DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

yitzhaktal · yitzhaktal · commit ad2d8216445c · 2025-06-01T11:45:35.000+03:00
diff --git a/api/v1beta/lightrunjavaagent_types.go b/api/v1beta/lightrunjavaagent_types.go
@@ -90,6 +90,10 @@ type LightrunJavaAgentSpec struct {
 	// +optional
 	// Agent name for registration to the server
 	AgentName string `json:"agentName,omitempty"`
+
+	// UseSecretAsEnvVars determines whether to use secret values as environment variables (true) or as mounted files (false)
+	// +kubebuilder:default=true
+	UseSecretAsEnvVars bool `json:"useSecretAsEnvVars,omitempty"`
 }
 
 // LightrunJavaAgentStatus defines the observed state of LightrunJavaAgent
diff --git a/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml b/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml
@@ -120,6 +120,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretAsEnvVars:
+                default: true
+                description: UseSecretAsEnvVars determines whether to use secret values
+                  as environment variables (true) or as mounted files (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/internal/controller/lightrunjavaagent_controller.go b/internal/controller/lightrunjavaagent_controller.go
@@ -252,7 +252,7 @@ func (r *LightrunJavaAgentReconciler) reconcileDeployment(ctx context.Context, l
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
@@ -493,7 +493,7 @@ func (r *LightrunJavaAgentReconciler) reconcileStatefulSet(ctx context.Context,
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
@@ -27,7 +27,7 @@ const (
 	annotationAgentName       = "lightrun.com/lightrunjavaagent"
 )
 
-func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent) (corev1.ConfigMap, error) {
+func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (corev1.ConfigMap, error) {
 	populateTags(lightrunJavaAgent.Spec.AgentTags, lightrunJavaAgent.Spec.AgentName, &metadata)
 	jsonString, err := json.Marshal(metadata)
 	if err != nil {
@@ -52,16 +52,14 @@ func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agent
 }
 
 func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, cmDataHash uint64) error {
-
 	// init spec.template.spec
 	deploymentApplyConfig.WithSpec(
 		appsv1ac.DeploymentSpec().WithTemplate(
 			corev1ac.PodTemplateSpec().WithSpec(
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
@@ -72,19 +70,21 @@ func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1
 	if err != nil {
 		return err
 	}
+	deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
+		corev1ac.PodSecurityContext().
+			WithFSGroup(1000),
+	)
 	return nil
 }
 
 func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent) {
-
-	deploymentApplyConfig.Spec.Template.Spec.
-		WithVolumes(
-			corev1ac.Volume().
-				WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).
-				WithEmptyDir(
-					corev1ac.EmptyDirVolumeSource(),
-				),
-		).WithVolumes(
+	// Start with base volumes
+	volumes := []*corev1ac.VolumeApplyConfiguration{
+		corev1ac.Volume().
+			WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).
+			WithEmptyDir(
+				corev1ac.EmptyDirVolumeSource(),
+			),
 		corev1ac.Volume().
 			WithName(cmVolumeName).
 			WithConfigMap(
@@ -95,19 +95,34 @@ func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.
 						corev1ac.KeyToPath().WithKey("metadata").WithPath("agent.metadata.json"),
 					),
 			),
-	)
+	}
+
+	// Add secret volume if UseSecretAsEnvVars is false
+	if !lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		volumes = append(volumes,
+			corev1ac.Volume().WithName("lightrun-secret").
+				WithSecret(corev1ac.SecretVolumeSource().
+					WithSecretName(secret.Name).
+					WithItems(
+						corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+						corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+					).
+					WithDefaultMode(0440)),
+		)
+	}
+
+	deploymentApplyConfig.Spec.Template.Spec.WithVolumes(volumes...)
 }
 
 func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
+	// Start with base environment variables
+	envVars := []*corev1ac.EnvVarApplyConfiguration{
+		corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
+	}
 
-	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
-		corev1ac.Container().
-			WithName(initContainerName).
-			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
-			WithVolumeMounts(
-				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
-				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
-			).WithEnv(
+	// Add secret environment variables if UseSecretAsEnvVars is true
+	if lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		envVars = append(envVars,
 			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
 				corev1ac.EnvVarSource().WithSecretKeyRef(
 					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
@@ -118,33 +133,48 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
 				),
 			),
-			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
-		).
+		)
+	}
+
+	// Start with base volume mounts
+	volumeMounts := []*corev1ac.VolumeMountApplyConfiguration{
+		corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
+		corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+	}
+
+	// Add secret volume mount if UseSecretAsEnvVars is false
+	if !lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		volumeMounts = append(volumeMounts,
+			corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
+		)
+	}
+
+	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
+		corev1ac.Container().
+			WithName(initContainerName).
+			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
+			WithVolumeMounts(volumeMounts...).
+			WithEnv(envVars...).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 500 * 10^6 = 500M
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 64M
 						},
 					).WithRequests(
 					corev1.ResourceList{
 						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
 			),
 	)
 }
@@ -230,19 +260,16 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSet(lightrunJavaAgent *agentv
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 
 	// Add volumes to the StatefulSet
 	r.addVolumeToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent)
-
 	// Add init container to the StatefulSet
 	r.addInitContainerToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent, secret)
-
 	// Patch app containers in the StatefulSet
 	err = r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
 	if err != nil {
@@ -253,14 +280,13 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSet(lightrunJavaAgent *agentv
 }
 
 func (r *LightrunJavaAgentReconciler) addVolumeToStatefulSet(statefulSetApplyConfig *appsv1ac.StatefulSetApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent) {
-	statefulSetApplyConfig.Spec.Template.Spec.
-		WithVolumes(
-			corev1ac.Volume().
-				WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).
-				WithEmptyDir(
-					corev1ac.EmptyDirVolumeSource(),
-				),
-		).WithVolumes(
+	// Start with base volumes
+	volumes := []*corev1ac.VolumeApplyConfiguration{
+		corev1ac.Volume().
+			WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).
+			WithEmptyDir(
+				corev1ac.EmptyDirVolumeSource(),
+			),
 		corev1ac.Volume().
 			WithName(cmVolumeName).
 			WithConfigMap(
@@ -271,18 +297,34 @@ func (r *LightrunJavaAgentReconciler) addVolumeToStatefulSet(statefulSetApplyCon
 						corev1ac.KeyToPath().WithKey("metadata").WithPath("agent.metadata.json"),
 					),
 			),
-	)
+	}
+
+	// Add secret volume if UseSecretAsEnvVars is false
+	if !lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		volumes = append(volumes,
+			corev1ac.Volume().WithName("lightrun-secret").
+				WithSecret(corev1ac.SecretVolumeSource().
+					WithSecretName(secret.Name).
+					WithItems(
+						corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+						corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+					).
+					WithDefaultMode(0440)),
+		)
+	}
+
+	statefulSetApplyConfig.Spec.Template.Spec.WithVolumes(volumes...)
 }
 
 func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetApplyConfig *appsv1ac.StatefulSetApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
-	statefulSetApplyConfig.Spec.Template.Spec.WithInitContainers(
-		corev1ac.Container().
-			WithName(initContainerName).
-			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
-			WithVolumeMounts(
-				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
-				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
-			).WithEnv(
+	// Start with base environment variables
+	envVars := []*corev1ac.EnvVarApplyConfiguration{
+		corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
+	}
+
+	// Add secret environment variables if UseSecretAsEnvVars is true
+	if lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		envVars = append(envVars,
 			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
 				corev1ac.EnvVarSource().WithSecretKeyRef(
 					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
@@ -293,8 +335,35 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
 				),
 			),
-			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
-		).
+		)
+	}
+
+	// Start with base volume mounts
+	volumeMounts := []*corev1ac.VolumeMountApplyConfiguration{
+		corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
+		corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+	}
+
+	// Add secret volume mount if UseSecretAsEnvVars is false
+	if !lightrunJavaAgent.Spec.UseSecretAsEnvVars {
+		volumeMounts = append(volumeMounts,
+			corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
+		)
+	}
+
+	statefulSetApplyConfig.Spec.Template.Spec.WithInitContainers(
+		corev1ac.Container().
+			WithName(initContainerName).
+			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
+			WithVolumeMounts(volumeMounts...).
+			WithEnv(envVars...).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
@@ -308,18 +377,6 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
 			),
 	)
 }
@@ -335,7 +392,7 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 						WithName(container.Name).
 						WithImage(container.Image).
 						WithVolumeMounts(
-							corev1ac.VolumeMount().WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath).WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName),
+							corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath),
 						),
 				)
 			}
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
@@ -1,9 +1,9 @@
 ARG base_image_tag=alpine-3.20.0-r1
 
 FROM lightruncom/prod-base:${base_image_tag}
-ARG FILE 
+ARG FILE
 
-COPY lightrun-init-agent/$FILE /tmp/$FILE
+COPY $FILE /tmp/$FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
     rm -rf /tmp/$FILE && \
@@ -12,9 +12,20 @@ RUN unzip -o /tmp/$FILE -d /agent ;\
     sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
     # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
     chgrp -R 0 /agent && \
-    chmod -R g=u /agent
+    chmod -R g=u /agent && \
+    # Set proper permissions for the agent directory
+    chown -R 1000:1000 /agent && \
+    chmod -R 750 /agent && \
+    # Create secret directory with proper permissions
+    mkdir -p /etc/lightrun/secret && \
+    chown -R 1000:1000 /etc/lightrun/secret && \
+    chmod -R 700 /etc/lightrun/secret
+
+# Copy and set permissions for update_config.sh before switching user
+COPY update_config.sh /update_config.sh
+RUN chmod 750 /update_config.sh && \
+    chown 1000:1000 /update_config.sh
 
 USER 1000
-COPY lightrun-init-agent/update_config.sh /update_config.sh
 
 CMD [ "/bin/sh", "/update_config.sh" ]
diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh
