Add gsm-config ConfigMap to prowgen

pkg/api/constant.go

@@ -18,6 +18,10 @@ const (
 	ManifestToolLocalPusherSecret          = "manifest-tool-local-pusher"
 	ManifestToolLocalPusherSecretMountPath = "/secrets/manifest-tool"
 
+	GSMConfigConfigMap     = "gsm-config"
+	GSMConfigMountPath     = "/etc/gsm-config"
+	GSMConfigFileParameter = "--gsm-config=/etc/gsm-config/gsm-config.yaml"
+
 	PromotionQuayTaggerKubeconfigSecret = "promotion-quay-tagger-kubeconfig"
 
 	ReleaseAnnotationSoftDelete = "release.openshift.io/soft-delete"

pkg/prowgen/jobbase.go

@@ -149,7 +149,10 @@ func NewProwJobBaseBuilderForTest(configSpec *cioperatorapi.ReleaseBuildConfigur
 			p.PodSpec.Add(CIPullSecret())
 		}
 		if info.Config.EnableSecretsStoreCSIDriver {
-			p.PodSpec.Add(Arg("enable-secrets-store-csi-driver", "true"))
+			p.PodSpec.Add(
+				Arg("enable-secrets-store-csi-driver", "true"),
+				GSMConfig(),
+			)
 		}
 	case test.MultiStageTestConfiguration != nil:
 		if clusterProfile := test.MultiStageTestConfiguration.ClusterProfile; clusterProfile != "" {
@@ -161,7 +164,10 @@ func NewProwJobBaseBuilderForTest(configSpec *cioperatorapi.ReleaseBuildConfigur
 			p.PodSpec.Add(CIPullSecret())
 		}
 		if info.Config.EnableSecretsStoreCSIDriver {
-			p.PodSpec.Add(Arg("enable-secrets-store-csi-driver", "true"))
+			p.PodSpec.Add(
+				Arg("enable-secrets-store-csi-driver", "true"),
+				GSMConfig(),
+			)
 		}
 	case test.OpenshiftAnsibleClusterTestConfiguration != nil:
 		p.PodSpec.Add(

pkg/prowgen/podspec.go

@@ -558,6 +558,42 @@ func GitHubToken(reuseDecorationVolume bool) PodSpecMutator {
 	}
 }
 
+var (
+	gsmConfigVolume = corev1.Volume{
+		Name: cioperatorapi.GSMConfigConfigMap,
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: cioperatorapi.GSMConfigConfigMap,
+				},
+			},
+		},
+	}
+	gsmConfigVolumeMount = corev1.VolumeMount{
+		Name:      cioperatorapi.GSMConfigConfigMap,
+		MountPath: cioperatorapi.GSMConfigMountPath,
+		ReadOnly:  true,
+	}
+	gsmConfigParameter = cioperatorapi.GSMConfigFileParameter
+)
+
+// GSMConfig mounts the gsm-config ConfigMap and configures ci-operator to use
+// it via the --gsm-config flag. This mapping file defines how GSM secrets are
+// bundled and consumed, supporting bundle references and auto-discovery of fields.
+func GSMConfig() PodSpecMutator {
+	return func(spec *corev1.PodSpec) error {
+		container := &spec.Containers[0]
+		if err := addVolume(spec, gsmConfigVolume); err != nil {
+			return err
+		}
+		if err := addVolumeMount(container, gsmConfigVolumeMount); err != nil {
+			return err
+		}
+		addUniqueParameter(container, gsmConfigParameter)
+		return nil
+	}
+}
+
 func Variant(variant string) PodSpecMutator {
 	return func(spec *corev1.PodSpec) error {
 		if len(variant) > 0 {

pkg/prowgen/podspec_test.go

@@ -514,3 +514,17 @@ func TestInjectTestFrom(t *testing.T) {
 		})
 	}
 }
+
+func TestGSMConfig(t *testing.T) {
+	t.Parallel()
+	t.Run("add gsm-config volume and mount", func(t *testing.T) {
+		t.Parallel()
+		g := NewCiOperatorPodSpecGenerator()
+		g.Add(GSMConfig())
+		podspec, err := g.Build()
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+		testhelper.CompareWithFixture(t, podspec)
+	})
+}

pkg/prowgen/testdata/zz_fixture_TestGSMConfig_add_gsm_config_volume_and_mount.yaml

@@ -0,0 +1,44 @@
+containers:
+- args:
+  - --gcs-upload-secret=/secrets/gcs/service-account.json
+  - --gsm-config=/etc/gsm-config/gsm-config.yaml
+  - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+  - --report-credentials-file=/etc/report/credentials
+  command:
+  - ci-operator
+  image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+  imagePullPolicy: Always
+  name: ""
+  resources:
+    requests:
+      cpu: 10m
+  volumeMounts:
+  - mountPath: /secrets/gcs
+    name: gcs-credentials
+    readOnly: true
+  - mountPath: /etc/gsm-config
+    name: gsm-config
+    readOnly: true
+  - mountPath: /secrets/manifest-tool
+    name: manifest-tool-local-pusher
+    readOnly: true
+  - mountPath: /etc/pull-secret
+    name: pull-secret
+    readOnly: true
+  - mountPath: /etc/report
+    name: result-aggregator
+    readOnly: true
+serviceAccountName: ci-operator
+volumes:
+- configMap:
+    name: gsm-config
+  name: gsm-config
+- name: manifest-tool-local-pusher
+  secret:
+    secretName: manifest-tool-local-pusher
+- name: pull-secret
+  secret:
+    secretName: registry-pull-credentials
+- name: result-aggregator
+  secret:
+    secretName: result-aggregator

pkg/prowgen/testdata/zz_fixture_TestNewProwJobBaseBuilderForTest_multi_stage_test_with_CSI_enabled.yaml

@@ -8,6 +8,7 @@ spec:
   - args:
     - --enable-secrets-store-csi-driver=true
     - --gcs-upload-secret=/secrets/gcs/service-account.json
+    - --gsm-config=/etc/gsm-config/gsm-config.yaml
     - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
     - --report-credentials-file=/etc/report/credentials
     - --target=simple
@@ -23,6 +24,9 @@ spec:
     - mountPath: /secrets/gcs
       name: gcs-credentials
       readOnly: true
+    - mountPath: /etc/gsm-config
+      name: gsm-config
+      readOnly: true
     - mountPath: /secrets/manifest-tool
       name: manifest-tool-local-pusher
       readOnly: true
@@ -34,6 +38,9 @@ spec:
       readOnly: true
   serviceAccountName: ci-operator
   volumes:
+  - configMap:
+      name: gsm-config
+    name: gsm-config
   - name: manifest-tool-local-pusher
     secret:
       secretName: manifest-tool-local-pusher