func AzureKMSSeed(ns string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      config.AzureKMSSeedSecretName,
+			Namespace: ns,
+		},
+	}
+}

control-plane-operator/controllers/hostedcontrolplane/v2/assets/kube-apiserver/azure-kms-seed.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  kubeconfig: ""
+kind: Secret
+metadata:
+  # This name is hardcoded everyone else. It's listed as AzureKMSSeedSecretName in constants.go.
+  name: azure-kms-provider-seed-active
+  namespace: HCP_NAMESPACE
+type: Opaque

control-plane-operator/controllers/hostedcontrolplane/v2/kas/component.go

@@ -115,6 +115,10 @@ func NewComponent() component.ControlPlaneComponent {
 			component.WithAdaptFunction(kms.AdaptAzureSecretProvider),
 			component.WithPredicate(enableAzureKMSSecretProvider),
 		).
+		WithManifestAdapter(
+			"azure-kms-seed.yaml",
+			component.WithAdaptFunction(kms.AdaptAzureKMSSeed),
+		).
 		Build()
 }
 

control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go

@@ -81,7 +81,7 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 		applyGenericSecretEncryptionConfig(&deployment.Spec.Template.Spec)
 		switch secretEncryption.Type {
 		case hyperv1.KMS:
-			if err := applyKMSConfig(&deployment.Spec.Template.Spec, secretEncryption, newKMSImages(hcp)); err != nil {
+			if err := applyKMSConfig(hcp.Namespace, &deployment.Spec.Template.Spec, secretEncryption, newKMSImages(hcp)); err != nil {
 				return err
 			}
 		}

control-plane-operator/controllers/hostedcontrolplane/v2/kas/kms.go

@@ -12,12 +12,12 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-func applyKMSConfig(podSpec *corev1.PodSpec, secretEncryptionData *hyperv1.SecretEncryptionSpec, images kmsImages) error {
+func applyKMSConfig(namespace string, podSpec *corev1.PodSpec, secretEncryptionData *hyperv1.SecretEncryptionSpec, images kmsImages) error {
 	if secretEncryptionData.KMS == nil {
 		return fmt.Errorf("kms metadata not specified")
 	}
 
-	provider, err := getKMSProvider(secretEncryptionData.KMS, images)
+	provider, err := getKMSProvider(namespace, secretEncryptionData.KMS, images)
 	if err != nil {
 		return err
 	}
@@ -34,8 +34,8 @@ func applyKMSConfig(podSpec *corev1.PodSpec, secretEncryptionData *hyperv1.Secre
 	return nil
 }
 
-func generateKMSEncryptionConfig(kmsSpec *hyperv1.KMSSpec, apiVersion string) ([]byte, error) {
-	provider, err := getKMSProvider(kmsSpec, kmsImages{})
+func generateKMSEncryptionConfig(namespace string, kmsSpec *hyperv1.KMSSpec, apiVersion string) ([]byte, error) {
+	provider, err := getKMSProvider(namespace, kmsSpec, kmsImages{})
 	if err != nil {
 		return nil, err
 	}
@@ -53,14 +53,14 @@ func generateKMSEncryptionConfig(kmsSpec *hyperv1.KMSSpec, apiVersion string) ([
 	return bufferInstance.Bytes(), nil
 }
 
-func getKMSProvider(kmsSpec *hyperv1.KMSSpec, images kmsImages) (kms.KMSProvider, error) {
+func getKMSProvider(namespace string, kmsSpec *hyperv1.KMSSpec, images kmsImages) (kms.KMSProvider, error) {
 	switch kmsSpec.Provider {
 	case hyperv1.IBMCloud:
 		return kms.NewIBMCloudKMSProvider(kmsSpec.IBMCloud, images.IBMCloudKMS)
 	case hyperv1.AWS:
 		return kms.NewAWSKMSProvider(kmsSpec.AWS, images.AWSKMS, images.TokenMinterImage)
 	case hyperv1.AZURE:
-		return kms.NewAzureKMSProvider(kmsSpec.Azure, images.AzureKMS)
+		return kms.NewAzureKMSProvider(namespace, kmsSpec.Azure, images.AzureKMS)
 	default:
 		return nil, fmt.Errorf("unrecognized kms provider %s", kmsSpec.Provider)
 	}