test: update env vars for qdrant and readme added generic secrets

Bobbins228 · Bobbins228 · commit 8da9dfb2f46e · 2026-01-19T17:03:32.000Z
diff --git a/tests/fixtures/vector_io.py b/tests/fixtures/vector_io.py
@@ -31,19 +31,26 @@
 PGVECTOR_USER = os.getenv("LLS_VECTOR_IO_PGVECTOR_USER", "vector_user")
 PGVECTOR_PASSWORD = os.getenv("LLS_VECTOR_IO_PGVECTOR_PASSWORD", "yourpassword")
 
+# qdrant v1 unprivileged latest
 QDRANT_IMAGE = os.getenv(
     "LLS_VECTOR_IO_QDRANT_IMAGE",
     (
         "docker.io/qdrant/qdrant@sha256:"
-        "26509b92c44ded1ad344e18a005383c20bb3fbf9dbf4d337265a230b2aa89e79"  # pragma: allowlist secret"
+        "9dfabc51ededc48158899a288a19a04de1ab54a11d8c512e1c40eebbd5e2bc92"  # pragma: allowlist secret
     ),
 )
 
+QDRANT_API_KEY = os.getenv("LLS_VECTOR_IO_QDRANT_API_KEY", "yourapikey")
+QDRANT_URL = os.getenv("LLS_VECTOR_IO_QDRANT_URL", "http://vector-io-qdrant-service:6333")
+
 
 @pytest.fixture(scope="class")
 def vector_io_provider_deployment_config_factory(
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
+    vector_io_secret: Secret,
     request: FixtureRequest,
-) -> Callable[[str], list[Dict[str, str]]]:
+) -> Callable[[str], list[Dict[str, Any]]]:
     """
     Factory fixture for deploying vector I/O providers and returning their configuration.
 
@@ -85,17 +92,25 @@ def test_with_milvus(vector_io_provider_deployment_config_factory):
             env_vars = vector_io_provider_deployment_config_factory("milvus-remote")
             # env_vars contains MILVUS_ENDPOINT, MILVUS_TOKEN, etc.
     """
+    _ = unprivileged_client
+    _ = unprivileged_model_namespace
+    _ = vector_io_secret
 
-    def _factory(provider_name: str) -> list[Dict[str, str]]:
-        env_vars: list[dict[str, str]] = []
+    def _factory(provider_name: str) -> list[Dict[str, Any]]:
+        env_vars: list[dict[str, Any]] = []
 
         if provider_name is None or provider_name == "milvus":
             # Default case - no additional environment variables needed
             pass
         elif provider_name == "milvus-remote":
             request.getfixturevalue(argname="milvus_service")
             env_vars.append({"name": "MILVUS_ENDPOINT", "value": "http://vector-io-milvus-service:19530"})
-            env_vars.append({"name": "MILVUS_TOKEN", "value": MILVUS_TOKEN})
+            env_vars.append(
+                {
+                    "name": "MILVUS_TOKEN",
+                    "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "milvus-token"}},
+                },
+            )
             env_vars.append({"name": "MILVUS_CONSISTENCY_LEVEL", "value": "Bounded"})
         elif provider_name == "faiss":
             env_vars.append({"name": "ENABLE_FAISS", "value": "faiss"})
@@ -108,23 +123,54 @@ def _factory(provider_name: str) -> list[Dict[str, str]]:
             env_vars.append({"name": "ENABLE_PGVECTOR", "value": "true"})
             env_vars.append({"name": "PGVECTOR_HOST", "value": "vector-io-pgvector-service"})
             env_vars.append({"name": "PGVECTOR_PORT", "value": "5432"})
-            env_vars.append({"name": "PGVECTOR_USER", "value": PGVECTOR_USER})
-            env_vars.append({"name": "PGVECTOR_PASSWORD", "value": PGVECTOR_PASSWORD})
+            env_vars.append(
+                {
+                    "name": "PGVECTOR_USER",
+                    "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "pgvector-user"}},
+                },
+            )
+            env_vars.append(
+                {
+                    "name": "PGVECTOR_PASSWORD",
+                    "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "pgvector-password"}},
+                },
+            )
             env_vars.append({"name": "PGVECTOR_DB", "value": "pgvector"})
         elif provider_name == "qdrant-remote":
             request.getfixturevalue(argname="qdrant_service")
             env_vars.append({"name": "ENABLE_QDRANT", "value": "true"})
-            env_vars.append({"name": "QDRANT_URL", "value": "http://vector-io-qdrant-service:6333"})
+            env_vars.append({"name": "QDRANT_URL", "value": QDRANT_URL})
             env_vars.append({
                 "name": "QDRANT_API_KEY",
-                "valueFrom": {"secretKeyRef": {"name": "qdrant-secret", "key": "api-key"}},
+                "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "qdrant-api-key"}},
             })
 
         return env_vars
 
     return _factory
 
 
+@pytest.fixture(scope="class")
+def vector_io_secret(
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
+) -> Generator[Secret, Any, Any]:
+    """Create a secret for the vector I/O providers"""
+    with Secret(
+        client=unprivileged_client,
+        namespace=unprivileged_model_namespace.name,
+        name="vector-io-secret",
+        type="Opaque",
+        string_data={
+            "qdrant-api-key": QDRANT_API_KEY,
+            "pgvector-user": PGVECTOR_USER,
+            "pgvector-password": PGVECTOR_PASSWORD,
+            "milvus-token": MILVUS_TOKEN,
+        },
+    ) as secret:
+        yield secret
+
+
 @pytest.fixture(scope="class")
 def etcd_deployment(
     unprivileged_client: DynamicClient,
@@ -346,8 +392,14 @@ def get_pgvector_deployment_template() -> Dict[str, Any]:
                     "ports": [{"containerPort": 5432}],
                     "env": [
                         {"name": "POSTGRES_DB", "value": "pgvector"},
-                        {"name": "POSTGRES_USER", "value": PGVECTOR_USER},
-                        {"name": "POSTGRES_PASSWORD", "value": PGVECTOR_PASSWORD},
+                        {
+                            "name": "POSTGRES_USER",
+                            "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "pgvector-user"}},
+                        },
+                        {
+                            "name": "POSTGRES_PASSWORD",
+                            "valueFrom": {"secretKeyRef": {"name": "vector-io-secret", "key": "pgvector-password"}},
+                        },
                         {"name": "PGDATA", "value": "/var/lib/postgresql/data/pgdata"},
                     ],
                     "lifecycle": {
@@ -377,7 +429,6 @@ def get_pgvector_deployment_template() -> Dict[str, Any]:
 def qdrant_deployment(
     unprivileged_client: DynamicClient,
     unprivileged_model_namespace: Namespace,
-    qdrant_secret: Secret,
 ) -> Generator[Deployment, Any, Any]:
     """Deploy a Qdrant instance for vector I/O provider testing."""
     with Deployment(
@@ -402,6 +453,8 @@ def qdrant_service(
     qdrant_deployment: Deployment,
 ) -> Generator[Service, Any, Any]:
     """Create a service for the Qdrant deployment."""
+    _ = qdrant_deployment
+
     with Service(
         client=unprivileged_client,
         namespace=unprivileged_model_namespace.name,
@@ -424,28 +477,11 @@ def qdrant_service(
         yield service
 
 
-@pytest.fixture(scope="class")
-def qdrant_secret(
-    unprivileged_client: DynamicClient,
-    unprivileged_model_namespace: Namespace,
-) -> Generator[Secret, Any, Any]:
-    """Return a Kubernetes Secret for Qdrant"""
-    with Secret(
-        client=unprivileged_client,
-        namespace=unprivileged_model_namespace.name,
-        name="qdrant-secret",
-        type="Opaque",
-        string_data={"api-key": "yourapikey"},
-    ) as secret:
-        yield secret
-
-
 def get_qdrant_deployment_template() -> Dict[str, Any]:
     """Return a Kubernetes deployment for Qdrant"""
     return {
         "metadata": {"labels": {"app": "qdrant"}},
         "spec": {
-            "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [
                 {
                     "name": "qdrant",
@@ -465,8 +501,8 @@ def get_qdrant_deployment_template() -> Dict[str, Any]:
                             "name": "QDRANT__SERVICE__API_KEY",
                             "valueFrom": {
                                 "secretKeyRef": {
-                                    "name": "qdrant-secret",
-                                    "key": "api-key",
+                                    "name": "vector-io-secret",
+                                    "key": "qdrant-api-key",
                                 },
                             },
                         },
diff --git a/tests/llama_stack/README.md b/tests/llama_stack/README.md
@@ -71,6 +71,9 @@ LLS_VECTOR_IO_ETCD_IMAGE=<CUSTOM-ETCD-IMAGE>      # Optional
 LLS_VECTOR_IO_PGVECTOR_IMAGE=<CUSTOM-PGVECTOR-IMAGE> # Optional
 LLS_VECTOR_IO_PGVECTOR_USER=<CUSTOM-PGVECTOR-USER> # Optional
 LLS_VECTOR_IO_PGVECTOR_PASSWORD=<CUSTOM-PGVECTOR-PASSWORD> # Optional
+LLS_VECTOR_IO_QDRANT_IMAGE=<CUSTOM-QDRANT-IMAGE> # Optional
+LLS_VECTOR_IO_QDRANT_API_KEY=<CUSTOM-QDRANT-API-KEY> # Optional
+LLS_VECTOR_IO_QDRANT_URL=<QDRANT_URL_WITH_PROTOCOL> # Optional
 
 # Red Hat Llama Stack Distribution requires PostgreSQL (replacing SQLite)
 LLS_VECTOR_IO_POSTGRES_IMAGE=<CUSTOM-POSTGRES-IMAGE> # Optional
diff --git a/tests/llama_stack/conftest.py b/tests/llama_stack/conftest.py
@@ -28,6 +28,7 @@
     ModelInfo,
 )
 from ocp_resources.service import Service
+from ocp_resources.secret import Secret
 
 LOGGER = get_logger(name=__name__)
 
@@ -42,6 +43,11 @@
 POSTGRESQL_USER = os.getenv("LLS_VECTOR_IO_POSTGRESQL_USER", "ps_user")
 POSTGRESQL_PASSWORD = os.getenv("LLS_VECTOR_IO_POSTGRESQL_PASSWORD", "ps_password")
 
+LLAMA_STACK_DISTRIBUTION_SECRET_DATA = {
+    "postgres-user": POSTGRESQL_USER,
+    "postgres-password": POSTGRESQL_PASSWORD,
+}
+
 LLS_CORE_INFERENCE_MODEL = os.getenv("LLS_CORE_INFERENCE_MODEL", "")
 LLS_CORE_VLLM_URL = os.getenv("LLS_CORE_VLLM_URL", "")
 LLS_CORE_VLLM_API_TOKEN = os.getenv("LLS_CORE_VLLM_API_TOKEN", "")
@@ -290,8 +296,18 @@ def test_with_remote_milvus(llama_stack_server_config):
     # POSTGRESQL environment variables for sql_default and kvstore_default
     env_vars.append({"name": "POSTGRES_HOST", "value": "vector-io-postgres-service"})
     env_vars.append({"name": "POSTGRES_PORT", "value": "5432"})
-    env_vars.append({"name": "POSTGRES_USER", "value": POSTGRESQL_USER})
-    env_vars.append({"name": "POSTGRES_PASSWORD", "value": POSTGRESQL_PASSWORD})
+    env_vars.append(
+        {
+            "name": "POSTGRES_USER",
+            "valueFrom": {"secretKeyRef": {"name": "llamastack-distribution-secret", "key": "postgres-user"}},
+        },
+    )
+    env_vars.append(
+        {
+            "name": "POSTGRES_PASSWORD",
+            "valueFrom": {"secretKeyRef": {"name": "llamastack-distribution-secret", "key": "postgres-password"}},
+        },
+    )
     env_vars.append({"name": "POSTGRES_DB", "value": "ps_db"})
     env_vars.append({"name": "POSTGRES_TABLE_NAME", "value": "llamastack_kvstore"})
 
@@ -325,6 +341,36 @@ def test_with_remote_milvus(llama_stack_server_config):
     return server_config
 
 
+@pytest.fixture(scope="class")
+def llama_stack_distribution_secret(
+    admin_client: DynamicClient,
+    model_namespace: Namespace,
+) -> Generator[Secret, Any, Any]:
+    with Secret(
+        client=admin_client,
+        namespace=model_namespace.name,
+        name="llamastack-distribution-secret",
+        type="Opaque",
+            string_data=LLAMA_STACK_DISTRIBUTION_SECRET_DATA,
+    ) as secret:
+        yield secret
+
+
+@pytest.fixture(scope="class")
+def unprivileged_llama_stack_distribution_secret(
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
+) -> Generator[Secret, Any, Any]:
+    with Secret(
+        client=unprivileged_client,
+        namespace=unprivileged_model_namespace.name,
+        name="llamastack-distribution-secret",
+        type="Opaque",
+        string_data=LLAMA_STACK_DISTRIBUTION_SECRET_DATA,
+    ) as secret:
+        yield secret
+
+
 @pytest.fixture(scope="class")
 def unprivileged_llama_stack_distribution(
     unprivileged_client: DynamicClient,
@@ -337,6 +383,7 @@ def unprivileged_llama_stack_distribution(
     ci_s3_bucket_region: str,
     aws_access_key_id: str,
     aws_secret_access_key: str,
+    unprivileged_llama_stack_distribution_secret: Secret,
     unprivileged_postgres_deployment: Deployment,
     unprivileged_postgres_service: Service,
 ) -> Generator[LlamaStackDistribution, None, None]:
@@ -384,6 +431,7 @@ def llama_stack_distribution(
     ci_s3_bucket_region: str,
     aws_access_key_id: str,
     aws_secret_access_key: str,
+    llama_stack_distribution_secret: Secret,
     postgres_deployment: Deployment,
     postgres_service: Service,
 ) -> Generator[LlamaStackDistribution, None, None]:
@@ -858,8 +906,18 @@ def get_postgres_deployment_template() -> Dict[str, Any]:
                     "ports": [{"containerPort": 5432}],
                     "env": [
                         {"name": "POSTGRESQL_DATABASE", "value": "ps_db"},
-                        {"name": "POSTGRESQL_USER", "value": POSTGRESQL_USER},
-                        {"name": "POSTGRESQL_PASSWORD", "value": POSTGRESQL_PASSWORD},
+                        {
+                            "name": "POSTGRESQL_USER",
+                            "valueFrom": {
+                                "secretKeyRef": {"name": "llamastack-distribution-secret", "key": "postgres-user"}
+                            },
+                        },
+                        {
+                            "name": "POSTGRESQL_PASSWORD",
+                            "valueFrom": {
+                                "secretKeyRef": {"name": "llamastack-distribution-secret", "key": "postgres-password"}
+                            },
+                        },
                     ],
                     "volumeMounts": [{"name": "postgresdata", "mountPath": "/var/lib/pgsql/data"}],
                 },
