CORS-4405: Add GCPKMSEncryptionInstall feature gate #2808

Open
barbacbd wants to merge 1 commit into openshift:master from barbacbd:CORS-4405
@barbacbd
Contributor

Introduces a new feature gate to enable GCP KMS encryption during cluster installation.
The gate is enabled in TechPreviewNoUpgrade and DevPreviewNoUpgrade feature sets for both Hypershift and SelfManagedHA cluster profiles.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 16, 2026
@openshift-ci-robot

openshift-ci-robot commented Apr 16, 2026

@barbacbd: This pull request references CORS-4405 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


@openshift-ci
Contributor

openshift-ci bot commented Apr 16, 2026

Hello @barbacbd! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@coderabbitai

coderabbitai bot commented Apr 16, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 3c6b218 and 4a3e977.

📒 Files selected for processing (10)
  • features.md
  • features/features.go
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

📝 Walkthrough

This change introduces a new feature gate named GCPKMSEncryptionInstall across the feature gate system. The feature gate is defined in code with Installer component context and configured to be enabled for TechPreviewNoUpgrade and DevPreviewNoUpgrade phases. Documentation for the gate is added to the features table. The feature gate is then registered in deployment manifests for both Hypershift and SelfManagedHA cluster topologies, configured as disabled in default and OKD variants while enabled in preview-level scenarios.

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding a new feature gate named GCPKMSEncryptionInstall, which directly corresponds to the changeset's core objective. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining that a new feature gate is introduced to enable GCP KMS encryption during cluster installation, which matches the implemented changes across all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | This PR contains no Ginkgo test files or test code modifications, only documentation, feature gate declarations, and YAML configurations. |
| Test Structure And Quality | ✅ Passed | The pull request contains only configuration and documentation changes with no Ginkgo test file modifications, making the test quality check not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR adds only feature gate definitions and YAML manifests; no new Ginkgo e2e tests are present. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any new Ginkgo e2e tests. The changes are exclusively feature gate definitions and configuration updates: a new feature gate named GCPKMSEncryptionInstall is added to features/features.go, documentation is updated in features.md, and multiple feature gate manifest YAML files are modified to enable or disable the feature gate for different deployment profiles. Since no e2e tests are introduced in this PR, there are no test-specific SNO compatibility concerns to address. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR introduces only feature gate declarations with no deployment manifests, pod specifications, or scheduling constraints affecting topology compatibility. |
| Ote Binary Stdout Contract | ✅ Passed | PR adds feature gate initialization using builder pattern with silent field assignments, no stdout writes. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This pull request does not introduce any new Ginkgo e2e tests, containing only feature gate definitions, YAML manifest updates, and documentation changes. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


@openshift-ci openshift-ci bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 16, 2026
@openshift-ci
Contributor

openshift-ci bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread features/features.go
contactPerson("barbacbd").
productScope(ocpSpecific).
enhancementPR("https://github.com/openshift/enhancements/pull/1975").
enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
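
Review bot: the last line, enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()), turns the gate on in both preview feature sets in a single step, so the TechPreviewNoUpgrade half of this change depends on the state of the enhancement referenced by enhancementPR(...) on the line above. If that enhancement has not been merged yet, enable(inDevPreviewNoUpgrade()) alone would let the gate land now, with inTechPreviewNoUpgrade() added in a follow-up change.
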
Contributor

Just a note that as of more recently, the guidance is that feature gates can only merge as enabled in TechPreviewNoUpgrade once the linked enhancement has been merged with consensus that it is techpreview implementable.

Merging the feature gate as enabled in DevPreviewNoUpgrade has no requirements regarding EP merged status.

@openshift-ci
Contributor

openshift-ci bot commented Apr 16, 2026

@barbacbd: all tests passed!
