DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

Author: yitzhaktal

config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml

@@ -112,8 +112,10 @@ spec:
                 - sharedVolumeName
                 type: object
               secretName:
-                description: Name of the Secret in the same namespace contains lightrun
-                  key and conmpany id
+                description: |-
+                  Name of the Secret in the same namespace that contains the Lightrun API key.
+                  The secret should have a key named 'lightrun_key'.
+                  The pinned certificate hash is now stored in a ConfigMap created by the operator.
                 type: string
               serverHostname:
                 description: |-

internal/controller/patch_funcs.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,7 +28,7 @@ const (
 	annotationAgentName       = "lightrun.com/lightrunjavaagent"
 )
 
-func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent) (corev1.ConfigMap, error) {
+func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (corev1.ConfigMap, error) {
 	populateTags(lightrunJavaAgent.Spec.AgentTags, lightrunJavaAgent.Spec.AgentName, &metadata)
 	jsonString, err := json.Marshal(metadata)
 	if err != nil {
@@ -42,6 +43,7 @@ func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agent
 		Data: map[string]string{
 			"config":   parseAgentConfig(lightrunJavaAgent.Spec.AgentConfig),
 			"metadata": string(jsonString),
+			"pinned_cert_hash": string(secret.Data["pinned_cert_hash"]),
 		},
 	}
 
@@ -98,54 +100,58 @@ func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.
 	)
 }
 
-func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
+func (r *LightrunJavaAgentReconciler) createPinnedCertConfigMap(ctx context.Context, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (*corev1.ConfigMap, error) {
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-pinned-cert", lightrunJavaAgent.Name),
+			Namespace: lightrunJavaAgent.Namespace,
+		},
+		Data: map[string]string{
+			"pinned_cert_hash": string(secret.Data["pinned_cert_hash"]),
+		},
+	}
 
+	err := r.Create(ctx, configMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return configMap, nil
+}
+
+func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
 	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
 		corev1ac.Container().
 			WithName(initContainerName).
 			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
 			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
 			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
 		).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 500 * 10^6 = 500M
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 						},
 					).WithRequests(
 					corev1.ResourceList{
 						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
-			),
+			)
+
+	// Add volume for secret
+	deploymentApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"))),
 	)
 }
 
@@ -282,45 +288,31 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
 			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
 			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
 		).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 64M
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 						},
 					).WithRequests(
 					corev1.ResourceList{
 						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
-			),
+			)
+
+	// Add volume for secret
+	statefulSetApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"))),
 	)
 }
 

lightrun-init-agent/update_config.sh

@@ -1,10 +1,10 @@
 #!/bin/sh
 # Script to initialize and configure the Lightrun agent
 # This script:
-# 1. Validates required environment variables
+# 1. Validates required environment variables and files
 # 2. Sets up a working directory
 # 3. Merges configuration files
-# 4. Updates configuration with environment variables
+# 4. Updates configuration with values from files
 # 5. Copies the final configuration to destination
 
 set -e
@@ -14,23 +14,24 @@ TMP_DIR="/tmp"
 WORK_DIR="${TMP_DIR}/agent-workdir"
 FINAL_DEST="${TMP_DIR}/agent"
 CONFIG_MAP_DIR="${TMP_DIR}/cm"
+SECRET_DIR="/etc/lightrun/secret"
 
-# Function to validate required environment variables
-validate_env_vars() {
-    local missing_vars=""
+# Function to validate required files and environment variables
+validate_requirements() {
+    local missing_requirements=""
 
-    if [ -z "${LIGHTRUN_KEY}" ]; then
-        missing_vars="${missing_vars} LIGHTRUN_KEY"
+    if [ ! -f "${SECRET_DIR}/lightrun_key" ]; then
+        missing_requirements="${missing_requirements} ${SECRET_DIR}/lightrun_key"
     fi
-    if [ -z "${PINNED_CERT}" ]; then
-        missing_vars="${missing_vars} PINNED_CERT"
+    if [ ! -f "${CONFIG_MAP_DIR}/pinned_cert_hash" ]; then
+        missing_requirements="${missing_requirements} ${CONFIG_MAP_DIR}/pinned_cert_hash"
     fi
     if [ -z "${LIGHTRUN_SERVER}" ]; then
-        missing_vars="${missing_vars} LIGHTRUN_SERVER"
+        missing_requirements="${missing_requirements} LIGHTRUN_SERVER"
     fi
 
-    if [ -n "${missing_vars}" ]; then
-        echo "Error: Missing required environment variables:${missing_vars}"
+    if [ -n "${missing_requirements}" ]; then
+        echo "Error: Missing required files or environment variables:${missing_requirements}"
         exit 1
     fi
 }
@@ -64,27 +65,31 @@ merge_configs() {
     rm "${temp_conf}"
 }
 
-# Function to update configuration with environment variables
+# Function to update configuration with values from files
 update_config() {
-    echo "Updating configuration with environment variables"
+    echo "Updating configuration with values from files"
     local config_file="${WORK_DIR}/agent.config"
     local missing_configuration_params=""
 
+    # Read values from files
+    local lightrun_key=$(cat "${SECRET_DIR}/lightrun_key")
+    local pinned_cert=$(cat "${CONFIG_MAP_DIR}/pinned_cert_hash")
+
     if sed -n "s|com.lightrun.server=.*|com.lightrun.server=https://${LIGHTRUN_SERVER}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
         sed -i "s|com.lightrun.server=.*|com.lightrun.server=https://${LIGHTRUN_SERVER}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} com.lightrun.server"
     fi
-    if sed -n "s|com.lightrun.secret=.*|com.lightrun.secret=${LIGHTRUN_KEY}|p" "${config_file}" | grep -q .; then
+    if sed -n "s|com.lightrun.secret=.*|com.lightrun.secret=${lightrun_key}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
-        sed -i "s|com.lightrun.secret=.*|com.lightrun.secret=${LIGHTRUN_KEY}|" "${config_file}"
+        sed -i "s|com.lightrun.secret=.*|com.lightrun.secret=${lightrun_key}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} com.lightrun.secret"
     fi
-    if sed -n "s|pinned_certs=.*|pinned_certs=${PINNED_CERT}|p" "${config_file}" | grep -q .; then
+    if sed -n "s|pinned_certs=.*|pinned_certs=${pinned_cert}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
-        sed -i "s|pinned_certs=.*|pinned_certs=${PINNED_CERT}|" "${config_file}"
+        sed -i "s|pinned_certs=.*|pinned_certs=${pinned_cert}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} pinned_certs"
     fi
@@ -108,7 +113,7 @@ cleanup() {
 
 # Main execution
 main() {
-    validate_env_vars
+    validate_requirements
     setup_working_dir
     merge_configs
     update_config