DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

Author: yitzhaktal

internal/controller/lightrunjavaagent_controller.go

@@ -252,7 +252,7 @@ func (r *LightrunJavaAgentReconciler) reconcileDeployment(ctx context.Context, l
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
@@ -493,7 +493,7 @@ func (r *LightrunJavaAgentReconciler) reconcileStatefulSet(ctx context.Context,
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)

internal/controller/patch_funcs.go

@@ -27,7 +27,7 @@ const (
 	annotationAgentName       = "lightrun.com/lightrunjavaagent"
 )
 
-func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent) (corev1.ConfigMap, error) {
+func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (corev1.ConfigMap, error) {
 	populateTags(lightrunJavaAgent.Spec.AgentTags, lightrunJavaAgent.Spec.AgentName, &metadata)
 	jsonString, err := json.Marshal(metadata)
 	if err != nil {
@@ -52,16 +52,14 @@ func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agent
 }
 
 func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, cmDataHash uint64) error {
-
 	// init spec.template.spec
 	deploymentApplyConfig.WithSpec(
 		appsv1ac.DeploymentSpec().WithTemplate(
 			corev1ac.PodTemplateSpec().WithSpec(
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
@@ -72,6 +70,10 @@ func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1
 	if err != nil {
 		return err
 	}
+	deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
+		corev1ac.PodSecurityContext().
+			WithFSGroup(1000),
+	)
 	return nil
 }
 
@@ -99,54 +101,53 @@ func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.
 }
 
 func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
-
 	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
 		corev1ac.Container().
 			WithName(initContainerName).
 			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
-			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
-			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
-		).
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
+			).
+			WithEnv(
+				corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
+			).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 500 * 10^6 = 500M
 						},
-					).WithRequests(
-					corev1.ResourceList{
-						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
-					},
-				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
 					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					WithRequests(
+						corev1.ResourceList{
+							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
+						},
 					),
 			),
 	)
+
+	// Add volume for secret with proper permissions
+	deploymentApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
+	)
 }
 
 func (r *LightrunJavaAgentReconciler) patchAppContainers(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration) error {
@@ -230,19 +231,16 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSet(lightrunJavaAgent *agentv
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 
 	// Add volumes to the StatefulSet
 	r.addVolumeToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent)
-
 	// Add init container to the StatefulSet
 	r.addInitContainerToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent, secret)
-
 	// Patch app containers in the StatefulSet
 	err = r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
 	if err != nil {
@@ -271,6 +269,15 @@ func (r *LightrunJavaAgentReconciler) addVolumeToStatefulSet(statefulSetApplyCon
 						corev1ac.KeyToPath().WithKey("metadata").WithPath("agent.metadata.json"),
 					),
 			),
+	).WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
 	)
 }
 
@@ -282,19 +289,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
 			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
 			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
 		).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
@@ -308,18 +313,6 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
 			),
 	)
 }
@@ -335,7 +328,7 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 						WithName(container.Name).
 						WithImage(container.Image).
 						WithVolumeMounts(
-							corev1ac.VolumeMount().WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath).WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName),
+							corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 						),
 				)
 			}

lightrun-init-agent/Dockerfile

@@ -1,9 +1,9 @@
 ARG base_image_tag=alpine-3.20.0-r1
 
 FROM lightruncom/prod-base:${base_image_tag}
-ARG FILE 
+ARG FILE
 
-COPY lightrun-init-agent/$FILE /tmp/$FILE
+COPY $FILE /tmp/$FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
     rm -rf /tmp/$FILE && \
@@ -12,9 +12,20 @@ RUN unzip -o /tmp/$FILE -d /agent ;\
     sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
     # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
     chgrp -R 0 /agent && \
-    chmod -R g=u /agent
+    chmod -R g=u /agent && \
+    # Set proper permissions for the agent directory
+    chown -R 1000:1000 /agent && \
+    chmod -R 750 /agent && \
+    # Create secret directory with proper permissions
+    mkdir -p /etc/lightrun/secret && \
+    chown -R 1000:1000 /etc/lightrun/secret && \
+    chmod -R 700 /etc/lightrun/secret
+
+# Copy and set permissions for update_config.sh before switching user
+COPY update_config.sh /update_config.sh
+RUN chmod 750 /update_config.sh && \
+    chown 1000:1000 /update_config.sh
 
 USER 1000
-COPY lightrun-init-agent/update_config.sh /update_config.sh
 
 CMD [ "/bin/sh", "/update_config.sh" ]

lightrun-init-agent/update_config.sh

@@ -1,10 +1,10 @@
 #!/bin/sh
 # Script to initialize and configure the Lightrun agent
 # This script:
-# 1. Validates required environment variables
+# 1. Validates required environment variables and files
 # 2. Sets up a working directory
 # 3. Merges configuration files
-# 4. Updates configuration with environment variables
+# 4. Updates configuration with values from files
 # 5. Copies the final configuration to destination
 
 set -e
@@ -14,23 +14,58 @@ TMP_DIR="/tmp"
 WORK_DIR="${TMP_DIR}/agent-workdir"
 FINAL_DEST="${TMP_DIR}/agent"
 CONFIG_MAP_DIR="${TMP_DIR}/cm"
+SECRET_DIR="/etc/lightrun/secret"
+
+# Function to get value from either environment variable or file
+get_value() {
+    local env_var=$1
+    local file_path=$2
+    local value=""
+
+    # First try environment variable
+    eval "value=\$${env_var}"
+    if [ -n "${value}" ]; then
+        echo "[WARNING] Using environment variable ${env_var}. Please upgrade to the latest operator version for better security and management." >&2
+        echo "[INFO] Using value from environment variable ${env_var}" >&2
+        echo "${value}"
+        return 0
+    fi
+
+    # Then try file
+    if [ -f "${file_path}" ]; then
+        value=$(cat "${file_path}")
+        echo "[INFO] Using value from file ${file_path}" >&2
+        echo "${value}"
+        return 0
+    fi
 
-# Function to validate required environment variables
+    echo ""
+    return 1
+}
+
+# Function to validate required files and environment variables
 validate_env_vars() {
-    local missing_vars=""
+    local missing_requirements=""
 
-    if [ -z "${LIGHTRUN_KEY}" ]; then
-        missing_vars="${missing_vars} LIGHTRUN_KEY"
+    # Check for LIGHTRUN_SERVER (required in both old and new versions)
+    if [ -z "${LIGHTRUN_SERVER}" ]; then
+        missing_requirements="${missing_requirements} LIGHTRUN_SERVER"
     fi
-    if [ -z "${PINNED_CERT}" ]; then
-        missing_vars="${missing_vars} PINNED_CERT"
+
+    # Check for lightrun_key (either env var or file)
+    local lightrun_key=$(get_value "LIGHTRUN_KEY" "${SECRET_DIR}/lightrun_key")
+    if [ -z "${lightrun_key}" ]; then
+        missing_requirements="${missing_requirements} LIGHTRUN_KEY"
     fi
-    if [ -z "${LIGHTRUN_SERVER}" ]; then
-        missing_vars="${missing_vars} LIGHTRUN_SERVER"
+
+    # Check for pinned_cert (either env var or file)
+    local pinned_cert=$(get_value "PINNED_CERT" "${SECRET_DIR}/pinned_cert_hash")
+    if [ -z "${pinned_cert}" ]; then
+        missing_requirements="${missing_requirements} PINNED_CERT"
     fi
 
-    if [ -n "${missing_vars}" ]; then
-        echo "Error: Missing required environment variables:${missing_vars}"
+    if [ -n "${missing_requirements}" ]; then
+        echo "Error: Missing required environment variables or files:${missing_requirements}"
         exit 1
     fi
 }
@@ -64,27 +99,36 @@ merge_configs() {
     rm "${temp_conf}"
 }
 
-# Function to update configuration with environment variables
+# Function to update configuration with values from files
 update_config() {
-    echo "Updating configuration with environment variables"
+    echo "Updating configuration with values from files"
     local config_file="${WORK_DIR}/agent.config"
     local missing_configuration_params=""
 
+    if [ ! -f "${config_file}" ]; then
+        echo "[ERROR] Config file not found at ${config_file}"
+        exit 1
+    fi
+
+    # Get values from either environment variables or files
+    local lightrun_key=$(get_value "LIGHTRUN_KEY" "${SECRET_DIR}/lightrun_key")
+    local pinned_cert=$(get_value "PINNED_CERT" "${SECRET_DIR}/pinned_cert_hash")
+
     if sed -n "s|com.lightrun.server=.*|com.lightrun.server=https://${LIGHTRUN_SERVER}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
         sed -i "s|com.lightrun.server=.*|com.lightrun.server=https://${LIGHTRUN_SERVER}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} com.lightrun.server"
     fi
-    if sed -n "s|com.lightrun.secret=.*|com.lightrun.secret=${LIGHTRUN_KEY}|p" "${config_file}" | grep -q .; then
+    if sed -n "s|com.lightrun.secret=.*|com.lightrun.secret=${lightrun_key}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
-        sed -i "s|com.lightrun.secret=.*|com.lightrun.secret=${LIGHTRUN_KEY}|" "${config_file}"
+        sed -i "s|com.lightrun.secret=.*|com.lightrun.secret=${lightrun_key}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} com.lightrun.secret"
     fi
-    if sed -n "s|pinned_certs=.*|pinned_certs=${PINNED_CERT}|p" "${config_file}" | grep -q .; then
+    if sed -n "s|pinned_certs=.*|pinned_certs=${pinned_cert}|p" "${config_file}" | grep -q .; then
         # Perform actual in-place change
-        sed -i "s|pinned_certs=.*|pinned_certs=${PINNED_CERT}|" "${config_file}"
+        sed -i "s|pinned_certs=.*|pinned_certs=${pinned_cert}|" "${config_file}"
     else
         missing_configuration_params="${missing_configuration_params} pinned_certs"
     fi