Skip to content

secret manager fix: mount files into container for -f/--from-file #80914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
psalajova wants to merge 1 commit into
base: main
Choose a base branch
from
+49 −1
Open

secret manager fix: mount files into container for -f/--from-file #80914

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 49 additions & 1 deletion hack/secret-manager.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,59 @@ if [ -t 0 ] && [ -t 1 ]; then
tty_flags=(-it)
fi

resolve_path() {
if [[ "$1" = /* ]]; then
echo "$1"
else
echo "$(pwd)/$1"
fi
}

args=()
file_mount=()
while [[ $# -gt 0 ]]; do
case "$1" in
-f|--from-file)
if [[ -n "${2:-}" ]]; then
host_path="$(resolve_path "$2")"
if [[ -f "$host_path" ]]; then
container_path="/input/$(basename "$host_path")"
file_mount=(-v "$host_path:$container_path:ro,z")
args+=("$1" "$container_path")
else
args+=("$1" "$2")
fi
shift 2
else
args+=("$1")
shift
fi
;;
--from-file=*)
file_arg="${1#--from-file=}"
host_path="$(resolve_path "$file_arg")"
if [[ -f "$host_path" ]]; then
container_path="/input/$(basename "$host_path")"
file_mount=(-v "$host_path:$container_path:ro,z")
args+=("--from-file=$container_path")
Comment on lines +43 to +68

@coderabbitai coderabbitai Bot Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

--from-file handling drops earlier mounts and can mis-map files with duplicate basenames.

file_mount is overwritten on each match, so only the last --from-file file is mounted. Also, mapping to /input/$(basename ...) can collide across different directories, causing wrong file selection.

Suggested fix 
 args=()
 file_mount=()
+from_file_idx=0
 while [[ $# -gt 0 ]]; do
     case "$1" in
         -f|--from-file)
             if [[ -n "${2:-}" ]]; then
                 host_path="$(resolve_path "$2")"
                 if [[ -f "$host_path" ]]; then
-                    container_path="/input/$(basename "$host_path")"
-                    file_mount=(-v "$host_path:$container_path:ro,z")
+                    from_file_idx=$((from_file_idx + 1))
+                    container_path="/input/${from_file_idx}-$(basename "$host_path")"
+                    file_mount+=(-v "$host_path:$container_path:ro,z")
                     args+=("$1" "$container_path")
                 else
                     args+=("$1" "$2")
                 fi
                 shift 2
@@
         --from-file=*)
             file_arg="${1#--from-file=}"
             host_path="$(resolve_path "$file_arg")"
             if [[ -f "$host_path" ]]; then
-                container_path="/input/$(basename "$host_path")"
-                file_mount=(-v "$host_path:$container_path:ro,z")
+                from_file_idx=$((from_file_idx + 1))
+                container_path="/input/${from_file_idx}-$(basename "$host_path")"
+                file_mount+=(-v "$host_path:$container_path:ro,z")
                 args+=("--from-file=$container_path")
             else
                 args+=("$1")
             fi
             shift

Also applies to: 86-89

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/secret-manager.sh` around lines 43 - 68, The file_mount variable is
being overwritten instead of appended to in both the -f|--from-file case and the
--from-file=* case, which means only the last file mount is preserved when
multiple --from-file arguments are provided. Additionally, the container path
construction using /input/$(basename ...) creates collisions when files with
identical basenames exist in different directories. Fix this by changing the
file_mount assignments from = to += to accumulate all mounts, and modify the
container path logic to use unique identifiers (such as a counter or index) or
preserve relative directory structure to avoid collisions between files with the
same basename from different source directories.

else
args+=("$1")
fi
shift
;;
*)
args+=("$1")
shift
;;
esac
done

if ! "$CONTAINER_ENGINE" image exists "$IMAGE" 2>/dev/null; then
"$CONTAINER_ENGINE" pull "$IMAGE" >/dev/null
fi
exec "$CONTAINER_ENGINE" run --rm "${tty_flags[@]}" \
-v "$GCLOUD_CONFIG_PATH:/gcloud:z" \
${file_mount[@]+"${file_mount[@]}"} \
-e CLOUDSDK_CONFIG=/gcloud \
-e GOOGLE_CLOUD_QUOTA_PROJECT=openshift-ci-secrets \
"$IMAGE" "$@"
"$IMAGE" "${args[@]}"