Netcracker · NikolaiKuziaevQubership · Apr 17, 2026
@@ -70,26 +70,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: GRAYLOG_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.service.name }}-secret
-                  key: graylog-user
-            - name: GRAYLOG_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.service.name }}-secret
-                  key: graylog-password
-            - name: VM_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.service.name }}-secret
-                  key: vm-user
-            - name: SSH_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.service.name }}-secret
-                  key: ssh-key
+            - name: INTEGRATION_TESTS_SECRETS_DIR
+              value: /run/secrets/integration-tests
             - name: GRAYLOG_INSTALL
               value: {{ .Values.graylog.install | quote }}
           {{- if .Values.integrationTests.victorialogs.url }}
@@ -98,23 +80,14 @@ spec:
           {{- end }}
           {{- if .Values.integrationTests.victorialogs.auth }}
           {{- if .Values.integrationTests.victorialogs.auth.token }}
-            - name: VL_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.victorialogs.auth.token.secretName | default "victorialogs-auth-secret" | quote }}
-                  key: {{ .Values.integrationTests.victorialogs.auth.token.key | default "token" | quote }}
+            - name: VL_TOKEN_FILE
+              value: /run/secrets/vl-token/vl_token
           {{- end }}
-          {{- if and .Values.integrationTests.victorialogs.auth.user .Values.integrationTests.victorialogs.auth.password | quote }}
-            - name: VL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.victorialogs.auth.user.secretName | default "victorialogs-http-secret" | quote }}
-                  key: {{ .Values.integrationTests.victorialogs.auth.user.key | default "username" | quote }}
-            - name: VL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.integrationTests.victorialogs.auth.password.secretName | default "victorialogs-http-secret" | quote }}
-                  key: {{ .Values.integrationTests.victorialogs.auth.password.key | default "password" | quote }}
+          {{- if and .Values.integrationTests.victorialogs.auth.user .Values.integrationTests.victorialogs.auth.password }}
+            - name: VL_USER_FILE
+              value: /run/secrets/vl-http-user/vl_user
+            - name: VL_PASSWORD_FILE
+              value: /run/secrets/vl-http-password/vl_password
           {{- end }}
           {{- end }}
             - name: OPERATION_RETRY_INTERVAL
@@ -133,6 +106,25 @@ spec:
               value: {{ toYaml .Values.integrationTests.statusWriting.customResourcePath }}
             - name: IS_STATUS_BOOLEAN
               value: "true"
+          volumeMounts:
+            - name: integration-credentials
+              mountPath: /run/secrets/integration-tests
+              readOnly: true
+          {{- if .Values.integrationTests.victorialogs.auth }}
+          {{- if .Values.integrationTests.victorialogs.auth.token }}
+            - name: vl-token
+              mountPath: /run/secrets/vl-token
+              readOnly: true
+          {{- end }}
+          {{- if and .Values.integrationTests.victorialogs.auth.user .Values.integrationTests.victorialogs.auth.password }}
+            - name: vl-http-user
+              mountPath: /run/secrets/vl-http-user
+              readOnly: true
+            - name: vl-http-password
+              mountPath: /run/secrets/vl-http-password
+              readOnly: true
+          {{- end }}
+          {{- end }}
           resources:
             requests:
               memory: {{ default "128Mi" .Values.integrationTests.resources.requests.memory }}
@@ -142,4 +134,35 @@ spec:
               cpu: {{ default "200m" .Values.integrationTests.resources.limits.cpu }}
           terminationMessagePath: /dev/termination-log
           imagePullPolicy: IfNotPresent
+      volumes:
+        - name: integration-credentials
+          secret:
+            secretName: {{ .Values.integrationTests.service.name }}-secret
+      {{- if .Values.integrationTests.victorialogs.auth }}
+      {{- if .Values.integrationTests.victorialogs.auth.token }}
+        - name: vl-token
+          secret:
+            secretName: {{ .Values.integrationTests.victorialogs.auth.token.secretName | default "victorialogs-auth-secret" }}
+            optional: true
+            items:
+              - key: {{ .Values.integrationTests.victorialogs.auth.token.key | default "token" }}
+                path: vl_token
+      {{- end }}
+      {{- if and .Values.integrationTests.victorialogs.auth.user .Values.integrationTests.victorialogs.auth.password }}
+        - name: vl-http-user
+          secret:
+            secretName: {{ .Values.integrationTests.victorialogs.auth.user.secretName | default "victorialogs-http-secret" }}
+            optional: true
+            items:
+              - key: {{ .Values.integrationTests.victorialogs.auth.user.key | default "username" }}
+                path: vl_user
+        - name: vl-http-password
+          secret:
+            secretName: {{ .Values.integrationTests.victorialogs.auth.password.secretName | default "victorialogs-http-secret" }}
+            optional: true
+            items:
+              - key: {{ .Values.integrationTests.victorialogs.auth.password.key | default "password" }}
+                path: vl_password
+      {{- end }}
+      {{- end }}
 {{- end }}
@@ -2,21 +2,18 @@
 ${GRAYLOG_PROTOCOL}             %{GRAYLOG_PROTOCOL}
 ${GRAYLOG_HOST}                 %{GRAYLOG_HOST}
 ${GRAYLOG_PORT}                 %{GRAYLOG_PORT}
-${GRAYLOG_USER}                 %{GRAYLOG_USER}
-${GRAYLOG_PASS}                 %{GRAYLOG_PASS}
 ${OPERATION_RETRY_COUNT}        %{OPERATION_RETRY_COUNT}
 ${OPERATION_RETRY_INTERVAL}     %{OPERATION_RETRY_INTERVAL}
 ${VICTORIALOGS_URL}             %{VICTORIALOGS_URL=}
-${VL_USER}                      %{VL_USER=}
-${VL_PASSWORD}                  %{VL_PASSWORD=}
-${VL_TOKEN}                     %{VL_TOKEN=}
 
 
 *** Settings ***
 Library  String
-Suite Setup    Run Keywords  Setup
-...  AND  Check Fluentbit And Fluentd
+Resource        secrets.robot
 Resource        keywords.robot
+Suite Setup    Run Keywords  Load Integration Test Secrets
+...  AND  Setup
+...  AND  Check Fluentbit And Fluentd
 
 *** Keywords ***
 Setup

@@ -3,12 +3,7 @@ ${GRAYLOG_PROTOCOL}             %{GRAYLOG_PROTOCOL}
 ${GRAYLOG_HOST}                 %{GRAYLOG_HOST}
 ${OPENSHIFT_DEPLOY}             %{OPENSHIFT_DEPLOY}
 ${GRAYLOG_PORT}                 %{GRAYLOG_PORT}
-${GRAYLOG_USER}                 %{GRAYLOG_USER}
-${GRAYLOG_PASS}                 %{GRAYLOG_PASS}
 ${VICTORIALOGS_URL}             %{VICTORIALOGS_URL=}
-${VL_USER}                      %{VL_USER=}
-${VL_PASSWORD}                  %{VL_PASSWORD=}
-${VL_TOKEN}                     %{VL_TOKEN=}
 ${OPERATION_RETRY_COUNT}        %{OPERATION_RETRY_COUNT}
 ${RETRY_COUNT_FOR_FIRST_TEST}   250x
 ${OPERATION_RETRY_INTERVAL}     %{OPERATION_RETRY_INTERVAL}
@@ -30,12 +25,14 @@ Library  OperatingSystem
 Library  String
 Library    Collections
 Library    BuiltIn
-Suite Setup  Run Keywords  Setup
+Resource        secrets.robot
+Resource        keywords.robot
+Suite Setup  Run Keywords  Load Integration Test Secrets
+...  AND  Setup
 ...  AND  Create Config
 ...  AND  Create Log Generators
 Suite Teardown  Run Keywords  Delete Log Generators
 ...  AND  Delete Config Map
-Resource        keywords.robot
 
 *** Keywords ***
 Setup

@@ -5,18 +5,16 @@ Library         DateTime
 Library	        Collections
 Library         OperatingSystem
 Library         lib/LoggingLibrary.py
-Suite Setup     Setup
+Resource        secrets.robot
+Suite Setup     Run Keywords  Load Integration Test Secrets
+...  AND  Setup
 
 *** Variables ***
 ${GRAYLOG_PROTOCOL}             %{GRAYLOG_PROTOCOL}
 ${GRAYLOG_HOST}                 %{GRAYLOG_HOST}
 ${GRAYLOG_PORT}                 %{GRAYLOG_PORT}
-${GRAYLOG_USER}                 %{GRAYLOG_USER}
-${GRAYLOG_PASS}                 %{GRAYLOG_PASS}
 ${OPERATION_RETRY_COUNT}        30x
 ${OPERATION_RETRY_INTERVAL}     5s
-${SSH_KEY}                      %{SSH_KEY}
-${VM_USER}                      %{VM_USER}
 
 *** Keywords ***
 Setup

@@ -0,0 +1,54 @@
+*** Settings ***
+Library  OperatingSystem
+Library  BuiltIn
+Library  String
+
+*** Variables ***
+${GRAYLOG_USER}      ${EMPTY}
+${GRAYLOG_PASS}      ${EMPTY}
+${VM_USER}           ${EMPTY}
+${SSH_KEY}           ${EMPTY}
+${VL_TOKEN}          ${EMPTY}
+${VL_USER}           ${EMPTY}
+${VL_PASSWORD}       ${EMPTY}
+
+*** Keywords ***
+Load Integration Test Secrets
+    ${dir}=  Get Environment Variable  INTEGRATION_TESTS_SECRETS_DIR  ${EMPTY}
+    Should Not Be Equal  ${dir}  ${EMPTY}
+    ...  INTEGRATION_TESTS_SECRETS_DIR must be set to the mounted secret directory (sensitive values are not read from process environment)
+    ${gu}=  Get Required Secret From Dir  ${dir}  graylog-user
+    ${gp}=  Get Required Secret From Dir  ${dir}  graylog-password
+    ${vu}=  Get Required Secret From Dir  ${dir}  vm-user
+    ${sk}=  Get Required Secret From Dir  ${dir}  ssh-key
+    ${vlt}=  Get Optional Secret From Path File Env  VL_TOKEN_FILE
+    ${vlu}=  Get Optional Secret From Path File Env  VL_USER_FILE
+    ${vlp}=  Get Optional Secret From Path File Env  VL_PASSWORD_FILE
+    Set Suite Variable  ${GRAYLOG_USER}  ${gu}
+    Set Suite Variable  ${GRAYLOG_PASS}  ${gp}
+    Set Suite Variable  ${VM_USER}  ${vu}
+    Set Suite Variable  ${SSH_KEY}  ${sk}
+    Set Suite Variable  ${VL_TOKEN}  ${vlt}
+    Set Suite Variable  ${VL_USER}  ${vlu}
+    Set Suite Variable  ${VL_PASSWORD}  ${vlp}
+
+Get Required Secret From Dir
+    [Arguments]  ${secrets_dir}  ${filename}
+    ${fullpath}=  Catenate  SEPARATOR=/  ${secrets_dir}  ${filename}
+    OperatingSystem.File Should Exist  ${fullpath}
+    ...  msg=Missing secret file ${fullpath}. Sensitive values must be supplied as mounted files under ${secrets_dir}.
+    ${content}=  OperatingSystem.Get File  ${fullpath}
+    ${stripped}=  Strip String  ${content}
+    Return From Keyword  ${stripped}
+
+Get Optional Secret From Path File Env
+    [Arguments]  ${path_env_name}
+    ${filepath}=  Get Environment Variable  ${path_env_name}  ${EMPTY}
+    IF  '${filepath}' == '${EMPTY}'
+        Return From Keyword  ${EMPTY}
+    END
+    OperatingSystem.File Should Exist  ${filepath}
+    ...  msg=${path_env_name} points to ${filepath} but file is missing
+    ${content}=  OperatingSystem.Get File  ${filepath}
+    ${stripped}=  Strip String  ${content}
+    Return From Keyword  ${stripped}
@@ -1,6 +1,28 @@
+import os
+
+
+def _read_file_strip(path: str) -> str:
+    try:
+        with open(path, encoding="utf-8") as handle:
+            return handle.read().strip()
+    except OSError:
+        return ""
+
+
+def _read_secret_file(environ: dict, filename: str) -> str:
+    secrets_dir = environ.get("INTEGRATION_TESTS_SECRETS_DIR", "")
+    if not secrets_dir:
+        return ""
+    path = os.path.join(secrets_dir, filename)
+    if not os.path.isfile(path):
+        return ""
+    return _read_file_strip(path)
+
+
 def get_excluded_tags(environ) -> list:
-    external_graylog = environ.get('EXTERNAL_GRAYLOG_SERVER')
-    ssh_key = environ.get('SSH_KEY')
-    vm_user = environ.get('VM_USER')
-    if external_graylog == 'false' or not ssh_key or not vm_user:
-        return ['archiving-plugin']
+    external_graylog = environ.get("EXTERNAL_GRAYLOG_SERVER")
+    ssh_key = _read_secret_file(environ, "ssh-key")
+    vm_user = _read_secret_file(environ, "vm-user")
+    if external_graylog == "false" or not ssh_key or not vm_user:
+        return ["archiving-plugin"]
+    return []