NO-JIRA: Support multiple Vault instance deployment

[ardaguclu]

This PR wraps the functionality in vault install/configure into functions to make them reusable for installation of multiple Vault instances. We need it in our KMS to KMS migration scenarios.

This PR supersedes #80405

Summary by CodeRabbit

This PR refactors the etcd-encryption Vault install/configuration steps in the OpenShift CI (openshift/release) to support deploying and configuring multiple Vault Enterprise instances side-by-side, enabling KMS-to-KMS migration scenarios.

What changed in practical terms

• Converted single-instance, inline Vault install/config logic into reusable, parameterized functions so the same steps can run for a primary and a secondary Vault instance:
  • Vault install: introduced setup_vault_namespace() and install_vault() to create namespaces, apply SCCs, create license secrets, install Vault via Helm, wait for readiness, extract CA certs, and populate CA ConfigMaps for each instance.
  • Vault config: introduced configure_vault(namespace, kms_key_name, pod_name) to enable transit engine, create transit keys, enable AppRole auth, write per-key policies, create AppRole credentials, and create vault-credentials secrets per namespace.
• CI step definitions and documentation updated to expose secondary-instance variables (VAULT_SECONDARY_NAMESPACE, VAULT_SECONDARY_KMS_KEY_NAME), document the additional prerequisites/outputs (secondary pod, service endpoint, CA ConfigMap, credentials), and describe the two-instance workflow in the etcd-encryption-vault-setup chain.
• The install/config scripts now invoke the new functions twice to provision/configure both a primary (vault) and secondary (vault-secondary) instance instead of only the primary.

Scope / Impact

• Affects openshift/release CI configuration for the etcd-encryption Vault setup steps used by OpenShift CI jobs that provision Vault for KMS-backed encryption testing.
• Enables automated side-by-side Vault deployments with distinct transit keys and per-namespace credentials, which is required for KMS-to-KMS migration and related encryption/operator tests.
• The change updates step outputs and environment variables consumed by downstream jobs; reviewers should verify variable names and resource names match callers and rehearsals (the author requested multiple rehearsals for relevant e2e/periodic jobs).

Notes for reviewers

• Function extraction and parameterization introduce more reuse but increase complexity; attention to naming, defaults, and error handling across both instances is recommended.
• Ensure the secondary variables are propagated to any jobs or scripts that previously assumed a single Vault instance.

[openshift-ci-robot]

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

This PR wraps the functionality in vault install/configure into functions to make them reusable for installation of multiple Vault instances. We need it in our KMS to KMS migration scenarios.

This PR supersedes #80405

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 688ff968-18b5-44ed-ab78-7730b75a5da8

📥 Commits

Reviewing files that changed from the base of the PR and between e030d65 and 3efb74d.

📒 Files selected for processing (5)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh

---

Walkthrough

This PR refactors Vault Enterprise setup scripts to support two instances (primary and secondary) by introducing parameterized functions for installation and KMS configuration. The install script is split into reusable setup_vault_namespace and install_vault functions; the configure script wraps KMS setup in a parameterized configure_vault function. Both are invoked twice with distinct namespaces and KMS keys, and step definitions and chain documentation are updated accordingly.

Changes

Dual Vault Instance Setup Refactoring

Layer / File(s)	Summary
Vault installation functions and dual deployment ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh, ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml	Vault Enterprise install refactored into setup_vault_namespace (namespace, SCC, license) and install_vault (Helm deploy, CA extraction, ConfigMap creation) functions, each invoked for both primary and secondary instances. Install ref YAML adds VAULT_SECONDARY_NAMESPACE environment variable and documents secondary install action and outputs.
Vault KMS configuration functions and dual setup ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh, ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml	KMS setup (transit engine, encryption keys, AppRole auth, policy, credentials secret) wrapped in parameterized configure_vault function invoked for both primary and secondary Vault instances. Script initializes KUBECONFIG and root token constant. Configure ref YAML adds VAULT_SECONDARY_NAMESPACE and VAULT_SECONDARY_KMS_KEY_NAME environment variables.
Chain documentation and environment variables ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml	Chain documentation expanded to describe two-instance Vault installation and KMS configuration workflow, including mirrored actions, per-namespace deployment, CA ConfigMaps, and secondary instance outputs. Environment variable documentation extended to include secondary namespace and secondary KMS key name.

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels: lgtm, rehearsals-ack

Suggested reviewers:

• bertinatto
• tjungblu

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	etcd-encryption-vault-configure-commands.sh echoes internal Vault service DNS and prints ROLE_ID in its log summary, exposing AppRole credential data.	Stop logging sensitive values: remove the ROLE_ID echo and avoid printing full internal service/DNS endpoints (e.g., *.svc:8200) or mask/obfuscate them in the summary.
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: refactoring to support deploying multiple Vault instances instead of a single instance.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR 80457 only changes step-registry .sh/.yaml files for Vault setup/config; no Ginkgo test files or any It/Describe/Context titles are present to review.
Test Structure And Quality	✅ Passed	The PR modifies shell scripts and YAML configuration files only, containing no Ginkgo test code. The custom check explicitly requires reviewing "Ginkgo test code," making it not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PASS: PR 80457 only changes vault install/config scripts and YAML; no new/modified Ginkgo e2e tests (no g.It/Describe/Context/When blocks) found in changed files.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR changes only ci-operator vault install/config scripts + step YAML; the touched files contain no Ginkgo e2e constructs (no It/Describe/Context). No SNO multi-node assumptions to evaluate.
Topology-Aware Scheduling Compatibility	✅ Passed	Validated the only PR-touched CI step scripts/docs (vault install/configure) contain no pod scheduling constraints (no affinity/anti-affinity/topologySpread/nodeSelectors).
Ote Binary Stdout Contract	✅ Passed	PR changes Vault bash scripts/YAML only; repo contains no OTE/openshift-tests extension main/init/RunSpecs Go binaries to violate the stdout JSON contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR #80457 changes only Vault .sh scripts and .yaml step/chain docs (no *_test.go/Ginkgo e2e test code), so no IPv4/IPv6 or external-connectivity assumptions to flag.
No-Weak-Crypto	✅ Passed	Scanned PR-related vault-install/config scripts & docs: no md5/sha1/DES/RC4/3DES/Blowfish/ECB/openssl usage found, and no secret/token non-constant comparisons (==/!=) detected.
Container-Privileges	✅ Passed	Scanned the PR’s changed etcd-encryption Vault scripts/YAML and recursively searched ci-operator/step-registry/etcd-encryption for privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEsc...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ardaguclu]

/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-aws-operator-encryption-kms periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6 pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-aws-operator-encryption-kms periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh`:
- Around line 11-16: The function configure_vault() currently hardcodes the
Vault service host as "vault.${namespace}.svc:8200" causing wrong endpoint logs
for secondary instances; change the function signature to accept a Vault service
name (add local service_name="$4" or replace an arg), update all internal uses
that assemble the endpoint (the echo/log lines that build
"vault.${namespace}.svc:8200" — referenced around configure_vault() and the
print sites at the blocks noted ~98-100 and ~107-108) to use
"${service_name}.${namespace}.svc:8200" (or accept a full host:port and use
"${service_name}" directly), and ensure callers that invoke configure_vault pass
the correct service name for primary vs secondary.

In
`@ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml`:
- Around line 25-33: Update the ref docs to reflect dual-Vault behavior: replace
any single-namespace text referencing ${VAULT_NAMESPACE} with explicit
descriptions for both VAULT_NAMESPACE and VAULT_SECONDARY_NAMESPACE and note
that two Vault instances are configured; update key docs to mention
VAULT_KMS_KEY_NAME and VAULT_SECONDARY_KMS_KEY_NAME (and that they must differ)
and remove the stale "unseal-key" output since
etcd-encryption-vault-configure-commands.sh does not emit it, instead list only
the secret keys and outputs that the script actually creates. Reference the env
var names VAULT_NAMESPACE, VAULT_SECONDARY_NAMESPACE, VAULT_KMS_KEY_NAME,
VAULT_SECONDARY_KMS_KEY_NAME and the script
etcd-encryption-vault-configure-commands.sh when making these edits.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 199fa81a-62b7-4a48-9d06-f0e671ea3be7

📥 Commits

Reviewing files that changed from the base of the PR and between 9cc3a79 and e030d65.

📒 Files selected for processing (5)

• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-configure/etcd-encryption-vault-configure-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-commands.sh
• ci-operator/step-registry/etcd-encryption/vault-install/etcd-encryption-vault-install-ref.yaml
• ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml

[openshift-merge-bot]

@ardaguclu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ardaguclu]

/pj-rehearse pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-aws-operator-encryption-kms periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6 pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-aws-operator-encryption-kms periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ardaguclu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-authentication-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-authentication-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-openshift-apiserver-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-openshift-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-main-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.1-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-5.0-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-4.23-e2e-aws-operator-encryption-kms	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-kube-apiserver-operator-release-4.23-e2e-gcp-operator-encryption-kms-rotation	openshift/cluster-kube-apiserver-operator	presubmit	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-dual	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-azure-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-vsphere-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms	N/A	periodic	Registry content changed
periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-merge-bot]

@ardaguclu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ardaguclu]

Periodic failures are unrelated. KMS tests passed.

[ardaguclu]

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/80457/rehearse-80457-pull-ci-openshift-cluster-openshift-apiserver-operator-main-e2e-aws-operator-encryption-kms/2065339632731557888
/pj-rehearse ack

[openshift-merge-bot]

@ardaguclu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[sandeepknd]

waiting for CI to pass.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, sandeepknd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/etcd-encryption/vault-configure/OWNERS [ardaguclu,sandeepknd]
• ci-operator/step-registry/etcd-encryption/vault-install/OWNERS [ardaguclu,sandeepknd]
• ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS [ardaguclu,sandeepknd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tjungblu]

yep lgtm for me too.
/hold

[tjungblu]

/hold cancel

one of the kms jobs finished, sorry!

[ardaguclu]

/hold

[ardaguclu]

/hold cancel
I'll fix any issues in followup PR

[openshift-ci]

@ardaguclu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms	3efb74d	link	unknown	/pj-rehearse periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-gcp-encryption-kms
ci/rehearse/periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6	3efb74d	link	unknown	/pj-rehearse periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-metal-encryption-kms-ipv6
ci/rehearse/periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node	3efb74d	link	unknown	/pj-rehearse periodic-ci-openshift-cluster-kube-apiserver-operator-main-periodics-e2e-aws-encryption-kms-single-node

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.