
OSAC-1568: Add reusable e2e workflow with Vault JWT auth#1

Closed
eliorerz wants to merge 1 commit into main from OSAC-1568-e2e-reusable-workflow

Conversation


@eliorerz eliorerz commented Jun 18, 2026


Summary

  • Adds a reusable GitHub Actions workflow (e2e-vault-secrets.yml) for running e2e tests with secrets from Vault
  • Authenticates to the self-hosted Vault via GitHub OIDC JWT -- no static secrets in GitHub
  • Retrieves pull-secret and AAP license, runs the osac-test-infra test container, cleans up

How it works

  1. GitHub mints an OIDC JWT for the workflow run
  2. vault-action sends the JWT to Vault on the self-hosted runner (localhost:8200)
  3. Vault validates the token signature and checks bound_claims (org + environment)
  4. Secrets are read from secret/osac/e2e/ and mounted into the test container

Security model

  • Fork PRs: GitHub does not grant id-token: write to fork PR events, so external contributors cannot access secrets
  • Org member PRs: Trusted by org membership; secrets masked in logs via vault-action
  • Reusable workflow: Secret handling is in this repo; callers can only pass test configuration inputs

Caller usage

jobs:
  e2e:
    uses: osac-project/.github/.github/workflows/e2e-vault-secrets.yml@main
    with:
      test-suite: vmaas

Prerequisites

Summary by CodeRabbit

  • Chores
    • Added a new reusable end-to-end testing workflow with HashiCorp Vault integration for secure secret management. The workflow supports customizable inputs for test suite selection, filtering, namespace targeting, and container images. Test results are exposed as outputs for CI/CD pipeline integration.

Reusable workflow that retrieves e2e secrets (pull-secret, AAP license)
from the self-hosted Vault instance via GitHub OIDC JWT authentication,
then runs the osac-test-infra test container against the cluster.

Callers use: uses: osac-project/.github/.github/workflows/e2e-vault-secrets.yml@main

coderabbitai Bot commented Jun 18, 2026



Caution

Review failed

Pull request was closed or merged during review

Walkthrough

A new reusable GitHub Actions workflow (e2e-vault-secrets.yml) is added. It is callable via workflow_call, fetches two secrets from HashiCorp Vault using OIDC/JWT auth, stages them to $RUNNER_TEMP, runs pytest inside a podman container with those secrets mounted, and deletes the temporary files unconditionally on exit.

Changes

OSAC E2E Vault Secrets Workflow

  • Workflow call contract and job definition (.github/workflows/e2e-vault-secrets.yml): Declares the workflow_call interface with five string inputs (test-suite, test-filter, namespace, vm-template, test-image), a result output (PASSED/FAILED), and the e2e job with OIDC permissions on the osac-ci runner under the e2e-test environment.
  • Vault secret retrieval and temp file staging (.github/workflows/e2e-vault-secrets.yml): Uses hashicorp/vault-action@v4 with JWT auth to fetch kubeconfig and license secrets from Vault, then writes them to $RUNNER_TEMP with chmod 600, base64-decoding the license into a zip file.
  • Podman test execution and cleanup (.github/workflows/e2e-vault-secrets.yml): Constructs TEST_ARGS/FILTER_ARGS from inputs, runs pytest in a podman container with kubeconfig and secret file mounts plus OSAC environment variables, emits /tmp/junit.xml, and unconditionally deletes staged secret files in a final cleanup step.

Sequence Diagram

sequenceDiagram
  participant Caller as Calling Workflow
  participant Runner as osac-ci Runner
  participant Vault as HashiCorp Vault
  participant Podman as podman container

  Caller->>Runner: workflow_call(test-suite, test-filter, namespace, vm-template, test-image)
  Runner->>Vault: JWT auth → fetch kubeconfig + license secrets
  Vault-->>Runner: secret values
  Runner->>Runner: write secrets to $RUNNER_TEMP (chmod 600, base64-decode license)
  Runner->>Podman: run test-image with mounts + OSAC env vars
  Podman-->>Runner: pytest exit code + junit.xml
  Runner->>Runner: always() — delete $RUNNER_TEMP secret files
  Runner-->>Caller: result = PASSED | FAILED

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A vault unlocks its secrets tight,
JWT whispers in the night,
Podman spins the tests around,
JUnit XML — results are found,
Then cleanup sweeps the temp away,
PASSED or FAILED — end of day! 🔐


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.


❌ Failed checks (2 errors)

  • No-Injection-Vectors: ❌ Error. Explanation: Workflow contains multiple shell injection vectors: vault outputs in unquoted echo (lines 63, 66), user inputs interpolated directly in shell without env binding (lines 73-74, 78-79, 89-90, 92). Resolution: Bind vault outputs and workflow inputs via env: block; use printf instead of echo; quote all variable expansions; avoid direct template expansion in shell context.
  • No-Sensitive-Data-In-Logs: ❌ Error. Explanation: Lines 63-66 use echo to output vault secrets directly in shell context, risking exposure in logs. Secrets should use env: binding with printf to avoid shell injection and logging. Resolution: Replace echo statements with env: binding and printf as shown in review comments to prevent secrets logging through shell redirection.
✅ Passed checks (9 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding a reusable GitHub Actions workflow for e2e tests with Vault JWT authentication, which directly matches the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • No-Hardcoded-Secrets: ✅ Passed. No hardcoded secrets found. Secrets are retrieved from Vault via OIDC JWT, not embedded in the workflow. No API keys, tokens, passwords, private keys, long base64 strings, or URLs with embedded cre...
  • No-Weak-Crypto: ✅ Passed. The workflow contains no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or custom implementations. All cryptography is delegated to GitHub OIDC JWT and HashiCorp Vault.
  • Container-Privileges: ✅ Passed. The new workflow file (.github/workflows/e2e-vault-secrets.yml) does not use privileged container configurations: no privileged: true, hostPID/IPC, SYS_ADMIN capability, root running, or allowPrivi...
  • Ai-Attribution: ✅ Passed. No AI tool usage is mentioned in commit messages, PR description, or code. The check only applies when AI is disclosed; no attribution verification is required.
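The OIDC/JWT job setup from the PR's "How it works" list and the env:/printf pattern the two failed checks ask for, as one added example: this is an illustrative workflow written for this page, not the PR's e2e-vault-secrets.yml. Assumed (not from the page): the Vault role name osac-e2e, a KV v2 mount so paths read secret/data/osac/e2e/..., the audience value, the step id and output names, the container image name and the tests/ layout inside it.

```yaml
# Added example, not the PR's file. Assumed: role name, KV v2 paths, audience, ids, image.
on:
  workflow_call:
    inputs:
      test-suite:  { type: string, required: true }
      test-filter: { type: string, default: "" }
jobs:
  e2e:
    runs-on: osac-ci
    environment: e2e-test          # matched by the Vault role's bound_claims
    permissions:
      id-token: write              # lets GitHub mint the OIDC JWT; not granted to fork PRs
    steps:
      - id: vault
        uses: hashicorp/vault-action@v4
        with:
          url: http://localhost:8200
          method: jwt
          role: osac-e2e
          jwtGithubAudience: osac-vault   # must equal bound_audiences on the role (assumed)
          exportEnv: false               # keep secrets out of every later step's environment
          secrets: |
            secret/data/osac/e2e/pull-secret value | PULL_SECRET ;
            secret/data/osac/e2e/aap-license value | AAP_LICENSE_B64
      # Flagged pattern is `echo ${{ steps.vault.outputs.X }} > file`: the value is pasted
      # into the script text before sh parses it. Bind it via env: and write with printf.
      - name: Stage secrets
        env:
          PULL_SECRET: ${{ steps.vault.outputs.PULL_SECRET }}
          AAP_LICENSE_B64: ${{ steps.vault.outputs.AAP_LICENSE_B64 }}
        run: |
          set -euo pipefail
          umask 077                      # files are created 0600
          printf '%s' "$PULL_SECRET" > "$RUNNER_TEMP/pull-secret"
          printf '%s' "$AAP_LICENSE_B64" | base64 -d > "$RUNNER_TEMP/license.zip"
      # Caller inputs are untrusted text: bind them the same way, never ${{ }} inside run:.
      - name: Run tests
        env:
          TEST_SUITE: ${{ inputs.test-suite }}
          TEST_FILTER: ${{ inputs.test-filter }}
        run: |
          set -euo pipefail
          if [ -n "$TEST_FILTER" ]; then set -- -k "$TEST_FILTER"; fi
          podman run --rm \
            -v "$RUNNER_TEMP/pull-secret:/secrets/pull-secret:ro,Z" \
            -v "$RUNNER_TEMP/license.zip:/secrets/license.zip:ro,Z" \
            quay.io/example/osac-test-infra:latest pytest "tests/$TEST_SUITE" "$@"
      - name: Remove staged secrets
        if: always()
        run: rm -f "$RUNNER_TEMP/pull-secret" "$RUNNER_TEMP/license.zip"
```

With env: binding the secret and the caller's filter reach the shell only as variable values, so neither is parsed as script text, and vault-action still masks the fetched values in the job log.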

@eliorerz eliorerz closed this Jun 18, 2026
@eliorerz eliorerz deleted the OSAC-1568-e2e-reusable-workflow branch June 18, 2026 15:58
