CNTRLPLANE-3364: adding the clusterbot workflow. Its optional.

[sandeepknd]

Introduces three new clusterbot workflows that enable users to launch OpenShift clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS encryption testing via Slack

Basic Commands:
Launch a cluster with Vault on AWS:

  workflow-launch etcd-encryption-hashicorp-vault-aws 5.0

Launch a cluster with Vault on GCP:

  workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0

Launch a cluster with Vault on Azure:

  workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

Summary

Adds three optional clusterbot workflows and supporting step-registry chains to OpenShift CI that let operators provision IPI clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS-based etcd encryption testing. The changes register the workflows with the CI chat-bot (Slack) and add ownership/metadata so the workflow and its constituent chains can be reviewed and landed.

Affected areas: core-services/ci-chat-bot (workflow registration), ci-operator step-registry (new workflows, a new vault-setup chain and supporting metadata), and OWNERS files under the etcd-encryption step-registry.

What changed (practical impact)

• New clusterbot workflows (ci-operator step-registry)

  • etcd-encryption-hashicorp-vault-aws
  • etcd-encryption-hashicorp-vault-gcp
  • etcd-encryption-hashicorp-vault-azure
    Each workflow provisions an IPI cluster on the specified cloud, installs Vault Enterprise into namespace vault-kms (Helm, dev mode described in docs), enables the Transit engine, creates a KMS key, configures AppRole auth, stores credentials in a vault-credentials secret, exposes Vault endpoints (service/pod/namespace), waits for cluster readiness via clusterbot-wait, and runs platform-specific post/cleanup chains (gather-core-dump, ipi-*-post). Each workflow includes documentation and default environment variables (CLUSTER_DURATION, VAULT_VERSION, VAULT_NAMESPACE, VAULT_KMS_KEY_NAME).

• New reusable chain: etcd-encryption-vault-setup

  • Declares a chain that composes two steps: etcd-encryption-vault-install and etcd-encryption-vault-configure.
  • Accompanied by metadata and documentation describing responsibilities, expected outputs, and environment variables inherited by the install/configure steps.

• Chat-bot registration

  • Registered the three workflows in core-services/ci-chat-bot/workflows-config.yaml so they can be launched via Slack, e.g.:
    • workflow-launch etcd-encryption-hashicorp-vault-aws 5.0
    • workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0
    • workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

• Ownership and metadata

  • Added/updated OWNERS files for:
    • ci-operator/step-registry/etcd-encryption/hashicorp-vault (root) and per-platform paths (aws, gcp, azure): approvers/reviewers set to sandeepknd, ardaguclu, tjungblu.
    • ci-operator/step-registry/etcd-encryption/vault-setup: approvers/reviewers set to ardaguclu, benluddy, bertinatto, flavianmissi, gangwgr, p0lyn0mial, sandeepknd, tjungblu.
  • Added metadata JSON files for each workflow and for the vault-setup chain mapping the file paths to owners.

Notes for reviewers / operators

• These are optional clusterbot workflows intended for interactive/manual testing of etcd encryption with Vault; they do not change production controllers.
• The vault-setup chain groups install + configure steps; a reviewer comment recommends ensuring the vault-install and vault-configuration steps/refs are defined and available before merging.
• PR comments: openshift-ci-robot validated the Jira reference (CNTRLPLANE-3364) but warned the referenced Jira issue has no target version set (expected 5.0.0 for main). The author assigned @tjungblu and @ardaguclu for review.

[openshift-ci-robot]

@sandeepknd: This pull request references CNTRLPLANE-3364 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Introduces three new clusterbot workflows that enable users to launch OpenShift clusters with HashiCorp Vault Enterprise pre-installed and configured for KMS encryption testing via Slack

Basic Commands:
Launch a cluster with Vault on AWS:

 workflow-launch etcd-encryption-hashicorp-vault-aws 5.0

Launch a cluster with Vault on GCP:

 workflow-launch etcd-encryption-hashicorp-vault-gcp 5.0

Launch a cluster with Vault on Azure:

 workflow-launch etcd-encryption-hashicorp-vault-azure 5.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sandeepknd
Once this PR has been reviewed and has the lgtm label, please assign bradmwilliams for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• core-services/ci-chat-bot/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds three new etcd-encryption workflows (AWS, Azure, GCP) that provision IPI clusters and install/configure HashiCorp Vault for KMS-based encryption testing; introduces a reusable vault setup chain; and adds corresponding OWNERS, workflow metadata, and CI chat-bot workflow registrations.

Changes

etcd-encryption with HashiCorp Vault (AWS / Azure / GCP) + Vault Setup Chain

Layer / File(s)	Summary
Ownership Configuration ci-operator/step-registry/etcd-encryption/hashicorp-vault/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/azure/OWNERS, ci-operator/step-registry/etcd-encryption/hashicorp-vault/gcp/OWNERS, ci-operator/step-registry/etcd-encryption/vault-setup/OWNERS	Add/define approvers and reviewers for vault area: sandeepknd, ardagcuclu, tjungblu; vault-setup/OWNERS populated with ardagAguclu, benluddy, bertinatto, flavianmissi, gangwgr, p0lyn0mial, sandeepknd, tjungblu.
Workflow Metadata ci-operator/step-registry/etcd-encryption/hashicorp-vault/*/etcd-encryption-hashicorp-vault-*-workflow.metadata.json, ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.metadata.json	Add JSON metadata files registering workflow/chain YAML paths and owners for AWS, Azure, GCP, and the vault-setup chain.
Vault Setup Chain Implementation ci-operator/step-registry/etcd-encryption/vault-setup/etcd-encryption-vault-setup-chain.yaml	Add new chain etcd-encryption-vault-setup composed of etcd-encryption-vault-install and etcd-encryption-vault-configure with documentation describing install/configure responsibilities, outputs, and environment variables.
Workflow Implementations ci-operator/step-registry/etcd-encryption/hashicorp-vault/aws/etcd-encryption-hashicorp-vault-aws-workflow.yaml, .../azure/...-azure-workflow.yaml, .../gcp/...-gcp-workflow.yaml	Add three workflow YAMLs (as: etcd-encryption-hashicorp-vault-<platform>) with allow_best_effort_post_steps: true, pre-chains (ipi-*-pre, etcd-encryption-vault-setup), a readiness test (clusterbot-wait), post-chains (gather-core-dump, ipi-*-post), and embedded documentation about Vault setup (Transit, KMS key, AppRole, vault-credentials) and environment variables.
CI Bot Registration core-services/ci-chat-bot/workflows-config.yaml	Register workflows etcd-encryption-hashicorp-vault-aws, etcd-encryption-hashicorp-vault-azure, etcd-encryption-hashicorp-vault-gcp with platform labels (aws, azure, gcp).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer/Trigger
    participant CI as CI Operator
    participant Chat as CI Chat-Bot
    participant Prov as Cluster Provisioner (IPI)
    participant Vault as HashiCorp Vault (vault-kms)
    participant Test as clusterbot-wait / Test Harness

    Dev->>CI: push / trigger workflow (etcd-encryption-hashicorp-vault-<platform>)
    CI->>Chat: query workflows-config (platform metadata)
    CI->>Prov: run pre-chain (ipi-*-pre, etcd-encryption-vault-setup)
    Prov->>Vault: deploy Vault Enterprise, enable Transit, create KMS key, configure AppRole
    Vault->>CI: store credentials in secret `vault-credentials`
    CI->>Test: run `clusterbot-wait` (cluster readiness)
    Test->>CI: signal readiness
    CI->>CI: run post-chains (gather-core-dump, ipi-*-post) — best-effort

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title references adding a 'clusterbot workflow' but the actual changes add three HashiCorp Vault etcd-encryption workflows with supporting infrastructure (OWNERS, metadata, chains), not a single clusterbot workflow.	Update the title to accurately reflect the main change: 'CNTRLPLANE-3364: Add HashiCorp Vault etcd-encryption workflows for AWS, Azure, and GCP' or similar to represent the complete scope of changes.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains CI workflows, OWNERS files, and config files. No Ginkgo tests found. Check not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code. Only configuration files (OWNERS, YAML workflows, JSON metadata, shell scripts). The check for test code quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds only workflow definitions, metadata, and configuration files. No Ginkgo e2e tests are added, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI infrastructure files (workflow definitions, OWNERS files, configuration) only. No Ginkgo e2e tests are added, so the custom check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	No scheduling constraints found. PR adds CI workflows and Vault setup steps without Kubernetes deployment manifests or topology-related constraints.
Ote Binary Stdout Contract	✅ Passed	Pull request adds only configuration files (YAML, JSON, OWNERS) for CI workflows and governance. No executable code, binaries, or process-level code was added. Check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds CI/CD workflow configurations and shell setup scripts, not Ginkgo e2e tests. The check applies only to new Ginkgo e2e tests.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sandeepknd]

/assign @tjungblu
/assign @ardaguclu

[ardaguclu]

I think before this PR, it would be better to define the chain that is composed of vault-install and vault-configuration.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@sandeepknd: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[sandeepknd]

I think before this PR, it would be better to define the chain that is composed of vault-install and vault-configuration.

Wrapped the two steps into a chain, per openshift CI best practices.

[openshift-ci]

@sandeepknd: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sandeepknd]

Once this lands. I will raise a separate follow-up PR to invoke this chain in the CI test. (PR - #78947)