CNTRLPLANE-3364: adding the clusterbot workflow. Its optional.

ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu

ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu

ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.metadata.json

@@ -0,0 +1,15 @@
+{
+	"path": "etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		],
+		"reviewers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		]
+	}
+}

ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml

@@ -0,0 +1,39 @@
+workflow:
+  as: etcd-encryption-hashicorp-vault-aws
+  steps:
+    allow_best_effort_post_steps: true
+    pre:
+    - chain: ipi-aws-pre
+    - ref: etcd-encryption-vault-install
+    - ref: etcd-encryption-vault-configure
+    test:
+    - ref: clusterbot-wait
+    post:
+    - chain: gather-core-dump
+    - chain: ipi-aws-post
+  documentation: |-
+    Provisions an AWS cluster with HashiCorp Vault Enterprise installed and
+    configured for KMS encryption testing.
+
+    This workflow is designed for use with clusterbot to provide interactive access
+    to a cluster with Vault pre-installed and configured.
+
+    What's installed:
+    - OpenShift cluster on AWS (IPI)
+    - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+    - Vault initialized and configured with:
+      * Transit secret engine enabled
+      * KMS encryption key created
+      * AppRole authentication configured
+      * Credentials stored in vault-credentials secret
+
+    Access details:
+    - Vault service: vault.vault-kms.svc:8200
+    - Vault pod: vault-0
+    - Credentials secret: vault-credentials (namespace: vault-kms)
+
+    Environment variables:
+    - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+    - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+    - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+    - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)

ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu

ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.metadata.json

@@ -0,0 +1,15 @@
+{
+	"path": "etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		],
+		"reviewers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		]
+	}
+}

ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/etcd-encryption-hashicorp-vault-azure-workflow.yaml

@@ -0,0 +1,39 @@
+workflow:
+  as: etcd-encryption-hashicorp-vault-azure
+  steps:
+    allow_best_effort_post_steps: true
+    pre:
+    - chain: ipi-azure-pre
+    - ref: etcd-encryption-vault-install
+    - ref: etcd-encryption-vault-configure
+    test:
+    - ref: clusterbot-wait
+    post:
+    - chain: gather-core-dump
+    - chain: ipi-azure-post
+  documentation: |-
+    Provisions an Azure cluster with HashiCorp Vault Enterprise installed and
+    configured for KMS encryption testing.
+
+    This workflow is designed for use with clusterbot to provide interactive access
+    to a cluster with Vault pre-installed and configured.
+
+    What's installed:
+    - OpenShift cluster on Azure (IPI)
+    - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+    - Vault initialized and configured with:
+      * Transit secret engine enabled
+      * KMS encryption key created
+      * AppRole authentication configured
+      * Credentials stored in vault-credentials secret
+
+    Access details:
+    - Vault service: vault.vault-kms.svc:8200
+    - Vault pod: vault-0
+    - Credentials secret: vault-credentials (namespace: vault-kms)
+
+    Environment variables:
+    - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+    - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+    - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+    - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)

ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- sandeepknd
+- ardaguclu
+- tjungblu
+reviewers:
+- sandeepknd
+- ardaguclu
+- tjungblu

ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.metadata.json

@@ -0,0 +1,15 @@
+{
+	"path": "etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		],
+		"reviewers": [
+			"sandeepknd",
+			"ardaguclu",
+			"tjungblu"
+		]
+	}
+}

ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/etcd-encryption-hashicorp-vault-gcp-workflow.yaml

@@ -0,0 +1,39 @@
+workflow:
+  as: etcd-encryption-hashicorp-vault-gcp
+  steps:
+    allow_best_effort_post_steps: true
+    pre:
+    - chain: ipi-gcp-pre
+    - ref: etcd-encryption-vault-install
+    - ref: etcd-encryption-vault-configure
+    test:
+    - ref: clusterbot-wait
+    post:
+    - chain: gather-core-dump
+    - chain: ipi-gcp-post
+  documentation: |-
+    Provisions a GCP cluster with HashiCorp Vault Enterprise installed and
+    configured for KMS encryption testing.
+
+    This workflow is designed for use with clusterbot to provide interactive access
+    to a cluster with Vault pre-installed and configured.
+
+    What's installed:
+    - OpenShift cluster on GCP (IPI)
+    - HashiCorp Vault Enterprise (via Helm) in namespace: vault-kms
+    - Vault initialized and configured with:
+      * Transit secret engine enabled
+      * KMS encryption key created
+      * AppRole authentication configured
+      * Credentials stored in vault-credentials secret
+
+    Access details:
+    - Vault service: vault.vault-kms.svc:8200
+    - Vault pod: vault-0
+    - Credentials secret: vault-credentials (namespace: vault-kms)
+
+    Environment variables:
+    - CLUSTER_DURATION: How long to keep the cluster alive (default: 9000 seconds)
+    - VAULT_VERSION: Vault Enterprise version (default: 2.0.0-ent)
+    - VAULT_NAMESPACE: Namespace for Vault (default: vault-kms)
+    - VAULT_KMS_KEY_NAME: Name of the transit encryption key (default: kms-key)

core-services/ci-chat-bot/workflows-config.yaml

@@ -721,6 +721,12 @@ workflows:
     platform: nutanix
   cucushift-installer-rehearse-ibmcloud-ipi:
     platform: ibmcloud
+  etcd-encryption-hashicorp-vault-aws:
+    platform: aws
+  etcd-encryption-hashicorp-vault-azure:
+    platform: azure
+  etcd-encryption-hashicorp-vault-gcp:
+    platform: gcp
   hypershift-aws-e2e-external:
     platform: aws
   hypershift-aws-e2e-nested: