diff --git a/pkg/api/constant.go b/pkg/api/constant.go
index 799a415440..527cda0404 100644
--- a/pkg/api/constant.go
+++ b/pkg/api/constant.go
@@ -18,6 +18,10 @@ const (
 ManifestToolLocalPusherSecret = "manifest-tool-local-pusher" ManifestToolLocalPusherSecretMountPath = "/secrets/manifest-tool" + GSMConfigConfigMap = "gsm-config" + GSMConfigMountPath = "/etc/gsm-config" + GSMConfigFileParameter = "--gsm-config=/etc/gsm-config/gsm-config.yaml" + PromotionQuayTaggerKubeconfigSecret = "promotion-quay-tagger-kubeconfig" ReleaseAnnotationSoftDelete = "release.openshift.io/soft-delete"
diff --git a/pkg/prowgen/jobbase.go b/pkg/prowgen/jobbase.go
index cc6b9c7b27..cec4e29430 100644
--- a/pkg/prowgen/jobbase.go
+++ b/pkg/prowgen/jobbase.go
@@ -149,7 +149,10 @@ func NewProwJobBaseBuilderForTest(configSpec *cioperatorapi.ReleaseBuildConfigur
 p.PodSpec.Add(CIPullSecret())
 }
 if info.Config.EnableSecretsStoreCSIDriver {
- p.PodSpec.Add(Arg("enable-secrets-store-csi-driver", "true"))
+ p.PodSpec.Add(
+ Arg("enable-secrets-store-csi-driver", "true"),
+ GSMConfig(),
+ )
 }
 case test.MultiStageTestConfiguration != nil:
 if clusterProfile := test.MultiStageTestConfiguration.ClusterProfile; clusterProfile != "" {
@@ -161,7 +164,10 @@ func NewProwJobBaseBuilderForTest(configSpec *cioperatorapi.ReleaseBuildConfigur
 p.PodSpec.Add(CIPullSecret())
 }
 if info.Config.EnableSecretsStoreCSIDriver {
- p.PodSpec.Add(Arg("enable-secrets-store-csi-driver", "true"))
+ p.PodSpec.Add(
+ Arg("enable-secrets-store-csi-driver", "true"),
+ GSMConfig(),
+ )
 }
 case test.OpenshiftAnsibleClusterTestConfiguration != nil:
 p.PodSpec.Add(
diff --git a/pkg/prowgen/podspec.go b/pkg/prowgen/podspec.go
index 44f67993ba..5aa0b95dac 100644
--- a/pkg/prowgen/podspec.go
+++ b/pkg/prowgen/podspec.go
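Review bot: `GSMConfigFileParameter` repeats the mount directory as a literal instead of deriving it from `GSMConfigMountPath`, so a later change to the mount path would leave the `--gsm-config` flag pointing at a directory that is no longer mounted, with nothing at compile time to catch it. Building the flag from the other constant keeps the two in lockstep: `GSMConfigFileParameter = "--gsm-config=" + GSMConfigMountPath + "/gsm-config.yaml"`. The enclosing `const (` block starts and ends outside the hunk.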
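Review bot: Neither this hunk nor the identical one at line 161 says why the GSM mapping file is mounted only when `EnableSecretsStoreCSIDriver` is set; nothing else in the diff relates the ConfigMap to the CSI driver, so a reader has to guess whether the coupling is intentional. A one-line comment above the `if`, such as `// the GSM mapping file is only consumed when secrets are resolved through the CSI driver`, would settle that — reword it if the coupling is for a different reason. The two call sites now carry the same three-line `Add(...)` body; if it grows again, a small helper would keep them from drifting. `NewProwJobBaseBuilderForTest` begins and ends outside both hunks.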
@@ -558,6 +558,42 @@ func GitHubToken(reuseDecorationVolume bool) PodSpecMutator {
 }
 }
+var (
+ gsmConfigVolume = corev1.Volume{
+ Name: cioperatorapi.GSMConfigConfigMap,
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: cioperatorapi.GSMConfigConfigMap,
+ },
+ },
+ },
+ }
+ gsmConfigVolumeMount = corev1.VolumeMount{
+ Name: cioperatorapi.GSMConfigConfigMap,
+ MountPath: cioperatorapi.GSMConfigMountPath,
+ ReadOnly: true,
+ }
+ gsmConfigParameter = cioperatorapi.GSMConfigFileParameter
+)
+
+// GSMConfig mounts the gsm-config ConfigMap and configures ci-operator to use
+// it via the --gsm-config flag. This mapping file defines how GSM secrets are
+// bundled and consumed, supporting bundle references and auto-discovery of fields.
+func GSMConfig() PodSpecMutator {
+ return func(spec *corev1.PodSpec) error {
+ container := &spec.Containers[0]
+ if err := addVolume(spec, gsmConfigVolume); err != nil {
+ return err
+ }
+ if err := addVolumeMount(container, gsmConfigVolumeMount); err != nil {
+ return err
+ }
+ addUniqueParameter(container, gsmConfigParameter)
+ return nil
+ }
+ }
+
 func Variant(variant string) PodSpecMutator {
 return func(spec *corev1.PodSpec) error {
 if len(variant) > 0 {
diff --git a/pkg/prowgen/podspec_test.go b/pkg/prowgen/podspec_test.go
index fda168f56e..a6e4e7fb1d 100644
--- a/pkg/prowgen/podspec_test.go
+++ b/pkg/prowgen/podspec_test.go
@@ -514,3 +514,17 @@ func TestInjectTestFrom(t *testing.T) {
 })
 }
 }
+
+func TestGSMConfig(t *testing.T) {
+ t.Parallel()
+ t.Run("add gsm-config volume and mount", func(t *testing.T) {
+ t.Parallel()
+ g := NewCiOperatorPodSpecGenerator()
+ g.Add(GSMConfig())
+ podspec, err := g.Build()
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+ testhelper.CompareWithFixture(t, podspec)
+ })
+}
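Review bot: `container := &spec.Containers[0]` in the new mutator indexes without a length check, so a PodSpec with no containers panics inside the builder instead of returning an error; unless the sibling mutators in this file deliberately share that assumption, guard it with `if len(spec.Containers) == 0 { return fmt.Errorf("pod spec has no containers") }` (or whichever error idiom the file already uses). Separately, `gsmConfigVolume` leaves `Optional` unset on the ConfigMap source, so any cluster that does not yet carry a `gsm-config` ConfigMap will have every job pod using this mutator fail to start until it exists; that rollout prerequisite is worth stating in the `GSMConfig` doc comment. Mounting the mapping file read-only is the right choice and should stay.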
diff --git a/pkg/prowgen/testdata/zz_fixture_TestGSMConfig_add_gsm_config_volume_and_mount.yaml b/pkg/prowgen/testdata/zz_fixture_TestGSMConfig_add_gsm_config_volume_and_mount.yaml
new file mode 100644
index 0000000000..617ab93d02
--- /dev/null
+++ b/pkg/prowgen/testdata/zz_fixture_TestGSMConfig_add_gsm_config_volume_and_mount.yaml
@@ -0,0 +1,44 @@
+containers:
+- args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --gsm-config=/etc/gsm-config/gsm-config.yaml
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --report-credentials-file=/etc/report/credentials
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /etc/gsm-config
+ name: gsm-config
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+serviceAccountName: ci-operator
+volumes:
+- configMap:
+ name: gsm-config
+ name: gsm-config
+- name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+- name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+- name: result-aggregator
+ secret:
+ secretName: result-aggregator
diff --git a/pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_CSI_enabled.yaml b/pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_CSI_enabled.yaml
index a95099392a..a0aecbdc67 100644
--- a/pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_CSI_enabled.yaml
+++ b/pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_CSI_enabled.yaml
@@ -8,6 +8,7 @@ spec:
 - args:
 - --enable-secrets-store-csi-driver=true
 - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --gsm-config=/etc/gsm-config/gsm-config.yaml
 - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
 - --report-credentials-file=/etc/report/credentials
 - --target=simple
@@ -23,6 +24,9 @@ spec:
 - mountPath: /secrets/gcs
 name: gcs-credentials
 readOnly: true
+ - mountPath: /etc/gsm-config
+ name: gsm-config
+ readOnly: true
 - mountPath: /secrets/manifest-tool
 name: manifest-tool-local-pusher
 readOnly: true
@@ -34,6 +38,9 @@ spec:
 readOnly: true
 serviceAccountName: ci-operator
 volumes:
+ - configMap:
+ name: gsm-config
+ name: gsm-config
 - name: manifest-tool-local-pusher
 secret:
 secretName: manifest-tool-local-pusher