Skip to content

Support AGENT_CONFIG from volume mounts and remove secret logging #9243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+23 −7
Open

Support AGENT_CONFIG from volume mounts and remove secret logging #9243

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5731e3a
Support AGENT_CONFIG from volume mounts and remove secret logging
aayushchouhan09 Oct 14, 2025
17b14ea
Simplified node command in the script
aayushchouhan09 Oct 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,12 @@ if (process.env.CONTAINER_PLATFORM || process.env.LOCAL_MD_SERVER) {

config.ROOT_KEY_MOUNT = '/etc/noobaa-server/root_keys';

//////////////////
// AGENT CONFIG //
//////////////////
config.AGENT_CONFIG_PATH = process.env.AGENT_CONFIG_PATH || '/etc/agent-config/agent_config';
config.AGENT_CONFIG = process.env.AGENT_CONFIG || _get_data_from_file(config.AGENT_CONFIG_PATH);

///////////////
// DB CONFIG //
///////////////
Expand Down
24 changes: 17 additions & 7 deletions src/deploy/NVA_build/noobaa_init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,17 +122,27 @@ run_internal_process() {

prepare_agent_conf() {
AGENT_CONF_FILE="/noobaa_storage/agent_conf.json"
if [ -z ${AGENT_CONFIG} ]
then
echo "AGENT_CONFIG is required ENV variable. AGENT_CONFIG is missing. Exit"

# get AGENT_CONFIG from env var or config.js (volume mount)
if [ -z ${AGENT_CONFIG} ]; then
cd /root/node_modules/noobaa-core/
AGENT_CONFIG=$(node -p 'require("./config").AGENT_CONFIG || ""')
fi

if [ -z "${AGENT_CONFIG}" ]; then
echo "AGENT_CONFIG is required. AGENT_CONFIG is missing. Exit"
exit 1
else
echo "Got base64 agent_conf: ${AGENT_CONFIG}"
if [ ! -f $AGENT_CONF_FILE ]; then
fi

echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
fi
echo "Written agent_conf.json: $(cat ${AGENT_CONF_FILE})"
fi
echo "Written agent_conf.json"
Comment on lines +137 to +145
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Good security improvement, but quote variable in base64 decode.

Removing the direct echo of AGENT_CONFIG from logs is a good security practice. However, line 142 should quote ${AGENT_CONFIG} to handle values with spaces or special characters safely.

Apply this diff to line 142:

-      openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
+      openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
fi
echo "Written agent_conf.json: $(cat ${AGENT_CONF_FILE})"
fi
echo "Written agent_conf.json"
echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}
fi
fi
echo "Written agent_conf.json"
🤖 Prompt for AI Agents 
In src/deploy/NVA_build/noobaa_init.sh around lines 137 to 145, the openssl
base64 decode uses an unquoted here-string which can break on spaces/special
characters; update the here-string to quote the variable (use
<<<"${AGENT_CONFIG}") so the entire AGENT_CONFIG value is passed safely to
openssl without word-splitting or globbing.

}

prepare_server_pvs() {
Expand Down