Set Vault to read-only and scale down secret-collection-manager #79591

Open
psalajova wants to merge 1 commit into openshift:main from psalajova:freeze-vault-and-disable-selfservice-ui

Conversation


@psalajova psalajova commented May 21, 2026

Merge this PR to "freeze" Vault on migration day.
(prerequisite: ci-tools PR openshift/ci-tools#5197)

/hold

Summary by CodeRabbit

This pull request prepares the OpenShift CI infrastructure's Vault service for migration by implementing two changes:

  1. Vault Read-Only Mode: The Vault subpath-proxy container is configured with a --read-only flag in the Vault StatefulSet manifest, putting the service into read-only mode to prevent any modifications during the migration window.

  2. Scaling Down Secret Collection Manager: The vault-secret-collection-manager Deployment (the selfservice UI for secret management) is scaled down from 2 to 0 replicas, disabling user-facing secret management operations during migration.

These changes work together to "freeze" the Vault service on migration day—preventing both programmatic modifications (via read-only mode) and user-initiated secret management actions (by disabling the selfservice UI). The PR is held pending merge at the scheduled migration time.
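The two invariants this PR establishes (the subpath-proxy container of the Vault StatefulSet runs with --read-only, and the vault-secret-collection-manager Deployment sits at 0 replicas) are the kind of thing worth gating on before the hold is lifted on migration day. The script below is an added example written for this page, not code from openshift/release or ci-tools: it models the two manifests as the dicts `yaml.safe_load()` would return for clusters/app.ci/vault/manifests.yaml and secret-collection-manager.yaml (an assumed shape, trimmed to the fields the check needs), applies the freeze idempotently, and lists any violations. The manifest contents, image names and the `--example-existing-flag` argument are constructed placeholders; `--read-only` itself is the flag this PR adds, and its semantics are defined by the ci-tools subpath-proxy, not by this script.

```python
"""Pre-merge gate for the Vault "freeze" this PR performs.

Added example for this page; not code from openshift/release or ci-tools.
It checks the two invariants the PR establishes on migration day: the
subpath-proxy container of the Vault StatefulSet runs with --read-only, and
the vault-secret-collection-manager Deployment has 0 replicas. Manifests are
handled as the dicts yaml.safe_load() returns for the two files under
clusters/app.ci/vault/ (assumed shape); the two below are constructed
stand-ins trimmed to the fields the check needs, with placeholder values.
"""
import copy

READ_ONLY_FLAG = "--read-only"
PROXY_CONTAINER = "subpath-proxy"

# Constructed stand-in for manifests.yaml in its pre-freeze state (no --read-only).
VAULT_STATEFULSET = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "vault"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "vault", "image": "vault:placeholder"},
        {"name": PROXY_CONTAINER, "image": "subpath-proxy:placeholder",
         "args": ["--example-existing-flag"]},  # placeholder arg, not a real flag
    ]}}},
}

# Constructed stand-in for secret-collection-manager.yaml pre-freeze (2 replicas).
SECRET_COLLECTION_MANAGER = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "vault-secret-collection-manager", "namespace": "ci"},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [
        {"name": "vault-secret-collection-manager", "image": "scm:placeholder"},
    ]}}},
}


def find_container(workload, name):
    """Return the container named `name` from a pod-template workload, or None."""
    for container in workload["spec"]["template"]["spec"].get("containers", []):
        if container.get("name") == name:
            return container
    return None


def freeze_vault(statefulset, deployment):
    """Return frozen deep copies: --read-only on the proxy, 0 replicas on the UI.

    Idempotent: running it on already-frozen manifests leaves them unchanged,
    so re-applying after a rebase never duplicates the flag. Inputs are not
    mutated.
    """
    sts, dep = copy.deepcopy(statefulset), copy.deepcopy(deployment)
    proxy = find_container(sts, PROXY_CONTAINER)
    if proxy is None:
        raise ValueError(f"Vault StatefulSet has no {PROXY_CONTAINER} container")
    args = proxy.setdefault("args", [])
    if READ_ONLY_FLAG not in args:
        args.append(READ_ONLY_FLAG)
    dep["spec"]["replicas"] = 0
    return sts, dep


def freeze_violations(statefulset, deployment):
    """List every way the pair fails the freeze invariants; [] means frozen."""
    problems = []
    proxy = find_container(statefulset, PROXY_CONTAINER)
    if proxy is None:
        problems.append(f"{PROXY_CONTAINER} container missing from Vault StatefulSet")
    elif READ_ONLY_FLAG not in proxy.get("args", []):
        problems.append(f"{PROXY_CONTAINER} is not running with {READ_ONLY_FLAG}")
    # A Deployment with no replicas field defaults to 1, so an absent key is
    # still "not scaled down" and must not pass the gate.
    name = deployment["metadata"]["name"]
    replicas = deployment["spec"].get("replicas", 1)
    if replicas != 0:
        problems.append(f"{name} has replicas={replicas}, expected 0")
    return problems


if __name__ == "__main__":
    print("before:", freeze_violations(VAULT_STATEFULSET, SECRET_COLLECTION_MANAGER))
    frozen_sts, frozen_dep = freeze_vault(VAULT_STATEFULSET, SECRET_COLLECTION_MANAGER)
    print("after:", freeze_violations(frozen_sts, frozen_dep))
```

Run against the real files by loading each with `yaml.safe_load()` and passing the two dicts to `freeze_violations()`; a non-empty list means the freeze PR does not actually do both things it claims. The replicas default matters: a manifest that drops the `replicas` key entirely is a Deployment of 1, not 0.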

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 21, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 21, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@psalajova: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.


coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 878353bc-13aa-4382-9c8f-3546d38a36da

📥 Commits

Reviewing files that changed from the base of the PR and between 342ff75 and 7a0d203.

📒 Files selected for processing (2)
  • clusters/app.ci/vault/manifests.yaml
  • clusters/app.ci/vault/secret-collection-manager.yaml

Walkthrough

This PR makes two targeted configuration changes to the Vault infrastructure in the app.ci cluster: enabling read-only mode for the subpath-proxy container in the Vault StatefulSet, and scaling the secret-collection-manager Deployment to zero replicas.

Changes

Vault Infrastructure Configuration

Layer / File(s): Vault proxy read-only mode (clusters/app.ci/vault/manifests.yaml)
Summary: Adds --read-only argument to the subpath-proxy container in the Vault StatefulSet for read-only Vault subpath handling.

Layer / File(s): Secret collection manager scaling (clusters/app.ci/vault/secret-collection-manager.yaml)
Summary: Scales the vault-secret-collection-manager Deployment from 2 replicas to 0 in the ci namespace.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks: 12 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main changes: adding read-only flag to Vault and scaling down secret-collection-manager, matching both file modifications.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | The PR only modifies Kubernetes manifest YAML files (vault configuration), not Ginkgo tests. The custom check for stable test names is not applicable to this PR.
Test Structure And Quality | ✅ Passed | PR contains only Kubernetes YAML manifests with no Ginkgo test code. Custom check for test code quality is not applicable.
Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added; PR only modifies Kubernetes deployment manifests for Vault configuration.
Single Node Openshift (SNO) Test Compatibility | ✅ Passed | This PR contains only Kubernetes manifest modifications (Vault configuration files) with no new Ginkgo e2e tests added. The SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR changes are operational (--read-only flag, replica scaling) and do not introduce topology-incompatible scheduling constraints. Existing Vault uses soft anti-affinity only.
OTE Binary Stdout Contract | ✅ Passed | PR modifies only Kubernetes YAML manifests with no executable code, main functions, or stdout logic. OTE Binary Stdout Contract check is not applicable to infrastructure configuration files.
IPv6 And Disconnected Network Test Compatibility | ✅ Passed | PR modifies Kubernetes manifests only (Vault config), not Ginkgo e2e tests. Check is not applicable to infrastructure/configuration changes.


openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: psalajova


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 21, 2026

openshift-ci Bot commented May 21, 2026

@psalajova: all tests passed!
