Add destroy previous secret versions functionality when updating a secret

[psalajova]

I identified that GSM costs were getting high by accumulating secret versions (~150 per secret across ~550 secrets in the test-platform-infra collection), all using automatic replication. I ran a one-time cleanup script to destroy all non-latest versions, and modified CreateOrUpdateSecret to accept a destroyPreviousVersions flag — enabled for ci-secret-generator — so old versions are automatically destroyed after each update, preventing future cost buildup.

This PR adds an option to destroy previous Google Secret Manager (GSM) secret versions when a secret is updated and enables that option for the ci-secret-generator, preventing future accumulation of old secret versions and related billing growth.

Changes and practical impact

• Core behavior (pkg/gsm-secrets/execution.go)

  • CreateOrUpdateSecret now accepts destroyPreviousVersions bool.
  • When destroyPreviousVersions=true, after creating a new secret version the function lists existing ENABLED versions (excluding the newly-created version) and calls DestroySecretVersion on each prior enabled version. Any failure during listing or destroying is returned and causes CreateOrUpdateSecret to fail (cleanup is not best-effort).
  • SecretManagerClient interface gained ListSecretVersions and DestroySecretVersion to support this flow.
  • The existing CreateSecrets workflow remains unchanged and calls CreateOrUpdateSecret(..., false).

• Integration into CI tooling (pkg/secrets/gsm.go)

  • The ci-secret-generator path (SetFieldOnItem and UpdateIndexSecret) now calls CreateOrUpdateSecret with destroyPreviousVersions=true. As a result, when ci-secret-generator updates GSM secrets it will automatically destroy previous enabled versions, preventing accumulation and reducing GSM storage/cost.
  • The Vault write path behavior is unchanged: GSM errors are logged and do not block Vault writes.

• Tests and mocks

  • Test fakes and the generated GoMock (MockSecretManagerClient) were extended to include ListSecretVersions and DestroySecretVersion so tests compile and can exercise the new behavior.

Who is affected / operational notes

• CI operators and maintainers running ci-secret-generator: future secret updates will remove prior enabled secret versions automatically, lowering GSM version counts and costs.
• Because failures in listing or destroying are treated as errors, callers that enable destroyPreviousVersions must handle possible CreateOrUpdateSecret failures. This PR enables the behavior only for ci-secret-generator; other callers keep prior behavior unless they opt in.
• The author ran a one-time cleanup to remove existing excess versions; this change prevents re-accumulation going forward.

Compatibility

• Backward compatibility preserved for callers that do not opt into destroying previous versions (CreateSecrets still uses false).
• Behavioral change is scoped to components that pass destroyPreviousVersions=true (currently ci-secret-generator).

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

📝 Walkthrough

Walkthrough

CreateOrUpdateSecret gains a boolean to optionally destroy previously enabled GSM secret versions after adding a new version. The SecretManagerClient interface, mocks, and test fakes are updated to include ListSecretVersions and DestroySecretVersion. Two call sites enable destruction; CreateSecrets preserves prior behavior (destruction disabled).

Changes

GSM Secret Version Cleanup

Layer / File(s)	Summary
Interface contract and function signature pkg/gsm-secrets/execution.go	SecretManagerClient interface gains DestroySecretVersion; CreateOrUpdateSecret signature extended with destroyPreviousVersions boolean and related import adjustment.
Version destruction implementation pkg/gsm-secrets/execution.go	After adding a new secret version, CreateOrUpdateSecret conditionally lists enabled versions and destroys prior enabled versions via destroyPreviousSecretVersions; failures during list/iteration or destroy are returned as errors (not best-effort).
Call site integration pkg/secrets/gsm.go, pkg/gsm-secrets/execution.go	SetFieldOnItem and UpdateIndexSecret now call CreateOrUpdateSecret(..., true) to enable destruction; CreateSecrets calls with false to preserve previous behavior.
Mock and test fake implementations pkg/gsm-secrets/execution_mock.go, cmd/ci-secret-bootstrap/main_test.go, pkg/steps/multi_stage/gsm_bundle_resolver_test.go	Generated GoMock now includes ListSecretVersions and DestroySecretVersion; test fakes updated with stub implementations to satisfy the expanded interface.

---

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Coverage For New Features	⚠️ Warning	New destroyPreviousVersions functionality and DestroySecretVersion interface method lack unit test coverage. No tests for CreateOrUpdateSecret with cleanup flag or the version destruction logic.	Add unit tests for CreateOrUpdateSecret with destroyPreviousVersions flag, test destroyPreviousSecretVersions error cases, and verify interface method invocation.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding functionality to destroy previous secret versions when updating a secret in GSM.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Go Error Handling	✅ Passed	All errors in production code properly wrapped with fmt.Errorf %w. Nil checks precede dereferencing. No panic in non-test code.
Stable And Deterministic Test Names	✅ Passed	This repository uses standard Go testing (*testing.T), not Ginkgo. No Ginkgo test declarations (It, Describe, Context, When) exist in modified files.
Test Structure And Quality	✅ Passed	Modified test files use standard Go testing, not Ginkgo. The custom check for Ginkgo test quality is not applicable to this PR, which only adds stub implementations to test double structs.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. All modified test files contain only standard Go unit tests, not Ginkgo tests. Changes only update test doubles.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests (zero It/Describe/Context/When blocks found). Changes are unit tests and mocks for GSM secret management—SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only Go backend code for GSM secret operations, tests, and mocks. No deployment manifests, operator code, controllers, or scheduling constraints are introduced or modified.
Ote Binary Stdout Contract	✅ Passed	PR modifies only library code, test doubles, and mocks with no stdout writes in process-level code; all logging uses logrus (stderr) not stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added by this PR. All test files use Go's standard testing package (testing.T), making the IPv6/disconnected network compatibility check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/gsm-secrets/execution.go`:
- Around line 72-98: The cleanup currently deletes all enabled versions except
currentVersionName, which can remove newer versions created concurrently; update
destroyPreviousSecretVersions to first retrieve the current version's creation
timestamp (call GetSecretVersion for currentVersionName) and then only destroy
versions whose CreateTime is strictly before that timestamp (keep skipping when
v.Name == currentVersionName or when v.CreateTime is nil or not before current's
CreateTime); use the created timestamp comparison instead of deleting every
enabled version and still log errors from DestroySecretVersion as before
(references: destroyPreviousSecretVersions, currentVersionName, v.Name,
client.GetSecretVersion, client.DestroySecretVersion,
ListSecretVersionsRequest).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: add70176-a6c7-429e-979d-5d6292846f2b

📥 Commits

Reviewing files that changed from the base of the PR and between cd299ac and 5ae92dd.

📒 Files selected for processing (5)

• cmd/ci-secret-bootstrap/main_test.go
• pkg/gsm-secrets/execution.go
• pkg/gsm-secrets/execution_mock.go
• pkg/secrets/gsm.go
• pkg/steps/multi_stage/gsm_bundle_resolver_test.go

[hector-vido]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hector-vido, Prucek, psalajova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Prucek,hector-vido,psalajova]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[droslean]

It seems that you always want to destroy the previous versions, so the bool doesn't make any difference here.

[psalajova]

There are 3 call sites:

• gsm.go:68 (SetFieldOnItem): passes true -- ci-secret-generator updating existing secrets
• gsm.go:81 (UpdateIndexSecret): passes true -- ci-secret-generator updating index
• execution.go:299 (CreateSecrets): passes false -- initial secret creation by gsm-secret-sync

The false at execution.go:299 is intentional: when gsm-secret-sync creates secrets for the first time, there are no previous versions to destroy. Additionally, the migration code I'm working on also calls CreateOrUpdateSecret with false (initial migration, no previous versions). I agree that maybe we could set it to always destroy previous versions, but it feels better to be able to control it.

[psalajova]

/hold

[psalajova]

We are discussing if this is the right approach in https://redhat-internal.slack.com/archives/GB7NB0CUC/p1779274337330229 , waiting for the conclusion there before I move forward with this

[openshift-ci]

New changes are detected. LGTM label has been removed.

[psalajova]

/unhold

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/steps/multi_stage/gsm_bundle_resolver_test.go (1)

52-54: ⚡ Quick win

Prefer returning an error instead of panicking in the test fake.

Use an explicit error return here so failures stay assertion-driven and consistent with non-panic error paths.

Suggested fix

 func (f *fakeGSMClient) DestroySecretVersion(ctx context.Context, req *secretmanagerpb.DestroySecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error) {
-	panic("DestroySecretVersion not implemented in test")
+	return nil, errors.New("DestroySecretVersion not implemented in test")
 }

As per coding guidelines, Avoid panic() in Go except in init() or fatal conditions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/multi_stage/gsm_bundle_resolver_test.go` around lines 52 - 54, The
test fake method DestroySecretVersion on fakeGSMClient currently panics; change
it to return an explicit error instead (e.g., return nil and an error describing
the unimplemented method) so tests can handle failures via assertions; locate
the DestroySecretVersion method on the fakeGSMClient type and replace the panic
with a nil *secretmanagerpb.SecretVersion and a descriptive error value.

pkg/gsm-secrets/execution.go (1)

31-31: Coordinate downstream update for this public API change.

CreateOrUpdateSecret now has a new parameter; linked-repo findings show openshift/ci-chat-bot still vendors the old signature/interface. Please revendor/update in lockstep to avoid downstream compile breaks.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/gsm-secrets/execution.go` at line 31, CreateOrUpdateSecret now adds a new
parameter (destroyPreviousVersions bool), so update downstream consumers and
vendor copies that still call the old signature (notably openshift/ci-chat-bot)
to use the new function signature; change calls to pass the new
destroyPreviousVersions argument, update the vendored pkg/gsm-secrets to this
version, run go mod tidy / vendor refresh and rebuild downstream to ensure the
interface/signature change is synchronized and avoids compile errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/gsm-secrets/execution.go`:
- Around line 103-110: The interface methods in SecretManagerClient reference
gax.CallOption but execution.go is missing the gax package import; add the
import "github.com/googleapis/gax-go/v2" to the imports block in
pkg/gsm-secrets/execution.go so ListSecrets, ListSecretVersions, GetSecret,
DeleteSecret, CreateSecret, AddSecretVersion, DestroySecretVersion and
AccessSecretVersion compile and use gax.CallOption correctly, then run go build
to verify.

---

Nitpick comments:
In `@pkg/gsm-secrets/execution.go`:
- Line 31: CreateOrUpdateSecret now adds a new parameter
(destroyPreviousVersions bool), so update downstream consumers and vendor copies
that still call the old signature (notably openshift/ci-chat-bot) to use the new
function signature; change calls to pass the new destroyPreviousVersions
argument, update the vendored pkg/gsm-secrets to this version, run go mod tidy /
vendor refresh and rebuild downstream to ensure the interface/signature change
is synchronized and avoids compile errors.

In `@pkg/steps/multi_stage/gsm_bundle_resolver_test.go`:
- Around line 52-54: The test fake method DestroySecretVersion on fakeGSMClient
currently panics; change it to return an explicit error instead (e.g., return
nil and an error describing the unimplemented method) so tests can handle
failures via assertions; locate the DestroySecretVersion method on the
fakeGSMClient type and replace the panic with a nil
*secretmanagerpb.SecretVersion and a descriptive error value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c20eb856-1ef4-487d-9bba-dc0c5d30eeb9

📥 Commits

Reviewing files that changed from the base of the PR and between 5ae92dd and 46e8fdc.

📒 Files selected for processing (5)

• cmd/ci-secret-bootstrap/main_test.go
• pkg/gsm-secrets/execution.go
• pkg/gsm-secrets/execution_mock.go
• pkg/secrets/gsm.go
• pkg/steps/multi_stage/gsm_bundle_resolver_test.go

[openshift-ci]

@psalajova: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/secret-generator-validation	46e8fdc	link	false	/test secret-generator-validation
ci/prow/frontend-checks	46e8fdc	link	true	/test frontend-checks
ci/prow/images	46e8fdc	link	true	/test images
ci/prow/lint	46e8fdc	link	true	/test lint
ci/prow/secret-bootstrapper-validation	46e8fdc	link	false	/test secret-bootstrapper-validation
ci/prow/checkconfig	46e8fdc	link	true	/test checkconfig
ci/prow/codegen	46e8fdc	link	true	/test codegen
ci/prow/unit	46e8fdc	link	true	/test unit
ci/prow/breaking-changes	46e8fdc	link	false	/test breaking-changes
ci/prow/integration	46e8fdc	link	true	/test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/steps/multi_stage/gsm_bundle_resolver_test.go (1)

48-50: ⚡ Quick win

Make ListSecretVersions fail-fast in this “should never be called” fake.

Line 48 currently returns nil, which can hide accidental usage. This fake’s contract is explicit; panic here too for consistency and stronger test signaling.

Proposed change

 func (f *fakeGSMClient) ListSecretVersions(ctx context.Context, req *secretmanagerpb.ListSecretVersionsRequest, opts ...gax.CallOption) *secretmanager.SecretVersionIterator {
-	return nil
+	panic("ListSecretVersions should not be called when cache is populated")
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/steps/multi_stage/gsm_bundle_resolver_test.go` around lines 48 - 50, The
fake method ListSecretVersions on fakeGSMClient currently returns nil and should
fail-fast; replace the nil return with an immediate panic (or equivalent
immediate test-failing behavior) so any accidental call to
fakeGSMClient.ListSecretVersions(...) surfaces immediately (use a clear message
like "ListSecretVersions should not be called" to aid debugging).

cmd/ci-secret-bootstrap/main_test.go (1)

2326-2328: ⚡ Quick win

Fail fast on unexpected ListSecretVersions calls in the fake.

Returning nil here can silently pass if code unexpectedly calls this method (the production path treats nil iterator as a no-op). Panicking (or returning a deterministic failing iterator path) makes regressions visible in tests.

Proposed change

 func (f *fakeGSMClient) ListSecretVersions(ctx context.Context, req *secretmanagerpb.ListSecretVersionsRequest, opts ...gax.CallOption) *secretmanager.SecretVersionIterator {
-	return nil
+	panic("ListSecretVersions not implemented in test")
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/ci-secret-bootstrap/main_test.go` around lines 2326 - 2328, The
fakeGSMClient's ListSecretVersions currently returns nil which can hide
unexpected calls; change fakeGSMClient.ListSecretVersions to fail fast by either
panicking with a clear message (e.g., "unexpected ListSecretVersions call in
test") or returning a deterministic iterator that immediately yields a non-nil
error so tests fail fast; update the implementation referenced by
fakeGSMClient.ListSecretVersions to use one of these approaches so any
accidental invocation becomes an explicit test failure.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/gsm-secrets/execution.go`:
- Line 32: CreateOrUpdateSecret signature was changed which breaks downstream
vendored consumers (e.g., openshift/ci-chat-bot); coordinate a compatible
rollout by either restoring a backwards-compatible wrapper with the old
signature that calls the new CreateOrUpdateSecret(ctx, client, projectIdNumber,
secretName, payload, labels, annotations, destroyPreviousVersions) or
communicate and land a coordinated vendor bump: notify the downstream repo,
update their vendor snapshot to include the new API, and regenerate any mocks
(mock for CreateOrUpdateSecret) so tests compile against the updated signature.

---

Nitpick comments:
In `@cmd/ci-secret-bootstrap/main_test.go`:
- Around line 2326-2328: The fakeGSMClient's ListSecretVersions currently
returns nil which can hide unexpected calls; change
fakeGSMClient.ListSecretVersions to fail fast by either panicking with a clear
message (e.g., "unexpected ListSecretVersions call in test") or returning a
deterministic iterator that immediately yields a non-nil error so tests fail
fast; update the implementation referenced by fakeGSMClient.ListSecretVersions
to use one of these approaches so any accidental invocation becomes an explicit
test failure.

In `@pkg/steps/multi_stage/gsm_bundle_resolver_test.go`:
- Around line 48-50: The fake method ListSecretVersions on fakeGSMClient
currently returns nil and should fail-fast; replace the nil return with an
immediate panic (or equivalent immediate test-failing behavior) so any
accidental call to fakeGSMClient.ListSecretVersions(...) surfaces immediately
(use a clear message like "ListSecretVersions should not be called" to aid
debugging).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c0b58b58-59ce-450e-b290-efe369c730ab

📥 Commits

Reviewing files that changed from the base of the PR and between 46e8fdc and ff62178.

📒 Files selected for processing (5)

• cmd/ci-secret-bootstrap/main_test.go
• pkg/gsm-secrets/execution.go
• pkg/gsm-secrets/execution_mock.go
• pkg/secrets/gsm.go
• pkg/steps/multi_stage/gsm_bundle_resolver_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/gsm-secrets/execution_mock.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Coordinate downstream vendored consumers before merging this API change.

Line 32 changes CreateOrUpdateSecret’s signature, and linked-repo findings show openshift/ci-chat-bot vendors the old pkg/gsm-secrets API and mock. That downstream will break until its vendor snapshot is updated in lockstep.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/gsm-secrets/execution.go` at line 32, CreateOrUpdateSecret signature was
changed which breaks downstream vendored consumers (e.g.,
openshift/ci-chat-bot); coordinate a compatible rollout by either restoring a
backwards-compatible wrapper with the old signature that calls the new
CreateOrUpdateSecret(ctx, client, projectIdNumber, secretName, payload, labels,
annotations, destroyPreviousVersions) or communicate and land a coordinated
vendor bump: notify the downstream repo, update their vendor snapshot to include
the new API, and regenerate any mocks (mock for CreateOrUpdateSecret) so tests
compile against the updated signature.