secret manager fix: mount files into container for -f/--from-file

[psalajova]

The -f/--from-file flag passes a host path to the secret-manager tool running inside a container, where the path doesn't exist. Fixed by intercepting the flag, bind-mounting the file into the container, and rewriting the argument to the container path.

Summary by CodeRabbit

This PR enhances the hack/secret-manager.sh script, which is a wrapper for running the OpenShift CI secret-manager tool in a container. It fixes an issue where the -f/--from-file flag would fail when users pass a host file path, since that path doesn't exist inside the container environment.

Changes Made

The script now preprocesses CLI arguments before invoking the container:

1. Path Resolution: Adds a resolve_path() helper function that converts relative file paths to absolute paths based on the current working directory.

2. Argument Parsing: Implements a loop to parse and intercept both -f|--from-file <path> and --from-file=<path> argument formats.

3. Dynamic Bind-Mounting: When a file specified in the --from-file flag exists on the host:

   • The script bind-mounts the file into the container under /input/<basename> as read-only with SELinux context binding (:ro,z)
   • Rewrites the corresponding argument to reference the container path
   • Non-existent files are passed through unchanged

4. Argument Forwarding: Changes the container execution to use the parsed and rewritten argument list ("${args[@]}") instead of the original arguments ("$@"), ensuring only the processed arguments are forwarded to the containerized tool.

This allows the secret-manager tool to work seamlessly regardless of whether it's executed on the host or in a container, properly handling file inputs from the host environment.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@psalajova: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[coderabbitai]

Walkthrough

hack/secret-manager.sh gains a resolve_path() helper and an argument-parsing loop that detects -f/--from-file flags, resolves the referenced path to absolute, mounts existing host files into the container at /input/<basename> (read-only), and rewrites the argument to the container path. The container exec call is updated to forward the rewritten args array and conditionally expand file_mount.

Changes

--from-file host-path mounting in secret-manager.sh

Layer / File(s)	Summary
resolve_path helper and --from-file argument rewriting loop hack/secret-manager.sh	Adds resolve_path() to canonicalize relative paths. Replaces $@ passthrough with a loop that builds an args array, handles -f/--from-file <path> and --from-file=<path> forms, sets file_mount for existing host paths (mapping to /input/<basename>), and rewrites the forwarded argument to the container path. Non-existent paths are passed through unchanged.
Container exec wired to rewritten args hack/secret-manager.sh	Updates the podman/container-engine run invocation to conditionally expand file_mount and forward ${args[@]} instead of the original "$@".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: mounting files into the container for the -f/--from-file flag, which directly addresses the core issue fixed in this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies hack/secret-manager.sh (shell script). No Ginkgo tests are introduced, modified, or affected. Check is not applicable to this PR.
Test Structure And Quality	✅ Passed	PR modifies only hack/secret-manager.sh (shell script), not Ginkgo test code. Custom check for Ginkgo test quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests. The check applies only to new test definitions; this PR only modifies a shell script utility and documentation.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only hack/secret-manager.sh (shell script) with no new Ginkgo e2e tests added; SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies a shell script utility (hack/secret-manager.sh), not deployment manifests, operator code, or controllers. The check is inapplicable.
Ote Binary Stdout Contract	✅ Passed	The PR modifies hack/secret-manager.sh, a shell script utility wrapper, not an OTE binary or Go test. The OTE Binary Stdout Contract check is not applicable to shell script utilities.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR modifies only hack/secret-manager.sh, a Bash utility script, not Ginkgo e2e tests. The check applies only when new Ginkgo e2e tests are added.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the modified hack/secret-manager.sh file.
Container-Privileges	✅ Passed	The PR does not introduce any container privilege escalation. The script uses standard unprivileged container flags with read-only mounts and no privilege-escalating options.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging detected. The script processes file paths and credentials but never logs arguments, file paths, or sensitive variables to stdout/stderr.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: psalajova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [psalajova]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/secret-manager.sh`:
- Around line 43-68: The file_mount variable is being overwritten instead of
appended to in both the -f|--from-file case and the --from-file=* case, which
means only the last file mount is preserved when multiple --from-file arguments
are provided. Additionally, the container path construction using
/input/$(basename ...) creates collisions when files with identical basenames
exist in different directories. Fix this by changing the file_mount assignments
from = to += to accumulate all mounts, and modify the container path logic to
use unique identifiers (such as a counter or index) or preserve relative
directory structure to avoid collisions between files with the same basename
from different source directories.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6f07ee9e-33fd-4272-a32f-bdeb09e98782

📥 Commits

Reviewing files that changed from the base of the PR and between a38254b and 09bb930.

📒 Files selected for processing (1)

• hack/secret-manager.sh

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

--from-file handling drops earlier mounts and can mis-map files with duplicate basenames.

file_mount is overwritten on each match, so only the last --from-file file is mounted. Also, mapping to /input/$(basename ...) can collide across different directories, causing wrong file selection.

Suggested fix

 args=()
 file_mount=()
+from_file_idx=0
 while [[ $# -gt 0 ]]; do
     case "$1" in
         -f|--from-file)
             if [[ -n "${2:-}" ]]; then
                 host_path="$(resolve_path "$2")"
                 if [[ -f "$host_path" ]]; then
-                    container_path="/input/$(basename "$host_path")"
-                    file_mount=(-v "$host_path:$container_path:ro,z")
+                    from_file_idx=$((from_file_idx + 1))
+                    container_path="/input/${from_file_idx}-$(basename "$host_path")"
+                    file_mount+=(-v "$host_path:$container_path:ro,z")
                     args+=("$1" "$container_path")
                 else
                     args+=("$1" "$2")
                 fi
                 shift 2
@@
         --from-file=*)
             file_arg="${1#--from-file=}"
             host_path="$(resolve_path "$file_arg")"
             if [[ -f "$host_path" ]]; then
-                container_path="/input/$(basename "$host_path")"
-                file_mount=(-v "$host_path:$container_path:ro,z")
+                from_file_idx=$((from_file_idx + 1))
+                container_path="/input/${from_file_idx}-$(basename "$host_path")"
+                file_mount+=(-v "$host_path:$container_path:ro,z")
                 args+=("--from-file=$container_path")
             else
                 args+=("$1")
             fi
             shift

Also applies to: 86-89

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/secret-manager.sh` around lines 43 - 68, The file_mount variable is
being overwritten instead of appended to in both the -f|--from-file case and the
--from-file=* case, which means only the last file mount is preserved when
multiple --from-file arguments are provided. Additionally, the container path
construction using /input/$(basename ...) creates collisions when files with
identical basenames exist in different directories. Fix this by changing the
file_mount assignments from = to += to accumulate all mounts, and modify the
container path logic to use unique identifiers (such as a counter or index) or
preserve relative directory structure to avoid collisions between files with the
same basename from different source directories.

[openshift-ci]

@psalajova: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.