Support AGENT_CONFIG from volume mounts and remove secret logging

[aayushchouhan09]

Describe the Problem

AGENT_CONFIG was supported as environment variable, not as volume-mounted secrets. Also the agent logs exposed sensitive configuration data.

Explain the Changes

1. Added support for reading AGENT_CONFIG from volume-mounted secrets
2. Removed sensitive data logging from agent pod logs

Issues: Fixed #xxx / Gap #xxx

1. Bug: https://issues.redhat.com/browse/DFBUGS-2687
2. Operator PR: Secure agent_config by using volume mounts instead of env vars noobaa-operator#1718

Testing Instructions:

• Doc added/updated
• Tests added

Summary by CodeRabbit

• New Features

  • Added AGENT_CONFIG and AGENT_CONFIG_PATH as configurable startup options (env or default file).

• Bug Fixes

  • Improved agent initialization with environment → file fallback.
  • Accepts either JSON or base64-formatted config and writes validated agent_conf.json.
  • Clearer logging and error messages during agent configuration.

[coderabbitai]

Walkthrough

Adds AGENT_CONFIG_PATH and AGENT_CONFIG to config.js with env/file sourcing. Updates noobaa_init.sh to fetch AGENT_CONFIG from env or Node-loaded config, validate presence, and create agent_conf.json by writing JSON directly or base64-decoding it, with adjusted logging and checks inside prepare_agent_conf.

Changes

Cohort / File(s)	Summary of modifications
Agent config exposure config.js	Introduces config.AGENT_CONFIG_PATH (from AGENT_CONFIG_PATH env or default /etc/agent-config/agent_config) and config.AGENT_CONFIG (from AGENT_CONFIG env or read via _get_data_from_file using AGENT_CONFIG_PATH), grouped under a new AGENT CONFIG section.
Deploy init fallback & write logic src/deploy/NVA_build/noobaa_init.sh	prepare_agent_conf now attempts AGENT_CONFIG from env or, if unset, queries noobaa-core's config.js via Node; ensures non-empty. If agent_conf.json is missing, validates AGENT_CONFIG as JSON (jq) and writes it directly, otherwise base64-decodes (openssl) then writes. Adds logs like "Got agent_conf" and "Written agent_conf.json".

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Env as Environment
  participant Init as noobaa_init.sh
  participant Node as Node (noobaa-core/config.js)
  participant FS as Filesystem
  participant JQ as jq
  participant OpenSSL as openssl

  Init->>Env: Read AGENT_CONFIG
  alt AGENT_CONFIG unset
    Init->>Node: node -e "require('.../config.js').AGENT_CONFIG"
    Node-->>Init: AGENT_CONFIG (env or file)
  end
  Init->>Init: Check AGENT_CONFIG non-empty
  alt agent_conf.json exists
    Init->>FS: Use existing agent_conf.json
  else agent_conf.json missing
    Init->>JQ: Test AGENT_CONFIG as JSON
    alt Valid JSON
      Init->>FS: Write AGENT_CONFIG -> agent_conf.json
    else Not JSON
      Init->>OpenSSL: Decode AGENT_CONFIG (base64)
      OpenSSL-->>Init: Decoded content
      Init->>FS: Write decoded -> agent_conf.json
    end
  end
  note right of Init: Logs: "Got agent_conf", "Written agent_conf.json"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Support AGENT_CONFIG from volume mounts and remove secret logging" directly and clearly corresponds to the main changes in the changeset. The config.js modifications add AGENT_CONFIG_PATH and AGENT_CONFIG properties that support reading from volume-mounted paths (defaulting to /etc/agent-config/agent_config), and the noobaa_init.sh changes implement fallback logic to read from volume-mounted configuration. Additionally, the removal of direct base64 echoing and sensitive data logging aligns with the "remove secret logging" aspect of the title. The title is specific, concise, and accurately conveys the two primary objectives of the PR without being vague or overly generic.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b2fd04 and c5de7b9.

📒 Files selected for processing (1)

• src/deploy/NVA_build/noobaa_init.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

src/deploy/NVA_build/noobaa_init.sh

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run-jest-unit-tests
• GitHub Check: Build Noobaa Image
• GitHub Check: run-package-lock-validation

🔇 Additional comments (3)

src/deploy/NVA_build/noobaa_init.sh (3)

129-129: Good use of node -p syntax.

The implementation correctly uses node -p as suggested in prior feedback, which is cleaner than alternative approaches.

---

132-136: Proper validation and error exit.

The second validation check correctly quotes the variable and exits with a clear error message if AGENT_CONFIG is missing.

---

137-145: Logic flow and dual-format handling looks sound.

The function now properly handles both JSON and base64-encoded AGENT_CONFIG with appropriate detection via jq, logs retrieval and completion steps, and maintains the conditional file-creation pattern. The dual-sourcing strategy (env → config.js fallback) addresses the PR objective of supporting volume-mounted secrets.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2367740 and 5b2fd04.

📒 Files selected for processing (2)

• config.js (1 hunks)
• src/deploy/NVA_build/noobaa_init.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

src/deploy/NVA_build/noobaa_init.sh

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Noobaa Image
• GitHub Check: run-package-lock-validation
• GitHub Check: run-jest-unit-tests

🔇 Additional comments (1)

config.js (1)

245-250: LGTM! Clean implementation following existing patterns.

The AGENT_CONFIG section follows the same pattern as other secret configurations (JWT_SECRET, SERVER_SECRET). Using _get_data_from_file is appropriate and handles missing files gracefully by returning undefined, which the shell script later validates.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Quote variable and add error handling for cd command.

Two issues:

1. Line 127: ${AGENT_CONFIG} should be quoted to handle empty strings correctly.
2. Line 128: Missing error handling if cd fails.

Apply this diff:

-  if [ -z ${AGENT_CONFIG} ]; then
+  if [ -z "${AGENT_CONFIG}" ]; then
-    cd /root/node_modules/noobaa-core/
+    cd /root/node_modules/noobaa-core/ || exit 1
     AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
   fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [ -z ${AGENT_CONFIG} ]; then
	cd /root/node_modules/noobaa-core/
	AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
	fi
	if [ -z "${AGENT_CONFIG}" ]; then
	cd /root/node_modules/noobaa-core/ || exit 1
	AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
	fi

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

🤖 Prompt for AI Agents

In src/deploy/NVA_build/noobaa_init.sh around lines 127 to 130, the test and
directory change are unsafe: quote ${AGENT_CONFIG} in the if test (if [ -z
"${AGENT_CONFIG}" ]) to correctly handle empty/whitespace values, and add error
handling for the cd command (check its exit status and abort with an error
message and non-zero exit code if cd fails) before running the node command.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Good security improvement, but quote variable in base64 decode.

Removing the direct echo of AGENT_CONFIG from logs is a good security practice. However, line 142 should quote ${AGENT_CONFIG} to handle values with spaces or special characters safely.

Apply this diff to line 142:

-      openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
+      openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo "Got agent_conf"
	if [ ! -f $AGENT_CONF_FILE ]; then
	if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
	echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
	else
	openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
	fi
	echo "Written agent_conf.json: $(cat ${AGENT_CONF_FILE})"
	fi
	echo "Written agent_conf.json"
	echo "Got agent_conf"
	if [ ! -f $AGENT_CONF_FILE ]; then
	if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
	echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
	else
	openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}
	fi
	fi
	echo "Written agent_conf.json"

🤖 Prompt for AI Agents

In src/deploy/NVA_build/noobaa_init.sh around lines 137 to 145, the openssl
base64 decode uses an unquoted here-string which can break on spaces/special
characters; update the here-string to quote the variable (use
<<<"${AGENT_CONFIG}") so the entire AGENT_CONFIG value is passed safely to
openssl without word-splitting or globbing.

[nimrod-becker]

@dannyzaken @jackyalbo @tangledbytes PTAL

[tangledbytes]

Maybe node -p 'require("config").AGENT_CONFIG || ""' would do?

[aayushchouhan09]

Done, Thanks