CNTRLPLANE-3364: adding the clusterbot workflow. Its optional.

[sandeepknd]

Introduces three new clusterbot workflows that enable users to launch OpenShift clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS encryption testing via Slack

Basic Commands:
Launch a cluster with Vault on AWS:

  workflow-launch etcd-encryption-hashicorp-vault-aws 5.0

Launch a cluster with Vault on GCP:

  workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0

Launch a cluster with Vault on Azure:

  workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

Summary

Adds three optional clusterbot workflows to the OpenShift CI infrastructure that provision IPI clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS-based etcd encryption testing. These workflows enable on-demand cluster provisioning via the CI chat-bot (Slack) for AWS, GCP, and Azure.

What changed (practical impact)

• New clusterbot workflows (ci-operator step-registry):

  • etcd-encryption-hashicorp-vault-aws
  • etcd-encryption-hashicorp-vault-gcp
  • etcd-encryption-hashicorp-vault-azure
    Each workflow provisions an IPI cluster on the target cloud, installs Vault Enterprise in namespace vault-kms (via Helm), enables the Transit engine, creates a KMS key, configures AppRole auth, stores credentials in a vault-credentials secret, waits for cluster readiness (clusterbot-wait), and runs platform-specific post/cleanup chains (gather-core-dump, ipi-*-post). Documentation and environment variable defaults (CLUSTER_DURATION, VAULT_VERSION, VAULT_NAMESPACE, VAULT_KMS_KEY_NAME) are embedded in each YAML.

• Ownership and metadata:

  • Added/updated OWNERS files for the vault step-registry (root and per-platform) declaring approvers and reviewers: sandeepknd, ardaguclu, tjungblu.
  • Added workflow metadata JSON files that register each workflow path and owners.

• Chat-bot registration:

  • Registered the three workflows in core-services/ci-chat-bot/workflows-config.yaml so they can be launched via Slack commands, e.g.:
    • workflow-launch etcd-encryption-hashicorp-vault-aws 5.0
    • workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0
    • workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

Notes for reviewers / operators

• Workflows are optional clusterbot entries intended for interactive testing of etcd encryption with Vault.
• OWNERS additions set the contacts for review/approval of these workflow files.

[openshift-ci-robot]

@sandeepknd: This pull request references CNTRLPLANE-3364 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Introduces three new clusterbot workflows that enable users to launch OpenShift clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS encryption testing via Slack

Basic Commands:
Launch a cluster with Vault on AWS:

 workflow-launch etcd-encryption-hashicorp-vault-aws 5.0

Launch a cluster with Vault on GCP:

 workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0

Launch a cluster with Vault on Azure:

 workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sandeepknd
Once this PR has been reviewed and has the lgtm label, please assign bradmwilliams for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• core-services/ci-chat-bot/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a9ceff1d-522f-45e2-b779-8f22997c8b0c

📥 Commits

Reviewing files that changed from the base of the PR and between 949420f and 4fe153f.

📒 Files selected for processing (11)

• ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
• core-services/ci-chat-bot/workflows-config.yaml

✅ Files skipped from review due to trivial changes (8)

• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
• core-services/ci-chat-bot/workflows-config.yaml
• ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml

---

Walkthrough

Adds three new etcd-encryption workflows (AWS, Azure, GCP) that provision IPI clusters and install/configure HashiCorp Vault for KMS-based encryption testing, plus corresponding OWNERS and workflow metadata entries and CI chat-bot workflow registrations.

Changes

etcd-encryption with HashiCorp Vault (AWS / Azure / GCP)

Layer / File(s)	Summary
Ownership Configuration ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS	Add approvers and reviewers: sandeepknd, ardagcuclu, tjungblu.
Workflow Metadata ci-operator/step-registry/etcd-encryption/hashicorp-vault/*/etcd-encryption-hashicorp-vault-*-workflow.metadata.json	Add metadata registering workflow YAML paths and owners for AWS, Azure, GCP.
Workflow Implementations ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml, .../azure/...-azure-workflow.yaml, .../gcp/...-gcp-workflow.yaml	Add three workflow YAMLs (as: etcd-encryption-hashicorp-vault-<platform>) defining pre chains (IPI pre, Vault install/configure), a test step (clusterbot-wait), allow_best_effort_post_steps, and post chains; include embedded documentation about Vault setup (Transit, KMS key, AppRole, vault-credentials) and environment variables.
CI Bot Registration core-services/ci-chat-bot/workflows-config.yaml	Register workflows etcd-encryption-hashicorp-vault-aws, etcd-encryption-hashicorp-vault-azure, etcd-encryption-hashicorp-vault-gcp with platform labels.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer/Trigger
    participant CI as CI Operator
    participant Chat as CI Chat-Bot
    participant Prov as Cluster Provisioner (IPI)
    participant Vault as HashiCorp Vault (vault-kms)
    participant Test as clusterbot-wait / Test Harness

    Dev->>CI: push / trigger workflow (etcd-encryption-hashicorp-vault-<platform>)
    CI->>Chat: query workflows-config (platform metadata)
    CI->>Prov: run pre-chain (ipi-*-pre)
    Prov->>Vault: deploy Vault Enterprise (vault-kms), enable Transit, create KMS key, configure AppRole
    Vault->>CI: store credentials in secret `vault-credentials`
    CI->>Test: run `clusterbot-wait` (cluster readiness)
    Test->>CI: signal readiness
    CI->>CI: run post-chains (gather-core-dump, ipi-*-post) — best-effort

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title specifically references adding clusterbot workflows for HashiCorp Vault, which directly matches the main changes across multiple files adding three new workflows (AWS, Azure, GCP) with corresponding metadata and OWNERS files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this PR. The PR only adds CI/CD configuration files, workflow definitions, and OWNERS files—no Ginkgo test code.
Test Structure And Quality	✅ Passed	Check is not applicable. PR contains only workflow definitions, metadata files, and configuration files (YAML, JSON, OWNERS). No Ginkgo test code is present in the PR.
Microshift Test Compatibility	✅ Passed	Check not applicable. PR adds only CI/CD workflow configuration (OWNERS, metadata JSON, workflow YAML), not Ginkgo e2e tests. No test code with Ginkgo patterns found.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes consist of CI/CD workflow definitions (YAML/JSON/OWNERS files). SNO compatibility check does not apply to infrastructure configuration.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds only CI workflow definitions and configuration, not Kubernetes deployment manifests, operators, or controllers. No scheduling constraints are defined. Check does not apply.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check applies only to Go binaries and process-level code. This PR adds only configuration files (YAML, JSON, OWNERS) with no Go source code or binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests present. Changes are YAML/JSON configuration for workflows, OWNERS, and metadata. Check requires Ginkgo tests to apply—not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@sandeepknd: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@sandeepknd: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.