Merge pull request #50 from lightrun-platform/DEVOPS-2694-security-lightrun-installer-container-must-not-consume-secrets-as-env-vars-2nd-attempt

yitzhaktal · web-flow · commit 7fbc1a4ccba9 · 2025-06-23T17:31:40.000+03:00
DEVOPS-2694-security-lightrun-installer-container-must-not-consume-secrets-as-env-vars-2nd-attempt
diff --git a/.github/workflows/tests_data/lightrunjavaagent.yaml b/.github/workflows/tests_data/lightrunjavaagent.yaml
@@ -10,6 +10,7 @@ spec:
   deploymentName: sample-deployment  
   secretName: lightrun-secrets 
   serverHostname: dogfood.internal.lightrun.com
+  useSecretsAsMountedFiles: false
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/api/v1beta/lightrunjavaagent_types.go b/api/v1beta/lightrunjavaagent_types.go
@@ -93,6 +93,10 @@ type LightrunJavaAgentSpec struct {
 	// +optional
 	// Agent name for registration to the server
 	AgentName string `json:"agentName,omitempty"`
+
+	// UseSecretsAsMountedFiles determines whether to use secret values as mounted files (true) or as environment variables (false)
+	// +kubebuilder:default=false
+	UseSecretsAsMountedFiles bool `json:"useSecretsAsMountedFiles,omitempty"`
 }
 
 // LightrunJavaAgentStatus defines the observed state of LightrunJavaAgent
diff --git a/charts/lightrun-agents/templates/java-agent-cr.yaml b/charts/lightrun-agents/templates/java-agent-cr.yaml
@@ -29,6 +29,9 @@ spec:
   secretName: {{ .name }}-secret
   {{- end }}
   serverHostname: {{ .serverHostname }}
+  {{- if .useSecretsAsMountedFiles }}
+  useSecretsAsMountedFiles: {{ .useSecretsAsMountedFiles | default false }}
+  {{- end }}
   agentEnvVarName: {{ .agentEnvVarName | default "JAVA_TOOL_OPTIONS" }}
   {{- if .agentConfig }}
   agentConfig: {{ toYaml .agentConfig | nindent 4 }}
diff --git a/charts/lightrun-agents/values.yaml b/charts/lightrun-agents/values.yaml
@@ -19,6 +19,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
+#    useSecretsAsMountedFiles: false
 #    initContainer:
 #      image: "lightruncom/k8s-operator-init-java-agent-linux:latest"
 #      imagePullPolicy: "IfNotPresent"
@@ -42,6 +43,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
+#    useSecretsAsMountedFiles: false
 #    agentPoolCredentials:
 #      existingSecret: "my-existing-secret"
 #      apiKey: ""
@@ -69,6 +71,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
+#    useSecretsAsMountedFiles: false
 #    agentEnvVarName: '_JAVA_OPTIONS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
@@ -100,6 +103,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
+#    useSecretsAsMountedFiles: false
 #    agentEnvVarName: 'JAVA_OPTS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
diff --git a/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml b/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml
@@ -123,6 +123,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretsAsMountedFiles:
+                default: false
+                description: UseSecretsAsMountedFiles determines whether to use secret
+                  values as mounted files (true) or as environment variables (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml b/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml
@@ -124,6 +124,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretsAsMountedFiles:
+                default: false
+                description: UseSecretsAsMountedFiles determines whether to use secret
+                  values as mounted files (true) or as environment variables (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/samples/agents_v1beta_lightrunjavaagent.yaml b/config/samples/agents_v1beta_lightrunjavaagent.yaml
@@ -11,6 +11,7 @@ spec:
   workloadType: Deployment
   secretName: lightrun-secrets 
   serverHostname: <lightrun_server>  #for saas it will be app.lightrun.com
+  useSecretsAsMountedFiles: false
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/config/samples/operator.yaml b/config/samples/operator.yaml
@@ -135,6 +135,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretsAsMountedFiles:
+                default: false
+                description: UseSecretsAsMountedFiles determines whether to use secret
+                  values as mounted files (true) or as environment variables (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/docs/custom_resource.md b/docs/custom_resource.md
@@ -51,6 +51,9 @@ spec:
   # If container not mentioned here it will be not patched
   containerSelector:
     - app
+  # useSecretsAsMountedFiles determines whether to use secret values as environment variables (false) or as mounted files (true)
+  # Default is false for backward compatibility
+  useSecretsAsMountedFiles: false
 ---
 apiVersion: v1
 metadata: 
diff --git a/examples/lightrunjavaagent.yaml b/examples/lightrunjavaagent.yaml
@@ -61,3 +61,7 @@ spec:
     - latest
   # Agent name. If not provided, pod name will be used
   #agentName: "operator-test-agent"
+
+  # UseSecretsAsMountedFiles determines whether to use secret values as mounted files (true) or as environment variables (false)
+  # Default is false for better security practices
+  useSecretsAsMountedFiles: false
diff --git a/examples/operator.yaml b/examples/operator.yaml
@@ -125,6 +125,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretsAsMountedFiles:
+                default: false
+                description: UseSecretsAsMountedFiles determines whether to use secret
+                  values as mounted files (true) or as environment variables (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh
