diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS
new file mode 100644
index 0000000000000..c623fb098f163
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS
new file mode 100644
index 0000000000000..c623fb098f163
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json
new file mode 100644
index 0000000000000..bb9ca6799f2e6
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ],
+ "reviewers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml
new file mode 100644
index 0000000000000..dfba8f704d9c1
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml
@@ -0,0 +1,38 @@
+workflow:
+ as: etcd-encryption-hashicorp-vault-aws
+ steps:
+ allow_best_effort_post_steps: true
+ pre:
+ - chain: ipi-aws-pre
+ - chain: etcd-encryption-vault-setup
+ test:
+ - ref: clusterbot-wait
+ post:
+ - chain: gather-core-dump
+ - chain: ipi-aws-post
+ documentation: |-
+ Provisions an AWS cluster with HashiCorp Vault Enterprise installed and
+ configured for KMS encryption testing.
+
+ This workflow is designed for use with clusterbot to provide interactive access
+ to a cluster with Vault pre-installed and configured.
+
+ What's installed:
+ - OpenShift cluster on AWS (IPI)
+ - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+ - Vault initialized and configured with:
+ * Transit secret engine enabled
+ * KMS encryption key created
+ * AppRole authentication configured
+ * Credentials stored in vault-credentials secret
+
+ Access details:
+ - Vault service: vault.vault-kms.svc:8200
+ - Vault pod: vault-0
+ - Credentials secret: vault-credentials (namespace: vault-kms)
+
+ Environment variables:
+ - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+ - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+ - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+ - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS
new file mode 100644
index 0000000000000..c623fb098f163
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu
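Review bot: The documentation block lists what the etcd-encryption-vault-setup chain installs but leaves out the two facts from that chain's own documentation that a clusterbot user most needs: Vault is deployed in dev mode with its root token written to the vault-credentials secret, and the chain expects a Vault Enterprise license secret (tests-private-account in the test-credentials namespace, key kms-vault-license) to exist before it runs. As written the text reads like a production-style KMS setup, and the omitted license prerequisite is the most likely reason for the pre chain to fail. I would add under "What's installed" a line such as `- Vault runs in dev mode; its root token is stored in the vault-credentials secret, so treat the cluster as test-only` and a short "Prerequisites" section mirroring the chain's. The same applies to the azure and gcp workflow yaml hunks, whose documentation blocks are identical apart from the platform name.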
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json
new file mode 100644
index 0000000000000..ee38203f709e7
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ],
+ "reviewers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
new file mode 100644
index 0000000000000..dc200280daa5f
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml
@@ -0,0 +1,38 @@
+workflow:
+ as: etcd-encryption-hashicorp-vault-azure
+ steps:
+ allow_best_effort_post_steps: true
+ pre:
+ - chain: ipi-azure-pre
+ - chain: etcd-encryption-vault-setup
+ test:
+ - ref: clusterbot-wait
+ post:
+ - chain: gather-core-dump
+ - chain: ipi-azure-post
+ documentation: |-
+ Provisions an Azure cluster with HashiCorp Vault Enterprise installed and
+ configured for KMS encryption testing.
+
+ This workflow is designed for use with clusterbot to provide interactive access
+ to a cluster with Vault pre-installed and configured.
+
+ What's installed:
+ - OpenShift cluster on Azure (IPI)
+ - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+ - Vault initialized and configured with:
+ * Transit secret engine enabled
+ * KMS encryption key created
+ * AppRole authentication configured
+ * Credentials stored in vault-credentials secret
+
+ Access details:
+ - Vault service: vault.vault-kms.svc:8200
+ - Vault pod: vault-0
+ - Credentials secret: vault-credentials (namespace: vault-kms)
+
+ Environment variables:
+ - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+ - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+ - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+ - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS
new file mode 100644
index 0000000000000..c623fb098f163
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json
new file mode 100644
index 0000000000000..e2487f1259612
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ],
+ "reviewers": [
+ "sandeepknd",
+ "ardaguclu",
+ "tjungblu"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
new file mode 100644
index 0000000000000..e146ddc91c126
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml
@@ -0,0 +1,38 @@
+workflow:
+ as: etcd-encryption-hashicorp-vault-gcp
+ steps:
+ allow_best_effort_post_steps: true
+ pre:
+ - chain: ipi-gcp-pre
+ - chain: etcd-encryption-vault-setup
+ test:
+ - ref: clusterbot-wait
+ post:
+ - chain: gather-core-dump
+ - chain: ipi-gcp-post
+ documentation: |-
+ Provisions a GCP cluster with HashiCorp Vault Enterprise installed and
+ configured for KMS encryption testing.
+
+ This workflow is designed for use with clusterbot to provide interactive access
+ to a cluster with Vault pre-installed and configured.
+
+ What's installed:
+ - OpenShift cluster on GCP (IPI)
+ - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+ - Vault initialized and configured with:
+ * Transit secret engine enabled
+ * KMS encryption key created
+ * AppRole authentication configured
+ * Credentials stored in vault-credentials secret
+
+ Access details:
+ - Vault service: vault.vault-kms.svc:8200
+ - Vault pod: vault-0
+ - Credentials secret: vault-credentials (namespace: vault-kms)
+
+ Environment variables:
+ - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+ - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+ - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+ - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)
diff --git a/ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS b/ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS
new file mode 100644
index 0000000000000..44170dcae9371
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS
@@ -0,0 +1,18 @@
+approvers:
+- ardaguclu
+- benluddy
+- bertinatto
+- flavianmissi
+- gangwgr
+- p0lyn0mial
+- sandeepknd
+- tjungblu
+reviewers:
+- ardaguclu
+- benluddy
+- bertinatto
+- flavianmissi
+- gangwgr
+- p0lyn0mial
+- sandeepknd
+- tjungblu
diff --git a/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.metadata.json b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.metadata.json
new file mode 100644
index 0000000000000..480c7a7ecd352
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.metadata.json
@@ -0,0 +1,25 @@
+{
+ "path": "etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml",
+ "owners": {
+ "approvers": [
+ "ardaguclu",
+ "benluddy",
+ "bertinatto",
+ "flavianmissi",
+ "gangwgr",
+ "p0lyn0mial",
+ "sandeepknd",
+ "tjungblu"
+ ],
+ "reviewers": [
+ "ardaguclu",
+ "benluddy",
+ "bertinatto",
+ "flavianmissi",
+ "gangwgr",
+ "p0lyn0mial",
+ "sandeepknd",
+ "tjungblu"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml
new file mode 100644
index 0000000000000..bbc25f95a0ea6
--- /dev/null
+++ b/ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml
@@ -0,0 +1,44 @@
+chain:
+ as: etcd-encryption-vault-setup
+ steps:
+ - ref: etcd-encryption-vault-install
+ - ref: etcd-encryption-vault-configure
+ documentation: |-
+ Installs and configures HashiCorp Vault Enterprise for KMS encryption testing.
+
+ This chain combines the vault installation and configuration steps into a single
+ reusable component that can be used across different platform workflows.
+
+ What this chain does:
+ 1. Installs HashiCorp Vault Enterprise via Helm (vault-install step)
+ - Deploys Vault in dev mode to vault-kms namespace
+ - Creates vault-license secret from mounted credentials
+ - Waits for Vault pod to be ready
+
+ 2. Configures Vault for KMS encryption (vault-configure step)
+ - Enables transit secret engine
+ - Creates KMS encryption key
+ - Configures AppRole authentication
+ - Stores credentials in vault-credentials secret
+
+ Prerequisites:
+ - OpenShift cluster with adequate resources
+ - Vault Enterprise license secret named 'tests-private-account' in test-credentials namespace
+ containing the license file at key 'kms-vault-license'
+
+ Outputs:
+ - Vault service: vault.vault-kms.svc:8200
+ - Vault pod: vault-0 (Ready state)
+ - Credentials secret: vault-credentials in vault-kms namespace
+ * role-id: AppRole role ID for KMS plugin
+ * secret-id: AppRole secret ID for KMS plugin
+ * root-token: Vault root token (dev mode)
+
+ Environment variables (inherited from vault-install step):
+ - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+ - VAULT_CHART_VERSION: Helm chart version (default: 0.28.1)
+ - VAULT_NAMESPACE: Vault namespace (default: vault-kms)
+ - VAULT_IMAGE_REPOSITORY: Container image repo (default: docker.io/hashicorp/vault-enterprise)
+
+ Environment variables (inherited from vault-configure step):
+ - VAULT_KMS_KEY_NAME: Transit encryption key name (default: kms-key)
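Review bot: The Outputs section documents `root-token: Vault root token (dev mode)` in the vault-credentials secret without stating what that implies for consumers of the chain: a Vault dev server keeps its storage in memory and starts unsealed, so unless the Helm values override that, the transit key and AppRole setup do not survive a restart of vault-0, and any principal that can read secrets in the vault-kms namespace holds full administrative control of Vault. A sentence under Outputs such as `Dev mode keeps state in memory and starts unsealed; the stored root token grants full control of Vault, so this chain is only suitable for ephemeral test clusters` would make the intended scope explicit. The prose also refers to the steps as "vault-install step" and "vault-configure step" while the refs are etcd-encryption-vault-install and etcd-encryption-vault-configure; using the full ref names in the documentation avoids a hunt through the registry.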
diff --git a/core-services/ci-chat-bot/workflows-config.yaml b/core-services/ci-chat-bot/workflows-config.yaml
index 6dcb97042ca2d..701ac6aa94066 100644
--- a/core-services/ci-chat-bot/workflows-config.yaml
+++ b/core-services/ci-chat-bot/workflows-config.yaml
@@ -721,6 +721,12 @@ workflows:
 platform: nutanix
 cucushift-installer-rehearse-ibmcloud-ipi:
 platform: ibmcloud
+ etcd-encryption-hashicorp-vault-aws:
+ platform: aws
+ etcd-encryption-hashicorp-vault-azure:
+ platform: azure
+ etcd-encryption-hashicorp-vault-gcp:
+ platform: gcp
 hypershift-aws-e2e-external:
 platform: aws
 hypershift-aws-e2e-nested: