Expand Up @@ -30,6 +30,81 @@ tests:
aws:
keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: us-east-1
- name: Should be able to create encrypt with KMS for AWS with aws-cn partition
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-cn:kms:cn-north-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: cn-north-1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-cn:kms:cn-north-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: cn-north-1
- name: Should be able to create encrypt with KMS for AWS with aws-us-gov partition
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-us-gov:kms:us-gov-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: us-gov-east-1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-us-gov:kms:us-gov-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: us-gov-east-1
- name: Should be able to create encrypt with KMS for AWS with aws-eusc partition
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-eusc:kms:eusc-de-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: eusc-de-east-1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-eusc:kms:eusc-de-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: eusc-de-east-1
- name: Should fail to create encrypt with KMS for AWS without region
initial: |
apiVersion: config.openshift.io/v1
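Review bot: The three new success cases (aws-cn, aws-us-gov, aws-eusc) each pair the partition with a region from that same partition, so nothing here pins down what happens when the two disagree. The keyARN rule matches the region segment with `[a-z0-9-]+` independently of the partition alternation, so a value such as `arn:aws-cn:kms:us-east-1:...` passes the visible rule, and nothing in that rule compares the ARN's region segment with the sibling `region` field. If that is intended and the mismatch is left for the KMS call to reject, a test case saying so would document it; if not, a rule comparing the two would catch the misconfiguration at admission time.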
Expand Down Expand Up @@ -98,7 +173,20 @@ tests:
aws:
keyARN: not-a-kms-arn
region: us-east-1
expectedError: "keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
expectedError: "keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
- name: Should fail to create AWS KMS with invalid partition
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
encryption:
type: KMS
kms:
type: AWS
aws:
keyARN: arn:aws-invalid:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
region: us-east-1
expectedError: "keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
- name: Should fail to create AWS KMS with empty region
initial: |
apiVersion: config.openshift.io/v1
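Review bot: In the new "invalid partition" case, the expected message only shows `arn:<partition>:kms:...` and never says which partitions are accepted, so a user rejected for `aws-invalid` is told about the account ID and hexadecimal characters but not what was actually wrong. Consider listing the allowed values in the message (aws, aws-cn, aws-us-gov, aws-eusc), as the doc comment on `keyARN` already does.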
65 changes: 64 additions & 1 deletion config/v1/tests/dnses.config.openshift.io/AAA_ungated.yaml
Expand Up @@ -29,6 +29,57 @@ tests:
type: AWS
aws:
privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
- name: Should be able to specify an AWS role ARN with aws-cn partition
initial: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-cn:iam::123456789012:role/foo
expected: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-cn:iam::123456789012:role/foo
- name: Should be able to specify an AWS role ARN with aws-us-gov partition
initial: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-us-gov:iam::123456789012:role/foo
expected: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-us-gov:iam::123456789012:role/foo
- name: Should be able to specify an AWS role ARN with aws-eusc partition
initial: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/foo
expected: |
apiVersion: config.openshift.io/v1
kind: DNS
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-eusc:iam::123456789012:role/foo
- name: Should not be able to specify unsupported platform
initial: |
apiVersion: config.openshift.io/v1
Expand All @@ -50,7 +101,19 @@ tests:
type: AWS
aws:
privateZoneIAMRole: arn:aws:iam:bad:123456789012:role/foo
expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\\/.*$'"
expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\\/.*$'"
- name: Should not be able to specify invalid AWS partition
initial: |
apiVersion: config.openshift.io/v1
kind: DNS
metadata:
name: cluster
spec:
platform:
type: AWS
aws:
privateZoneIAMRole: arn:aws-invalid:iam::123456789012:role/foo
expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws-invalid:iam::123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\\/.*$'"
- name: Should not be able to specify different type and platform
initial: |
apiVersion: config.openshift.io/v1
2 changes: 1 addition & 1 deletion config/v1/types_dns.go
Expand Up @@ -134,7 +134,7 @@ type AWSDNSSpec struct {
// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
// operations on the cluster's private hosted zone specified in the cluster DNS config.
// When left empty, no role should be assumed.
// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$`

Action required

1. privatezoneiamrole pattern undocumented 📘 Rule violation ✓ Correctness

The PrivateZoneIAMRole field comment does not document the updated kubebuilder Pattern constraint
(including the newly-allowed aws-eusc partition). This violates the requirement that validation
markers and their constraints be described in field comments.
Agent Prompt
## Issue description
`PrivateZoneIAMRole` has a kubebuilder `Pattern` validation that was modified to include `aws-eusc`, but the field comment does not document the constraint as required.

## Issue Context
Compliance requires that all kubebuilder validation markers and their constraints be documented in the corresponding field comments.

## Fix Focus Areas
- config/v1/types_dns.go[134-140]


// +optional
PrivateZoneIAMRole string `json:"privateZoneIAMRole"`
}
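Review bot: On `PrivateZoneIAMRole`, the comment says "When left empty, no role should be assumed", but the Pattern has no branch for the empty string and the tag is `json:"privateZoneIAMRole"` without `omitempty`, so a client that serializes the Go zero value sends `""` and fails this Pattern. That predates this change, but since the marker is being edited it is worth confirming how "empty" is meant to be expressed, and either adding `omitempty` or stating in the comment that the field must be omitted rather than set to an empty string. The trailing `.*` after `role/` also accepts any characters in the role name, which is looser than the partition and account checks in front of it.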
5 changes: 3 additions & 2 deletions config/v1/types_kmsencryption.go
Expand Up @@ -24,14 +24,15 @@ type KMSConfig struct {
// AWSKMSConfig defines the KMS config specific to AWS KMS provider
type AWSKMSConfig struct {
// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
// The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
// - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
//
// +kubebuilder:validation:MaxLength=128
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."

Action required

2. keyarn message mismatches regex 📘 Rule violation ⛯ Reliability

The keyARN validation error message claims the region must be lowercase hexadecimal, but the
validation regex allows broader values; this is misleading and reduces actionable context. Users
will receive incorrect guidance when validation fails.
Agent Prompt
## Issue description
The `keyARN` validation message is misleading: it says the region must be lowercase hexadecimal characters, but the validation rule allows broader region formats.

## Issue Context
This message is user-facing (as seen in config schema validation tests) and must provide accurate, actionable guidance.

## Fix Focus Areas
- config/v1/types_kmsencryption.go[26-36]
- config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml[173-189]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml[177-193]
- config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml[177-193]
- config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml[177-193]
- payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml[177-193]
- payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml[177-193]


Comment on lines +27 to +35

Action required

3. Partition support incomplete 🐞 Bug ✓ Correctness

This PR adds aws-eusc support for APIServer KMS keyARN and DNS role ARNs, but AWS CSI driver
kmsKeyARN validation still rejects aws-eusc, creating inconsistent behavior for EUSC clusters. Users
may successfully configure control-plane encryption but be blocked from configuring storage-class
KMS encryption via the CSI driver config CRD validation.
Agent Prompt
### Issue description
aws-eusc is now allowed for APIServer KMS `keyARN`, but AWS CSI driver `kmsKeyARN` still rejects aws-eusc because its partition allowlist omits it. This creates inconsistent AWS partition support across APIs on EUSC clusters.

### Issue Context
EUSC ARNs start with `arn:aws-eusc:`. After this PR, APIServer KMS config will accept that partition, but `clustercsidrivers.operator.openshift.io` schema validation will still reject it for `spec.driverConfig.aws.kmsKeyARN`.

### Fix Focus Areas
- operator/v1/types_csi_cluster_driver.go[161-168]
- operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml[120-130]
- payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml[120-130]
- operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml[100-112]

### Notes
After updating the kubebuilder Pattern, re-run generators so all generated CRDs/manifests stay in sync.


// +required
Comment on lines 26 to 36
⚠️ Potential issue | 🟡 Minor

Fix the keyARN validation message: region isn’t “hexadecimal.”
The regex allows lowercase letters/digits/hyphens for region, so the message should reflect that (and keep hex for key ID).

🛠️ Suggested message tweak
-// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
+// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number; the region must contain lowercase letters, digits, and hyphens (-); and the key ID must contain lowercase hexadecimal characters and hyphens (-)."
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
// The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
// - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
//
// +kubebuilder:validation:MaxLength=128
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)."
// +required
// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
// The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
// - `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
//
// +kubebuilder:validation:MaxLength=128
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:XValidation:rule="self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`. The account ID must be a 12 digit number; the region must contain lowercase letters, digits, and hyphens (-); and the key ID must contain lowercase hexadecimal characters and hyphens (-)."
// +required
🤖 Prompt for AI Agents
In `@config/v1/types_kmsencryption.go` around lines 26 - 36, Update the
XValidation message for keyARN to accurately describe allowed characters:
reference the keyARN field and its +kubebuilder:validation:XValidation rule and
change the message text to state that the region may contain lowercase letters,
digits and hyphens and that the key ID must be lowercase hexadecimal characters
and hyphens; ensure the new message keeps the format example
`arn:<partition>:kms:<region>:<account_id>:key/<key_id>` and mentions the
account ID must be 12 digits and the region is lowercase letters/digits/hyphens
while the key ID is lowercase hex and hyphens.

KeyARN string `json:"keyARN"`
// region specifies the AWS region where the KMS instance exists, and follows the format
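Review bot: The doc comment on `keyARN` describes `<region>` as "lowercase letters and hyphens followed by a number", while the rule's region class `[a-z0-9-]+` accepts any mix of those characters, including a segment made only of hyphens or only of digits. Either tighten the class to the shape the comment describes or relax the comment so the two agree. The partition list now also appears in three places (this comment, this rule, and the DNS Pattern in types_dns.go), so a short note on where to update it when a partition is added would help avoid drift.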
Expand Up @@ -177,19 +177,20 @@ spec:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
- `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
- message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
Expand Up @@ -177,19 +177,20 @@ spec:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
- `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
- message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
Expand Up @@ -71,7 +71,7 @@ spec:
privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
operations on the cluster's private hosted zone specified in the cluster DNS config.
When left empty, no role should be assumed.
pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
type: string
type: object
type:
Expand Up @@ -177,19 +177,20 @@ spec:
keyARN:
description: |-
keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
The value must adhere to the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`, where:
- `<partition>` is the AWS partition (aws, aws-cn, aws-us-gov, or aws-eusc).
- `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
- `<account_id>` is a 12-digit numeric identifier for the AWS account.
- `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
maxLength: 128
minLength: 1
type: string
x-kubernetes-validations:
- message: keyARN must follow the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`.
- message: keyARN must follow the format `arn:<partition>:kms:<region>:<account_id>:key/<key_id>`.
The account ID must be a 12 digit number and the region
and key ID should consist only of lowercase hexadecimal
characters and hyphens (-).
rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
rule: self.matches('^arn:(aws|aws-cn|aws-us-gov|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')
region:
description: |-
region specifies the AWS region where the KMS instance exists, and follows the format
Expand Up @@ -72,7 +72,7 @@ spec:
privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
operations on the cluster's private hosted zone specified in the cluster DNS config.
When left empty, no role should be assumed.
pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
type: string
type: object
type:
2 changes: 1 addition & 1 deletion config/v1/zz_generated.swagger_doc_generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -128,7 +128,7 @@ spec:
privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
operations on the cluster's private hosted zone specified in the cluster DNS config.
When left empty, no role should be assumed.
pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
type: string
type: object
type:
Expand Up @@ -128,7 +128,7 @@ spec:
privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
operations on the cluster's private hosted zone specified in the cluster DNS config.
When left empty, no role should be assumed.
pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role\/.*$
type: string
type: object
type: