Skip to content

feat: add KeyVaultCryptoOfficer assignment to CI bot#6014

Open
ahitacat wants to merge 1 commit into
Azure:mainfrom
ahitacat:grant-bot-keyvault-dp-permissions
Open

feat: add KeyVaultCryptoOfficer assignment to CI bot#6014
ahitacat wants to merge 1 commit into
Azure:mainfrom
ahitacat:grant-bot-keyvault-dp-permissions

Conversation

@ahitacat

@ahitacat ahitacat commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

What

Assign KeyVaultCryptoOfficer role to the CI Bot. This is the more restrictive role that grants data plane keyVault permissions.

Why

New E2E tests (introduced in this PR #5629) requires of keyVault data plane permissions to create/rotate/disable keys in the "customer" keyVault

Testing

I am not sure if this requires any test.

Special notes for your reviewer

PR Checklist

  • PR is scoped to a single task (no mixed concerns)
  • Title follows Conventional Commits format
  • Summary explains the "Why" behind the change
  • Linked to relevant ticket/issue
  • Screenshots included (if graph/UI/metrics changes)
  • Self-reviewed the diff
  • CI/CD checks are passing (ignore Tide)
  • Draft PR used for WIP (if applicable)
  • Commit history is clean (rebased/squashed)
  • Tricky code blocks are commented
  • Specific reviewers tagged
  • All comment threads resolved before merge

Copilot AI review requested due to automatic review settings July 10, 2026 07:55
@ahitacat

Copy link
Copy Markdown
Collaborator Author

/assign @roivaz

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Azure RBAC grants so the CI bot can call Key Vault data-plane APIs needed by upcoming E2E coverage around customer-managed keys.

Changes:

  • Adds a subscription-scope Key Vault Crypto User role assignment for the CI bot in the Bicep RBAC template.
  • Updates the DEV bootstrap script to grant the same role to the OpenShift Release Bot service principal across the listed subscriptions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
dev-infrastructure/templates/ci-bot-rbac-subscription.bicep Adds a Key Vault Crypto User role definition ID and a new role assignment at subscription scope.
dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh Grants Key Vault Crypto User via az role assignment create during DEV setup.

Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep Outdated
Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep Outdated
Comment thread dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh Outdated
Comment thread dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 08:17
@ahitacat ahitacat force-pushed the grant-bot-keyvault-dp-permissions branch from 095cdb6 to c24afd0 Compare July 10, 2026 08:17
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ahitacat
Once this PR has been reviewed and has the lgtm label, please ask for approval from roivaz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ahitacat ahitacat force-pushed the grant-bot-keyvault-dp-permissions branch from c24afd0 to 5070d02 Compare July 10, 2026 08:18
@ahitacat ahitacat changed the title feat: add KeyVaultCryptoUser assignment to CI bot feat: add KeyVaultCryptoOfficer assignment to CI bot Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep
Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep
Comment thread dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 08:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep Outdated
Comment thread dev-infrastructure/openshift-ci/grant-openshift-release-bot-dev.sh Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 08:51
@ahitacat ahitacat force-pushed the grant-bot-keyvault-dp-permissions branch from 5070d02 to e6766e6 Compare July 10, 2026 08:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Comment thread dev-infrastructure/templates/ci-bot-rbac-subscription.bicep Outdated
Comment on lines +153 to +157
echo " Assigning Key Vault Crypto Officer role..."
az role assignment create \
--assignee "${APP_ID}" \
--role "Key Vault Crypto Officer" \
--scope "/subscriptions/${SUBSCRIPTION_ID}" 2>/dev/null || echo " (already assigned)"
Comment on lines +77 to +80
resource keyVaultCryptoOfficerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(subscription().id, botPrincipalId, keyVaultCryptoOfficerRole)
scope: subscription()
properties: {
Signed-off-by: Alba Hita Catala <ahitacat@redhat.com>
Copilot AI review requested due to automatic review settings July 10, 2026 09:08
@ahitacat ahitacat force-pushed the grant-bot-keyvault-dp-permissions branch from e6766e6 to d82f816 Compare July 10, 2026 09:08

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment on lines +79 to +83
scope: subscription()
properties: {
principalId: botPrincipalId
principalType: 'ServicePrincipal'
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultCryptoOfficerRole)
Comment on lines +153 to +157
echo " Assigning Key Vault Crypto Officer role..."
az role assignment create \
--assignee "${APP_ID}" \
--role "Key Vault Crypto Officer" \
--scope "/subscriptions/${SUBSCRIPTION_ID}" 2>/dev/null || echo " (already assigned)"
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

@ahitacat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-parallel d82f816 link true /test e2e-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants