DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

yitzhaktal · yitzhaktal · commit d4efd4d7665d · 2025-06-01T12:35:01.000+03:00
diff --git a/.github/workflows/tests_data/lightrunjavaagent.yaml b/.github/workflows/tests_data/lightrunjavaagent.yaml
@@ -10,6 +10,7 @@ spec:
   deploymentName: sample-deployment  
   secretName: lightrun-secrets 
   serverHostname: dogfood.internal.lightrun.com
+  useSecretAsEnvVars: true
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/api/v1beta/lightrunjavaagent_types.go b/api/v1beta/lightrunjavaagent_types.go
@@ -90,6 +90,10 @@ type LightrunJavaAgentSpec struct {
 	// +optional
 	// Agent name for registration to the server
 	AgentName string `json:"agentName,omitempty"`
+
+	// UseSecretAsEnvVars determines whether to use secret values as environment variables (true) or as mounted files (false)
+	// +kubebuilder:default=true
+	UseSecretAsEnvVars bool `json:"useSecretAsEnvVars,omitempty"`
 }
 
 // LightrunJavaAgentStatus defines the observed state of LightrunJavaAgent
diff --git a/charts/lightrun-agents/Chart.yaml b/charts/lightrun-agents/Chart.yaml
@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
diff --git a/charts/lightrun-agents/templates/java-agent-cr.yaml b/charts/lightrun-agents/templates/java-agent-cr.yaml
@@ -18,6 +18,7 @@ spec:
   secretName: {{ .name }}-secret
   {{- end }}
   serverHostname: {{ .serverHostname }}
+  useSecretAsEnvVars: {{ .useSecretAsEnvVars | default true }}
   agentEnvVarName: {{ .agentEnvVarName | default "JAVA_TOOL_OPTIONS" }}
   {{- if .agentConfig }}
   agentConfig: {{ toYaml .agentConfig | nindent 4 }}
diff --git a/charts/lightrun-agents/values.yaml b/charts/lightrun-agents/values.yaml
@@ -15,6 +15,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
+#    useSecretAsEnvVars: true
 #    initContainer:
 #      image: "lightruncom/k8s-operator-init-java-agent-linux:latest"
 #    agentPoolCredentials:
@@ -34,6 +35,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
+#    useSecretAsEnvVars: true
 #    agentPoolCredentials:
 #      existingSecret: "my-existing-secret"
 #      apiKey: ""
@@ -57,6 +59,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-1
 #    serverHostname: 'lightrun.example.com'
+#    useSecretAsEnvVars: true
 #    agentEnvVarName: '_JAVA_OPTIONS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
@@ -84,6 +87,7 @@ javaAgents: []
 #    containerSelector:
 #      - my-container-2
 #    serverHostname: 'lightrun.example.com'
+#    useSecretAsEnvVars: true
 #    agentEnvVarName: 'JAVA_OPTS'
 #    agentConfig:
 #      max_log_cpu_cost: "2"
diff --git a/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml b/charts/lightrun-operator/crds/lightrunjavaagent_crd.yaml
@@ -119,6 +119,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretAsEnvVars:
+                default: true
+                description: UseSecretAsEnvVars determines whether to use secret values
+                  as environment variables (true) or as mounted files (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml b/config/crd/bases/agents.lightrun.com_lightrunjavaagents.yaml
@@ -120,6 +120,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretAsEnvVars:
+                default: true
+                description: UseSecretAsEnvVars determines whether to use secret values
+                  as environment variables (true) or as mounted files (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/config/samples/agents_v1beta_lightrunjavaagent.yaml b/config/samples/agents_v1beta_lightrunjavaagent.yaml
@@ -11,6 +11,7 @@ spec:
   workloadType: Deployment
   secretName: lightrun-secrets 
   serverHostname: <lightrun_server>  #for saas it will be app.lightrun.com
+  useSecretAsEnvVars: true
   agentEnvVarName: JAVA_TOOL_OPTIONS
   agentConfig:
     max_log_cpu_cost: "2"
diff --git a/config/samples/operator.yaml b/config/samples/operator.yaml
@@ -131,6 +131,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretAsEnvVars:
+                default: true
+                description: UseSecretAsEnvVars determines whether to use secret values
+                  as environment variables (true) or as mounted files (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/docs/custom_resource.md b/docs/custom_resource.md
@@ -49,6 +49,9 @@ spec:
   # If container not mentioned here it will be not patched
   containerSelector:
     - app
+  # UseSecretAsEnvVars determines whether to use secret values as environment variables (true) or as mounted files (false)
+  # Default is true for backward compatibility
+  useSecretAsEnvVars: true
 ---
 apiVersion: v1
 metadata: 
diff --git a/examples/lightrunjavaagent.yaml b/examples/lightrunjavaagent.yaml
@@ -59,3 +59,7 @@ spec:
     - latest
   # Agent name. If not provided, pod name will be used
   #agentName: "operator-test-agent"
+
+  # UseSecretAsEnvVars determines whether to use secret values as environment variables (true) or as mounted files (false)
+  # Default is true for backward compatibility
+  useSecretAsEnvVars: true
diff --git a/examples/operator.yaml b/examples/operator.yaml
@@ -121,6 +121,11 @@ spec:
                   Lightrun server hostname that will be used for downloading an agent
                   Key and company id in the secret has to be taken from this server as well
                 type: string
+              useSecretAsEnvVars:
+                default: true
+                description: UseSecretAsEnvVars determines whether to use secret values
+                  as environment variables (true) or as mounted files (false)
+                type: boolean
               workloadName:
                 description: Name of the Workload that will be patched. workload can
                   be either Deployment or StatefulSet e.g. my-deployment, my-statefulset
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
diff --git a/lightrun-init-agent/Dockerfile b/lightrun-init-agent/Dockerfile
diff --git a/lightrun-init-agent/update_config.sh b/lightrun-init-agent/update_config.sh
