NO-JIRA: Run 2 Vault instances in different namespaces

[ardaguclu]

Summary by CodeRabbit

This PR updates OpenShift CI's etcd-encryption ci-operator step-registry to install and configure two independent Vault Enterprise instances (primary and secondary) in separate namespaces so CI can expose two distinct KMS endpoints for etcd encryption testing.

What changed in practical terms

• Where: ci-operator step-registry for etcd-encryption (install, configure, and chain docs).
• Behavior: Vault install/configure logic was refactored into parameterized helper functions and run twice — once for the primary Vault and once for a secondary Vault — producing separate CA ConfigMaps and per-instance credentials.

Key implementation highlights

• vault-install commands script
  • Added install_helm() and a parameterized install_vault(ns, ca_configmap, release_name).
  • Installs Vault Enterprise into two namespaces, waits for each release's pod, extracts each in-pod CA, and creates/updates two CA ConfigMaps (e.g., vault-ca-bundle and vault-ca-bundle-2) in openshift-config.
  • Moves KUBECONFIG initialization earlier and introduces VAULT_LICENSE_SECRET_NAME handling.
• vault-configure commands script
  • Introduced configure_vault(ns, key_name, pod_name) to parameterize transit key, policy, AppRole, and secret creation per namespace/pod.
  • Enables transit engine, writes a namespaced transit key, creates a kms-policy scoped to that key, enables AppRole, retrieves role_id/secret_id, and creates a vault-credentials secret in the target namespace.
  • Invoked twice (primary and secondary), with per-instance completion output.
• Step refs and chain docs
  • Added VAULT_SECONDARY_NAMESPACE (default: vault-kms-2) and VAULT_SECONDARY_KMS_KEY_NAME (default: kms-key-2) to step ref YAMLs and documented that the secondary key must differ from the primary.
  • Updated vault-install ref outputs to include the secondary Vault service endpoint and CA ConfigMap.
  • Revised etcd-encryption-vault-setup chain text and outputs to list separate primary and secondary instance artifacts (service/pod, CA ConfigMap, vault-credentials secret).

Practical impact

• CI can now deploy two isolated Vault Enterprise KMS endpoints for etcd encryption testing, each with its own namespace, CA bundle, transit key, and AppRole credentials — enabling isolated KEKs, redundancy, and multi-instance test scenarios.

Files of note

• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

This PR refactors Vault install/configure scripts into parameterized functions and adds support for a secondary Vault Enterprise instance: two installs with separate CA ConfigMaps and two configure runs that create per-namespace transit keys and vault-credentials secrets. Documentation and step refs updated accordingly.

Changes

Vault Dual Namespace Support

Layer / File(s)	Summary
Vault Installation Functions and Dual-Namespace Setup ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh	KUBECONFIG initialization, install_helm() function encapsulation, and parameterized install_vault(ns, ca_configmap, release_name) enable installation of Vault into both primary and secondary namespaces with distinct CA ConfigMaps. Orchestration calls the function twice with different namespace and ConfigMap name parameters.
Install Step Configuration and Outputs ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml	YAML step definition adds VAULT_SECONDARY_NAMESPACE environment variable and extends Outputs to declare both Vault service endpoints and CA ConfigMap names (vault-ca-bundle and vault-ca-bundle-2).
Vault Configuration Function and Dual-Namespace Invocation ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh	Vault KMS configuration is parameterized into configure_vault(ns, key_name, pod_name) function that handles enterprise namespace creation, transit engine/key creation, AppRole auth and kms-policy, role/secret retrieval, and creation of vault-credentials secrets. Script invokes the function for both primary and secondary namespaces using explicit pod names.
Configure Step Configuration and Outputs ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml	YAML step definition adds VAULT_SECONDARY_NAMESPACE and VAULT_SECONDARY_KMS_KEY_NAME environment variables and documents that the secondary key name must differ from the primary key name.
Chain Documentation for Dual Vault Instances ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml	Chain documentation is updated to describe two-instance installation and configuration: creating two CA bundle ConfigMaps and storing per-namespace vault-credentials secrets; outputs organized into primary and secondary instance groups.

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 103 of vault-configure-commands.sh logs ROLE_ID (AppRole credential) to CI logs: "echo ' - ROLE_ID: ${ROLE_ID}'". AppRole credentials are sensitive auth material and must not be exposed.	Remove the ROLE_ID echo statement or redact it with '[REDACTED]'. AppRole credentials should never be logged per security guidelines.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility	⚠️ Warning	The PR deploys Vault using the Helm chart with default pod anti-affinity rules (requiredDuringSchedulingIgnoredDuringExecution on kubernetes.io/hostname) without overrides. These rules assume 3+ no...	Override default affinity with --set server.affinity=null or prefer anti-affinity, verify on topology-aware CI jobs (SNO, two-node, HyperShift), or check ControlPlaneTopology before installation.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective: running 2 Vault instances in different namespaces, which aligns with all file changes including dual namespace support and parameterized install/configure functions.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo tests. Changes are limited to bash scripts and YAML configuration files for CI step registry; the custom check for stable Ginkgo test names does not apply.
Test Structure And Quality	✅ Passed	This PR contains only bash scripts and YAML configuration files (step registry definitions and CI chain configurations). The custom check for "Test Structure and Quality" specifically requires revi...
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests; only bash scripts and YAML configs. MicroShift Test Compatibility check applies only to new tests, so it is not applicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. All changes are CI infrastructure scripts (.sh) and YAML configs for Vault setup automation, not test definitions.
Ote Binary Stdout Contract	✅ Passed	This PR modifies bash scripts and YAML config files in ci-operator/step-registry, not OTE binaries. The OTE Binary Stdout Contract check applies only to Go binaries, which are not present in this PR.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests; it only modifies CI step-registry bash scripts and YAML configuration files for Vault setup. Custom check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the modified files.
Container-Privileges	✅ Passed	No privileged container settings (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) found in PR. Only security configuration present is restricted SCC applied to...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh (2)

50-52: 💤 Low value

Same idempotency consideration applies to secret creation.

For consistency with the ConfigMap pattern, this could also use the apply approach:

- oc create secret generic "${VAULT_LICENSE_SECRET_NAME}" \
-   --from-file=license=/var/run/vault/tests-private-account/kms-vault-license \
-   -n "${ns}"
+ oc create secret generic "${VAULT_LICENSE_SECRET_NAME}" \
+   --from-file=license=/var/run/vault/tests-private-account/kms-vault-license \
+   -n "${ns}" \
+   --dry-run=client -o yaml | oc apply -f -

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh`
around lines 50 - 52, The secret creation for VAULT_LICENSE_SECRET_NAME is not
idempotent; change the oc create call to an apply-style pattern so repeated runs
update or create the secret safely (e.g. generate the secret YAML with oc create
secret generic "${VAULT_LICENSE_SECRET_NAME}"
--from-file=license=/var/run/vault/tests-private-account/kms-vault-license
--dry-run=client -o yaml | oc apply -n "${ns}" -f -) so the operation is
consistent with the ConfigMap pattern and uses the same
VAULT_LICENSE_SECRET_NAME and ns variables.

---

44-44: ⚡ Quick win

Namespace creation is not idempotent—consider apply pattern for retry resilience.

If a previous run failed after creating the namespace but before completion, a retry will fail here. Using the apply pattern would make this step idempotent:

- oc create namespace "${ns}"
+ oc create namespace "${ns}" --dry-run=client -o yaml | oc apply -f -

This aligns with the pattern already used for ConfigMap creation on lines 88-91.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh`
at line 44, The direct call oc create namespace "${ns}" is not idempotent;
replace it with the apply pattern used for the ConfigMap (so retries are safe).
Locate the oc create namespace "${ns}" invocation and change it to apply a
Namespace manifest (e.g., construct a small YAML with apiVersion: v1, kind:
Namespace, metadata.name: "${ns}" and pipe it to oc apply -f -) so the step
becomes idempotent and tolerant of previous partial runs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`:
- Line 87: Remove the sensitive echo that prints the AppRole credential by
eliminating or redacting the line that prints ROLE_ID (the echo "  - ROLE_ID:
${role_id}") in the etcd-encryption-vault-configure-commands.sh script; instead
log a non-sensitive confirmation such as "  - ROLE_ID: [REDACTED]" or omit the
ROLE_ID output entirely so the role_id variable is never written to CI logs
while preserving other non-sensitive log output.
- Line 33: Quote the transit key path when calling vault write and stop leaking
secrets: change the vault write invocation to pass a quoted path like
"transit/keys/${VAULT_KMS_KEY_NAME}" (i.e. env VAULT_TOKEN="${ROOT_TOKEN}" vault
write -namespace="${VAULT_ENTERPRISE_NS}" -f
"transit/keys/${VAULT_KMS_KEY_NAME}"), and ensure any AppRole identifiers/tokens
(ROLE_ID, secret_id, ROOT_TOKEN) are not echoed or traced — disable shell xtrace
around secret usage (set +x / restore afterwards) and suppress or redirect
command output (e.g. redirect stdout/stderr or write to a secure file) so
secrets are never printed to CI logs.

---

Nitpick comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh`:
- Around line 50-52: The secret creation for VAULT_LICENSE_SECRET_NAME is not
idempotent; change the oc create call to an apply-style pattern so repeated runs
update or create the secret safely (e.g. generate the secret YAML with oc create
secret generic "${VAULT_LICENSE_SECRET_NAME}"
--from-file=license=/var/run/vault/tests-private-account/kms-vault-license
--dry-run=client -o yaml | oc apply -n "${ns}" -f -) so the operation is
consistent with the ConfigMap pattern and uses the same
VAULT_LICENSE_SECRET_NAME and ns variables.
- Line 44: The direct call oc create namespace "${ns}" is not idempotent;
replace it with the apply pattern used for the ConfigMap (so retries are safe).
Locate the oc create namespace "${ns}" invocation and change it to apply a
Namespace manifest (e.g., construct a small YAML with apiVersion: v1, kind:
Namespace, metadata.name: "${ns}" and pipe it to oc apply -f -) so the step
becomes idempotent and tolerant of previous partial runs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 014e06bb-f032-4a2e-830f-090d4f8c52ce

📥 Commits

Reviewing files that changed from the base of the PR and between a359b7b and b0e082d.

📒 Files selected for processing (5)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the unquoted interpolation site in this script
rg -n 'transit/keys/\$\{VAULT_KMS_KEY_NAME\}' ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh

Repository: openshift/release

Length of output: 235

---

Quote the Vault transit key path argument
Line 33 passes ${VAULT_KMS_KEY_NAME} unquoted; quote the transit/keys/... path in the vault write -f command.

Suggested fix

-    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f transit/keys/${VAULT_KMS_KEY_NAME}
+    env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f "transit/keys/${VAULT_KMS_KEY_NAME}"

Avoid leaking AppRole identifiers in logs
Ensure ROLE_ID/secret_id/tokens are not echoed to CI logs (or are protected by disabling tracing and keeping output off stdout).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f transit/keys/${VAULT_KMS_KEY_NAME}
	env VAULT_TOKEN="${ROOT_TOKEN}" vault write -namespace="${VAULT_ENTERPRISE_NS}" -f "transit/keys/${VAULT_KMS_KEY_NAME}"

🧰 Tools

🪛 Shellcheck (0.11.0)

[info] 33-33: Double quote to prevent globbing and word splitting.

(SC2086)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`
at line 33, Quote the transit key path when calling vault write and stop leaking
secrets: change the vault write invocation to pass a quoted path like
"transit/keys/${VAULT_KMS_KEY_NAME}" (i.e. env VAULT_TOKEN="${ROOT_TOKEN}" vault
write -namespace="${VAULT_ENTERPRISE_NS}" -f
"transit/keys/${VAULT_KMS_KEY_NAME}"), and ensure any AppRole identifiers/tokens
(ROLE_ID, secret_id, ROOT_TOKEN) are not echoed or traced — disable shell xtrace
around secret usage (set +x / restore afterwards) and suppress or redirect
command output (e.g. redirect stdout/stderr or write to a secure file) so
secrets are never printed to CI logs.

Source: Linters/SAST tools

[ardaguclu]

/pj-rehearse

[openshift-merge-bot]

@ardaguclu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml (1)

34-59: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update documentation to reflect dual-instance configuration.

The step documentation describes configuring "an already-installed Vault instance" (singular) and lists outputs only for the primary namespace, but the script now configures two instances—primary (${VAULT_NAMESPACE}) and secondary (${VAULT_SECONDARY_NAMESPACE}).

The configuration steps (lines 39-47) and outputs (lines 53-58) should clarify that these operations occur for both instances, and that credentials are stored in both namespaces.

📝 Suggested documentation structure

   documentation: |-
-    Configures an already-installed Vault instance for Kubernetes KMS encryption.
+    Configures two already-installed Vault instances for Kubernetes KMS encryption.
 
     This step should run after etcd-encryption-vault-install.
 
-    Configuration steps:
+    Configuration steps (performed for both primary and secondary instances):
     - Creates Vault Enterprise namespace (${VAULT_ENTERPRISE_NS})
     - Enables transit secret engine in ${VAULT_ENTERPRISE_NS}
-    - Creates transit encryption key (name: ${VAULT_KMS_KEY_NAME}) in ${VAULT_ENTERPRISE_NS}
+    - Creates transit encryption key in ${VAULT_ENTERPRISE_NS}
     - Enables AppRole authentication in ${VAULT_ENTERPRISE_NS}
     - Creates KMS policy with encrypt/decrypt permissions in ${VAULT_ENTERPRISE_NS}
     - Creates AppRole role (kms-plugin) in ${VAULT_ENTERPRISE_NS}
     - Retrieves AppRole credentials from ${VAULT_ENTERPRISE_NS}
     - Stores credentials in vault-credentials secret
 
     Prerequisites:
-    - Vault must be installed and pods Ready (run etcd-encryption-vault-install first)
-    - OpenShift cluster with vault-0 pod running in ${VAULT_NAMESPACE}
+    - Both Vault instances must be installed and pods Ready (run etcd-encryption-vault-install first)
+    - OpenShift cluster with vault-0 pods running in ${VAULT_NAMESPACE} and ${VAULT_SECONDARY_NAMESPACE}
 
     Outputs:
-    - Credentials stored in: vault-credentials secret (namespace: ${VAULT_NAMESPACE})
+    - Credentials stored in vault-credentials secrets in both ${VAULT_NAMESPACE} and ${VAULT_SECONDARY_NAMESPACE}
       * role-id: AppRole role ID
       * secret-id: AppRole secret ID
       * root-token: Vault root token
       * unseal-key: Vault unseal key

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml`
around lines 34 - 59, Update the step documentation to reflect that
configuration runs against two Vault instances (primary ${VAULT_NAMESPACE} and
secondary ${VAULT_SECONDARY_NAMESPACE}): change the opening sentence to say
"instances" not "instance", update the Configuration steps block (the list that
references ${VAULT_ENTERPRISE_NS} and ${VAULT_KMS_KEY_NAME}) to state each
action is performed in both namespaces (primary and secondary), and update the
Outputs block to indicate vault-credentials secrets are created/stored in both
namespaces (include role-id, secret-id, root-token, unseal-key for each
namespace).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml`:
- Around line 32-33: Update the explanatory sentence for the secondary transit
key so it no longer claims differing names produce distinct key material;
instead state that because configure_vault runs in separate Vault instances
(e.g., vault-0 in vault-kms vs vault-0 in vault-kms-2) their KEKs are stored
separately and cryptographically independent regardless of name, and that using
a different name from VAULT_KMS_KEY_NAME is recommended only for
clarity/organization and to avoid naming collisions; modify the text referencing
VAULT_KMS_KEY_NAME accordingly.

---

Outside diff comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml`:
- Around line 34-59: Update the step documentation to reflect that configuration
runs against two Vault instances (primary ${VAULT_NAMESPACE} and secondary
${VAULT_SECONDARY_NAMESPACE}): change the opening sentence to say "instances"
not "instance", update the Configuration steps block (the list that references
${VAULT_ENTERPRISE_NS} and ${VAULT_KMS_KEY_NAME}) to state each action is
performed in both namespaces (primary and secondary), and update the Outputs
block to indicate vault-credentials secrets are created/stored in both
namespaces (include role-id, secret-id, root-token, unseal-key for each
namespace).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 91d142bb-22d4-4780-8492-8b02fac40b8b

📥 Commits

Reviewing files that changed from the base of the PR and between f2fba76 and e3fadfa.

📒 Files selected for processing (5)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify the rationale for distinct key names.

The documentation states the key names must differ "to ensure each instance uses a distinct KEK," but this reasoning is incorrect. Since configure_vault runs on separate Vault pods (vault-0 in vault-kms vs vault-0 in vault-kms-2), the key encryption keys are cryptographically distinct regardless of their names—they're stored in separate Vault instances with separate datastores.

Different key names aid clarity and organization, not key material distinctness.

📝 Suggested documentation fix

   - name: VAULT_SECONDARY_KMS_KEY_NAME
     default: "kms-key-2"
     documentation: |-
       Name of the transit encryption key for the secondary Vault instance.
-      Must differ from VAULT_KMS_KEY_NAME to ensure each instance uses a distinct KEK.
+      Should differ from VAULT_KMS_KEY_NAME for clarity and to avoid confusion when managing multiple instances.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Name of the transit encryption key for the secondary Vault instance.
	Must differ from VAULT_KMS_KEY_NAME to ensure each instance uses a distinct KEK.
	Name of the transit encryption key for the secondary Vault instance.
	Should differ from VAULT_KMS_KEY_NAME for clarity and to avoid confusion when managing multiple instances.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml`
around lines 32 - 33, Update the explanatory sentence for the secondary transit
key so it no longer claims differing names produce distinct key material;
instead state that because configure_vault runs in separate Vault instances
(e.g., vault-0 in vault-kms vs vault-0 in vault-kms-2) their KEKs are stored
separately and cryptographically independent regardless of name, and that using
a different name from VAULT_KMS_KEY_NAME is recommended only for
clarity/organization and to avoid naming collisions; modify the text referencing
VAULT_KMS_KEY_NAME accordingly.

[ardaguclu]

We have discussed this with @sandeepknd and we will move forward with this PR, if the CI is green
/retitle NO-JIRA: Run 2 Vault instances in different namespaces
/hold
until seeing the CI

[openshift-ci-robot]

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

Summary by CodeRabbit

This PR updates the OpenShift CI etcd-encryption step-registry to install and configure two independent Vault Enterprise instances (primary and secondary) in separate namespaces so CI can expose two distinct KMS endpoints for etcd encryption testing.

What changed in practical terms

• Where: ci-operator step-registry for etcd-encryption (install, configure, and chain documentation).
• Behavior: Vault installation and configuration were refactored into parameterized functions and the steps now run twice — once for the primary Vault and once for a secondary Vault — producing separate CA ConfigMaps and credentials for each instance.

Key implementation highlights

• Vault install script (ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh)

• Added install_helm() and parameterized install_vault(ns, ca_configmap).

• Installs Vault Enterprise into two namespaces and creates two CA ConfigMaps (vault-ca-bundle and vault-ca-bundle-2).

• Adds strict bash error handling (set -euo pipefail) and moves KUBECONFIG initialization earlier.

• Waits for vault-0 readiness, extracts the in-pod CA, and applies it to the specified openshift-config ConfigMap for each instance.

• Vault configure script (ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh)

• Introduced configure_vault(namespace, key_name) that parameterizes all oc exec calls, policy contents, transit key creation, AppRole enablement, and secret creation.

• Writes a kms-policy scoped to the provided transit key name, creates transit keys, enables AppRole, retrieves role_id/secret_id, and creates a vault-credentials secret in the target namespace.

• Invoked for both primary and secondary namespaces/key names; per-instance completion output is printed from inside the function.

• Step refs and chain docs

• Added VAULT_SECONDARY_NAMESPACE (default vault-kms-2) and VAULT_SECONDARY_KMS_KEY_NAME (default kms-key-2) to the step ref YAMLs.

• Updated vault-install ref to document the secondary CA ConfigMap and secondary Vault service endpoint.

• Updated the etcd-encryption-vault-setup chain text and outputs to describe primary and secondary instances and their separate outputs (service/pod, CA ConfigMap, vault-credentials secret).

Practical impact

• CI can now deploy two isolated Vault Enterprise instances for KMS encryption testing. Each instance has its own namespace, CA bundle, transit key, and AppRole credentials (vault-credentials), enabling isolated KEKs and parallel/multi-tenant or redundancy test scenarios.

Files of note

• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sandeepknd]

Thanks @ardaguclu .
This one is lot cleaner and simpler.
looks absolutely good to me.
waiting for the ci results.
/lgtm.

[ardaguclu]

Thanks @ardaguclu . This one is lot cleaner and simpler. looks absolutely good to me. waiting for the ci results. /lgtm.

Thank you @sandeepknd

[sandeepknd]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, sandeepknd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/etcd-encryption/vault-configure/OWNERS [ardaguclu,sandeepknd]
• ci-operator/step-registry/etcd-encryption/vault-install/OWNERS [ardaguclu,sandeepknd]
• ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS [ardaguclu,sandeepknd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ardaguclu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-4.23-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-azure-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-vsphere-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-dual	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`:
- Line 103: Remove the sensitive AppRole credential output: delete or comment
out the echo that prints ROLE_ID (the line "echo \"  - ROLE_ID: ${ROLE_ID}\"")
in the etcd-encryption-vault-configure-commands.sh summary block, or if you must
keep it for debugging, redact the value (e.g., replace ${ROLE_ID} with a fixed
"[REDACTED]" placeholder) so no secret is written to CI logs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4fa10162-80ba-4d9b-ac94-ef2b074c78c8

📥 Commits

Reviewing files that changed from the base of the PR and between e3fadfa and 4ac8efa.

📒 Files selected for processing (5)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove AppRole credential from logs.

Line 103 prints the ROLE_ID (AppRole role identifier) to CI logs. AppRole credentials are sensitive authentication material and should not be logged. As per coding guidelines, step-registry command scripts must never echo or print sensitive information such as passwords, tokens, or API keys.

A similar issue at the previous line 87 was addressed in an earlier commit, but this echo statement remains in the refactored summary block.

🔒 Proposed fix

Remove the ROLE_ID echo from the summary:

   echo "  - Vault Enterprise Namespace: ${VAULT_ENTERPRISE_NS}"
   echo "  - Transit Key: ${key_name}"
-  echo "  - ROLE_ID: ${ROLE_ID}"
   echo ""

Alternatively, if the line is kept for debugging purposes, redact the value:

-  echo "  - ROLE_ID: ${ROLE_ID}"
+  echo "  - ROLE_ID: [REDACTED]"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo " - ROLE_ID: ${ROLE_ID}"
	echo " - ROLE_ID: [REDACTED]"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`
at line 103, Remove the sensitive AppRole credential output: delete or comment
out the echo that prints ROLE_ID (the line "echo \"  - ROLE_ID: ${ROLE_ID}\"")
in the etcd-encryption-vault-configure-commands.sh summary block, or if you must
keep it for debugging, redact the value (e.g., replace ${ROLE_ID} with a fixed
"[REDACTED]" placeholder) so no secret is written to CI logs.

Source: Coding guidelines

[ardaguclu]

/pj-rehearse

[openshift-merge-bot]

@ardaguclu: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[ardaguclu]

/pj-rehearse

[openshift-merge-bot]

@ardaguclu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@ardaguclu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/cluster-kube-apiserver-operator/main/e2e-gcp-operator-encryption-kms-rotation	4ac8efa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-encryption-kms-rotation
ci/rehearse/openshift/cluster-kube-apiserver-operator/release-5.1/e2e-aws-operator-encryption-kms	4ac8efa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-aws-operator-encryption-kms
ci/rehearse/openshift/cluster-kube-apiserver-operator/release-5.1/e2e-gcp-operator-encryption-kms-rotation	4ac8efa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-gcp-operator-encryption-kms-rotation
ci/rehearse/openshift/cluster-kube-apiserver-operator/release-5.0/e2e-aws-operator-encryption-kms	4ac8efa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-aws-operator-encryption-kms
ci/rehearse/openshift/cluster-kube-apiserver-operator/release-5.0/e2e-gcp-operator-encryption-kms	e3fadfa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-gcp-operator-encryption-kms
ci/rehearse/openshift/cluster-kube-apiserver-operator/main/e2e-aws-operator-encryption-kms	4ac8efa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-aws-operator-encryption-kms
ci/rehearse/openshift/cluster-kube-apiserver-operator/release-5.1/e2e-gcp-operator-encryption-kms	e3fadfa	link	unknown	/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-gcp-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ardaguclu]

#80457 supersedes this
/close

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@ardaguclu: Closed this PR.

Details

In response to this:

#80457 supersedes this
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.