
add the cluster manifest verifier argocd token to bootstrap config #80784

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from droslean:cluster-verifier-token on Jun 19, 2026

Conversation


droslean commented Jun 19, 2026

Member

Summary by CodeRabbit

This pull request adds a new secret configuration to the CI infrastructure's secret bootstrap configuration. Specifically, it adds an entry to core-services/ci-secret-bootstrap/_config.yaml that provisions an ArgoCD token for the cluster manifest verifier component.

The change retrieves a clientSecret (specifically the token field) from Vault's cluster-manifest-verifier-argocd secret store and deploys it as a Kubernetes secret named cluster-manifest-verifier-argocd to the core-ci cluster's ci namespace. This secret is used by the cluster manifest verifier to authenticate with ArgoCD, following the same pattern as other secrets already managed through the bootstrap system (such as dex OIDC credentials).

The change enables the cluster manifest verifier component to access ArgoCD during its operation in the core CI infrastructure.

Signed-off-by: Nikolaos Moraitis <nmoraiti@redhat.com>
openshift-merge-bot Bot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) Jun 19, 2026
@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@droslean: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.


coderabbitai Bot commented Jun 19, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebd265ef-cb88-4877-80a3-c39f18ba7af6

📥 Commits

Reviewing files that changed from the base of the PR and between ff85a82 and eca68ee.

📒 Files selected for processing (1)
  • core-services/ci-secret-bootstrap/_config.yaml

Walkthrough

A new secret-mapping rule is added to core-services/ci-secret-bootstrap/_config.yaml. It maps the clientSecret field token sourced from cluster-manifest-verifier-argocd into the core-ci cluster under the ci namespace as a secret named cluster-manifest-verifier-argocd.

Changes

Secret Bootstrap Rule

Layer / File(s): Secret mapping rule for cluster-manifest-verifier-argocd (core-services/ci-secret-bootstrap/_config.yaml)
Summary: Adds a from/to rule that reads clientSecret.token from cluster-manifest-verifier-argocd and provisions it as a secret named cluster-manifest-verifier-argocd in the core-ci cluster's ci namespace.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • openshift/release#80663: Adds the accounts.cluster-manifest-verifier API key and RBAC permissions in openshift-gitops_argocd.yaml, directly related to the ArgoCD account whose token is being bootstrapped in this PR.

Suggested reviewers

  • danilo-gemoli
  • hector-vido
  • Prucek

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name | Status | Explanation | Resolution
No-Sensitive-Data-In-Logs | ❌ Error | The PR adds hack/ci-secret-bootstrap.sh with set -x (line 26) enabled after setting VAULT_TOKEN (line 11). The subsequent docker run command (lines 31-44) with -e VAULT_TOKEN="$VAULT_TOKEN" and... | Remove set -x or move it before sensitive variables are set. Use set +x before commands that handle secrets, or filter sensitive output with sed/grep before logging.
✅ Passed checks (14 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title directly and accurately describes the main change: adding a cluster manifest verifier argocd token to the bootstrap configuration file.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR modifies only a YAML configuration file for secret bootstrapping, not test code. No Ginkgo tests were added or modified, so the check for stable test names is not applicable.
Test Structure And Quality | ✅ Passed | PR modifies YAML configuration files only; no Ginkgo test code present, so the Ginkgo test quality check is not applicable.
Microshift Test Compatibility | ✅ Passed | PR only modifies YAML configuration file for secret bootstrap; no Ginkgo e2e tests are added, so MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds configuration changes to core-services/ci-secret-bootstrap/_config.yaml for secret mapping, not Ginkgo e2e tests. The SNO compatibility check applies only to new e2e tests with Ginkgo...
Topology-Aware Scheduling Compatibility | ✅ Passed | This PR only modifies a secret bootstrap configuration file (_config.yaml), not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML configuration file (core-services/ci-secret-bootstrap/_config.yaml), adding secret-mapping rules. No executable code, main functions, or stdout writes are introduced, so OTE B...
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies only a YAML configuration file (_config.yaml) for CI secret bootstrap. No Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto | ✅ Passed | PR contains only YAML configuration changes with no cryptographic code, weak algorithms (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom crypto implementations, or timing-unsafe secret comparisons.
Container-Privileges | ✅ Passed | PR modifies only secret bootstrap configuration file with no container manifests or privileged container settings (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, runAsUser: 0, allowPri...

Comment @coderabbitai help to get the list of available commands and usage tips.
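The failed No-Sensitive-Data-In-Logs check above concerns `set -x` being active while a command carrying VAULT_TOKEN runs, which copies the expanded token into the job log. The script below is an added example, not the repository's hack/ci-secret-bootstrap.sh or any code from this PR: it puts the leaky pattern beside the fixed one (set +x before the secret-bearing command) and checks the captured xtrace output for the token. The token value and the bootstrap_cmd stand-in for docker run are constructed.

```shell
#!/bin/sh
# Added example: why "set -x" after VAULT_TOKEN is set leaks the token into
# the CI log, and the fix of disabling xtrace around the secret-bearing command.

# Constructed placeholder, not a real Vault token.
VAULT_TOKEN="hvs.CONSTRUCTED-EXAMPLE-TOKEN"

# Stand-in for "docker run -e VAULT_TOKEN=...": accepts arguments, prints nothing.
bootstrap_cmd() { :; }

# Pattern the check flagged: xtrace is on while the secret is passed on a
# command line, so the expanded value is written to stderr by the shell.
leaky_bootstrap() {
  set -x
  bootstrap_cmd -e VAULT_TOKEN="$VAULT_TOKEN"
  set +x
}

# Fixed pattern: trace the surrounding steps, but turn xtrace off before the
# command that carries the secret and back on afterwards. "set +x" itself is
# traced as "+ set +x", which reveals nothing.
safe_bootstrap() {
  set -x
  echo "preparing bootstrap" >/dev/null
  set +x
  bootstrap_cmd -e VAULT_TOKEN="$VAULT_TOKEN"
  set -x
  echo "bootstrap finished" >/dev/null
  set +x
}

# Runs the named function in a subshell with stderr (where xtrace writes)
# captured to a file; returns 0 if the token shows up in the trace, 1 if not.
trace_leaks_token() {
  _trace=$(mktemp)
  ( exec 2>"$_trace"; "$1" )
  if grep -q -- "$VAULT_TOKEN" "$_trace"; then
    rm -f "$_trace"; return 0
  fi
  rm -f "$_trace"; return 1
}
```

The same capture-and-grep step can be pointed at a real job log to confirm a script no longer echoes its secrets after the fix.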

openshift-ci Bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Jun 19, 2026
openshift-ci Bot requested review from Prucek and smg247 June 19, 2026 11:27
openshift-ci Bot added the lgtm label (Indicates that a PR is ready to be merged.) Jun 19, 2026

openshift-ci Bot commented Jun 19, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: droslean, Prucek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


openshift-ci Bot commented Jun 19, 2026

Contributor

@droslean: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 878b7ce into openshift:main Jun 19, 2026
9 checks passed

openshift-ci Bot commented Jun 19, 2026

Contributor

@droslean: Updated the following 2 configmaps:

  • ci-secret-bootstrap configmap in namespace ci at cluster app.ci using the following files:
    • key _config.yaml using file core-services/ci-secret-bootstrap/_config.yaml
  • ci-secret-bootstrap configmap in namespace ci at cluster core-ci using the following files:
    • key _config.yaml using file core-services/ci-secret-bootstrap/_config.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
