Vault ci

[gangwgr]

Summary

This PR adds support for parameterized Vault deployments in OpenShift CI and introduces new TLS testing configuration.

Vault Deployment Flexibility

The primary changes make the Vault installation and configuration steps in the etcd-encryption CI suite more flexible by introducing a VAULT_RELEASE_NAME parameter. Previously, Vault was hardcoded to use the release name vault, which prevented running multiple Vault instances simultaneously. Changes include:

• vault-install step: Now accepts VAULT_RELEASE_NAME (default: "vault") to control the Helm release name, allowing deployment of multiple Vault instances with different names (e.g., vault-1, vault-2)
• vault-configure step: Updated to use the configurable release name when accessing Vault pods and services, replacing hardcoded vault-0 references with ${VAULT_RELEASE_NAME}-0

TLS Testing Configuration

Added new CI test jobs for TLS testing in OpenShift origin:

• e2e-aws-tls-observed-config: New optional test job in both openshift-origin-main and openshift-origin-release-4.22 configurations that runs TLS observed configuration testing on the openshift-org-aws cluster profile with resource watching enabled

TLS Scanner Configuration Updates

Updated the tls-scanner CI configurations to restructure periodic test definitions:

• Removed reporter_config blocks from tls-scanner configurations
• Reorganized periodic test jobs to explicitly specify cluster profiles, environment variables, and test steps for TLS scanning and TLS 1.3 conformance testing

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

The PR adds a new TLS observer e2e test to OpenShift origin CI configurations, restructures periodic TLS scanner job definitions, and parametrizes Vault deployment names across etcd-encryption step registry commands and references by introducing a configurable VAULT_RELEASE_NAME variable.

Changes

TLS Observed Configuration E2E Tests

Layer / File(s)	Summary
New TLS observed-config e2e test job ci-operator/config/openshift/origin/openshift-origin-main.yaml, ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml	Adds optional e2e-aws-tls-observed-config job to tests list with cluster profile openshift-org-aws, TEST_SUITE openshift/tls-observed-config, observers-resource-watch enabled, and openshift-e2e-aws-serial workflow.

TLS Scanner Periodic Job Restructuring

Layer / File(s)	Summary
Periodic TLS scanning workflow updates ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml, ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml	Removes reporter_config blocks from periodic test definitions and restructures periodic jobs to include steps with cluster profile openshift-org-aws, env configuration (PQC_CHECK, TLS 1.3 adherence variables), and tls-scanner-run test references. Updates periodic job intervals to 72h.

Vault Helm Release Name Parametrization

Layer / File(s)	Summary
Vault install step parametrization ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh, ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml	Introduces VAULT_RELEASE_NAME environment variable (default "vault") and updates Helm installation to use --install "${VAULT_RELEASE_NAME}" instead of hardcoded vault. Pod readiness checks and summary output reference the release name dynamically.
Vault configure step parametrization ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh, ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml	Adds VAULT_RELEASE_NAME input variable (default "vault") and replaces all hardcoded vault-0 pod references with ${VAULT_RELEASE_NAME}-0 for vault exec commands (transit engine, KMS policy, AppRole auth). Updates service endpoint output to use parameterized release name.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Vault ci' is vague and generic; it does not clearly convey what specific changes were made to the codebase.	Use a more descriptive title that specifies the main change, such as 'Parametrize Vault release name in CI configuration' or 'Add TLS configuration tests and vault release name parametrization'.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR does not modify Ginkgo test files. All CI/CD test names added are static and deterministic with no dynamic content.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test files. The custom check applies only to Go test code with It/Describe blocks. PR modifies CI configs (YAML) and helper scripts (Bash).
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes are limited to CI configuration files, step registry commands, and manifests—not test code. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains no new Ginkgo test code. Only CI configuration and vault setup scripts are modified. SNO check applies only to new test code.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only CI test infrastructure (test configs, step definitions). No deployment manifests, operator code, or controllers introduced. Topology-aware scheduling check not applicable.
Ote Binary Stdout Contract	✅ Passed	The custom check applies to OTE binary Go source code. This PR only modifies YAML CI configs, Bash scripts, and step registry definitions—no Go source code is changed. The check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added or modified in this PR. Changes consist only of CI configuration YAML and Bash helper scripts. The check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign bertinatto, rhmdnd for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/origin/OWNERS
• ci-operator/config/openshift/tls-scanner/OWNERS
• ci-operator/jobs/openshift/origin/OWNERS
• ci-operator/step-registry/etcd-encryption/vault-configure/OWNERS [gangwgr]
• ci-operator/step-registry/etcd-encryption/vault-install/OWNERS [gangwgr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@gangwgr: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-origin-main-e2e-agnostic-ovn-cmd	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-aws-tls-observed-config	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-azure	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-azure-ovn-etcd-scaling	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-azure-ovn-upgrade	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-hypershift-conformance	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-metal-ovn-single-node-live-iso	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-metal-ovn-single-node-with-worker-live-iso	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-e2e-openstack-dualstack-v6primary	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-go-verify-deps	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-images	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-lint	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-okd-scos-images	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-unit	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-verify	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-verify-deps	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-verify-image-manifest-lists	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-agnostic-ovn-cmd	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-aws-tls-observed-config	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-azure	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-azure-ovn-etcd-scaling	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-azure-ovn-upgrade	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-hypershift-conformance	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-metal-ovn-single-node-live-iso	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-release-4.22-e2e-metal-ovn-single-node-with-worker-live-iso	openshift/origin	presubmit	Presubmit changed

A total of 46 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`:
- Line 23: Quote the pod reference variable in each oc exec invocation to
prevent word splitting/globbing; replace unquoted ${VAULT_RELEASE_NAME}-0 with a
quoted form like "${VAULT_RELEASE_NAME}-0" in every oc exec occurrence (the
lines currently using oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" --
\ and the six other similar invocations at lines noted in the review) so all
seven oc exec commands consistently use the quoted pod name.
- Line 88: The script currently prints the sensitive AppRole credential ROLE_ID
via the echo line (echo "  - ROLE_ID: ${ROLE_ID}"); remove that echo (or replace
it with a non-sensitive message such as "  - ROLE_ID: redacted" or "  - ROLE_ID:
(set)") so the ROLE_ID value is not written to CI logs; locate the echo that
references the ROLE_ID variable in the
etcd-encryption-vault-configure-commands.sh and delete or redact that single log
line to prevent leaking authentication credentials.

In
`@ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh`:
- Line 75: The oc wait command uses an unquoted variable substitution
pod/${VAULT_RELEASE_NAME}-0 which can be subject to word splitting or globbing;
update the command that builds the pod name (the oc wait invocation referencing
VAULT_RELEASE_NAME and VAULT_NAMESPACE) to quote the pod argument (e.g.
"pod/${VAULT_RELEASE_NAME}-0") so the entire pod name is treated as a single
token while keeping the existing -n "${VAULT_NAMESPACE}" and --timeout options
unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6d97d5a9-ca4a-41a2-954c-6e3d8ea31678

📥 Commits

Reviewing files that changed from the base of the PR and between f0aa19b and 85b1bb1.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift/origin/openshift-origin-release-4.22-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (8)

• ci-operator/config/openshift/origin/openshift-origin-main.yaml
• ci-operator/config/openshift/origin/openshift-origin-release-4.22.yaml
• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml

💤 Files with no reviewable changes (2)

• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote variables to prevent word splitting.

Multiple oc exec commands use unquoted ${VAULT_RELEASE_NAME}-0 pod references. While Helm release names typically don't contain spaces, defensive coding practices require quoting variables to prevent potential word splitting or globbing issues.

🛡️ Proposed fix

-oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" -- \
+oc exec "${VAULT_RELEASE_NAME}-0" -n "${VAULT_NAMESPACE}" -- \
   env VAULT_TOKEN="${ROOT_TOKEN}" vault secrets enable -path=transit transit

Apply the same quoting pattern to all seven oc exec invocations at lines 23, 28, 33, 38, 56, 64, and 66.

Also applies to: 28-28, 33-33, 38-38, 56-56, 64-64, 66-66

🧰 Tools

🪛 Shellcheck (0.11.0)

[info] 23-23: Double quote to prevent globbing and word splitting.

(SC2086)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`
at line 23, Quote the pod reference variable in each oc exec invocation to
prevent word splitting/globbing; replace unquoted ${VAULT_RELEASE_NAME}-0 with a
quoted form like "${VAULT_RELEASE_NAME}-0" in every oc exec occurrence (the
lines currently using oc exec ${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" --
\ and the six other similar invocations at lines noted in the review) so all
seven oc exec commands consistently use the quoted pod name.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove ROLE_ID from log output.

The AppRole ROLE_ID is part of the authentication credentials and should not be logged to CI outputs. While it cannot authenticate alone (requires the SECRET_ID), exposing authentication components in logs increases the attack surface. As per coding guidelines, step registry command scripts must protect sensitive information from leaking into CI logs.

🔒 Proposed fix

 echo "Summary:"
 echo "  - Vault Service: ${VAULT_RELEASE_NAME}.${VAULT_NAMESPACE}.svc:8200"
 echo "  - Credentials Secret: vault-credentials (namespace: ${VAULT_NAMESPACE})"
 echo "  - Transit Key: ${VAULT_KMS_KEY_NAME}"
-echo "  - ROLE_ID: ${ROLE_ID}"
 echo ""

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo " - ROLE_ID: ${ROLE_ID}"
	echo "Summary:"
	echo " - Vault Service: ${VAULT_RELEASE_NAME}.${VAULT_NAMESPACE}.svc:8200"
	echo " - Credentials Secret: vault-credentials (namespace: ${VAULT_NAMESPACE})"
	echo " - Transit Key: ${VAULT_KMS_KEY_NAME}"
	echo ""

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`
at line 88, The script currently prints the sensitive AppRole credential ROLE_ID
via the echo line (echo "  - ROLE_ID: ${ROLE_ID}"); remove that echo (or replace
it with a non-sensitive message such as "  - ROLE_ID: redacted" or "  - ROLE_ID:
(set)") so the ROLE_ID value is not written to CI logs; locate the echo that
references the ROLE_ID variable in the
etcd-encryption-vault-configure-commands.sh and delete or redact that single log
line to prevent leaking authentication credentials.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote variable to prevent word splitting.

While Helm release names typically don't contain spaces, defensive coding practices require quoting variables in command arguments to prevent potential word splitting or globbing issues.

🛡️ Proposed fix

-oc wait --for=condition=ready pod/${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" --timeout=5m
+oc wait --for=condition=ready "pod/${VAULT_RELEASE_NAME}-0" -n "${VAULT_NAMESPACE}" --timeout=5m

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	oc wait --for=condition=ready pod/${VAULT_RELEASE_NAME}-0 -n "${VAULT_NAMESPACE}" --timeout=5m
	oc wait --for=condition=ready "pod/${VAULT_RELEASE_NAME}-0" -n "${VAULT_NAMESPACE}" --timeout=5m

🧰 Tools

🪛 Shellcheck (0.11.0)

[info] 75-75: Double quote to prevent globbing and word splitting.

(SC2086)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh`
at line 75, The oc wait command uses an unquoted variable substitution
pod/${VAULT_RELEASE_NAME}-0 which can be subject to word splitting or globbing;
update the command that builds the pod name (the oc wait invocation referencing
VAULT_RELEASE_NAME and VAULT_NAMESPACE) to quote the pod argument (e.g.
"pod/${VAULT_RELEASE_NAME}-0") so the entire pod name is treated as a single
token while keeping the existing -n "${VAULT_NAMESPACE}" and --timeout options
unchanged.