@@ -5,12 +5,24 @@ set -o pipefail
export KUBECONFIG="${SHARED_DIR}/kubeconfig"
unset NAMESPACE

GCS_KEY_NAME="rapidast-sa-telco_key.json"
GCS_KEY_ON_STEP="/var/run/telco-dast/rapidast-gcs/${GCS_KEY_NAME}"
GCS_KEY_ON_POD="/var/run/secrets/gcs/${GCS_KEY_NAME}"

# Setup
oc new-project dast
oc create serviceaccount rapidast -n dast
oc adm policy add-cluster-role-to-user cluster-admin -z rapidast -n dast
oc adm policy add-scc-to-user anyuid -z rapidast -n dast

# Copy key from this step → Secret on the test cluster so RapidAST pods can mount it
if [[ ! -r "${GCS_KEY_ON_STEP}" ]]; then
echo "ERROR: GCS key not found at ${GCS_KEY_ON_STEP} (check Vault sync)"
exit 1
fi

oc create secret generic rapidast-gcs-credentials --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" -n dast
Comment on lines +18 to +24
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make secret creation idempotent and fail fast on errors.

Two related concerns on this new block:

  1. oc create secret generic is not idempotent — if this step is retried (or run against a cluster where the dast project + secret already exist) the command returns a non-zero exit code on "AlreadyExists". Because the script only sets nounset/pipefail (no errexit), the failure is silently swallowed and the loop proceeds to create pods that may mount a stale secret. Prefer the dry-run | apply pattern so the secret is reconciled regardless of prior state.
  2. The pre-flight check correctly exits when the key file is missing, but every subsequent oc call (project creation, secret creation, configmap apply, pod apply) lacks the same explicit guarding. Consider enabling set -o errexit at the top of the file so genuine failures bubble up rather than being papered over by the per-pod oc wait later.
🛠️ Proposed change for idempotency
-oc create secret generic rapidast-gcs-credentials --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" -n dast
+oc create secret generic rapidast-gcs-credentials \
+  --from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" \
+  -n dast --dry-run=client -o yaml | oc apply -f -

As per coding guidelines: "Step registry step definitions … with the command script using set -euo pipefail as default".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
around lines 18 - 24, Enable strict failure handling and make the secret
creation idempotent: add "set -euo pipefail" (or set -o errexit) at the top of
the script so any failing oc command bubbles up, and replace the oc create
secret generic rapidast-gcs-credentials
--from-file="${GCS_KEY_NAME}=${GCS_KEY_ON_STEP}" invocation with the
dry-run/apply pattern (e.g. generate the secret YAML with oc create secret ...
--dry-run -o yaml and pipe to oc apply -f -) so the secret is reconciled if it
already exists instead of failing on AlreadyExists; keep the existing pre-flight
check of GCS_KEY_ON_STEP and ensure other oc calls (project creation, configmap,
pod apply) also fail fast under the new errexit behavior.


OVERALL_RC=0

while read -r OPERATOR_NAME OPERATOR_API_PATH; do
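Review bot: the pre-flight error is written to stdout; `echo "ERROR: ..." >&2` keeps it out of the step's normal output and makes it easier to spot in CI logs. The idempotency point raised in the comment above for `oc create secret` applies equally to `oc new-project dast` and `oc create serviceaccount rapidast` in the same hunk: once `set -o errexit` is enabled, a retry against a cluster where the project already exists stops at `oc new-project`, so guard those too (e.g. `oc get project dast >/dev/null 2>&1 || oc new-project dast`, or the same `--dry-run=client -o yaml | oc apply -f -` shape). Finally, the key copied into `rapidast-gcs-credentials` is a long-lived GCS service-account credential placed in a namespace whose `rapidast` service account holds `cluster-admin`; nothing in this hunk removes the secret once the scans finish, so either delete it (or the `dast` project) at the end of the script or state in a comment that cluster teardown is relied on for cleanup.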
@@ -28,6 +40,10 @@ data:
rapidast-config.yaml: |
config:
configVersion: 6
googleCloudStorage:
keyFile: "${GCS_KEY_ON_POD}"
bucketName: secaut-bucket
directory: "telco"
application:
shortName: "${OPERATOR_NAME}"
url: "https://kubernetes.default.svc:443"
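Review bot: `bucketName: secaut-bucket` and `directory: "telco"` are hard-coded inside the heredoc, unlike the key name and paths, which are variables at the top of the script; lift them into e.g. `GCS_BUCKET_NAME`/`GCS_DIRECTORY` beside `GCS_KEY_NAME` so the upload destination is visible and changeable in one place. Since the heredoc is rendered once per operator in the `while read` loop, every operator's results are pushed to the same `telco` directory; if the RapidAST upload does not itself separate results per scan, include `${OPERATOR_NAME}` in `directory` so runs cannot overwrite each other.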
@@ -67,6 +83,9 @@ spec:
- name: config
configMap:
name: rapidast-config-${OPERATOR_NAME}
- name: gcs-sa
secret:
secretName: rapidast-gcs-credentials
containers:
- name: rapidast
image: quay.io/redhatproductsecurity/rapidast:latest
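Review bot: the new `gcs-sa` volume takes the default secret file mode (0644), which makes the GCS key readable by any uid inside the container; set `defaultMode: 0400` (or `0440` together with an `fsGroup`) on the secret volume so only the rapidast process can read it, and check that it still reads under the SCC the pod runs with (the script grants `anyuid`). Leaving `optional` unset is the right choice here, since a missing secret then fails the pod instead of running the scan without upload credentials.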
@@ -80,6 +99,9 @@ spec:
volumeMounts:
- name: config
mountPath: /opt/rapidast/config
- name: gcs-sa
mountPath: /var/run/secrets/gcs
readOnly: true
EOF

# Wait for pod to be running
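Review bot: the literal `mountPath: /var/run/secrets/gcs` duplicates the directory part of `GCS_KEY_ON_POD="/var/run/secrets/gcs/${GCS_KEY_NAME}"` at the top of the script; derive both from one variable (e.g. `GCS_MOUNT_DIR=/var/run/secrets/gcs`, `GCS_KEY_ON_POD="${GCS_MOUNT_DIR}/${GCS_KEY_NAME}"`, and `mountPath: ${GCS_MOUNT_DIR}` in the heredoc) so the config's `keyFile` and the mount cannot drift apart. `readOnly: true` on the credential mount is the right setting.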
@@ -3,6 +3,10 @@ ref:
from: cli
commands: telcov10n-functional-dast-tests-commands.sh
timeout: 4h
credentials:
- namespace: test-credentials
name: telco-dast-rapidast-gcs
mount_path: /var/run/telco-dast/rapidast-gcs
env:
- name: OPERATORS_DAST
default: |
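Review bot: the `mount_path` here and the file name the script expects (`rapidast-sa-telco_key.json` under `/var/run/telco-dast/rapidast-gcs`, via `GCS_KEY_ON_STEP`) are coupled only by convention, and a change to either side surfaces only at runtime through the script's pre-flight check. Add a comment on the `credentials` entry naming the expected key file inside the `telco-dast-rapidast-gcs` secret so whoever rotates the key in `test-credentials` keeps the file name the step reads.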