openshift · flavianmissi · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml
@@ -3,7 +3,6 @@ name: "APIServer"
 crdName: apiservers.config.openshift.io
 featureGates:
 - KMSEncryption
-- -KMSEncryptionProvider
 tests:
   onCreate:
     - name: Should be able to create with KMS type without kms config

diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
@@ -209,7 +209,7 @@ type APIServerNamedServingCert struct {
 }
 
 // APIServerEncryption is used to encrypt sensitive resources on the cluster.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'KMS' ?  has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS and KMSEncryption feature gate is enabled, and forbidden otherwise"
 // +union
 type APIServerEncryption struct {
 	// type defines what encryption type should be used to encrypt resources at the datastore layer.
@@ -238,14 +238,13 @@ type APIServerEncryption struct {
 	// managing the lifecyle of the encryption keys outside of the control plane.
 	// This allows integration with an external provider to manage the data encryption keys securely.
 	//
-	// +openshift:enable:FeatureGate=KMSEncryptionProvider
+	// +openshift:enable:FeatureGate=KMSEncryption
 	// +unionMember
 	// +optional
 	KMS *KMSConfig `json:"kms,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
-// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
 // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
 type EncryptionType string
 

diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go
@@ -1,55 +1,144 @@
 package v1
 
 // KMSConfig defines the configuration for the KMS instance
-// that will be used with KMSEncryptionProvider encryption
-// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ?  has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise"
+// that will be used with KMS encryption
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'Vault' ?  (has(self.vault) && self.vault.vaultAddress != \"\") : !has(self.vault)",message="vault config is required when kms provider type is Vault, and forbidden otherwise"
 // +union
 type KMSConfig struct {
 	// type defines the kind of platform for the KMS provider.
-	// Available provider types are AWS only.
+	// Valid values are:
+	// - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)
 	//
 	// +unionDiscriminator
 	// +required
 	Type KMSProviderType `json:"type"`
 
-	// aws defines the key config for using an AWS KMS instance
-	// for the encryption. The AWS KMS instance is managed
+	// vault defines the configuration for the Vault KMS plugin.
+	// The plugin connects to a Vault Enterprise server that is managed
 	// by the user outside the purview of the control plane.
+	// This field must be set when type is Vault, and must be unset otherwise.
 	//
+	// +openshift:enable:FeatureGate=KMSEncryption
 	// +unionMember
 	// +optional
-	AWS *AWSKMSConfig `json:"aws,omitempty"`
+	Vault *VaultKMSConfig `json:"vault,omitempty,omitzero"`
 }
 
-// AWSKMSConfig defines the KMS config specific to AWS KMS provider
-type AWSKMSConfig struct {
-	// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
-	// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
-	// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
-	// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
-	// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
+// KMSProviderType is a specific supported KMS provider
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum=Vault
+type KMSProviderType string
+
+const (
+	// VaultKMSProvider represents a supported KMS provider for use with HashiCorp Vault
+	VaultKMSProvider KMSProviderType = "Vault"
+)
+
+// VaultKMSConfig defines the KMS plugin configuration specific to Vault KMS
+type VaultKMSConfig struct {
+	// kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin.
+	// The image must be specified using a digest reference (not a tag).
+	//
+	// Consult the OpenShift documentation for compatible plugin versions with your cluster version,
+	// then obtain the image digest for that version from HashiCorp's container registry.
+	//
+	// For disconnected environments, mirror the plugin image to an accessible registry and
+	// reference the mirrored location with its digest.
+	//
+	// The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters).
+	// The maximum length is 512 characters to accommodate long registry names and repository paths.
+	//
+	// +kubebuilder:validation:XValidation:rule="self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$')",message="vaultKMSPluginImage must be a valid image reference with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). Use '@sha256:<64-character-hex-digest>' instead of image tags like ':latest' or ':v1.0.0'."
+	// +kubebuilder:validation:MinLength=75
+	// +kubebuilder:validation:MaxLength=512
+	// +required
+	KMSPluginImage string `json:"kmsPluginImage,omitempty"`
+
+	// vaultAddress specifies the address of the HashiCorp Vault instance.
+	// The value must be a valid URL with scheme (https://) and can be up to 512 characters.
+	// Example: https://vault.example.com:8200
 	//
-	// +kubebuilder:validation:MaxLength=128
+	// +kubebuilder:validation:XValidation:rule="self.matches('^https://')",message="vaultAddress must be a valid URL starting with 'https://' (e.g., 'https://vault.example.com:8200')."
+	// +kubebuilder:validation:MaxLength=512
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
 	// +required
-	KeyARN string `json:"keyARN"`
-	// region specifies the AWS region where the KMS instance exists, and follows the format
-	// `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
-	// Only lowercase letters and hyphens followed by numbers are allowed.
+	VaultAddress string `json:"vaultAddress,omitempty"`
+
+	// vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted.
+	// This is only applicable for Vault Enterprise installations.
+	// The value can be between 1 and 4096 characters.
+	// When this field is not set, no namespace is used.
 	//
-	// +kubebuilder:validation:MaxLength=64
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only."
+	// +kubebuilder:validation:MaxLength=4096
+	// +optional
+	VaultNamespace string `json:"vaultNamespace,omitempty"`
+
+	// tls contains the TLS configuration for connecting to the Vault server.
+	// When this field is not set, system default TLS settings are used.
+	// +optional
+	TLS *VaultTLSConfig `json:"tls,omitempty"`
+
+	// approleSecretRef references a secret in the openshift-config namespace containing
+	// the AppRole credentials used to authenticate with Vault.
+	// The secret must contain the following keys:
+	//   - "roleID": The AppRole Role ID
+	//   - "secretID": The AppRole Secret ID
+	//
+	// The namespace for the secret referenced by approleSecretRef is openshift-config.
+	//
 	// +required
-	Region string `json:"region"`
+	ApproleSecretRef SecretNameReference `json:"approleSecretRef,omitempty"`
+
+	// transitMount specifies the mount path of the Vault Transit engine.
+	// The value can be between 1 and 1024 characters.
+	// When this field is not set, it defaults to "transit".
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:default="transit"
+	// +optional
+	TransitMount string `json:"transitMount,omitempty"`
+
+	// transitKey specifies the name of the encryption key in Vault's Transit engine.
+	// This key is used to encrypt and decrypt data.
+	// The value must be between 1 and 512 characters.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=512
+	// +required
+	TransitKey string `json:"transitKey,omitempty"`
 }
 
-// KMSProviderType is a specific supported KMS provider
-// +kubebuilder:validation:Enum=AWS
-type KMSProviderType string
+// VaultTLSConfig contains TLS configuration for connecting to Vault.
+type VaultTLSConfig struct {
+	// caBundle references a ConfigMap in the openshift-config namespace containing
+	// the CA certificate bundle used to verify the TLS connection to the Vault server.
+	// The ConfigMap must contain the CA bundle in the key "ca-bundle.crt".
+	// When this field is not set, the system's trusted CA certificates are used.
+	//
+	// The namespace for the ConfigMap is openshift-config.
+	//
+	// Example ConfigMap:
+	//   apiVersion: v1
+	//   kind: ConfigMap
+	//   metadata:
+	//     name: vault-ca-bundle
+	//     namespace: openshift-config
+	//   data:
+	//     ca-bundle.crt: |
+	//       -----BEGIN CERTIFICATE-----
+	//       ...
+	//       -----END CERTIFICATE-----
+	//
+	// +optional
+	CABundle ConfigMapNameReference `json:"caBundle,omitempty"`
 
-const (
-	// AWSKMSProvider represents a supported KMS provider for use with AWS KMS
-	AWSKMSProvider KMSProviderType = "AWS"
-)
+	// serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS.
+	// This is useful when the Vault server's hostname doesn't match its TLS certificate.
+	// When this field is not set, the hostname from vaultAddress is used for SNI.
+	//
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	ServerName string `json:"serverName,omitempty"`
+}