OSAC-1568: Add reusable e2e workflow with Vault JWT auth (#1)
Reusable workflow that retrieves e2e secrets (pull-secret, AAP license) from the self-hosted Vault instance via GitHub OIDC JWT authentication, then runs the osac-test-infra test container against the cluster. Callers use: `uses: osac-project/.github/.github/workflows/e2e-vault-secrets.yml@main`
Review failed: pull request was closed or merged during review.

Walkthrough: A new reusable GitHub Actions workflow (

Changes: OSAC E2E Vault Secrets Workflow

Sequence diagram:

```mermaid
sequenceDiagram
participant Caller as Calling Workflow
participant Runner as osac-ci Runner
participant Vault as HashiCorp Vault
participant Podman as podman container
Caller->>Runner: workflow_call(test-suite, test-filter, namespace, vm-template, test-image)
Runner->>Vault: JWT auth → fetch kubeconfig + license secrets
Vault-->>Runner: secret values
Runner->>Runner: write secrets to $RUNNER_TEMP (chmod 600, base64-decode license)
Runner->>Podman: run test-image with mounts + OSAC env vars
Podman-->>Runner: pytest exit code + junit.xml
Runner->>Runner: always() — delete $RUNNER_TEMP secret files
    Runner-->>Caller: result = PASSED | FAILED
```

Estimated code review effort: 3 (Moderate), ~20 minutes

Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
- Failed checks: 2 errors
- Passed checks: 9 passed
Summary
- … e2e-vault-secrets.yml) for running e2e tests with secrets from Vault

How it works
- vault-action sends the JWT to Vault on the self-hosted runner (localhost:8200)
- … secret/osac/e2e/ and mounted into the test container

Security model
- … id-token: write to fork PR events, so external contributors cannot access secrets
- vault-action

Caller usage

Prerequisites
- osac-ci with Vault on 127.0.0.1:8200 (OSAC-1568: Add local Vault infrastructure and e2e workflow, osac-test-infra#72)
- e2e-test GitHub environment on calling repo (OSAC-1568: Add e2e-test GitHub environment to osac-test-infra, github-config#107)
- secret/osac/e2e/pull-secret and secret/osac/e2e/aap-license
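The shape of such a reusable workflow, written out as an added illustration of the flow the PR describes (OIDC JWT to Vault, secrets materialised as 0600 files under `$RUNNER_TEMP`, test container run, unconditional cleanup). This is not the PR's own `e2e-vault-secrets.yml`; the Vault role name and audience, the KV v2 data path prefix, the secret field names, the `OSAC_*` environment variable names, the `/secrets` mount points and the default test image are all assumptions.

```yaml
# Added illustration, not the project's file. Assumed values are marked below.
name: OSAC e2e (Vault secrets)

on:
  workflow_call:
    inputs:
      test-suite:  { type: string, required: true }
      test-filter: { type: string, required: false, default: "" }
      namespace:   { type: string, required: true }
      vm-template: { type: string, required: false, default: "" }
      test-image:  { type: string, required: false, default: "quay.io/example/osac-test-infra:latest" }  # assumed default
    outputs:
      result:
        value: ${{ jobs.e2e.outputs.result }}

jobs:
  e2e:
    runs-on: osac-ci        # self-hosted runner that also hosts Vault on 127.0.0.1:8200
    environment: e2e-test   # environment gate on the calling repo
    # Same-repo events only: fork PRs receive no OIDC token, so skip instead of failing inside Vault.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      id-token: write       # required to mint the GitHub OIDC JWT
      contents: read
    outputs:
      result: ${{ steps.verdict.outputs.result }}
    steps:
      - name: Fetch e2e secrets from Vault via OIDC JWT
        id: vault
        uses: hashicorp/vault-action@v3
        with:
          url: http://127.0.0.1:8200
          method: jwt
          role: osac-e2e                                      # assumed Vault role bound to this repo's OIDC claims
          jwtGithubAudience: https://github.com/osac-project  # assumed audience configured on the Vault role
          exportEnv: false                                    # keep secrets out of the job-wide environment
          secrets: |
            secret/data/osac/e2e/pull-secret value | PULL_SECRET ;
            secret/data/osac/e2e/aap-license value | AAP_LICENSE_B64

      - name: Write secrets to RUNNER_TEMP with mode 0600
        env:
          PULL_SECRET: ${{ steps.vault.outputs.PULL_SECRET }}
          AAP_LICENSE_B64: ${{ steps.vault.outputs.AAP_LICENSE_B64 }}
        run: |
          set -euo pipefail
          umask 077
          mkdir -p "$RUNNER_TEMP/results"
          printf '%s' "$PULL_SECRET" > "$RUNNER_TEMP/pull-secret.json"
          # license is stored base64-encoded in Vault; decode it on the way to disk
          printf '%s' "$AAP_LICENSE_B64" | base64 -d > "$RUNNER_TEMP/aap-license.txt"
          chmod 600 "$RUNNER_TEMP/pull-secret.json" "$RUNNER_TEMP/aap-license.txt"

      - name: Run test container
        id: tests
        continue-on-error: true   # the verdict step turns the outcome into PASSED/FAILED
        env:
          # inputs are passed through env, not interpolated into the script, to avoid expression injection
          OSAC_TEST_SUITE: ${{ inputs.test-suite }}
          OSAC_TEST_FILTER: ${{ inputs.test-filter }}
          OSAC_NAMESPACE: ${{ inputs.namespace }}
          OSAC_VM_TEMPLATE: ${{ inputs.vm-template }}
          TEST_IMAGE: ${{ inputs.test-image }}
        run: |
          set -euo pipefail
          podman run --rm \
            -v "$RUNNER_TEMP/pull-secret.json:/secrets/pull-secret.json:ro,Z" \
            -v "$RUNNER_TEMP/aap-license.txt:/secrets/aap-license.txt:ro,Z" \
            -v "$RUNNER_TEMP/results:/results:Z" \
            -e OSAC_TEST_SUITE -e OSAC_TEST_FILTER -e OSAC_NAMESPACE -e OSAC_VM_TEMPLATE \
            "$TEST_IMAGE"

      - name: Publish verdict
        id: verdict
        env:
          TESTS_OUTCOME: ${{ steps.tests.outcome }}
        run: |
          if [ "$TESTS_OUTCOME" = "success" ]; then
            echo "result=PASSED" >> "$GITHUB_OUTPUT"
          else
            echo "result=FAILED" >> "$GITHUB_OUTPUT"
          fi

      - name: Remove secret files
        if: always()   # runs even when the test step or an earlier step fails
        run: rm -f "$RUNNER_TEMP/pull-secret.json" "$RUNNER_TEMP/aap-license.txt"
```

A calling repository references this with `uses: osac-project/.github/.github/workflows/e2e-vault-secrets.yml@main` under a job and passes the inputs under `with:`; the caller must itself grant `permissions: id-token: write`, since a reusable workflow cannot escalate beyond the permissions the caller gives it. Two choices above carry the security weight: `exportEnv: false` keeps the Vault values out of every later step's environment so only the file-writing step sees them, and the `always()` cleanup runs regardless of the test outcome so a failed run does not leave the pull-secret on the runner's disk.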