
telcov10n/dast: Mount GCS credential for RapidAST#79302

Open
oblau wants to merge 1 commit into openshift:main from oblau:enable-dast-reporting

Conversation

@oblau
Member

@oblau oblau commented May 14, 2026

Mount Vault-synced GCS service account into the DAST step and forward it to the RapidAST pod so scan results can upload to secaut-bucket.

Summary by CodeRabbit

  • New Features

    • DAST tests can authenticate to Google Cloud Storage and upload scan results to the secaut-bucket (telco directory).
    • Credentials are mounted into the test environment as a read-only secret for RapidAST.
  • Bug Fixes / Reliability

    • Added a pre-flight check to verify the GCS credential file is present before running scans.

@coderabbitai
Contributor

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 48b19483-047c-495b-b648-82487be03e1b

📥 Commits

Reviewing files that changed from the base of the PR and between d6bedba and dd67b72.

📒 Files selected for processing (2)
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml

Walkthrough

Adds GCS credential handling for RapidAST DAST runs: pre-flight key check on the operator step host, create a Kubernetes Secret from the key, inject GCS settings into the RapidAST ConfigMap, and mount the secret into the RapidAST pod.

Changes

GCS Integration for DAST Testing

Layer / File(s) Summary
Credential declaration for the step
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml
Adds a credentials entry: namespace test-credentials, name telco-dast-rapidast-gcs, mount path /var/run/telco-dast/rapidast-gcs.
Pre-flight key check & Secret creation
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh (lines ~8–25)
Introduces GCS_KEY_NAME, GCS_KEY_ON_STEP, GCS_KEY_ON_POD variables; verifies the GCS key file is readable on the operator step host and creates rapidast-gcs-credentials Secret in the dast namespace from that file.
RapidAST ConfigMap update
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh (lines ~43–46)
Adds googleCloudStorage block to the generated RapidAST ConfigMap with keyFile pointing to the in-pod mounted path, bucketName: secaut-bucket, and directory: telco.
Pod volume and container mount
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh (lines ~86–104)
Adds a gcs-sa volume sourced from rapidast-gcs-credentials and mounts it read-only into the rapidast container at /var/run/secrets/gcs.
sequenceDiagram
  participant Operator as Operator step host
  participant K8sAPI as Kubernetes API
  participant Config as RapidAST ConfigMap
  participant Pod as RapidAST Pod
  Operator->>Operator: read GCS key file (`GCS_KEY_ON_STEP`)
  Operator->>K8sAPI: create Secret `rapidast-gcs-credentials`
  Operator->>Config: update ConfigMap with googleCloudStorage.keyFile
  K8sAPI->>Pod: schedule pod with secret-backed volume `gcs-sa`
  Pod->>Pod: mount secret at /var/run/secrets/gcs and run RapidAST

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: mounting GCS credentials for RapidAST in the telcov10n DAST tests, which aligns with the PR description and file modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR modifies shell scripts and YAML config files, not Go test files. No Ginkgo test definitions are present, so the check is not applicable.
Test Structure And Quality ✅ Passed Custom check not applicable. PR modifies only shell scripts and YAML CI/CD configuration files, not Ginkgo test code. Check targets Go test patterns that don't exist here.
Microshift Test Compatibility ✅ Passed PR does not add/modify Ginkgo e2e tests. Changes are CI/CD configuration only (shell script and YAML). Check not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR modifies CI operator scripts and YAML, not Ginkgo e2e tests. No new Ginkgo tests added, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds credential mounting without topology constraints. No affinity, nodeSelectors, tolerations, or spread constraints. Compatible with SNO, TNF, TNA, and HyperShift.
Ote Binary Stdout Contract ✅ Passed Check not applicable. PR modifies shell script and YAML config files in CI step registry, not OTE binary test code. OTE stdout contract only applies to binary process-level code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Check not applicable. PR modifies only CI infrastructure files (shell script for credential setup and YAML step registry configuration), not Ginkgo e2e test code. No test code present.


@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: oblau

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@openshift-ci openshift-ci Bot requested review from petr-muller and smg247 May 14, 2026 13:16
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh (2)

86-88: 💤 Low value

Restrict the GCS key file permissions on the mounted volume.

A service-account key is sensitive credential material; the secret volume should be projected with restrictive file mode. Kubernetes' default defaultMode for secret volumes is 0644, leaving the key world-readable inside the container. Setting defaultMode: 0400 (or 0440) is a low-cost hardening step that pairs well with the readOnly: true you already have on the mount.

🔒 Proposed change
   - name: gcs-sa
     secret:
       secretName: rapidast-gcs-credentials
+      defaultMode: 0400
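Review bot: 0400 assumes the RapidAST process runs as the owner of the projected file, and secret volume files are projected owned by root. A container running under a non-root UID, the OpenShift default under the restricted SCC, reaches them through fsGroup ownership of the volume, which is exactly the group bit that 0400 drops. Prefer the 0440 alternative the comment already offers, and before relying on the upload confirm with `oc exec <pod> -n dast -- ls -l /var/run/secrets/gcs/` that the key is readable by the process.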

Also applies to: 102-104

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
around lines 86 - 88, The secret volume for the GCS service account (volume name
"gcs-sa" with secretName "rapidast-gcs-credentials") should set a restrictive
file mode; update the Secret projection to include defaultMode: 0400 (or 0440)
so the mounted key file is not world-readable, and apply the same defaultMode
change to the other identical secret volume definition later in the file (the
second "gcs-sa"/rapidast-gcs-credentials mount that currently uses readOnly:
true).

43-46: ⚡ Quick win

The RapiDAST schema is correct as written; consider parameterizing the GCS bucket and directory.

The RapiDAST schema (from the official repository) confirms that keyFile (camelCase), bucketName, and directory are the correct field names under config.googleCloudStorage, matching your code at lines 44–46. No schema mismatch exists.

However, bucketName: secaut-bucket and directory: "telco" are hardcoded. Promote these to step environment variables (with sensible defaults) so downstream teams can retarget the bucket without forking this file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
around lines 43 - 46, The googleCloudStorage block currently hardcodes
bucketName and directory; change them to read from step environment variables
(e.g., RAPI_DAST_GCS_BUCKET with default "secaut-bucket" and RAPI_DAST_GCS_DIR
with default "telco") while keeping keyFile configured from ${GCS_KEY_ON_POD};
update the config.googleCloudStorage.bucketName and
config.googleCloudStorage.directory references to use those env vars so
downstream consumers can override the target GCS bucket and directory without
forking.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a994ff70-0d8a-4782-8e37-7109d96029a1

📥 Commits

Reviewing files that changed from the base of the PR and between d455cc0 and d6bedba.

📒 Files selected for processing (2)
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml

Comment on lines +18 to +24
# Copy key from this step → Secret on the test cluster so RapidAST pods can mount it
if [[ ! -r "${GCS_KEY_ON_STEP}" ]]; then
echo "ERROR: GCS key not found at ${GCS_KEY_ON_STEP} (check Vault sync)"
exit 1
fi

oc create secret generic rapidast-gcs-credentials --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" -n dast
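Review bot: the pre-flight test `[[ ! -r "${GCS_KEY_ON_STEP}" ]]` catches a missing file but not an empty or truncated one, which a failed Vault sync can leave behind and which still passes -r; adding `-s` (non-empty) and a check that the file contains `"type": "service_account"` fails the step here rather than at upload time inside the pod. The comment also says the key is copied into a Secret on the test cluster; that is a second copy of the credential, so the step should delete `rapidast-gcs-credentials` (or the dast namespace) once the scans finish unless teardown already covers it.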

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make secret creation idempotent and fail fast on errors.

Two related concerns on this new block:

  1. oc create secret generic is not idempotent — if this step is retried (or run against a cluster where the dast project + secret already exist) the command returns a non-zero exit code on "AlreadyExists". Because the script only sets nounset/pipefail (no errexit), the failure is silently swallowed and the loop proceeds to create pods that may mount a stale secret. Prefer the dry-run | apply pattern so the secret is reconciled regardless of prior state.
  2. The pre-flight check correctly exits when the key file is missing, but every subsequent oc call (project creation, secret creation, configmap apply, pod apply) lacks the same explicit guarding. Consider enabling set -o errexit at the top of the file so genuine failures bubble up rather than being papered over by the per-pod oc wait later.
🛠️ Proposed change for idempotency
-oc create secret generic rapidast-gcs-credentials --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" -n dast
+oc create secret generic rapidast-gcs-credentials \
+  --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" \
+  -n dast --dry-run=client -o yaml | oc apply -f -
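Review bot: client-side `oc apply` writes the entire object, base64 key included, into the `kubectl.kubernetes.io/last-applied-configuration` annotation, so the credential is stored twice in the same Secret; `oc apply --server-side -f -` reconciles without that annotation and is the better target for this pipe. The `--dry-run=client | oc apply` pipeline also relies on pipefail, which the script already sets, for a failed render on the left side to fail the step.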

As per coding guidelines: "Step registry step definitions … with the command script using set -euo pipefail as default".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
around lines 18 - 24, Enable strict failure handling and make the secret
creation idempotent: add "set -euo pipefail" (or set -o errexit) at the top of
the script so any failing oc command bubbles up, and replace the oc create
secret generic rapidast-gcs-credentials
--from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" invocation with the
dry-run/apply pattern (e.g. generate the secret YAML with oc create secret ...
--dry-run -o yaml and pipe to oc apply -f -) so the secret is reconciled if it
already exists instead of failing on AlreadyExists; keep the existing pre-flight
check of GCS_KEY_ON_STEP and ensure other oc calls (project creation, configmap,
pod apply) also fail fast under the new errexit behavior.
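The procedure the walkthrough describes (pre-flight key check, Secret creation, RapidAST googleCloudStorage config, pod volume), assembled here as an added example that is not the PR's telcov10n-functional-dast-tests-commands.sh nor RapidAST's code. It folds in the review points from this thread: a stricter pre-flight check, an apply-friendly manifest instead of `oc create secret`, `defaultMode` on the volume, and the RAPI_DAST_GCS_BUCKET / RAPI_DAST_GCS_DIR variable names the review proposed. Secret name, namespace, bucket and directory are the PR's values; the sample key file is constructed for the example and is not a real credential; the functions render manifests to stdout so the script runs without a cluster, and the last comment shows how they would be piped into oc in the step.

```shell
#!/usr/bin/env bash
# Added example, not the PR's step script: validate a Vault-synced GCS
# service-account key, then render the Secret, the RapidAST config block and
# the pod volume so the key reaches the pod read-only and not world-readable.
# Secret/namespace/bucket/directory names are the PR's; the sample key below
# is constructed and is not a real credential.
set -euo pipefail

GCS_SECRET_NAME="rapidast-gcs-credentials"
GCS_NAMESPACE="dast"

# Pre-flight. The PR tests only -r (readable). A zero-byte or truncated file
# left by a failed Vault sync passes -r and only fails later, inside the pod,
# when RapidAST tries to upload. Check size and the key's shape as well.
check_gcs_key() {
  local key="$1"
  [[ -r "$key" ]] || { echo "ERROR: ${key} not readable (check Vault sync)" >&2; return 1; }
  [[ -s "$key" ]] || { echo "ERROR: ${key} is empty" >&2; return 1; }
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" \
    || { echo "ERROR: ${key} is not a GCP service-account key" >&2; return 1; }
  grep -q '"private_key"' "$key" \
    || { echo "ERROR: ${key} has no private_key field" >&2; return 1; }
}

# Opaque Secret manifest carrying the key under ${key_name}. Piping this into
# `oc apply -f -` reconciles an existing Secret instead of failing with
# AlreadyExists the way `oc create secret` does when the step is retried.
secret_manifest() {
  local key_name="$1" key_path="$2" b64
  b64=$(base64 < "$key_path" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${GCS_SECRET_NAME}
  namespace: ${GCS_NAMESPACE}
type: Opaque
data:
  ${key_name}: ${b64}
EOF
}

# RapidAST googleCloudStorage block. Bucket and directory default to the PR's
# values and can be overridden from the step environment, using the variable
# names the review proposed.
rapidast_gcs_config() {
  local key_on_pod="$1"
  cat <<EOF
googleCloudStorage:
  keyFile: ${key_on_pod}
  bucketName: ${RAPI_DAST_GCS_BUCKET:-secaut-bucket}
  directory: ${RAPI_DAST_GCS_DIR:-telco}
EOF
}

# Pod volume fragment. Kubernetes projects secret files owned by root with the
# default mode 0644, so every UID in the container can read the key. Files are
# root-owned, and a non-root process (the OpenShift default) reads them through
# the group bit that fsGroup ownership provides, so 0440 rather than 0400
# matches what the process needs while still keeping "other" out. Confirm
# with `ls -l` inside the pod.
gcs_volume_fragment() {
  cat <<EOF
volumes:
- name: gcs-sa
  secret:
    secretName: ${GCS_SECRET_NAME}
    defaultMode: 0440
EOF
}

# Constructed sample key so the example runs offline (not a real key).
make_sample_key() {
  cat > "$1" <<'EOF'
{"type": "service_account", "project_id": "example-project",
 "private_key_id": "0", "client_email": "rapidast@example-project.iam.gserviceaccount.com",
 "private_key": "-----BEGIN PRIVATE KEY-----\nMIIBexample\n-----END PRIVATE KEY-----\n"}
EOF
}

# In the CI step the pieces would be wired together as:
#   check_gcs_key "$GCS_KEY_ON_STEP" \
#     && secret_manifest "$GCS_KEY_NAME" "$GCS_KEY_ON_STEP" | oc apply -f -
```

The manifest functions only print YAML, so the same script can be run on a laptop to inspect exactly what would be applied; the `oc` call stays at the edge of the script where a failing render, under pipefail, fails the step instead of applying an empty object.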

@oblau oblau force-pushed the enable-dast-reporting branch from d6bedba to 714a6b4 on May 14, 2026 15:17
Signed-off-by: oblau <oblau@redhat.com>
@oblau oblau force-pushed the enable-dast-reporting branch from 714a6b4 to dd67b72 on May 14, 2026 15:17
@oblau
Member Author

oblau commented May 14, 2026

/pj-rehearse periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.21-telco-dast-operators-ci

@openshift-merge-bot
Contributor

@oblau: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@oblau: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.18-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.16-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.20-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.21-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.19-telco-dast-operators-ci N/A periodic Registry content changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@oblau: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.18-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.16-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.19-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.20-telco-dast-operators-ci N/A periodic Registry content changed
periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.21-telco-dast-operators-ci N/A periodic Registry content changed

@oblau
Member Author

oblau commented May 14, 2026

/pj-rehearse periodic-ci-openshift-kni-eco-ci-cd-main-telco-operators-dast-4.21-telco-dast-operators-ci

@openshift-merge-bot
Contributor

@oblau: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

@oblau: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.
