Merge pull request #49 from lightrun-platform/DEVOPS-2694-security-lightrun-installer-container-must-not-consume-secrets-as-env-vars-REVERT

yitzhaktal · web-flow · commit 7c90c926036c · 2025-06-23T14:29:46.000+03:00
Revert "Merge pull request #46 from lightrun-platform/DEVOPS-2694-sec…
diff --git a/.github/workflows/tests_data/lightrunjavaagent.yaml b/.github/workflows/tests_data/lightrunjavaagent.yaml
@@ -10,7 +10,6 @@ spec:
   deploymentName: sample-deployment  
   secretName: lightrun-secrets 
   serverHostname: dogfood.internal.lightrun.com
-  useSecretsAsMountedFiles: false
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/api/v1beta/lightrunjavaagent_types.go b/api/v1beta/lightrunjavaagent_types.go
@@ -93,10 +93,6 @@ type LightrunJavaAgentSpec struct {
 	// +optional
 	// Agent name for registration to the server
 	AgentName string `json:"agentName,omitempty"`
-
-	// UseSecretsAsMountedFiles determines whether to use secret values as mounted files (true) or as environment variables (false)
-	// +kubebuilder:default=false
-	UseSecretsAsMountedFiles bool `json:"useSecretsAsMountedFiles,omitempty"`
 }
 
 // LightrunJavaAgentStatus defines the observed state of LightrunJavaAgent
diff --git a/charts/lightrun-agents/templates/java-agent-cr.yaml b/charts/lightrun-agents/templates/java-agent-cr.yaml
@@ -29,9 +29,6 @@ spec:
   secretName: {{ .name }}-secret
   {{- end }}
   serverHostname: {{ .serverHostname }}
-  {{- if .useSecretsAsMountedFiles }}
-  useSecretsAsMountedFiles: {{ .useSecretsAsMountedFiles | default false }}
-  {{- end }}
   agentEnvVarName: {{ .agentEnvVarName | default "JAVA_TOOL_OPTIONS" }}
   {{- if .agentConfig }}
   agentConfig: {{ toYaml .agentConfig | nindent 4 }}
diff --git a/charts/lightrun-agents/values.yaml b/charts/lightrun-agents/values.yaml
@@ -19,7 +19,6 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
-#    useSecretsAsMountedFiles: false
 #    initContainer:
 #      image: "lightruncom/k8s-operator-init-java-agent-linux:latest"
 #      imagePullPolicy: "IfNotPresent"
@@ -43,7 +42,6 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
-#    useSecretsAsMountedFiles: false
 #    agentPoolCredentials:
 #      existingSecret: "my-existing-secret"
 #      apiKey: ""
@@ -71,7 +69,6 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
-#    useSecretsAsMountedFiles: false
 #    agentEnvVarName: '_JAVA_OPTIONS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
@@ -103,7 +100,6 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
-#    useSecretsAsMountedFiles: false
 #    agentEnvVarName: 'JAVA_OPTS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
diff --git a/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml b/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml
@@ -123,11 +123,6 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
-              useSecretsAsMountedFiles:
-                default: false
-                description: UseSecretsAsMountedFiles determines whether to use secret
-                  values as mounted files (true) or as environment variables (false)
-                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml b/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml
@@ -124,11 +124,6 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
-              useSecretsAsMountedFiles:
-                default: false
-                description: UseSecretsAsMountedFiles determines whether to use secret
-                  values as mounted files (true) or as environment variables (false)
-                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/samples/agents_v1beta_lightrunjavaagent.yaml b/config/samples/agents_v1beta_lightrunjavaagent.yaml
@@ -11,7 +11,6 @@ spec:
   workloadType: Deployment
   secretName: lightrun-secrets 
   serverHostname: <lightrun_server>  #for saas it will be app.lightrun.com
-  useSecretsAsMountedFiles: false
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/config/samples/operator.yaml b/config/samples/operator.yaml
@@ -135,11 +135,6 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
-              useSecretsAsMountedFiles:
-                default: false
-                description: UseSecretsAsMountedFiles determines whether to use secret
-                  values as mounted files (true) or as environment variables (false)
-                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/docs/custom_resource.md b/docs/custom_resource.md
@@ -51,9 +51,6 @@ spec:
   # If container not mentioned here it will be not patched
   containerSelector:
     - app
-  # useSecretsAsMountedFiles determines whether to use secret values as environment variables (false) or as mounted files (true)
-  # Default is false for backward compatibility
-  useSecretsAsMountedFiles: false
 ---
 apiVersion: v1
 metadata: 
diff --git a/examples/lightrunjavaagent.yaml b/examples/lightrunjavaagent.yaml
@@ -61,7 +61,3 @@ spec:
     - latest
   # Agent name. If not provided, pod name will be used
   #agentName: "operator-test-agent"
-
-  # UseSecretsAsMountedFiles determines whether to use secret values as mounted files (true) or as environment variables (false)
-  # Default is false for better security practices
-  useSecretsAsMountedFiles: false
diff --git a/examples/operator.yaml b/examples/operator.yaml
@@ -125,11 +125,6 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
-              useSecretsAsMountedFiles:
-                default: false
-                description: UseSecretsAsMountedFiles determines whether to use secret
-                  values as mounted files (true) or as environment variables (false)
-                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh
