Secure agent_config by using volume mounts instead of env vars

aayushchouhan09 · aayushchouhan09 · commit 07488383f8cc · 2025-10-30T22:49:26.000+05:30
Signed-off-by: Aayush Chouhan &lt;achouhan@redhat.com&gt;
diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
@@ -21,7 +21,8 @@ spec:
         # Insert the relevant config for the current agent
         - name: CONTAINER_PLATFORM
           value: KUBERNETES
-        - name: AGENT_CONFIG
+        - name: AGENT_CONFIG_PATH
+          value: /etc/agent-config/agent_config
         - name: NOOBAA_LOG_LEVEL
         - name: NOOBAA_LOG_COLOR
       command: ["/noobaa_init_files/noobaa_init.sh", "agent"]
@@ -34,6 +35,9 @@ spec:
           mountPath: /noobaa_storage
         - name: tmp-logs-vol
           mountPath: /usr/local/noobaa/logs
+        - name: agent-config-secret
+          mountPath: /etc/agent-config
+          readOnly: true
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
@@ -49,3 +53,6 @@ spec:
     - name: noobaastorage
       persistentVolumeClaim:
         claimName: noobaa-pv-claim
+    - name: agent-config-secret
+      secret:
+        secretName: AGENT_CONFIG_SECRET_NAME
diff --git a/pkg/backingstore/reconciler.go b/pkg/backingstore/reconciler.go
@@ -994,8 +994,8 @@ func (r *Reconciler) ReconcilePool() error {
 			}
 			return err
 		}
-		if r.Secret.StringData["AGENT_CONFIG"] == "" {
-			r.Secret.StringData["AGENT_CONFIG"] = res
+		if r.Secret.StringData["agent_config"] == "" {
+			r.Secret.StringData["agent_config"] = res
 			util.KubeUpdate(r.Secret)
 		}
 		err = r.NBClient.UpdateAllBucketsDefaultPool(nb.UpdateDefaultResourceParams{
@@ -1050,14 +1050,14 @@ func (r *Reconciler) reconcilePvPool() error {
 	if r.Secret.StringData == nil {
 		return fmt.Errorf("reconcilePvPool: r.Secret.StringData is not initialized yet")
 	}
-	if r.Secret.StringData["AGENT_CONFIG"] == "" {
+	if r.Secret.StringData["agent_config"] == "" {
 		res, err := r.NBClient.GetHostsPoolAgentConfigAPI(nb.GetHostsPoolAgentConfigParams{
 			Name: r.BackingStore.Name,
 		})
 		if err != nil {
 			return err
 		}
-		r.Secret.StringData["AGENT_CONFIG"] = res
+		r.Secret.StringData["agent_config"] = res
 		util.KubeUpdate(r.Secret)
 	}
 	podsList := &corev1.PodList{}
@@ -1287,15 +1287,6 @@ func (r *Reconciler) updatePodTemplate() error {
 	c := &r.PodAgentTemplate.Spec.Containers[0]
 	for j := range c.Env {
 		switch c.Env[j].Name {
-		case "AGENT_CONFIG":
-			c.Env[j].ValueFrom = &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: r.Secret.Name,
-					},
-					Key: "AGENT_CONFIG",
-				},
-			}
 		case "NOOBAA_LOG_LEVEL":
 			c.Env[j].Value = r.CoreAppConfig.Data["NOOBAA_LOG_LEVEL"]
 		case "NOOBAA_LOG_COLOR":
@@ -1355,6 +1346,13 @@ func (r *Reconciler) updatePodTemplate() error {
 		r.PodAgentTemplate.Spec.TopologySpreadConstraints = []corev1.TopologySpreadConstraint{topologySpreadConstraint}
 	}
 
+	// replace AGENT_CONFIG_SECRET_NAME with actual secret name
+	for i, vol := range r.PodAgentTemplate.Spec.Volumes {
+		if vol.Secret != nil && vol.Secret.SecretName == "AGENT_CONFIG_SECRET_NAME" {
+			r.PodAgentTemplate.Spec.Volumes[i].Secret.SecretName = r.Secret.Name
+		}
+	}
+
 	return r.updatePodResourcesTemplate(c)
 }
 
diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -4477,7 +4477,7 @@ spec:
       storage: 30Gi
 `
 
-const Sha256_deploy_internal_pod_agent_yaml = "0d3d438a85024b605e1d1b3587c0bf9522f7e30f187fdd0f1d607337e3df90d1"
+const Sha256_deploy_internal_pod_agent_yaml = "74237f435120c893cd8e349e9ac685dd1c884e121c018f46e48228f845a51093"
 
 const File_deploy_internal_pod_agent_yaml = `apiVersion: v1
 kind: Pod
@@ -4502,7 +4502,8 @@ spec:
         # Insert the relevant config for the current agent
         - name: CONTAINER_PLATFORM
           value: KUBERNETES
-        - name: AGENT_CONFIG
+        - name: AGENT_CONFIG_PATH
+          value: /etc/agent-config/agent_config
         - name: NOOBAA_LOG_LEVEL
         - name: NOOBAA_LOG_COLOR
       command: ["/noobaa_init_files/noobaa_init.sh", "agent"]
@@ -4515,6 +4516,9 @@ spec:
           mountPath: /noobaa_storage
         - name: tmp-logs-vol
           mountPath: /usr/local/noobaa/logs
+        - name: agent-config-secret
+          mountPath: /etc/agent-config
+          readOnly: true
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
@@ -4530,6 +4534,9 @@ spec:
     - name: noobaastorage
       persistentVolumeClaim:
         claimName: noobaa-pv-claim
+    - name: agent-config-secret
+      secret:
+        secretName: AGENT_CONFIG_SECRET_NAME
 `
 
 const Sha256_deploy_internal_prometheus_rules_yaml = "9dba8cfe7b655d3467b091531c95e6d34e8bd179f36ece6eaf3cff8ef73df23d"
diff --git a/pkg/options/options.go b/pkg/options/options.go
@@ -30,7 +30,7 @@ const (
 	// ContainerImageRepo is the repo of the default image url
 	ContainerImageRepo = "noobaa-core"
 	// ContainerImageTag is the tag of the default image url
-	ContainerImageTag = "master-20250911"
+	ContainerImageTag = "master-20251028"
 	// ContainerImageSemverLowerBound is the lower bound for supported image versions
 	ContainerImageSemverLowerBound = "5.0.0"
 	// ContainerImageSemverUpperBound is the upper bound for supported image versions
