From 136b82249477a5f4e825487bbfcedce5d0bdf3ac Mon Sep 17 00:00:00 2001
From: Srikrishna Iyer
Date: Mon, 11 May 2026 17:03:26 +0530
Subject: [PATCH] Refine e2e-enterprise pipeline and scripts

---
 .github/workflows/build.yml |  9 +++++++--
 scripts/.functions          | 35 +++++++++++++++++++++++++++++++++++
 scripts/gen-tls-certs.sh    | 22 ++++++++++++++--------
 3 files changed, 56 insertions(+), 10 deletions(-)
 create mode 100644 scripts/.functions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6a83e05..88ae3f3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -205,9 +205,14 @@ jobs:
       - name: Generate TLS Certificates
         if: ${{ !env.ACT }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_GET_RETRIES: 3
         run: |
-          curl -sSfL https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 -o /usr/local/bin/cfssl
-          curl -sSfL https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 -o /usr/local/bin/cfssljson
+          # Source the getGH function for authenticated GitHub downloads with retries
+          source ./scripts/.functions
+          getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 /usr/local/bin/cfssl
+          getGH https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 /usr/local/bin/cfssljson
           chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
           ./scripts/gen-tls-certs.sh
           cat .build/e2e-tls.env >> "$GITHUB_ENV"
diff --git a/scripts/.functions b/scripts/.functions
new file mode 100644
index 0000000..dcb7a9b
--- /dev/null
+++ b/scripts/.functions
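Review bot: The two `getGH` calls still install cfssl and cfssljson into /usr/local/bin without any integrity check, so the step trusts whatever the release URL serves; the version is pinned in the URL but the artifact itself is not. Since these binaries go on to mint the e2e TLS material, add a digest check right after the downloads, e.g. `echo "<CFSSL_1.6.5_SHA256>  /usr/local/bin/cfssl" | sha256sum -c -` (and the same for cfssljson), with the expected values recorded in the workflow next to the version. Scoping `GITHUB_TOKEN` to this step via `env:` is the right shape, but be aware that `getGH` places the token on curl's command line and echoes the URL to stdout; acceptable on an ephemeral hosted runner, worth a comment if the helper is reused elsewhere.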
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+
+# Adapted from: https://github.com/hashicorp/vault-secrets-operator/blob/main/hack/.functions
+
+# getGH downloads files from GitHub with optional authentication
+# Usage: getGH [dest_file] [num_retries]
+function getGH() {
+  local url="$1"
+  local dest="$2"
+  local num_retries="${3:-${GH_GET_RETRIES}}"
+
+  headers=(
+    '--header' "Accept: application/vnd.github+json"
+    '--header' "X-GitHub-Api-Version: 2022-11-28"
+  )
+  if [ -n "${GITHUB_TOKEN}" ]; then
+    headers+=(
+      '--header' "Authorization: Bearer ${GITHUB_TOKEN}"
+    )
+  fi
+  cmd=curl
+  opts=('-sfSL')
+  echo "Fetching ${url}"
+  if [ -z "${dest}" ]; then
+    opts+=('-O')
+  else
+    opts+=('-o' "${dest}")
+  fi
+  if [ -n "${num_retries}" ]; then
+    opts+=('--retry' "${num_retries}")
+  fi
+  ${cmd} "${opts[@]}" "${headers[@]}" "${url}"
+}
diff --git a/scripts/gen-tls-certs.sh b/scripts/gen-tls-certs.sh
index 3d9a774..6b6a68b 100755
--- a/scripts/gen-tls-certs.sh
+++ b/scripts/gen-tls-certs.sh
@@ -11,17 +11,19 @@
 set -euo pipefail
-REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-OUTDIR="$REPO_ROOT/.build/certs"
-ENVFILE="$REPO_ROOT/.build/e2e-tls.env"
+pushd "$(git rev-parse --show-toplevel || echo .)" > /dev/null
+
+OUTDIR=".build/certs"
+ENVFILE=".build/e2e-tls.env"
 if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
   echo "error: cfssl and cfssljson are required." >&2
+  popd > /dev/null
   exit 1
 fi
 mkdir -p "$OUTDIR"
-cd "$OUTDIR"
+pushd "$OUTDIR" > /dev/null
 # ── cfssl signing config ──────────────────────────────────────────────────────
 cat > cfssl-config.json <<'EOF'
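Review bot: `headers`, `cmd` and `opts` are assigned without `local`, so every call of `getGH` leaks or clobbers those three names in the shell that sourced `.functions` — and the workflow's `run:` step sources it directly. Prefix the declarations (`local headers=(`, `local cmd=curl`, `local opts=('-sfSL')`). The token and retry checks also expand possibly-unset variables bare, which aborts under `set -u`; gen-tls-certs.sh runs with `set -euo pipefail`, so sourcing this file from there would fail whenever `GITHUB_TOKEN` or `GH_GET_RETRIES` is not exported — write `[ -n "${GITHUB_TOKEN:-}" ]` and `"${3:-${GH_GET_RETRIES:-}}"`. Finally, `echo "Fetching ${url}"` goes to stdout, which will corrupt the result if a caller ever captures the function's output; progress messages belong on `>&2`.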
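Review bot: `pushd "$(git rev-parse --show-toplevel || echo .)"` silently falls back to the caller's current directory when the script runs outside a git work tree (a source tarball, a checkout without `.git`), so `.build/certs` and the later `cp "integrationTests/e2e-tls/configs/config.hcl"` resolve relative to wherever the user happened to be, instead of the repo root that the removed `REPO_ROOT` derivation guaranteed from `$0`. Fall back to the script's own location instead: `repo_root="$(git rev-parse --show-toplevel 2>/dev/null || { cd "$(dirname "$0")/.." && pwd; })"` followed by `pushd "$repo_root" > /dev/null`. The `popd > /dev/null` added before `exit 1` has no effect, since the directory stack dies with the process, and can be dropped. The hunk ends at the opening of the cfssl-config.json heredoc, whose body lies outside it.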
@@ -92,15 +94,19 @@ rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
 # Ensure files are readable by the vault container user
 chmod 644 ./*.crt ./*.key
+popd > /dev/null
+
 # ── Copy vault server config ──────────────────────────────────────────────────
-cp "$REPO_ROOT/integrationTests/e2e-tls/configs/config.hcl" config.hcl
+cp "integrationTests/e2e-tls/configs/config.hcl" "$OUTDIR/config.hcl"
 # ── Write env file for local act usage ───────────────────────────────────────
 {
-  printf 'VAULTCA=%s\n' "$(base64 < ca.crt | tr -d '\n')"
-  printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < client.crt | tr -d '\n')"
-  printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < client.key | tr -d '\n')"
+  printf 'VAULTCA=%s\n' "$(base64 < "$OUTDIR/ca.crt" | tr -d '\n')"
+  printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < "$OUTDIR/client.crt" | tr -d '\n')"
+  printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < "$OUTDIR/client.key" | tr -d '\n')"
 } > "$ENVFILE"
 echo "Certs generated in $OUTDIR"
 echo "Env file written to $ENVFILE"
+
+popd > /dev/null
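Review bot: The env file assembled here embeds the base64 of `$OUTDIR/client.key` and is created by a plain `>` redirect, so it gets whatever the ambient umask allows (typically 644), whereas the `chmod 644` on the key files is at least commented as deliberate for the vault container. Since `.build/e2e-tls.env` is only consumed by the local shell and appended to `$GITHUB_ENV`, a `chmod 600 "$ENVFILE"` after the `} > "$ENVFILE"` block — or `umask 077` before it — costs nothing and keeps the private key out of other local users' reach. The `cp` of config.hcl and the three `base64 <` reads are correct only while the script is still at the repo root established by the `pushd` at the top, which the `popd` above this block relies on; a one-line comment such as `# paths below are relative to the repo root (pushd at top of script)` would make that dependency explicit for the next edit.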