HYPERFLEET-710: Fix config file resolution broken by -trimpath build flag

[ciaranRoche]

Summary

• Replace runtime.Caller(0)-based GetProjectRootDir() with os.Getwd() for resolving relative config file paths
• Fix Helm deployment template secret mount path from /build/secrets to /app/secrets (matching Dockerfile WORKDIR)
• Clear secret file paths in unit test environment (uses mock DB, doesn't need real credentials)

Root Cause

GetProjectRootDir() in pkg/config/config.go uses runtime.Caller(0) to derive the project root from the source file path at compile time. When built with -trimpath (required for reproducible builds and FIPS 140-3 compliance), runtime.Caller(0) returns the Go module path instead of the actual filesystem path.

Before (broken)

db-migrate init container crash:

{
  "level": "error",
  "message": "Fatal error",
  "error": "open github.com/openshift-hyperfleet/hyperfleet-api/secrets/db.host: no such file or directory"
}

Pod status: Init:CrashLoopBackOff — API cannot start in any Kubernetes environment.

After (fixed)

db-migrate init container success:

{
  "level": "info",
  "message": "Migration completed successfully"
}

Main container startup:

{
  "level": "info",
  "message": "Application ready to receive traffic"
}

Pods: 1/1 Running

Test plan

• All 421 unit tests pass (make test)
• Image built with -trimpath and deployed to GKE cluster
• db-migrate init container completes successfully
• API starts and is ready to receive traffic
• Local development workflow unaffected

JIRA: https://issues.redhat.com/browse/HYPERFLEET-710

🤖 Generated with Claude Code

Summary by CodeRabbit

• Breaking Changes

  • Removed a public project-root helper; downstream code should stop relying on it.

• Bug Fixes

  • Stricter file-path handling and tighter error reporting when resolving configuration files.
  • Empty file contents are now treated as an error in certain config reads.

• Chores

  • Updated secret volume mount paths in deployment manifests.
  • Cleared file-based DB credential paths in testing environments.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xueli181114 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 58ac1460-5781-4970-9c75-754151138d8d

📥 Commits

Reviewing files that changed from the base of the PR and between b9eb632 and df94039.

📒 Files selected for processing (1)

• cmd/hyperfleet-api/environments/e_integration_testing.go

---

Walkthrough

The pull request updates path handling and configuration across three areas. The Helm deployment template changes secret volume mount paths from /build/secrets to /app/secrets in both initContainers and main container sections. The unit and integration testing environment configs clear database credential file path fields so tests no longer read file-based credentials. The config package removes the exported GetProjectRootDir() function, switches relative file resolution to use the current working directory (returning an error if it cannot be obtained), and tightens file-read error handling (empty file content is now treated as an error).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• vkareh

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing config file resolution that was broken by the -trimpath build flag, which is the core issue addressed across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch HYPERFLEET-710/fix-trimpath-config-resolution

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/config/config.go`:
- Around line 81-82: The current check "if err != nil || fileContents == "" {
return err }" lets an empty file bypass error when err == nil; change the logic
so that you first return the existing err if non-nil, but if err is nil and
fileContents == "" return a new explicit error (e.g., fmt.Errorf("empty file
contents") ) to signal an empty-config file while preserving the original "no
file configured" behavior; update the block around the variables err and
fileContents accordingly (refer to the function that reads config where err and
fileContents are used).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d464fc6b-6c39-4f21-b897-7f18df504cb5

📥 Commits

Reviewing files that changed from the base of the PR and between 53db6e3 and b9eb632.

📒 Files selected for processing (3)

• charts/templates/deployment.yaml
• cmd/hyperfleet-api/environments/e_unit_testing.go
• pkg/config/config.go

[yasun1]

/test presubmits-integration

[openshift-ci]

@ciaranRoche: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/presubmits-integration	df94039	link	true	/test presubmits-integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.