Add SHARED_DIR kubeconfig support for benchmark-runner

[arpsharm]

Summary

• Add SHARED_DIR kubeconfig as first-priority cluster access path for external teams
• Vault secrets not read when SHARED_DIR is present
• Existing SSH + Vault flow unchanged

Summary by CodeRabbit

This PR updates the OpenShift CI redhat-performance benchmark-runner to support a high-priority, external-workload kubeconfig input via the SHARED_DIR environment variable, and extends CI test coverage for new AWS pod workloads.

Key changes (benchmark-runner step script):

• Added a first-priority authentication path: if SHARED_DIR/kubeconfig exists, the script copies it to /tmp/kubeconfig and sets KUBECONFIG accordingly.
• If SHARED_DIR/kubeadmin-password is present, it is read and exported as KUBEADMIN_PASSWORD.
• When SHARED_DIR is used, the script bypasses the SSH/Vault-based cluster access and the /secret/kubeconfig fallback, avoiding redundant secret retrieval.
• The existing SSH/Vault//secret logic remains the fallback when SHARED_DIR/kubeconfig is not available, preserving backward compatibility.

Key changes (CI test-step configuration):

• Added two new generated CI test entries to run redhat-performance-benchmark-runner using the ipi-aws workflow:
  • aws-sysbench-pod (WORKLOAD: sysbench_pod)
  • aws-uperf-pod (WORKLOAD: uperf_pod)
• Both are configured with cluster_profile: aws-rhdh-performance and the AWS IPI-related environment variables appropriate for the benchmark pods.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0b871a5e-5736-4cdc-97d7-89a97fa6a0b9

📥 Commits

Reviewing files that changed from the base of the PR and between 526604b and ea7c23d.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-main-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-main__test-step.yaml

---

Walkthrough

The benchmark runner shell script adds a USE_SHARED_DIR flag. When true, it loads KUBECONFIG (and optionally KUBEADMIN_PASSWORD) from SHARED_DIR, then skips all SSH-based credential fetching, the /secret/kubeconfig fallback, the "no cluster access" error guard, and the Vault secrets export loop—each of which is now gated behind USE_SHARED_DIR=false. Two new AWS benchmark test cases are added to exercise this updated runner.

Changes

SHARED_DIR kubeconfig mode and AWS benchmark tests

Layer / File(s)	Summary
SHARED_DIR kubeconfig mode implementation ci-operator/step-registry/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-commands.sh	Introduces USE_SHARED_DIR variable and a priority branch that sets KUBECONFIG from ${SHARED_DIR}/kubeconfig and optionally loads KUBEADMIN_PASSWORD (lines 6–19). Wraps SSH-based credential fetch (lines 33–62), proxy/export and /secret/kubeconfig fallback (lines 63–73), and "no cluster access" error plus Vault secrets loop (lines 82–87) inside USE_SHARED_DIR == false guards.
AWS benchmark test cases ci-operator/config/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-main__test-step.yaml	Adds aws-sysbench-pod and aws-uperf-pod test entries configured for AWS IPI workflow with cluster profile aws-rhdh-performance, node sizing, base domain, user tags, and respective workload types (lines 304–335).

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant BenchmarkRunner as benchmark-runner script
  participant SharedDir as SHARED_DIR
  participant SecretMounts as /secret mounts
  participant Vault

  Caller->>BenchmarkRunner: Execute with USE_SHARED_DIR flag
  
  alt USE_SHARED_DIR == true
    BenchmarkRunner->>SharedDir: Read KUBECONFIG
    SharedDir-->>BenchmarkRunner: kubeconfig
    BenchmarkRunner->>SharedDir: Read KUBEADMIN_PASSWORD (optional)
    SharedDir-->>BenchmarkRunner: password
    BenchmarkRunner-->>Caller: Ready (SHARED_DIR mode)
  else USE_SHARED_DIR == false
    BenchmarkRunner->>SecretMounts: Fetch SSH credentials
    SecretMounts-->>BenchmarkRunner: credentials
    BenchmarkRunner->>SecretMounts: Read /secret/kubeconfig
    SecretMounts-->>BenchmarkRunner: kubeconfig
    BenchmarkRunner->>Vault: Export Vault-backed secrets
    Vault-->>BenchmarkRunner: secrets
    BenchmarkRunner-->>Caller: Ready (/secret mode)
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding SHARED_DIR kubeconfig support to the benchmark-runner, which aligns directly with the PR objectives and file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies CI configuration and shell scripts only, not Ginkgo test files. The custom check for Ginkgo test name stability is not applicable to this PR.
Test Structure And Quality	✅ Passed	The PR modifies shell script and YAML CI config files only. No Ginkgo test code is present, so the test structure quality check does not apply.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes only include a shell script for kubeconfig handling and YAML CI configuration files, which are not subject to the MicroShift test compatibility...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests; changes are limited to a bash script and CI YAML configuration file. Custom check for SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only shell script and CI config files, not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains no OTE binaries or Go test code. Changes are to bash script and YAML config only. Check not applicable to non-OTE artifacts.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes are CI/infrastructure configuration files (bash script and YAML config) with no test code subject to IPv6/disconnected network compatibility re...
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the modified files.
Container-Privileges	✅ Passed	Files contain no container privilege escalation settings (no privileged: true, hostPID/Network/IPC, SYS_ADMIN capability, or allowPrivilegeEscalation: true) detected in bash script, CI config, or s...
No-Sensitive-Data-In-Logs	✅ Passed	Script properly handles KUBEADMIN_PASSWORD and kubeconfig: reads from files, uses with output redirection (>/dev/null), never echoed or logged. No set -x debugging enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/step-registry/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-commands.sh (1)

8-18: 💤 Low value

Consider explicitly checking SHARED_DIR is set before file test.

The current condition ${SHARED_DIR:-}/kubeconfig will check /kubeconfig if SHARED_DIR is unset. While this is extremely unlikely to cause issues in CI, a more explicit check is clearer:

-if [[ -s "${SHARED_DIR:-}/kubeconfig" ]]; then
+if [[ -n "${SHARED_DIR:-}" ]] && [[ -s "${SHARED_DIR}/kubeconfig" ]]; then

This makes the intent explicit and avoids the edge case entirely.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-commands.sh`
around lines 8 - 18, The condition checking for the kubeconfig file does not
explicitly verify that SHARED_DIR is set before using it. Currently, if
SHARED_DIR is unset, the condition evaluates to checking `/kubeconfig` due to
the empty default expansion. Replace the current file test condition with an
explicit check that SHARED_DIR is non-empty (using -n or by checking that the
variable is not null) combined with the file existence test for the kubeconfig
file, making the intent clear and avoiding the edge case entirely.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/step-registry/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-commands.sh`:
- Around line 8-18: The condition checking for the kubeconfig file does not
explicitly verify that SHARED_DIR is set before using it. Currently, if
SHARED_DIR is unset, the condition evaluates to checking `/kubeconfig` due to
the empty default expansion. Replace the current file test condition with an
explicit check that SHARED_DIR is non-empty (using -n or by checking that the
variable is not null) combined with the file existence test for the kubeconfig
file, making the intent clear and avoiding the edge case entirely.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0fce211a-ab6e-4fe0-941a-844d53074b58

📥 Commits

Reviewing files that changed from the base of the PR and between 9fcddd9 and dfdc670.

📒 Files selected for processing (1)

• ci-operator/step-registry/redhat-performance/benchmark-runner/redhat-performance-benchmark-runner-commands.sh

[arpsharm]

/ok-to-test

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arpsharm
Once this PR has been reviewed and has the lgtm label, please assign robertkrawitz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/redhat-performance/benchmark-runner/OWNERS
• ci-operator/jobs/redhat-performance/benchmark-runner/OWNERS
• ci-operator/step-registry/redhat-performance/benchmark-runner/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[arpsharm]

/pj-rehearse pull-ci-redhat-performance-benchmark-runner-main-test-step-aws-sysbench-pod

[openshift-merge-bot]

@arpsharm: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[arpsharm]

/pj-rehearse pull-ci-redhat-performance-benchmark-runner-main-test-step-aws-sysbench-pod

[openshift-merge-bot]

@arpsharm: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@arpsharm: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-redhat-performance-benchmark-runner-main-test-step-aws-sysbench-pod	redhat-performance/benchmark-runner	presubmit	Presubmit changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-aws-uperf-pod	redhat-performance/benchmark-runner	presubmit	Presubmit changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-uperf-pod	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-uperf-vm	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-mariadb	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-mariadb	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-mariadb-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-mariadb-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-postgres	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-postgres	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-postgres-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-postgres-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-mssql	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-mssql	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-pod-mssql-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-hammerdb-vm-mssql-lso	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-vdbench-pod	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-vdbench-vm	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-bootstorm-vm	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-winmssql-vm	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-vdbench-pod-scale	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-vdbench-vm-scale	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-bootstorm-vm-scale	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-sysbench-pod	redhat-performance/benchmark-runner	presubmit	Registry content changed
pull-ci-redhat-performance-benchmark-runner-main-test-step-sysbench-vm	redhat-performance/benchmark-runner	presubmit	Registry content changed

A total of 33 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@arpsharm: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.