From d86e72202c4b039e1dceccbfbae559fb1c54471d Mon Sep 17 00:00:00 2001
From: Rita Zhang <rita.z.zhang@gmail.com>
Date: Tue, 1 Aug 2023 10:17:01 -0700
Subject: [PATCH] kmsv2 test feature enablement unit test

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
---
 .../options/encryptionconfig/config_test.go   | 149 ++++++++++++++++++
 .../kmsv2_transformation_test.go              |   8 -
 2 files changed, 149 insertions(+), 8 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
index 16db1538f4d..6380269782e 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
@@ -351,6 +351,155 @@ func TestKMSv1Deprecation(t *testing.T) {
 	}
 }
 
+func TestKMSvsEnablement(t *testing.T) {
+	testCases := []struct {
+		name         string
+		kmsv2Enabled bool
+		filePath     string
+		expectedErr  string
+	}{
+		{
+			name:         "config with kmsv2 and kmsv1, KMSv2=false",
+			kmsv2Enabled: false,
+			filePath:     "testdata/valid-configs/kms/multiple-providers-kmsv2.yaml",
+			expectedErr:  "KMSv2 feature is not enabled",
+		},
+		{
+			name:         "config with kmsv2 and kmsv1, KMSv2=true",
+			kmsv2Enabled: true,
+			filePath:     "testdata/valid-configs/kms/multiple-providers-kmsv2.yaml",
+			expectedErr:  "",
+		},
+		{
+			name:         "config with kmsv1, KMSv2=false",
+			kmsv2Enabled: false,
+			filePath:     "testdata/valid-configs/kms/multiple-providers.yaml",
+			expectedErr:  "",
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			// Just testing KMSv2 feature flag
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
+
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, testCase.kmsv2Enabled)()
+			_, err := LoadEncryptionConfig(testContext(t), testCase.filePath, false)
+
+			if !strings.Contains(errString(err), testCase.expectedErr) {
+				t.Fatalf("expected error %q, got %q", testCase.expectedErr, errString(err))
+			}
+
+		})
+	}
+	tts := []struct {
+		name            string
+		kmsv2Enabled    bool
+		expectedErr     string
+		expectedTimeout time.Duration
+		config          apiserverconfig.EncryptionConfiguration
+		wantV2Used      bool
+	}{
+		{
+			name:         "with kmsv1 and kmsv2, KMSv2=false",
+			kmsv2Enabled: false,
+			config: apiserverconfig.EncryptionConfiguration{
+				Resources: []apiserverconfig.ResourceConfiguration{
+					{
+						Resources: []string{"secrets"},
+						Providers: []apiserverconfig.ProviderConfiguration{
+							{
+								KMS: &apiserverconfig.KMSConfiguration{
+									Name:       "kms",
+									APIVersion: "v1",
+									Timeout: &metav1.Duration{
+										Duration: 1 * time.Second,
+									},
+									Endpoint:  "unix:///tmp/testprovider.sock",
+									CacheSize: pointer.Int32(1000),
+								},
+							},
+							{
+								KMS: &apiserverconfig.KMSConfiguration{
+									Name:       "another-kms",
+									APIVersion: "v2",
+									Timeout: &metav1.Duration{
+										Duration: 1 * time.Second,
+									},
+									Endpoint:  "unix:///tmp/anothertestprovider.sock",
+									CacheSize: pointer.Int32(1000),
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedErr: "KMSv2 feature is not enabled",
+			wantV2Used:  false,
+		},
+		{
+			name:         "with kmsv1 and kmsv2, KMSv2=true",
+			kmsv2Enabled: true,
+			config: apiserverconfig.EncryptionConfiguration{
+				Resources: []apiserverconfig.ResourceConfiguration{
+					{
+						Resources: []string{"secrets"},
+						Providers: []apiserverconfig.ProviderConfiguration{
+							{
+								KMS: &apiserverconfig.KMSConfiguration{
+									Name:       "kms",
+									APIVersion: "v1",
+									Timeout: &metav1.Duration{
+										Duration: 1 * time.Second,
+									},
+									Endpoint:  "unix:///tmp/testprovider.sock",
+									CacheSize: pointer.Int32(1000),
+								},
+							},
+							{
+								KMS: &apiserverconfig.KMSConfiguration{
+									Name:       "another-kms",
+									APIVersion: "v2",
+									Timeout: &metav1.Duration{
+										Duration: 1 * time.Second,
+									},
+									Endpoint:  "unix:///tmp/anothertestprovider.sock",
+									CacheSize: pointer.Int32(1000),
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedErr: "",
+			wantV2Used:  true,
+		},
+	}
+
+	for _, tt := range tts {
+		t.Run(tt.name, func(t *testing.T) {
+			// Just testing KMSv2 feature flag
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
+
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, tt.kmsv2Enabled)()
+
+			ctx, cancel := context.WithCancel(context.Background())
+			cancel() // cancel this upfront so the kms v2 checks do not block
+
+			_, _, kmsUsed, err := getTransformerOverridesAndKMSPluginHealthzCheckers(ctx, &tt.config)
+			if err == nil {
+				if kmsUsed == nil || kmsUsed.v2Used != tt.wantV2Used {
+					t.Fatalf("unexpected kmsUsed value, expected: %v, got: %v", tt.wantV2Used, kmsUsed)
+				}
+
+			}
+			if !strings.Contains(errString(err), tt.expectedErr) {
+				t.Fatalf("expecting error calling prefixTransformersAndProbes, expected: %s, got: %s", tt.expectedErr, errString(err))
+			}
+		})
+	}
+}
+
 func TestKMSMaxTimeout(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, true)()
 
diff --git a/test/integration/controlplane/transformation/kmsv2_transformation_test.go b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
index c41db9726d0..ebdb295e5be 100644
--- a/test/integration/controlplane/transformation/kmsv2_transformation_test.go
+++ b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
@@ -870,14 +870,6 @@ resources:
        name: kms-provider
        endpoint: unix:///@kms-provider.sock
 `
-	// TOODO: This test requires changes in the apiserver lifecycle code to correctly clean up goroutines after a server failure.
-	// When feature flag is not enabled, loading a encryptionConfig with KMSv2 should fail
-	// defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, false)()
-	// _, err := newTransformTest(t, encryptionConfig, true, "", nil)
-	// if err == nil || !strings.Contains(err.Error(), "KMSv2 feature is not enabled") {
-	// 	t.Fatalf("when feature flag is not enabled, loading a encryptionConfig with KMSv2 should have failed with: KMSv2 feature is not enabled, encryptionConfig:\n%s\n actual error: %v", encryptionConfig, err)
-	// }
-
 	providerName := "kms-provider"
 	pluginMock := kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
 	storageConfig := framework.SharedEtcd()