Refactor/env vars access (#2693)

Limits the dependency between packages to make the code more readable

cmd/aro/const.go

@@ -0,0 +1,11 @@
+package main
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+const (
+	DatabaseName        = "DATABASE_NAME"
+	DatabaseAccountName = "DATABASE_ACCOUNT_NAME"
+	KeyVaultPrefix      = "KEYVAULT_PREFIX"
+	DBTokenUrl          = "DBTOKEN_URL"
+)

cmd/aro/dbtoken.go

@@ -5,7 +5,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"net"
 	"os"
 
@@ -27,23 +26,13 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	for _, key := range []string{
-		"AZURE_GATEWAY_SERVICE_PRINCIPAL_ID",
-		"AZURE_DBTOKEN_CLIENT_ID",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+	if err := env.ValidateVars("AZURE_GATEWAY_SERVICE_PRINCIPAL_ID", "AZURE_DBTOKEN_CLIENT_ID"); err != nil {
+		return err
 	}
 
 	if !_env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
-			"MDM_ACCOUNT",
-			"MDM_NAMESPACE",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return fmt.Errorf("environment variable %q unset", key)
-			}
+		if err := env.ValidateVars("MDM_ACCOUNT", "MDM_NAMESPACE"); err != nil {
+			return err
 		}
 	}
 
@@ -66,33 +55,39 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {
 
 	go g.Run()
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, nil)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, nil, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbid, err := database.Name(_env.IsLocalDevelopmentMode())
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
 	if err != nil {
 		return err
 	}
 
-	userc := cosmosdb.NewUserClient(dbc, dbid)
+	userc := cosmosdb.NewUserClient(dbc, dbName)
 
-	err = pkgdbtoken.ConfigurePermissions(ctx, dbid, userc)
+	err = pkgdbtoken.ConfigurePermissions(ctx, dbName, userc)
 	if err != nil {
 		return err
 	}
 
-	dbtokenKeyvaultURI, err := keyvault.URI(_env, env.DBTokenKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	dbtokenKeyvaultURI := keyvault.URI(_env, env.DBTokenKeyvaultSuffix, keyVaultPrefix)
 	dbtokenKeyvault := keyvault.NewManager(msiKVAuthorizer, dbtokenKeyvaultURI)
 
 	servingKey, servingCerts, err := dbtokenKeyvault.GetCertificateSecret(ctx, env.DBTokenServerSecretName)

cmd/aro/deploy.go

@@ -42,18 +42,16 @@ func deploy(ctx context.Context, log *logrus.Entry) error {
 			return err
 		}
 	} else { // running in CI node/Public - Use SP from Env
-		for _, key := range []string{
+		err := env.ValidateVars(
 			"AZURE_CLIENT_ID",
 			"AZURE_CLIENT_SECRET",
 			"AZURE_SUBSCRIPTION_ID",
-			"AZURE_TENANT_ID",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return fmt.Errorf("environment variable %q unset", key)
-			}
+			"AZURE_TENANT_ID")
+
+		if err != nil {
+			return err
 		}
 
-		var err error
 		_env, err = env.NewCoreForCI(ctx, log)
 		if err != nil {
 			return err

cmd/aro/gateway.go

@@ -5,7 +5,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"os/signal"
 	"strings"
@@ -29,12 +28,8 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	for _, key := range []string{
-		"AZURE_DBTOKEN_CLIENT_ID",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+	if err = env.ValidateVars("AZURE_DBTOKEN_CLIENT_ID"); err != nil {
+		return err
 	}
 
 	m := statsd.New(ctx, log.WithField("component", "gateway"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
@@ -46,7 +41,10 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 
 	go g.Run()
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, nil, m, nil)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, nil, m, nil, os.Getenv(DatabaseAccountName))
 	if err != nil {
 		return err
 	}
@@ -71,12 +69,18 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 		}
 	}
 
-	dbRefresher, err := pkgdbtoken.NewRefresher(log, _env, msiRefresherAuthorizer, insecureSkipVerify, dbc, "gateway", m, "gateway")
+	url, err := getURL(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+	dbRefresher := pkgdbtoken.NewRefresher(log, _env, msiRefresherAuthorizer, insecureSkipVerify, dbc, "gateway", m, "gateway", url)
+
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
 	if err != nil {
 		return err
 	}
 
-	dbGateway, err := database.NewGateway(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbGateway, err := database.NewGateway(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
@@ -126,3 +130,15 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 
 	return nil
 }
+
+func getURL(isLocalDevelopmentMode bool) (string, error) {
+	if isLocalDevelopmentMode {
+		return "https://localhost:8445", nil
+	}
+
+	if err := env.ValidateVars(DBTokenUrl); err != nil {
+		return "", err
+	}
+
+	return os.Getenv(DBTokenUrl), nil
+}

cmd/aro/main.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Azure/ARO-RP/pkg/env"
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 	_ "github.com/Azure/ARO-RP/pkg/util/scheme"
 	"github.com/Azure/ARO-RP/pkg/util/version"
@@ -106,3 +107,15 @@ func checkMinArgs(required int) {
 		os.Exit(2)
 	}
 }
+
+func DBName(isLocalDevelopmentMode bool) (string, error) {
+	if !isLocalDevelopmentMode {
+		return "ARO", nil
+	}
+
+	if err := env.ValidateVars(DatabaseName); err != nil {
+		return "", fmt.Errorf("%v (development mode)", err.Error())
+	}
+
+	return os.Getenv(DatabaseName), nil
+}

cmd/aro/mirror.go

@@ -40,15 +40,14 @@ func getAuth(key string) (*types.DockerAuthConfig, error) {
 }
 
 func mirror(ctx context.Context, log *logrus.Entry) error {
-	for _, key := range []string{
+	err := env.ValidateVars(
 		"DST_AUTH",
 		"DST_ACR_NAME",
 		"SRC_AUTH_QUAY",
-		"SRC_AUTH_REDHAT",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+		"SRC_AUTH_REDHAT")
+
+	if err != nil {
+		return err
 	}
 
 	env, err := env.NewCoreForCI(ctx, log)

cmd/aro/monitor.go

@@ -5,7 +5,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 
 	"github.com/Azure/go-autorest/tracing"
@@ -32,15 +31,14 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 	}
 
 	if !_env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
+		err := env.ValidateVars(
 			"CLUSTER_MDM_ACCOUNT",
 			"CLUSTER_MDM_NAMESPACE",
 			"MDM_ACCOUNT",
-			"MDM_NAMESPACE",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return fmt.Errorf("environment variable %q unset", key)
-			}
+			"MDM_NAMESPACE")
+
+		if err != nil {
+			return err
 		}
 	}
 
@@ -71,12 +69,12 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	// TODO: should not be using the service keyvault here
-	serviceKeyvaultURI, err := keyvault.URI(_env, env.ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	// TODO: should not be using the service keyvault here
+	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
@@ -84,27 +82,36 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbMonitors, err := database.NewMonitors(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+	dbMonitors, err := database.NewMonitors(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbSubscriptions, err := database.NewSubscriptions(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbSubscriptions, err := database.NewSubscriptions(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}

cmd/aro/portal.go

@@ -6,7 +6,6 @@ package main
 import (
 	"context"
 	"crypto/x509"
-	"fmt"
 	"net"
 	"os"
 	"strings"
@@ -32,25 +31,23 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 	}
 
 	if !_env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
+		err := env.ValidateVars(
 			"MDM_ACCOUNT",
 			"MDM_NAMESPACE",
-			"PORTAL_HOSTNAME",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return fmt.Errorf("environment variable %q unset", key)
-			}
+			"PORTAL_HOSTNAME")
+
+		if err != nil {
+			return err
 		}
 	}
 
-	for _, key := range []string{
+	err = env.ValidateVars(
 		"AZURE_PORTAL_CLIENT_ID",
 		"AZURE_PORTAL_ACCESS_GROUP_IDS",
-		"AZURE_PORTAL_ELEVATED_GROUP_IDS",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+		"AZURE_PORTAL_ELEVATED_GROUP_IDS")
+
+	if err != nil {
+		return err
 	}
 
 	groupIDs, err := parseGroupIDs(os.Getenv("AZURE_PORTAL_ACCESS_GROUP_IDS"))
@@ -82,12 +79,12 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 
 	go g.Run()
 
-	// TODO: should not be using the service keyvault here
-	serviceKeyvaultURI, err := keyvault.URI(_env, env.ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	// TODO: should not be using the service keyvault here
+	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
@@ -95,31 +92,36 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 		return err
 	}
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbPortal, err := database.NewPortal(ctx, _env.IsLocalDevelopmentMode(), dbc)
-	if err != nil {
-		return err
-	}
-
-	portalKeyvaultURI, err := keyvault.URI(_env, env.PortalKeyvaultSuffix)
+	dbPortal, err := database.NewPortal(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
+	portalKeyvaultURI := keyvault.URI(_env, env.PortalKeyvaultSuffix, keyVaultPrefix)
 	portalKeyvault := keyvault.NewManager(msiKVAuthorizer, portalKeyvaultURI)
 
 	servingKey, servingCerts, err := portalKeyvault.GetCertificateSecret(ctx, env.PortalServerSecretName)

cmd/aro/rp.go

@@ -61,10 +61,9 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 			return fmt.Errorf(`environment variable "PULL_SECRET" set`)
 		}
 	}
-	for _, key := range keys {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+
+	if err = env.ValidateVars(keys...); err != nil {
+		return err
 	}
 
 	err = _env.InitializeAuthorizers()
@@ -97,47 +96,56 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, metrics, aead)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, metrics, aead, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbAsyncOperations, err := database.NewAsyncOperations(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbName, err := DBName(env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+	dbAsyncOperations, err := database.NewAsyncOperations(ctx, _env.IsLocalDevelopmentMode(), dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbClusterManagerConfiguration, err := database.NewClusterManagerConfigurations(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbClusterManagerConfiguration, err := database.NewClusterManagerConfigurations(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbBilling, err := database.NewBilling(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbBilling, err := database.NewBilling(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbGateway, err := database.NewGateway(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbGateway, err := database.NewGateway(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbOpenShiftClusters, err := database.NewOpenShiftClusters(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbSubscriptions, err := database.NewSubscriptions(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbSubscriptions, err := database.NewSubscriptions(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
 
-	dbOpenShiftVersions, err := database.NewOpenShiftVersions(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbOpenShiftVersions, err := database.NewOpenShiftVersions(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}

cmd/aro/update_ocp_versions.go

@@ -50,22 +50,13 @@ func getVersionsDatabase(ctx context.Context, log *logrus.Entry) (database.OpenS
 		return nil, err
 	}
 
-	for _, key := range []string{
-		"DST_ACR_NAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return nil, fmt.Errorf("environment variable %q unset", key)
-		}
+	if err = env.ValidateVars("DST_ACR_NAME"); err != nil {
+		return nil, err
 	}
 
 	if !_env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
-			"MDM_ACCOUNT",
-			"MDM_NAMESPACE",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return nil, fmt.Errorf("environment variable %q unset", key)
-			}
+		if err = env.ValidateVars("MDM_ACCOUNT", "MDM_NAMESPACE"); err != nil {
+			return nil, err
 		}
 	}
 
@@ -81,11 +72,11 @@ func getVersionsDatabase(ctx context.Context, log *logrus.Entry) (database.OpenS
 
 	m := statsd.New(ctx, log.WithField("component", "update-ocp-versions"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
 
-	serviceKeyvaultURI, err := keyvault.URI(_env, env.ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return nil, err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
@@ -93,17 +84,26 @@ func getVersionsDatabase(ctx context.Context, log *logrus.Entry) (database.OpenS
 		return nil, err
 	}
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return nil, err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, msiAuthorizer, dbAccountName)
 	if err != nil {
 		return nil, err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead, dbAccountName)
 	if err != nil {
 		return nil, err
 	}
 
-	dbOpenShiftVersions, err := database.NewOpenShiftVersions(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return nil, err
+	}
+	dbOpenShiftVersions, err := database.NewOpenShiftVersions(ctx, dbc, dbName)
 	if err != nil {
 		return nil, err
 	}

hack/aead/aead.go

@@ -21,6 +21,10 @@ import (
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 )
 
+const (
+	KeyVaultPrefix = "KEYVAULT_PREFIX"
+)
+
 func run(ctx context.Context, log *logrus.Entry) error {
 	fileName := flag.String("file", "-", "File to read. '-' for stdin.")
 
@@ -56,11 +60,11 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	serviceKeyvaultURI, err := keyvault.URI(_env, env.ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)

hack/clean/clean.go

@@ -6,7 +6,6 @@ package main
 import (
 	"context"
 	"flag"
-	"fmt"
 	"os"
 	"strings"
 	"time"
@@ -59,15 +58,14 @@ type settings struct {
 }
 
 func run(ctx context.Context, log *logrus.Entry, dryRun *bool) error {
-	for _, key := range []string{
+	err := env.ValidateVars(
 		"AZURE_CLIENT_ID",
 		"AZURE_CLIENT_SECRET",
 		"AZURE_SUBSCRIPTION_ID",
-		"AZURE_TENANT_ID",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+		"AZURE_TENANT_ID")
+
+	if err != nil {
+		return err
 	}
 
 	env, err := env.NewCoreForCI(ctx, log)

hack/cluster/cluster.go

@@ -18,17 +18,17 @@ import (
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 )
 
+const (
+	Cluster = "CLUSTER"
+)
+
 func run(ctx context.Context, log *logrus.Entry) error {
 	if len(os.Args) != 2 {
 		return fmt.Errorf("usage: CLUSTER=x %s {create,delete}", os.Args[0])
 	}
 
-	for _, key := range []string{
-		"CLUSTER",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+	if err := env.ValidateVars(Cluster); err != nil {
+		return err
 	}
 
 	env, err := env.NewCore(ctx, log)
@@ -38,9 +38,9 @@ func run(ctx context.Context, log *logrus.Entry) error {
 
 	vnetResourceGroup := os.Getenv("RESOURCEGROUP") // TODO: remove this when we deploy and peer a vnet per cluster create
 	if os.Getenv("CI") != "" {
-		vnetResourceGroup = os.Getenv("CLUSTER")
+		vnetResourceGroup = os.Getenv(Cluster)
 	}
-	clusterName := os.Getenv("CLUSTER")
+	clusterName := os.Getenv(Cluster)
 
 	c, err := cluster.New(log, env, os.Getenv("CI") != "")
 	if err != nil {

hack/db/db.go

@@ -22,6 +22,12 @@ import (
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 )
 
+const (
+	DatabaseName        = "DATABASE_NAME"
+	DatabaseAccountName = "DATABASE_ACCOUNT_NAME"
+	KeyVaultPrefix      = "KEYVAULT_PREFIX"
+)
+
 func run(ctx context.Context, log *logrus.Entry) error {
 	if len(os.Args) != 2 {
 		return fmt.Errorf("usage: %s resourceid", os.Args[0])
@@ -45,11 +51,11 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	serviceKeyvaultURI, err := keyvault.URI(_env, env.ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
 	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
@@ -57,17 +63,27 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, authorizer)
+	if err := env.ValidateVars(DatabaseAccountName); err != nil {
+		return err
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, _env, authorizer, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead)
+	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, &noop.Noop{}, aead, dbAccountName)
 	if err != nil {
 		return err
 	}
 
-	openShiftClusters, err := database.NewOpenShiftClusters(ctx, _env.IsLocalDevelopmentMode(), dbc)
+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+
+	openShiftClusters, err := database.NewOpenShiftClusters(ctx, dbc, dbName)
 	if err != nil {
 		return err
 	}
@@ -87,3 +103,15 @@ func main() {
 		log.Fatal(err)
 	}
 }
+
+func DBName(isLocalDevelopmentMode bool) (string, error) {
+	if !isLocalDevelopmentMode {
+		return "ARO", nil
+	}
+
+	if err := env.ValidateVars(DatabaseName); err != nil {
+		return "", fmt.Errorf("%v (development mode)", err.Error())
+	}
+
+	return os.Getenv(DatabaseName), nil
+}

hack/gendevconfig/gendevconfig.go

@@ -5,7 +5,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 
 	"github.com/ghodss/yaml"
@@ -17,7 +16,7 @@ import (
 )
 
 func run(ctx context.Context, log *logrus.Entry) error {
-	for _, key := range []string{
+	err := env.ValidateVars(
 		"ADMIN_OBJECT_ID",
 		"AZURE_CLIENT_ID",
 		"AZURE_DBTOKEN_CLIENT_ID",
@@ -28,11 +27,10 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		"AZURE_PORTAL_ELEVATED_GROUP_IDS",
 		"HOME",
 		"PARENT_DOMAIN_NAME",
-		"USER",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+		"USER")
+
+	if err != nil {
+		return err
 	}
 
 	if _, found := os.LookupEnv("SSH_PUBLIC_KEY"); !found {

hack/portalauth/portalauth.go

@@ -8,6 +8,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -25,6 +26,7 @@ const (
 	SessionKeyExpires  = "expires"
 	SessionKeyUsername = "user_name"
 	SessionKeyGroups   = "groups"
+	KeyVaultPrefix     = "KEYVAULT_PREFIX"
 )
 
 func run(ctx context.Context, log *logrus.Entry) error {
@@ -43,11 +45,11 @@ func run(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}
 
-	portalKeyvaultURI, err := keyvault.URI(_env, env.PortalKeyvaultSuffix)
-	if err != nil {
+	if err := env.ValidateVars(KeyVaultPrefix); err != nil {
 		return err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+	portalKeyvaultURI := keyvault.URI(_env, env.PortalKeyvaultSuffix, keyVaultPrefix)
 	portalKeyvault := keyvault.NewManager(msiKVAuthorizer, portalKeyvaultURI)
 
 	sessionKey, err := portalKeyvault.GetBase64Secret(ctx, env.PortalServerSessionKeySecretName, "")

pkg/database/asyncoperations.go

@@ -28,13 +28,8 @@ type AsyncOperations interface {
 }
 
 // NewAsyncOperations returns a new AsyncOperations
-func NewAsyncOperations(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (AsyncOperations, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewAsyncOperations(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient, dbName string) (AsyncOperations, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 	client := cosmosdb.NewAsyncOperationDocumentClient(collc, collAsyncOperations)
 	return NewAsyncOperationsWithProvidedClient(client, uuid.DefaultGenerator), nil
 }

pkg/database/billing.go

@@ -29,13 +29,8 @@ type Billing interface {
 }
 
 // NewBilling returns a new Billing
-func NewBilling(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (Billing, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewBilling(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (Billing, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	triggers := []*cosmosdb.Trigger{
 		{

pkg/database/clustermanager.go

@@ -36,13 +36,8 @@ type ClusterManagerConfigurations interface {
 	NewUUID() string
 }
 
-func NewClusterManagerConfigurations(ctx context.Context, isDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (ClusterManagerConfigurations, error) {
-	dbid, err := Name(isDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewClusterManagerConfigurations(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (ClusterManagerConfigurations, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	documentClient := cosmosdb.NewClusterManagerConfigurationDocumentClient(collc, collClusterManager)
 	return NewClusterManagerConfigurationsWithProvidedClient(documentClient, collc, uuid.DefaultGenerator.Generate(), uuid.DefaultGenerator), nil

pkg/database/database.go

@@ -6,9 +6,7 @@ package database
 import (
 	"context"
 	"crypto/tls"
-	"fmt"
 	"net/http"
-	"os"
 	"reflect"
 	"time"
 
@@ -37,15 +35,7 @@ const (
 	collSubscriptions     = "Subscriptions"
 )
 
-func NewDatabaseClient(log *logrus.Entry, env env.Core, authorizer cosmosdb.Authorizer, m metrics.Emitter, aead encryption.AEAD) (cosmosdb.DatabaseClient, error) {
-	for _, key := range []string{
-		"DATABASE_ACCOUNT_NAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return nil, fmt.Errorf("environment variable %q unset", key)
-		}
-	}
-
+func NewDatabaseClient(log *logrus.Entry, _env env.Core, authorizer cosmosdb.Authorizer, m metrics.Emitter, aead encryption.AEAD, databaseAccountName string) (cosmosdb.DatabaseClient, error) {
 	h, err := NewJSONHandle(aead)
 	if err != nil {
 		return nil, err
@@ -60,21 +50,13 @@ func NewDatabaseClient(log *logrus.Entry, env env.Core, authorizer cosmosdb.Auth
 		Timeout: 30 * time.Second,
 	}
 
-	return cosmosdb.NewDatabaseClient(log, c, h, os.Getenv("DATABASE_ACCOUNT_NAME")+"."+env.Environment().CosmosDBDNSSuffix, authorizer), nil
+	return cosmosdb.NewDatabaseClient(log, c, h, databaseAccountName+"."+_env.Environment().CosmosDBDNSSuffix, authorizer), nil
 }
 
-func NewMasterKeyAuthorizer(ctx context.Context, _env env.Core, msiAuthorizer autorest.Authorizer) (cosmosdb.Authorizer, error) {
-	for _, key := range []string{
-		"DATABASE_ACCOUNT_NAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return nil, fmt.Errorf("environment variable %q unset", key)
-		}
-	}
-
+func NewMasterKeyAuthorizer(ctx context.Context, _env env.Core, msiAuthorizer autorest.Authorizer, databaseAccountName string) (cosmosdb.Authorizer, error) {
 	databaseaccounts := documentdb.NewDatabaseAccountsClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer)
 
-	keys, err := databaseaccounts.ListKeys(ctx, _env.ResourceGroup(), os.Getenv("DATABASE_ACCOUNT_NAME"))
+	keys, err := databaseaccounts.ListKeys(ctx, _env.ResourceGroup(), databaseAccountName)
 	if err != nil {
 		return nil, err
 	}
@@ -107,19 +89,3 @@ func NewJSONHandle(aead encryption.AEAD) (*codec.JsonHandle, error) {
 
 	return h, nil
 }
-
-func Name(isLocalDevelopmentMode bool) (string, error) {
-	if !isLocalDevelopmentMode {
-		return "ARO", nil
-	}
-
-	for _, key := range []string{
-		"DATABASE_NAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return "", fmt.Errorf("environment variable %q unset (development mode)", key)
-		}
-	}
-
-	return os.Getenv("DATABASE_NAME"), nil
-}

pkg/database/gateway.go

@@ -27,13 +27,8 @@ type Gateway interface {
 	NewUUID() string
 }
 
-func NewGateway(ctx context.Context, isDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (Gateway, error) {
-	dbid, err := Name(isDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewGateway(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (Gateway, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	documentClient := cosmosdb.NewGatewayDocumentClient(collc, collGateway)
 	return NewGatewayWithProvidedClient(documentClient, uuid.DefaultGenerator), nil

pkg/database/monitors.go

@@ -30,13 +30,8 @@ type Monitors interface {
 }
 
 // NewMonitors returns a new Monitors
-func NewMonitors(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (Monitors, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewMonitors(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (Monitors, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	triggers := []*cosmosdb.Trigger{
 		{

pkg/database/openshiftclusters.go

@@ -56,13 +56,8 @@ type OpenShiftClusters interface {
 }
 
 // NewOpenShiftClusters returns a new OpenShiftClusters
-func NewOpenShiftClusters(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (OpenShiftClusters, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewOpenShiftClusters(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (OpenShiftClusters, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	triggers := []*cosmosdb.Trigger{
 		{

pkg/database/openshiftversions.go

@@ -29,13 +29,8 @@ type OpenShiftVersions interface {
 	NewUUID() string
 }
 
-func NewOpenShiftVersions(ctx context.Context, isDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (OpenShiftVersions, error) {
-	dbid, err := Name(isDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewOpenShiftVersions(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (OpenShiftVersions, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	documentClient := cosmosdb.NewOpenShiftVersionDocumentClient(collc, collOpenShiftVersion)
 	return NewOpenShiftVersionsWithProvidedClient(documentClient, uuid.DefaultGenerator), nil

pkg/database/portal.go

@@ -28,13 +28,8 @@ type Portal interface {
 }
 
 // NewPortal returns a new Portal
-func NewPortal(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (Portal, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewPortal(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (Portal, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	documentClient := cosmosdb.NewPortalDocumentClient(collc, collPortal)
 	return NewPortalWithProvidedClient(documentClient, uuid.DefaultGenerator), nil

pkg/database/subscriptions.go

@@ -33,13 +33,8 @@ type Subscriptions interface {
 }
 
 // NewSubscriptions returns a new Subscriptions
-func NewSubscriptions(ctx context.Context, isLocalDevelopmentMode bool, dbc cosmosdb.DatabaseClient) (Subscriptions, error) {
-	dbid, err := Name(isLocalDevelopmentMode)
-	if err != nil {
-		return nil, err
-	}
-
-	collc := cosmosdb.NewCollectionClient(dbc, dbid)
+func NewSubscriptions(ctx context.Context, dbc cosmosdb.DatabaseClient, dbName string) (Subscriptions, error) {
+	collc := cosmosdb.NewCollectionClient(dbc, dbName)
 
 	triggers := []*cosmosdb.Trigger{
 		{

pkg/dbtoken/client.go

@@ -10,7 +10,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"os"
 
 	"github.com/Azure/go-autorest/autorest"
 
@@ -31,20 +30,7 @@ type client struct {
 	url        string
 }
 
-func NewClient(env env.Core, authorizer autorest.Authorizer, insecureSkipVerify bool) (Client, error) {
-	url := "https://localhost:8445"
-	if !env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
-			"DBTOKEN_URL",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return nil, fmt.Errorf("environment variable %q unset", key)
-			}
-		}
-
-		url = os.Getenv("DBTOKEN_URL")
-	}
-
+func NewClient(_env env.Core, authorizer autorest.Authorizer, insecureSkipVerify bool, url string) Client {
 	return &client{
 		c: &http.Client{
 			Transport: &http.Transport{
@@ -57,7 +43,7 @@ func NewClient(env env.Core, authorizer autorest.Authorizer, insecureSkipVerify
 		},
 		authorizer: authorizer,
 		url:        url,
-	}, nil
+	}
 }
 
 func (c *client) Token(ctx context.Context, permission string) (string, error) {

pkg/dbtoken/refresher.go

@@ -39,22 +39,17 @@ type refresher struct {
 	tokenRefreshed bool
 }
 
-func NewRefresher(log *logrus.Entry, env env.Core, authorizer autorest.Authorizer, insecureSkipVerify bool, dbc cosmosdb.DatabaseClient, permission string, m metrics.Emitter, metricPrefix string) (Refresher, error) {
-	c, err := NewClient(env, authorizer, insecureSkipVerify)
-	if err != nil {
-		return nil, err
-	}
-
+func NewRefresher(log *logrus.Entry, env env.Core, authorizer autorest.Authorizer, insecureSkipVerify bool, dbc cosmosdb.DatabaseClient, permission string, m metrics.Emitter, metricPrefix string, url string) Refresher {
 	return &refresher{
 		log: log,
-		c:   c,
+		c:   NewClient(env, authorizer, insecureSkipVerify, url),
 
 		dbc:        dbc,
 		permission: permission,
 
 		m:            m,
 		metricPrefix: metricPrefix,
-	}, nil
+	}
 }
 
 func (r *refresher) checkRefreshAndReset() bool {

pkg/env/dev.go

@@ -23,14 +23,6 @@ type dev struct {
 }
 
 func newDev(ctx context.Context, log *logrus.Entry) (Interface, error) {
-	for _, key := range []string{
-		"PROXY_HOSTNAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return nil, fmt.Errorf("environment variable %q unset", key)
-		}
-	}
-
 	d := &dev{}
 
 	var err error

pkg/env/env.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/rsa"
 	"crypto/x509"
+	"fmt"
 	"net"
 	"os"
 	"strings"
@@ -55,6 +56,7 @@ const (
 	PortalKeyvaultSuffix             = "-por"
 	ServiceKeyvaultSuffix            = "-svc"
 	RPPrivateEndpointPrefix          = "rp-pe-"
+	ProxyHostName                    = "PROXY_HOSTNAME"
 )
 
 // Interface is clunky and somewhat legacy and only used in the RP codebase (not
@@ -100,6 +102,9 @@ type Interface interface {
 
 func NewEnv(ctx context.Context, log *logrus.Entry) (Interface, error) {
 	if IsLocalDevelopmentMode() {
+		if err := ValidateVars(ProxyHostName); err != nil {
+			return nil, err
+		}
 		return newDev(ctx, log)
 	}
 
@@ -113,3 +118,15 @@ func IsLocalDevelopmentMode() bool {
 func IsCI() bool {
 	return strings.EqualFold(os.Getenv("CI"), "true")
 }
+
+// ValidateVars iterates over all the elements of vars and
+// if it does not exist an environment variable with that name, it will return an error.
+// Otherwise it returns nil.
+func ValidateVars(vars ...string) error {
+	for _, v := range vars {
+		if _, found := os.LookupEnv(v); !found {
+			return fmt.Errorf("environment variable %q unset", v)
+		}
+	}
+	return nil
+}

pkg/env/msiauthorizer.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/jongio/azidext/go/azidext"
@@ -21,30 +20,31 @@ const (
 )
 
 func (c *core) NewMSIAuthorizer(msiContext MSIContext, scopes ...string) (autorest.Authorizer, error) {
-	var tokenCredential azcore.TokenCredential
-	var err error
-
 	if !c.IsLocalDevelopmentMode() {
 		options := c.Environment().ManagedIdentityCredentialOptions()
-		tokenCredential, err = azidentity.NewManagedIdentityCredential(options)
-	} else {
-		for _, key := range []string{
-			"AZURE_" + string(msiContext) + "_CLIENT_ID",
-			"AZURE_" + string(msiContext) + "_CLIENT_SECRET",
-			"AZURE_TENANT_ID",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return nil, fmt.Errorf("environment variable %q unset (development mode)", key)
-			}
+		tokenCredential, err := azidentity.NewManagedIdentityCredential(options)
+		if err != nil {
+			return nil, err
 		}
 
-		options := c.Environment().ClientSecretCredentialOptions()
-		tokenCredential, err = azidentity.NewClientSecretCredential(
-			os.Getenv("AZURE_TENANT_ID"),
-			os.Getenv("AZURE_"+string(msiContext)+"_CLIENT_ID"),
-			os.Getenv("AZURE_"+string(msiContext)+"_CLIENT_SECRET"),
-			options)
+		return azidext.NewTokenCredentialAdapter(tokenCredential, scopes), nil
 	}
+
+	tenantIdKey := "AZURE_TENANT_ID"
+	azureClientIdKey := "AZURE_" + string(msiContext) + "_CLIENT_ID"
+	azureClientSecretKey := "AZURE_" + string(msiContext) + "_CLIENT_SECRET"
+
+	if err := ValidateVars(azureClientIdKey, azureClientSecretKey, tenantIdKey); err != nil {
+		return nil, fmt.Errorf("%v (development mode)", err.Error())
+	}
+
+	tenantId := os.Getenv(tenantIdKey)
+	azureClientId := os.Getenv(azureClientIdKey)
+	azureClientSecret := os.Getenv(azureClientSecretKey)
+
+	options := c.Environment().ClientSecretCredentialOptions()
+
+	tokenCredential, err := azidentity.NewClientSecretCredential(tenantId, azureClientId, azureClientSecret, options)
 	if err != nil {
 		return nil, err
 	}

pkg/env/prod.go

@@ -30,6 +30,10 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/version"
 )
 
+const (
+	KeyvaultPrefix = "KEYVAULT_PREFIX"
+)
+
 type prod struct {
 	Core
 	proxy.Dialer
@@ -64,27 +68,21 @@ type prod struct {
 }
 
 func newProd(ctx context.Context, log *logrus.Entry) (*prod, error) {
-	for _, key := range []string{
-		"AZURE_FP_CLIENT_ID",
-		"DOMAIN_NAME",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return nil, fmt.Errorf("environment variable %q unset", key)
-		}
+	if err := ValidateVars("AZURE_FP_CLIENT_ID", "DOMAIN_NAME"); err != nil {
+		return nil, err
 	}
 
 	if !IsLocalDevelopmentMode() {
-		for _, key := range []string{
+		err := ValidateVars(
 			"CLUSTER_MDSD_CONFIG_VERSION",
 			"CLUSTER_MDSD_ACCOUNT",
 			"GATEWAY_DOMAINS",
 			"GATEWAY_RESOURCEGROUP",
 			"MDSD_ENVIRONMENT",
-			"CLUSTER_MDSD_NAMESPACE",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return nil, fmt.Errorf("environment variable %q unset", key)
-			}
+			"CLUSTER_MDSD_NAMESPACE")
+
+		if err != nil {
+			return nil, err
 		}
 	}
 
@@ -136,11 +134,11 @@ func newProd(ctx context.Context, log *logrus.Entry) (*prod, error) {
 		return nil, err
 	}
 
-	serviceKeyvaultURI, err := keyvault.URI(p, ServiceKeyvaultSuffix)
-	if err != nil {
+	if err := ValidateVars(KeyvaultPrefix); err != nil {
 		return nil, err
 	}
-
+	keyVaultPrefix := os.Getenv(KeyvaultPrefix)
+	serviceKeyvaultURI := keyvault.URI(p, ServiceKeyvaultSuffix, keyVaultPrefix)
 	p.serviceKeyvault = keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
 
 	resourceSkusClient := compute.NewResourceSkusClient(p.Environment(), p.SubscriptionID(), msiAuthorizer)
@@ -160,11 +158,7 @@ func newProd(ctx context.Context, log *logrus.Entry) (*prod, error) {
 		return nil, err
 	}
 
-	clusterKeyvaultURI, err := keyvault.URI(p, ClusterKeyvaultSuffix)
-	if err != nil {
-		return nil, err
-	}
-
+	clusterKeyvaultURI := keyvault.URI(p, ClusterKeyvaultSuffix, keyVaultPrefix)
 	p.clusterKeyvault = keyvault.NewManager(localFPKVAuthorizer, clusterKeyvaultURI)
 
 	clusterGenevaLoggingPrivateKey, clusterGenevaLoggingCertificates, err := p.serviceKeyvault.GetCertificateSecret(ctx, ClusterLoggingSecretName)

pkg/util/cluster/cluster.go

@@ -85,12 +85,8 @@ func (errs errors) Error() string {
 
 func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
 	if env.IsLocalDevelopmentMode() {
-		for _, key := range []string{
-			"AZURE_FP_CLIENT_ID",
-		} {
-			if _, found := os.LookupEnv(key); !found {
-				return nil, fmt.Errorf("environment variable %q unset", key)
-			}
+		if err := env.ValidateVars("AZURE_FP_CLIENT_ID"); err != nil {
+			return nil, err
 		}
 	}
 

pkg/util/keyvault/uri.go

@@ -5,19 +5,10 @@ package keyvault
 
 import (
 	"fmt"
-	"os"
 
 	"github.com/Azure/ARO-RP/pkg/util/instancemetadata"
 )
 
-func URI(instancemetadata instancemetadata.InstanceMetadata, suffix string) (string, error) {
-	for _, key := range []string{
-		"KEYVAULT_PREFIX",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return "", fmt.Errorf("environment variable %q unset", key)
-		}
-	}
-
-	return fmt.Sprintf("https://%s%s.%s/", os.Getenv("KEYVAULT_PREFIX"), suffix, instancemetadata.Environment().KeyVaultDNSSuffix), nil
+func URI(instancemetadata instancemetadata.InstanceMetadata, suffix, keyVaultPrefix string) string {
+	return fmt.Sprintf("https://%s%s.%s/", keyVaultPrefix, suffix, instancemetadata.Environment().KeyVaultDNSSuffix)
 }

test/e2e/setup.go

@@ -432,20 +432,18 @@ func tearDownSelenium(ctx context.Context) error {
 }
 
 func setup(ctx context.Context) error {
-	for _, key := range []string{
+	err := env.ValidateVars(
 		"AZURE_CLIENT_ID",
 		"AZURE_CLIENT_SECRET",
 		"AZURE_SUBSCRIPTION_ID",
 		"AZURE_TENANT_ID",
 		"CLUSTER",
-		"LOCATION",
-	} {
-		if _, found := os.LookupEnv(key); !found {
-			return fmt.Errorf("environment variable %q unset", key)
-		}
+		"LOCATION")
+
+	if err != nil {
+		return err
 	}
 
-	var err error
 	_env, err = env.NewCoreForCI(ctx, log)
 	if err != nil {
 		return err