DEVOPS-2694 - Update the lightrun-k8s-operator deployment to mount Secrets as files via volumes instead of exposing them as environment variables in containers.

Author: yitzhaktal

internal/controller/lightrunjavaagent_controller.go

@@ -252,7 +252,7 @@ func (r *LightrunJavaAgentReconciler) reconcileDeployment(ctx context.Context, l
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)
@@ -493,7 +493,7 @@ func (r *LightrunJavaAgentReconciler) reconcileStatefulSet(ctx context.Context,
 
 	// Create config map
 	log.V(2).Info("Reconciling config map with agent configuration")
-	configMap, err := r.createAgentConfig(lightrunJavaAgent)
+	configMap, err := r.createAgentConfig(lightrunJavaAgent, secret)
 	if err != nil {
 		log.Error(err, "unable to create configMap")
 		return r.errorStatus(ctx, lightrunJavaAgent, err)

internal/controller/patch_funcs.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,7 +28,7 @@ const (
 	annotationAgentName       = "lightrun.com/lightrunjavaagent"
 )
 
-func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent) (corev1.ConfigMap, error) {
+func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (corev1.ConfigMap, error) {
 	populateTags(lightrunJavaAgent.Spec.AgentTags, lightrunJavaAgent.Spec.AgentName, &metadata)
 	jsonString, err := json.Marshal(metadata)
 	if err != nil {
@@ -52,26 +53,28 @@ func (r *LightrunJavaAgentReconciler) createAgentConfig(lightrunJavaAgent *agent
 }
 
 func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, cmDataHash uint64) error {
-
 	// init spec.template.spec
 	deploymentApplyConfig.WithSpec(
 		appsv1ac.DeploymentSpec().WithTemplate(
 			corev1ac.PodTemplateSpec().WithSpec(
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 	r.addVolume(deploymentApplyConfig, lightrunJavaAgent)
 	r.addInitContainer(deploymentApplyConfig, lightrunJavaAgent, secret)
-	err = r.patchAppContainers(lightrunJavaAgent, origDeployment, deploymentApplyConfig)
+	err := r.patchAppContainers(lightrunJavaAgent, origDeployment, deploymentApplyConfig)
 	if err != nil {
 		return err
 	}
+	deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
+		corev1ac.PodSecurityContext().
+			WithFSGroup(1000),
+	)
 	return nil
 }
 
@@ -98,55 +101,73 @@ func (r *LightrunJavaAgentReconciler) addVolume(deploymentApplyConfig *appsv1ac.
 	)
 }
 
-func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
+func (r *LightrunJavaAgentReconciler) createPinnedCertConfigMap(ctx context.Context, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) (*corev1.ConfigMap, error) {
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-pinned-cert", lightrunJavaAgent.Name),
+			Namespace: lightrunJavaAgent.Namespace,
+		},
+		Data: map[string]string{
+			"pinned_cert_hash": string(secret.Data["pinned_cert_hash"]),
+		},
+	}
 
+	err := r.Create(ctx, configMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return configMap, nil
+}
+
+func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration, lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret) {
 	deploymentApplyConfig.Spec.Template.Spec.WithInitContainers(
 		corev1ac.Container().
 			WithName(initContainerName).
 			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
 			WithVolumeMounts(
-				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
+				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
-			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
-			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
-		).
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
+			).
+			WithEnv(
+				corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
+			).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 500 * 10^6 = 500M
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 						},
-					).WithRequests(
-					corev1.ResourceList{
-						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
-					},
-				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
 					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					WithRequests(
+						corev1.ResourceList{
+							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
+						},
 					),
 			),
 	)
+
+	// Add volume for secret with proper permissions
+	deploymentApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
+	)
 }
 
 func (r *LightrunJavaAgentReconciler) patchAppContainers(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, origDeployment *appsv1.Deployment, deploymentApplyConfig *appsv1ac.DeploymentApplyConfiguration) error {
@@ -167,26 +188,22 @@ func (r *LightrunJavaAgentReconciler) patchAppContainers(lightrunJavaAgent *agen
 		}
 	}
 	if !found {
-		err = errors.New("unable to find matching container to patch")
-		return err
+		return errors.New("unable to find matching container to patch")
 	}
 	return nil
 }
 
 // Client side patch, as we can't update value from 2 sources
 func (r *LightrunJavaAgentReconciler) patchJavaToolEnv(deplAnnotations map[string]string, container *corev1.Container, targetEnvVar string, agentArg string) error {
-	// Check if some env was already patched before
 	patchedEnv := deplAnnotations[annotationPatchedEnvName]
 	patchedEnvValue := deplAnnotations[annotationPatchedEnvValue]
 
 	if patchedEnv != targetEnvVar || patchedEnvValue != agentArg {
-		// If different env was patched before - unpatch it
 		r.unpatchJavaToolEnv(deplAnnotations, container)
 	}
 
 	targetEnvVarIndex := findEnvVarIndex(targetEnvVar, container.Env)
 	if targetEnvVarIndex == -1 {
-		// No such env - add new
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  targetEnvVar,
 			Value: agentArg,
@@ -223,28 +240,22 @@ func (r *LightrunJavaAgentReconciler) unpatchJavaToolEnv(deplAnnotations map[str
 
 // patchStatefulSet applies changes to a StatefulSet to inject the Lightrun agent
 func (r *LightrunJavaAgentReconciler) patchStatefulSet(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, secret *corev1.Secret, origStatefulSet *appsv1.StatefulSet, statefulSetApplyConfig *appsv1ac.StatefulSetApplyConfiguration, cmDataHash uint64) error {
-	// init spec.template.spec
 	statefulSetApplyConfig.WithSpec(
 		appsv1ac.StatefulSetSpec().WithTemplate(
 			corev1ac.PodTemplateSpec().WithSpec(
 				corev1ac.PodSpec(),
 			).WithAnnotations(map[string]string{
 				annotationConfigMapHash: fmt.Sprint(cmDataHash),
-			},
-			),
+			}),
 		),
 	).WithAnnotations(map[string]string{
 		annotationAgentName: lightrunJavaAgent.Name,
 	})
 
-	// Add volumes to the StatefulSet
 	r.addVolumeToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent)
-
-	// Add init container to the StatefulSet
 	r.addInitContainerToStatefulSet(statefulSetApplyConfig, lightrunJavaAgent, secret)
 
-	// Patch app containers in the StatefulSet
-	err = r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
+	err := r.patchStatefulSetAppContainers(lightrunJavaAgent, origStatefulSet, statefulSetApplyConfig)
 	if err != nil {
 		return err
 	}
@@ -271,6 +282,15 @@ func (r *LightrunJavaAgentReconciler) addVolumeToStatefulSet(statefulSetApplyCon
 						corev1ac.KeyToPath().WithKey("metadata").WithPath("agent.metadata.json"),
 					),
 			),
+	).WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
 	)
 }
 
@@ -280,48 +300,45 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 			WithName(initContainerName).
 			WithImage(lightrunJavaAgent.Spec.InitContainer.Image).
 			WithVolumeMounts(
-				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath("/tmp/"),
+				corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath),
 				corev1ac.VolumeMount().WithName(cmVolumeName).WithMountPath("/tmp/cm/"),
+				corev1ac.VolumeMount().WithName("lightrun-secret").WithMountPath("/etc/lightrun/secret").WithReadOnly(true),
 			).WithEnv(
-			corev1ac.EnvVar().WithName("LIGHTRUN_KEY").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("lightrun_key"),
-				),
-			),
-			corev1ac.EnvVar().WithName("PINNED_CERT").WithValueFrom(
-				corev1ac.EnvVarSource().WithSecretKeyRef(
-					corev1ac.SecretKeySelector().WithName(secret.Name).WithKey("pinned_cert_hash"),
-				),
-			),
 			corev1ac.EnvVar().WithName("LIGHTRUN_SERVER").WithValue(lightrunJavaAgent.Spec.ServerHostname),
 		).
+			WithSecurityContext(
+				corev1ac.SecurityContext().
+					WithReadOnlyRootFilesystem(true).
+					WithAllowPrivilegeEscalation(false).
+					WithRunAsNonRoot(true).
+					WithRunAsUser(1000),
+			).
 			WithResources(
 				corev1ac.ResourceRequirements().
 					WithLimits(
 						corev1.ResourceList{
 							corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
-							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)), // 64M
+							corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 						},
 					).WithRequests(
 					corev1.ResourceList{
 						corev1.ResourceCPU:    *resource.NewMilliQuantity(int64(50), resource.BinarySI),
 						corev1.ResourceMemory: *resource.NewScaledQuantity(int64(64), resource.Scale(6)),
 					},
 				),
-			).
-			WithSecurityContext(
-				corev1ac.SecurityContext().
-					WithCapabilities(
-						corev1ac.Capabilities().WithDrop(corev1.Capability("ALL")),
-					).
-					WithAllowPrivilegeEscalation(false).
-					WithRunAsNonRoot(true).
-					WithSeccompProfile(
-						corev1ac.SeccompProfile().
-							WithType(corev1.SeccompProfileTypeRuntimeDefault),
-					),
 			),
 	)
+
+	statefulSetApplyConfig.Spec.Template.Spec.WithVolumes(
+		corev1ac.Volume().WithName("lightrun-secret").
+			WithSecret(corev1ac.SecretVolumeSource().
+				WithSecretName(secret.Name).
+				WithItems(
+					corev1ac.KeyToPath().WithKey("lightrun_key").WithPath("lightrun_key"),
+					corev1ac.KeyToPath().WithKey("pinned_cert_hash").WithPath("pinned_cert_hash"),
+				).
+				WithDefaultMode(0440)),
+	)
 }
 
 func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJavaAgent *agentv1beta.LightrunJavaAgent, origStatefulSet *appsv1.StatefulSet, statefulSetApplyConfig *appsv1ac.StatefulSetApplyConfiguration) error {
@@ -342,15 +359,13 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 		}
 	}
 	if !found {
-		err = errors.New("unable to find matching container to patch")
-		return err
+		return errors.New("unable to find matching container to patch")
 	}
 	return nil
 }
 
 // configMapDataHash calculates a hash of the ConfigMap data to detect changes
 func configMapDataHash(cmData map[string]string) uint64 {
-	// Combine all data values into a single string for hashing
 	var hashString string
 	for _, v := range cmData {
 		hashString += v

lightrun-init-agent/Dockerfile

@@ -1,20 +1,26 @@
 ARG base_image_tag=alpine-3.20.0-r1
 
 FROM lightruncom/prod-base:${base_image_tag}
-ARG FILE 
-
-COPY lightrun-init-agent/$FILE /tmp/$FILE
+ARG FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
     rm -rf /tmp/$FILE && \
     # Erase default values
     sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=|" /agent/agent.config && rm /agent/agent.config.bak && \
     sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
-    # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
-    chgrp -R 0 /agent && \
-    chmod -R g=u /agent
+    # Set proper permissions for the agent directory
+    chown -R 1000:1000 /agent && \
+    chmod -R 750 /agent && \
+    # Create secret directory with proper permissions
+    mkdir -p /etc/lightrun/secret && \
+    chown -R 1000:1000 /etc/lightrun/secret && \
+    chmod -R 700 /etc/lightrun/secret
+
+# Copy and set permissions for update_config.sh before switching user
+COPY update_config.sh /update_config.sh
+RUN chmod 750 /update_config.sh && \
+    chown 1000:1000 /update_config.sh
 
 USER 1000
-COPY lightrun-init-agent/update_config.sh /update_config.sh
 
 CMD [ "/bin/sh", "/update_config.sh" ]