DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

yitzhaktal · yitzhaktal · commit d238bd640224 · 2025-05-29T12:14:47.000+03:00
diff --git a/internal/controller/lightrunjavaagent_controller.go b/internal/controller/lightrunjavaagent_controller.go
@@ -252,7 +252,7 @@ func (r *LightrunJavaAgentReconciler) reconcileDeployment(ctx context.Context, l
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
@@ -493,7 +493,7 @@ func (r *LightrunJavaAgentReconciler) reconcileStatefulSet(ctx context.Context,
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
@@ -27,7 +27,7 @@ const (
 	annotationAgentName       = "lightrun.com/lightrunjavaagent"
 )
 
-func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent) (corev1.ConfigMap, error) {
+func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (corev1.ConfigMap, error) {
 	populateTags(lightrunJavaAgent.Spec.AgentTags, lightrunJavaAgent.Spec.AgentName, &metadata)
 	jsonString, err := json.Marshal(metadata)
 	if err != nil {
@@ -52,26 +52,28 @@ func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agent
 }
 
 func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, cmDataHash uint64) error {
-
 	// init spec.template.spec
 	deploymentApplyConfig.WithSpec(
 		appsv1ac.DeploymentSpec().WithTemplate(
 			corev1ac.PodTemplateSpec().WithSpec(
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 	r.addVolume(deploymentApplyConfig, lightrunJavaAgent)
 	r.addInitContainer(deploymentApplyConfig, lightrunJavaAgent, secret)
-	err = r.patchAppContainers(lightrunJavaAgent, origDeployment, deploymentApplyConfig)
+	err := r.patchAppContainers(lightrunJavaAgent, origDeployment, deploymentApplyConfig)
 	if err != nil {
 		return err
 	}
+	deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
+		corev1ac.PodSecurityContext().
+			WithFSGroup(1000),
+	)
 	return nil
 }
 
@@ -99,54 +101,53 @@ func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.
 }
 
 func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
-
 	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
 		corev1ac.Container().
 			WithName(initContainerName).
 			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
-			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
-			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
-		).
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
+			).
+			WithEnv(
+				corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
+			).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 500 * 10^6 = 500M
 						},
-					).WithRequests(
-					corev1.ResourceList{
-						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
-					},
-				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
 					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					WithRequests(
+						corev1.ResourceList{
+							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
+						},
 					),
 			),
 	)
+
+	// Add volume for secret with proper permissions
+	deploymentApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
+	)
 }
 
 func (r *LightrunJavaAgentReconciler) patchAppContainers(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration) error {
@@ -167,8 +168,7 @@ func (r *LightrunJavaAgentReconciler) patchAppContainers(lightrunJavaAgent *agen
 		}
 	}
 	if !found {
-		err = errors.New("unable to find matching container to patch")
-		return err
+		return errors.New("unable to find matching container to patch")
 	}
 	return nil
 }
@@ -230,21 +230,18 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSet(lightrunJavaAgent *agentv
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 
 	// Add volumes to the StatefulSet
 	r.addVolumeToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent)
-
 	// Add init container to the StatefulSet
 	r.addInitContainerToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent, secret)
-
 	// Patch app containers in the StatefulSet
-	err = r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
+	err := r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
 	if err != nil {
 		return err
 	}
@@ -271,6 +268,15 @@ func (r *LightrunJavaAgentReconciler) addVolumeToStatefulSet(statefulSetApplyCon
 						corev1ac.KeyToPath().WithKey("metadata").WithPath("agent.metadata.json"),
 					),
 			),
+	).WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
 	)
 }
 
@@ -282,19 +288,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 			WithVolumeMounts(
 				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
 			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
 			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
 		).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
@@ -308,20 +312,19 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
 			),
 	)
+
+	statefulSetApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
+	)
 }
 
 func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, origStatefulSet *appsv1.StatefulSet, statefulSetApplyConfig *appsv1ac.StatefulSetApplyConfiguration) error {
@@ -335,15 +338,14 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 						WithName(container.Name).
 						WithImage(container.Image).
 						WithVolumeMounts(
-							corev1ac.VolumeMount().WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath).WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName),
+							corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
 						),
 				)
 			}
 		}
 	}
 	if !found {
-		err = errors.New("unable to find matching container to patch")
-		return err
+		return errors.New("unable to find matching container to patch")
 	}
 	return nil
 }
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
@@ -1,9 +1,9 @@
 ARG base_image_tag=alpine-3.20.0-r1
 
 FROM lightruncom/prod-base:${base_image_tag}
-ARG FILE 
+ARG FILE
 
-COPY lightrun-init-agent/$FILE /tmp/$FILE
+COPY $FILE /tmp/$FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
     rm -rf /tmp/$FILE && \
@@ -12,9 +12,20 @@ RUN unzip -o /tmp/$FILE -d /agent ;\
     sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
     # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
     chgrp -R 0 /agent && \
-    chmod -R g=u /agent
+    chmod -R g=u /agent && \
+    # Set proper permissions for the agent directory
+    chown -R 1000:1000 /agent && \
+    chmod -R 750 /agent && \
+    # Create secret directory with proper permissions
+    mkdir -p /etc/lightrun/secret && \
+    chown -R 1000:1000 /etc/lightrun/secret && \
+    chmod -R 700 /etc/lightrun/secret
+
+# Copy and set permissions for update_config.sh before switching user
+COPY update_config.sh /update_config.sh
+RUN chmod 750 /update_config.sh && \
+    chown 1000:1000 /update_config.sh
 
 USER 1000
-COPY lightrun-init-agent/update_config.sh /update_config.sh
 
 CMD [ "/bin/sh", "/update_config.sh" ]
diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh
