ci-tools
[WIP] ci-operator: Implement 3-level naming hierarchy changes to CSI mechanism
This PR implements support for the 3-level GSM secret naming structure (collection__group__field) in ci-operator, as per the design document.
Changes
3-level hierarchy
Secrets now use collection__group__field naming instead of collection__name:
Before:
```yaml
credentials:
- name: aws-creds
  collection: test-platform-infra
  mount_path: /tmp/aws
```
After:
```yaml
credentials:
- collection: test-platform-infra
  group: cluster-init
  field: aws-creds
  mount_path: /tmp/aws
```
Supported credential resolution modes
There are three ways one can reference credentials:
- Bundle reference (via gsm-config.yaml):
```yaml
credentials:
- bundle: aws-bundle
  mount_path: /tmp/aws
```
- Auto-discovery (lists all fields for collection+group):
```yaml
credentials:
- collection: test-platform-infra
  group: cluster-init
  mount_path: /tmp/secrets
```
- Explicit field:
```yaml
credentials:
- collection: test-platform-infra
  group: cluster-init
  field: aws-creds
  mount_path: /tmp/aws
```
Implementation details
- Wired gsmConfig through main.go → defaults → multi_stage chain
- Credentials are resolved once during createSPCs() before SecretProviderClass creation
- Added validation to prevent file collisions when different groups share the same mount path
- Censoring SPCs now track credentials by full secret name (collection__group__field)
- Updated all tests to use 3-level structure
- A separate PR needs to be done which will make sure ci-operator has gsm-config.yaml available at all times, as this is critical for bundle resolution.
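As an added illustration (not code from this PR or from ci-tools), the Go resolver below walks the three reference modes listed under "Supported credential resolution modes" and applies the file-collision check from the implementation details: every entry is expanded to full collection__group__field names keyed by the file it would occupy under mount_path, and two different secrets on one file are rejected. The Credential and Resolver types, the GSM inventory map and the bundle contents are constructed stand-ins, since the page does not show the format of gsm-config.yaml.

```go
package main

import (
	"fmt"
	"path"
)

// Credential is one entry of the PR's credentials list: a bundle name,
// collection+group (auto-discovery) or collection+group+field (explicit).
type Credential struct{ Bundle, Collection, Group, Field, MountPath string }

// Resolver holds constructed stand-ins for the GSM secret inventory and for
// the bundles in gsm-config.yaml (the bundle shape here is an assumption).
type Resolver struct {
	Inventory map[string][]string     // "collection__group" -> field names
	Bundles   map[string][]Credential // bundle name -> collection/group/field members
}

// Resolve maps every projected file (mount_path/field) to its full secret
// name (collection__group__field) and rejects the collision the PR validates
// against: two different secrets landing on the same file.
func (r Resolver) Resolve(creds []Credential) (map[string]string, error) {
	files := map[string]string{}
	for _, c := range creds {
		members := []Credential{c} // explicit reference: the entry itself
		switch {
		case c.Bundle != "": // bundle reference: members come from gsm-config.yaml
			if members = r.Bundles[c.Bundle]; len(members) == 0 {
				return nil, fmt.Errorf("bundle %q missing or empty in gsm-config.yaml", c.Bundle)
			}
		case c.Collection != "" && c.Group != "" && c.Field == "": // auto-discovery
			members = nil
			for _, f := range r.Inventory[c.Collection+"__"+c.Group] {
				members = append(members, Credential{Collection: c.Collection, Group: c.Group, Field: f})
			}
		}
		for _, m := range members {
			if m.Collection == "" || m.Group == "" || m.Field == "" {
				return nil, fmt.Errorf("invalid entry %+v: need bundle, collection+group, or collection+group+field", c)
			}
			name := m.Collection + "__" + m.Group + "__" + m.Field
			file := path.Join(c.MountPath, m.Field) // mount path comes from the referencing entry
			if prev, dup := files[file]; dup && prev != name {
				return nil, fmt.Errorf("file collision at %s: %s vs %s", file, prev, name)
			}
			files[file] = name
		}
	}
	return files, nil
}
```

The same secret reached twice by the same file (for example via a bundle and an explicit entry) is accepted; only a different secret on an already-claimed file is an error.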
Jira: https://issues.redhat.com/browse/DPTP-4656