Refactoring: use yaml file instead of env vars to load GSM project config

Author: psalajova

cmd/ci-operator/main.go

@@ -458,6 +458,8 @@ type options struct {
 	enableSecretsStoreCSIDriver bool
 	gsmConfigPath               string
 	gsmConfig                   api.GSMConfig
+	gsmProjectConfigPath        string
+	gsmProjectConfig            gsm.Config
 	gsmCredentialsFile          string
 
 	metricsAgent *metrics.MetricsAgent
@@ -514,7 +516,8 @@ func bindOptions(flag *flag.FlagSet) *options {
 	flag.StringVar(&opt.impersonateUser, "as", "", "Username to impersonate")
 	flag.BoolVar(&opt.restrictNetworkAccess, "restrict-network-access", false, "Restrict network access to 10.0.0.0/8 (RedHat intranet).")
 	flag.BoolVar(&opt.enableSecretsStoreCSIDriver, "enable-secrets-store-csi-driver", false, "Use Secrets Store CSI driver for accessing multi-stage credentials.")
-	flag.StringVar(&opt.gsmConfigPath, "gsm-config", "", "Path to the gsm config file.")
+	flag.StringVar(&opt.gsmConfigPath, "gsm-config", "", "Path to the gsm secrets config file.")
+	flag.StringVar(&opt.gsmProjectConfigPath, "gsm-project-config", "", "Path to the GSM project config file.")
 	flag.StringVar(&opt.gsmCredentialsFile, "gsm-credentials-file", "", "Path to GCP service account credentials.")
 
 	// flags needed for the configresolver
@@ -769,8 +772,10 @@ func (o *options) Complete() error {
 	handleTargetAdditionalSuffix(o)
 
 	if o.enableSecretsStoreCSIDriver {
-		err := api.LoadGSMConfigFromFile(o.gsmConfigPath, &o.gsmConfig)
-		if err != nil {
+		if err := api.LoadGSMConfigFromFile(o.gsmConfigPath, &o.gsmConfig); err != nil {
+			return err
+		}
+		if err = api.LoadGSMProjectConfigFromFile(o.gsmProjectConfigPath, &o.gsmProjectConfig); err != nil {
 			return err
 		}
 	}
@@ -1062,10 +1067,6 @@ func (o *options) Run() (errs []error) {
 
 	var gsmConfig *multi_stage.GSMConfiguration
 	if o.enableSecretsStoreCSIDriver {
-		gsmProjectConfig, err := gsm.GetConfigFromEnv()
-		if err != nil {
-			return []error{results.ForReason("gsm_config").WithError(err).Errorf("failed to get GSM project config from environment: %v", err)}
-		}
 		var opts []option.ClientOption
 		if o.gsmCredentialsFile != "" {
 			opts = append(opts, option.WithCredentialsFile(o.gsmCredentialsFile))
@@ -1082,7 +1083,7 @@ func (o *options) Run() (errs []error) {
 		gsmConfig = &multi_stage.GSMConfiguration{
 			Config:          &o.gsmConfig,
 			CredentialsFile: o.gsmCredentialsFile,
-			ProjectConfig:   gsmProjectConfig,
+			ProjectConfig:   o.gsmProjectConfig,
 			Client:          gsmClient,
 		}
 	}

pkg/api/gsm.go

@@ -9,6 +9,7 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"sigs.k8s.io/yaml"
 
+	gsm "github.com/openshift/ci-tools/pkg/gsm-secrets"
 	gsmvalidation "github.com/openshift/ci-tools/pkg/gsm-validation"
 	"github.com/openshift/ci-tools/pkg/util/gzip"
 )
@@ -91,6 +92,15 @@ func LoadGSMConfigFromFile(file string, config *GSMConfig) error {
 	return yaml.UnmarshalStrict(bytes, config)
 }
 
+// LoadGSMProjectConfigFromFile loads a GSM project configuration from a YAML file
+func LoadGSMProjectConfigFromFile(file string, config *gsm.Config) error {
+	bytes, err := gzip.ReadFileMaybeGZIP(file)
+	if err != nil {
+		return fmt.Errorf("couldn't read GSM project config file: %w", err)
+	}
+	return yaml.UnmarshalStrict(bytes, config)
+}
+
 func (c *GSMConfig) UnmarshalJSON(d []byte) error {
 	type Alias GSMConfig
 	aux := (*Alias)(c)

pkg/gsm-secrets/types.go

@@ -34,13 +34,8 @@ const (
 )
 
 type Config struct {
-	ProjectIdString string
-	ProjectIdNumber string
-}
-
-var Production = Config{
-	ProjectIdString: "openshift-ci-secrets",
-	ProjectIdNumber: "384486694155",
+	ProjectIdString string `json:"GCP_PROJECT_ID" yaml:"GCP_PROJECT_ID"`
+	ProjectIdNumber string `json:"GCP_PROJECT_NUMBER" yaml:"GCP_PROJECT_NUMBER"`
 }
 
 func (c Config) GetSecretAccessorRole() string {