From 3d2743693e5b70b9b62ab0a87337e8146e726c60 Mon Sep 17 00:00:00 2001
From: Elior Erez
Date: Thu, 18 Jun 2026 11:25:12 -0400
Subject: [PATCH] OSAC-1568: Add reusable e2e workflow with Vault JWT auth

Reusable workflow that retrieves e2e secrets (pull-secret, AAP license) from the self-hosted Vault instance via GitHub OIDC JWT authentication, then runs the osac-test-infra test container against the cluster.

Callers use: uses: osac-project/.github/.github/workflows/e2e-vault-secrets.yml@main
---
.github/workflows/e2e-vault-secrets.yml | 99 +++++++++++++++++++++++++
1 file changed, 99 insertions(+)
create mode 100644 .github/workflows/e2e-vault-secrets.yml

diff --git a/.github/workflows/e2e-vault-secrets.yml b/.github/workflows/e2e-vault-secrets.yml
new file mode 100644
index 0000000..59e69f7
--- /dev/null
+++ b/.github/workflows/e2e-vault-secrets.yml
@@ -0,0 +1,99 @@
+---
+name: OSAC E2E — Vault Secrets
+
+on:
+ workflow_call:
+ inputs:
+ test-suite:
+ description: "Test suite to run: vmaas, caas, or empty string for all"
+ required: false
+ type: string
+ default: "vmaas"
+ test-filter:
+ description: "pytest -k filter expression (optional)"
+ required: false
+ type: string
+ default: ""
+ namespace:
+ description: "OSAC namespace on the cluster"
+ required: false
+ type: string
+ default: "osac-e2e-ci"
+ vm-template:
+ description: "VM template for compute instances"
+ required: false
+ type: string
+ default: "osac.templates.ocp_virt_vm"
+ test-image:
+ description: "Test container image override"
+ required: false
+ type: string
+ default: "ghcr.io/osac-project/osac-test-infra:latest"
+ outputs:
+ result:
+ description: "Test result: PASSED or FAILED"
+ value: ${{ jobs.e2e.outputs.result }}
+
+jobs:
+ e2e:
+ runs-on: osac-ci
+ environment: e2e-test
+ permissions:
+ contents: read
+ id-token: write
+ outputs:
+ result: ${{ steps.test.outcome == 'success' && 'PASSED' || 'FAILED' }}
+
+ steps:
+ - name: Retrieve secrets from Vault
+ id: vault
+ uses: hashicorp/vault-action@v4
+ with:
+ url: http://127.0.0.1:8200
+ method: jwt
+ role: osac-e2e
+ jwtGithubAudience: https://github.com/osac-project
+ exportEnv: false
+ secrets: |
+ secret/data/osac/e2e/pull-secret dockerconfigjson | PULL_SECRET ;
+ secret/data/osac/e2e/aap-license license | AAP_LICENSE
+
+ - name: Write secrets to files
+ run: |
+ echo '${{ steps.vault.outputs.PULL_SECRET }}' > "$RUNNER_TEMP/pull-secret.json"
+ chmod 600 "$RUNNER_TEMP/pull-secret.json"
+
+ echo '${{ steps.vault.outputs.AAP_LICENSE }}' | base64 -d > "$RUNNER_TEMP/aap-license.zip"
+ chmod 600 "$RUNNER_TEMP/aap-license.zip"
+
+ - name: Run E2E tests
+ id: test
+ run: |
+ TEST_ARGS="tests/"
+ if [ -n "${{ inputs.test-suite }}" ]; then
+ TEST_ARGS="tests/${{ inputs.test-suite }}/"
+ fi
+
+ FILTER_ARGS=""
+ if [ -n "${{ inputs.test-filter }}" ]; then
+ FILTER_ARGS="-k ${{ inputs.test-filter }}"
+ fi
+
+ podman run --rm \
+ --network host \
+ -v "${HOME}/.kube/config:/root/.kube/config:ro,Z" \
+ -v "${RUNNER_TEMP}/pull-secret.json:/root/pull-secret:ro,Z" \
+ -v "${RUNNER_TEMP}/aap-license.zip:/root/aap-license.zip:ro,Z" \
+ -e KUBECONFIG=/root/.kube/config \
+ -e OSAC_VM_KUBECONFIG=/root/.kube/config \
+ -e OSAC_NAMESPACE=${{ inputs.namespace }} \
+ -e OSAC_VM_TEMPLATE=${{ inputs.vm-template }} \
+ -e OSAC_PULL_SECRET_PATH=/root/pull-secret \
+ ${{ inputs.test-image }} \
+ pytest ${TEST_ARGS} ${FILTER_ARGS} \
+ --junitxml=/tmp/junit.xml -v
+
+ - name: Clean up secrets
+ if: always()
+ run: |
+ rm -f "$RUNNER_TEMP/pull-secret.json" "$RUNNER_TEMP/aap-license.zip"
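Review bot: The `Write secrets to files` step expands `${{ steps.vault.outputs.PULL_SECRET }}` and `${{ steps.vault.outputs.AAP_LICENSE }}` straight into the shell text inside single quotes, so a secret value containing a `'` terminates the quoting and the remainder runs as shell on the runner, and `Run E2E tests` does the same with every caller-controlled input (`test-suite`, `test-filter`, `namespace`, `vm-template`, `test-image`), which is command injection for any caller that forwards event data into this reusable workflow. Route all of them through `env:` and reference quoted shell variables, write the secret with `printf '%s'` rather than `echo`, and build the filter as an array — the current unquoted `${FILTER_ARGS}` also splits a `-k` expression containing spaces (`a or b`) into separate pytest arguments. Separately, the `test-image` default is the mutable `:latest` tag and any caller may substitute an arbitrary image that then runs with `--network host`, the runner's `~/.kube/config`, the pull secret and the AAP license, so pinning by digest (or checking the override against an allow-list) is worth considering; with `--network host` that container can also reach the plaintext listener at `http://127.0.0.1:8200`, which is tolerable only if that endpoint hands out nothing beyond what the job already holds. The Vault `osac-e2e` role is not visible here; since a reusable workflow's JWT carries the caller's repository in `sub`, it presumably binds `job_workflow_ref` (or `environment`) rather than the audience alone, otherwise any repository in the organisation can authenticate as this role — worth confirming on the Vault side.
```yaml
      - name: Write secrets to files
        env:
          PULL_SECRET: ${{ steps.vault.outputs.PULL_SECRET }}
          AAP_LICENSE: ${{ steps.vault.outputs.AAP_LICENSE }}
        run: |
          # printf avoids both shell interpolation of the value and echo's escape handling
          printf '%s' "$PULL_SECRET" > "$RUNNER_TEMP/pull-secret.json"
          chmod 600 "$RUNNER_TEMP/pull-secret.json"

          printf '%s' "$AAP_LICENSE" | base64 -d > "$RUNNER_TEMP/aap-license.zip"
          chmod 600 "$RUNNER_TEMP/aap-license.zip"

      - name: Run E2E tests
        id: test
        env:
          TEST_SUITE: ${{ inputs.test-suite }}
          TEST_FILTER: ${{ inputs.test-filter }}
          OSAC_NAMESPACE: ${{ inputs.namespace }}
          OSAC_VM_TEMPLATE: ${{ inputs.vm-template }}
          TEST_IMAGE: ${{ inputs.test-image }}
        run: |
          TEST_ARGS="tests/"
          if [ -n "$TEST_SUITE" ]; then
            TEST_ARGS="tests/${TEST_SUITE}/"
          fi

          # array keeps a -k expression with spaces as a single pytest argument
          FILTER_ARGS=()
          if [ -n "$TEST_FILTER" ]; then
            FILTER_ARGS=(-k "$TEST_FILTER")
          fi

          # … unchanged: podman run --rm, --network host, the three -v mounts, KUBECONFIG env …
            -e OSAC_NAMESPACE="$OSAC_NAMESPACE" \
            -e OSAC_VM_TEMPLATE="$OSAC_VM_TEMPLATE" \
            -e OSAC_PULL_SECRET_PATH=/root/pull-secret \
            "$TEST_IMAGE" \
            pytest "$TEST_ARGS" "${FILTER_ARGS[@]}" \
            --junitxml=/tmp/junit.xml -v
```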