@aayushchouhan09 aayushchouhan09 commented Oct 14, 2025

Explain the changes

  1. Replace AGENT_CONFIG environment variable with secure volume mount approach
  2. Added AGENT_CONFIG_PATH environment variable pointing to mounted config file
  3. Use lowercase agent_config secret key for naming consistency

Issues: Fixed #xxx / Gap #xxx

  1. Bug: https://issues.redhat.com/browse/DFBUGS-2687
  2. Core PR: Support AGENT_CONFIG from volume mounts and remove secret logging noobaa-core#9243

Testing Instructions:

  1. Install noobaa operator and check for volume, volumeMounts and AGENT_CONFIG_PATH in backingstore pod.
  • Doc added/updated
  • Tests added

Summary by CodeRabbit

  • Refactor

    • Switched agent configuration from an inline environment value to a read-only secret-mounted config path.
    • Renamed the environment variable to reference the mounted config location.
  • Chores

    • Updated bundled deployment assets to use the secret-backed config mount, volume, and env name.
    • Bumped the default container image tag to a newer release.
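
A check for the testing step above (volume, volumeMounts and AGENT_CONFIG_PATH in the backingstore pod), added here as an example that is not part of this PR or of noobaa-operator. It reads `kubectl get pod -o json` output; the function name, the finding texts and the sample pod are assumptions, while the env var names, the placeholder and the use of the first container come from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type pod struct { // subset of `kubectl get pod -o json`; JSON keys match case-insensitively
	Spec struct {
		Containers []struct {
			Env          []struct{ Name, Value string }
			VolumeMounts []struct{ Name, MountPath string; ReadOnly bool }
		}
		Volumes []struct {
			Name   string
			Secret *struct{ SecretName string }
		}
	}
}

// auditAgentPod lists deviations from the file-based layout; none means the pod matches it.
func auditAgentPod(raw []byte) (out []string, err error) {
	var p pod
	if err = json.Unmarshal(raw, &p); err != nil || len(p.Spec.Containers) == 0 {
		return nil, fmt.Errorf("no usable pod spec (parse error: %v)", err)
	}
	secretVol := map[string]bool{} // volume name -> backed by a resolved Secret
	for _, v := range p.Spec.Volumes {
		secretVol[v.Name] = v.Secret != nil && v.Secret.SecretName != "AGENT_CONFIG_SECRET_NAME"
	}
	c, path, mounted := p.Spec.Containers[0], "", false // agent container, as in the reconciler
	for _, e := range c.Env {
		if e.Name == "AGENT_CONFIG" {
			out = append(out, "legacy AGENT_CONFIG env var still set")
		} else if e.Name == "AGENT_CONFIG_PATH" {
			path = e.Value
		}
	}
	for _, m := range c.VolumeMounts {
		under := strings.HasPrefix(path, strings.TrimSuffix(m.MountPath, "/")+"/")
		mounted = mounted || (under && m.ReadOnly && secretVol[m.Name])
	}
	if !mounted {
		out = append(out, fmt.Sprintf("AGENT_CONFIG_PATH %q is not under a read-only secret mount", path))
	}
	return out, nil
}

func main() {
	// Constructed sample: a pod that still carries the pre-change inline env var.
	raw := `{"spec":{"containers":[{"env":[{"name":"AGENT_CONFIG","value":"x"}]}]}}`
	fmt.Println(auditAgentPod([]byte(raw)))
}
```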

@aayushchouhan09 aayushchouhan09 requested review from a team, VershaAgrawal, dannyzaken, jackyalbo and liranmauda and removed request for a team October 14, 2025 14:04
coderabbitai bot commented Oct 14, 2025

Walkthrough

Replaced env var injection of AGENT_CONFIG with a file-backed AGENT_CONFIG_PATH in the agent Pod manifest and bundle; reconciler now mounts an agent-config-secret, updates Pod templates to reference /etc/agent-config/agent_config, and changed secret key usage to agent_config.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Pod agent manifest (deploy/internal/pod-agent.yaml) | Env var renamed AGENT_CONFIG → AGENT_CONFIG_PATH with value /etc/agent-config/agent_config; added top-level volume agent-config-secret (secretName: AGENT_CONFIG_SECRET_NAME); added volumeMount in noobaa-agent mounting agent-config-secret at /etc/agent-config (readOnly: true). |
| BackingStore reconciler (pkg/backingstore/reconciler.go) | Renamed secret key usage AGENT_CONFIG → agent_config in ReconcilePool/reconcilePvPool; removed env-var secret injection; updatePodTemplate now handles adding agent-config-secret volume/volumeMount, replaces AGENT_CONFIG_SECRET_NAME placeholder with the actual SecretName, and ensures AGENT_CONFIG_PATH points to the mounted file. |
| Bundle constants & embedded YAML (pkg/bundle/deploy.go) | Updated Sha256_deploy_internal_pod_agent_yaml checksum and embedded Pod YAML to reflect env var rename and added agent-config-secret volume + volumeMount. |
| Options (pkg/options/options.go) | Bumped default ContainerImageTag from master-20250911 to master-20251028. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant R as BackingStore Reconciler
  participant T as Pod Template
  participant K as Kubernetes API

  Note over R: Reconciling pool / pod spec

  R->>T: Build/modify Pod template
  activate T
  T->>T: Add volume `agent-config-secret` (secretName placeholder)
  T->>T: Add volumeMount at /etc/agent-config (readOnly)
  T->>T: Set env `AGENT_CONFIG_PATH` = "/etc/agent-config/agent_config"
  deactivate T

  R->>K: Apply Pod template (create/update)
  K-->>R: Status / result

  Note right of T: previous flow removed: secret value injected into ENV `AGENT_CONFIG`

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Potential review focal points:

  • pkg/backingstore/reconciler.go — correctness of replacing the AGENT_CONFIG_SECRET_NAME placeholder with the actual SecretName and all references to the secret key name change to agent_config.
  • Consistency between deploy/internal/pod-agent.yaml and the embedded YAML/checksum in pkg/bundle/deploy.go.
  • Verification that /etc/agent-config/agent_config path matches the secret contents and runtime expectations.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The pull request title "Secure agent_config by using volume mounts instead of env vars" is fully related to the main changeset. The changes across multiple files (pod-agent.yaml, reconciler.go, and deploy.go) collectively implement a migration from passing the agent configuration via environment variables to using Kubernetes volume mounts, which is a security best practice. The title accurately captures this primary objective, is concise at 10 words, and clearly conveys the intent without vague terminology or unnecessary details. |
| Description Check | ✅ Passed | The pull request description follows the required template structure and is substantially complete. All three required sections are present: "Explain the changes" contains three clear bullet points describing the key modifications, "Issues" section references both a bug fix (DFBUGS-2687) and a related upstream PR, and "Testing Instructions" provides specific actionable steps for verification. The checkbox items for documentation and tests are included. The explanation provides sufficient detail about the security approach, environment variable changes, and naming consistency improvements. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f6d638 and 0d3ea0e.

📒 Files selected for processing (4)
  • deploy/internal/pod-agent.yaml (3 hunks)
  • pkg/backingstore/reconciler.go (3 hunks)
  • pkg/bundle/deploy.go (4 hunks)
  • pkg/options/options.go (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • pkg/options/options.go
  • deploy/internal/pod-agent.yaml
  • pkg/backingstore/reconciler.go
  • pkg/bundle/deploy.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: run-operator-tests
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-core-config-map-tests
  • GitHub Check: run-cli-tests
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-admission-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-kms-dev-test

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/backingstore/reconciler.go (1)

1165-1262: Add migration check for environment variable change.

The needUpdate() function doesn't detect the environment variable name change from AGENT_CONFIG to AGENT_CONFIG_PATH, nor does it check for the new volume mount. This means existing pods will continue running with the old insecure approach (config in env var) instead of automatically adopting the new secure volume mount approach.

Apply this diff to detect pods that need migration:

 func (r *Reconciler) needUpdate(pod *corev1.Pod) bool {
 	var c = &pod.Spec.Containers[0]
+	
+	// Check for migration from AGENT_CONFIG to AGENT_CONFIG_PATH + volume mount
+	agentConfigPathVar := util.GetEnvVariable(&c.Env, "AGENT_CONFIG_PATH")
+	oldAgentConfigVar := util.GetEnvVariable(&c.Env, "AGENT_CONFIG")
+	hasAgentConfigVolume := false
+	for _, vm := range c.VolumeMounts {
+		if vm.MountPath == agentConfigSecretMountPath {
+			hasAgentConfigVolume = true
+			break
+		}
+	}
+	if oldAgentConfigVar != nil || agentConfigPathVar == nil || !hasAgentConfigVolume {
+		r.Logger.Warnf("Pod needs migration from AGENT_CONFIG env var to AGENT_CONFIG_PATH with volume mount")
+		return true
+	}
+	
 	for _, name := range []string{"HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"} {
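
Review bot: The volume-mount loop accepts any mount whose MountPath equals agentConfigSecretMountPath, so a pod with a writable mount or a non-secret volume at that path counts as migrated and is never updated. Also require vm.ReadOnly, and that vm.Name refers to the agent-config-secret volume, before setting hasAgentConfigVolume. The check reads only pod.Spec.Containers[0], following the function's first line, so a leftover AGENT_CONFIG in any other container is not detected.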
🧹 Nitpick comments (2)
pkg/backingstore/reconciler.go (2)

999-1002: Consider handling migration from old secret key.

The secret key has changed from AGENT_CONFIG to agent_config (lowercase). While the lowercase naming follows better conventions, existing secrets containing the old AGENT_CONFIG key won't be detected, causing the config to be refetched and stored under the new key name. This leaves orphaned data in the secret.

Consider adding a migration check:

 if r.Secret.StringData["agent_config"] == "" {
+	// Migrate from old key name if present
+	if oldConfig := r.Secret.StringData["AGENT_CONFIG"]; oldConfig != "" {
+		r.Secret.StringData["agent_config"] = oldConfig
+		delete(r.Secret.StringData, "AGENT_CONFIG")
+		util.KubeUpdate(r.Secret)
+	} else {
 		r.Secret.StringData["agent_config"] = res
 		util.KubeUpdate(r.Secret)
+	}
+} else {
+	// Clean up old key if present
+	if _, exists := r.Secret.StringData["AGENT_CONFIG"]; exists {
+		delete(r.Secret.StringData, "AGENT_CONFIG")
+		util.KubeUpdate(r.Secret)
+	}
 }
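
Review bot: In both cleanup branches, delete(r.Secret.StringData, "AGENT_CONFIG") only edits the StringData map. Kubernetes merges stringData into data on write, so if r.Secret.Data still holds the AGENT_CONFIG key, the stored Secret keeps the old copy of the agent config after util.KubeUpdate. Remove the key from r.Secret.Data as well so the cleanup actually drops the orphaned value.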

1292-1293: Consider using filepath.Join for path construction.

String concatenation for building file paths is fragile and could break if agentConfigSecretMountPath is modified to include a trailing slash.

Apply this diff to use proper path joining:

+import (
+	"path/filepath"
+	// ... other imports
+)

 case "AGENT_CONFIG_PATH":
-	c.Env[j].Value = agentConfigSecretMountPath + "/agent_config"
+	c.Env[j].Value = filepath.Join(agentConfigSecretMountPath, "agent_config")
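
Review bot: filepath.Join on the added line builds the value with the path separator of the platform the operator runs on, but AGENT_CONFIG_PATH is a path inside the agent container. path.Join always uses forward slashes and still normalises a trailing slash on agentConfigSecretMountPath, so import "path" rather than "path/filepath" here.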
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 22f1cc3 and 15818a0.

📒 Files selected for processing (3)
  • deploy/internal/pod-agent.yaml (1 hunks)
  • pkg/backingstore/reconciler.go (5 hunks)
  • pkg/bundle/deploy.go (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
pkg/backingstore/reconciler.go (2)
pkg/nb/types.go (1)
  • GetHostsPoolAgentConfigParams (455-458)
pkg/util/util.go (2)
  • MergeVolumeMountList (1631-1643)
  • MergeVolumeList (1616-1628)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: golangci-lint
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-hac-test
  • GitHub Check: run-operator-tests
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-cli-tests
  • GitHub Check: run-admission-test
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-core-config-map-tests
🔇 Additional comments (4)
deploy/internal/pod-agent.yaml (1)

24-24: LGTM! Environment variable renamed appropriately.

The rename from AGENT_CONFIG to AGENT_CONFIG_PATH correctly reflects the new architecture where the config is accessed via a file path rather than directly through an environment variable.

pkg/backingstore/reconciler.go (3)

35-35: LGTM! Mount path constant defined clearly.

The constant provides a clear, centralized definition for the agent config mount path.


1353-1370: LGTM! Volume mount implementation is secure.

The implementation correctly:

  • Mounts the agent config secret as a read-only volume
  • Uses merge functions to prevent duplicate volume definitions
  • Follows Kubernetes best practices for secret mounting

The read-only mount enhances security by preventing the agent from modifying its own configuration.


1292-1293: Verify noobaa-agent reads its config from the file specified by AGENT_CONFIG_PATH. Ensure the agent calls os.Getenv("AGENT_CONFIG_PATH") and loads that file (e.g., via os.ReadFile), rather than expecting raw config data in an env var.

@nimrod-becker
Contributor

@dannyzaken @jackyalbo @tangledbytes PTAL

@liranmauda
Contributor

I am not convinced that this is the way of mounting.
Why not do in the yaml something like: #1015 ?

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/backingstore/reconciler.go (1)

1353-1365: Consider more robust placeholder replacement with validation.

The current approach uses string comparisons to find and replace placeholders (AGENT_CONFIG_MOUNT_PATH and AGENT_CONFIG_SECRET_NAME). This is fragile because:

  1. If the placeholders in the template YAML change, this code will silently fail to replace them
  2. There's no validation to confirm the replacements actually occurred
  3. String literals are repeated rather than defined as constants

Consider these improvements:

Option 1 (Recommended): Add constants and validation:

+const (
+	agentConfigMountPathPlaceholder = "AGENT_CONFIG_MOUNT_PATH"
+	agentConfigSecretNamePlaceholder = "AGENT_CONFIG_SECRET_NAME"
+)
+
 func (r *Reconciler) updatePodTemplate() error {
 	log := r.Logger.WithField("func", "updatePodTemplate")
+	mountPathReplaced := false
+	secretNameReplaced := false
+
 	// ... existing code ...
 
 	// replace AGENT_CONFIG_MOUNT_PATH with actual mount path
 	for i := range r.PodAgentTemplate.Spec.Containers[0].VolumeMounts {
-		if r.PodAgentTemplate.Spec.Containers[0].VolumeMounts[i].MountPath == "AGENT_CONFIG_MOUNT_PATH" {
+		if r.PodAgentTemplate.Spec.Containers[0].VolumeMounts[i].MountPath == agentConfigMountPathPlaceholder {
 			r.PodAgentTemplate.Spec.Containers[0].VolumeMounts[i].MountPath = agentConfigSecretMountPath
+			mountPathReplaced = true
 		}
 	}
 
 	// replace AGENT_CONFIG_SECRET_NAME with actual secret name
 	for i := range r.PodAgentTemplate.Spec.Volumes {
-		if r.PodAgentTemplate.Spec.Volumes[i].Secret != nil && r.PodAgentTemplate.Spec.Volumes[i].Secret.SecretName == "AGENT_CONFIG_SECRET_NAME" {
+		if r.PodAgentTemplate.Spec.Volumes[i].Secret != nil && r.PodAgentTemplate.Spec.Volumes[i].Secret.SecretName == agentConfigSecretNamePlaceholder {
 			r.PodAgentTemplate.Spec.Volumes[i].Secret.SecretName = r.Secret.Name
+			secretNameReplaced = true
 		}
 	}
+
+	if !mountPathReplaced || !secretNameReplaced {
+		return fmt.Errorf("failed to replace pod template placeholders: mountPath=%v, secretName=%v", mountPathReplaced, secretNameReplaced)
+	}

 	return r.updatePodResourcesTemplate(c)
 }
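
Review bot: The new mountPathReplaced/secretNameReplaced check treats "placeholder not found" as a failure, but both loops rewrite r.PodAgentTemplate in place, so if updatePodTemplate runs again on the same template the placeholders are already gone and the function returns the error for a correctly configured template. Count a value that already equals agentConfigSecretMountPath or r.Secret.Name as replaced, or run the substitution on a copy of the template.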

Option 2: Use a more structured approach by directly setting the values in the template rather than relying on placeholder replacement.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 15818a0 and f59b2e2.

📒 Files selected for processing (3)
  • deploy/internal/pod-agent.yaml (3 hunks)
  • pkg/backingstore/reconciler.go (5 hunks)
  • pkg/bundle/deploy.go (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/bundle/deploy.go
  • deploy/internal/pod-agent.yaml
🧰 Additional context used
🧬 Code graph analysis (1)
pkg/backingstore/reconciler.go (1)
pkg/nb/types.go (1)
  • GetHostsPoolAgentConfigParams (455-458)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: run-hac-test
  • GitHub Check: run-admission-test
  • GitHub Check: run-operator-tests
  • GitHub Check: golangci-lint
  • GitHub Check: run-kms-tls-sa-test
  • GitHub Check: run-azure-vault-test
  • GitHub Check: run-kms-dev-test
  • GitHub Check: run-cli-tests
  • GitHub Check: run-kms-key-rotate-test
  • GitHub Check: cnpg-deployment-test
  • GitHub Check: run-kms-kmip-test
  • GitHub Check: run-kms-tls-token-test
  • GitHub Check: run-core-config-map-tests
🔇 Additional comments (2)
pkg/backingstore/reconciler.go (2)

35-35: LGTM!

The constant definition is clear and follows Go naming conventions. Using a constant for the mount path ensures consistency throughout the reconciler.


1292-1293: LGTM! Security improvement by using file-based config.

The change from AGENT_CONFIG (env var) to AGENT_CONFIG_PATH (file path) correctly implements the volume mount approach, which is more secure as it avoids exposing sensitive config in environment variables.

@aayushchouhan09
Member Author

I am not convinced that this is the way of mounting. Why not do in the yaml something like: #1015 ?

@liranmauda If we put the volume mount directly in the pod-agent.yaml file, we still need to use loops to change the secret name and AGENT_CONFIG_PATH. The problem is that our secret name changes each time (it's dynamic), but in the PR you referenced, the secret names stay the same. I have created a commit with this approach.

But I think our old way of using utility functions is better and easier to understand. wdyt?

Member

@tangledbytes tangledbytes left a comment

LGTM. Just one minor comment (feel free to ignore).

@aayushchouhan09 aayushchouhan09 merged commit dc961b3 into noobaa:master Oct 31, 2025
16 of 20 checks passed
@aayushchouhan09 aayushchouhan09 deleted the agent-fix branch October 31, 2025 10:43