Skip to content

Support AGENT_CONFIG from volume mounts and remove secret logging #9243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Support AGENT_CONFIG from volume mounts and remove secret logging #9243

wants to merge 2 commits into from

Conversation

@aayushchouhan09
Copy link
Member

@aayushchouhan09 aayushchouhan09 commented Oct 14, 2025
edited by coderabbitai bot
Loading

Describe the Problem

AGENT_CONFIG was supported as environment variable, not as volume-mounted secrets. Also the agent logs exposed sensitive configuration data.

Explain the Changes

  1. Added support for reading AGENT_CONFIG from volume-mounted secrets
  2. Removed sensitive data logging from agent pod logs

Issues: Fixed #xxx / Gap #xxx

  1. Bug: https://issues.redhat.com/browse/DFBUGS-2687
  2. Operator PR: Secure agent_config by using volume mounts instead of env vars noobaa-operator#1718

Testing Instructions:

  • Doc added/updated
  • Tests added

Summary by CodeRabbit

  • New Features

    • Added AGENT_CONFIG and AGENT_CONFIG_PATH as configurable startup options (env or default file).

  • Bug Fixes

    • Agent initialization now falls back from environment to file if needed.
    • Accepts either JSON or base64-formatted agent config and writes a validated agent_conf.json.
    • Improved logging and clearer messages during agent configuration.

@aayushchouhan09 aayushchouhan09 requested review from a team, dannyzaken, jackyalbo, liranmauda and nbecker-cibot and removed request for a team October 14, 2025 14:11
@coderabbitai
Copy link

coderabbitai bot commented Oct 14, 2025
edited
Loading

Walkthrough

Adds AGENT_CONFIG_PATH and AGENT_CONFIG to config.js (env/file sourcing). Updates noobaa_init.sh to obtain AGENT_CONFIG from env or Node-loaded config.js, require it non-empty, and create agent_conf.json by writing JSON directly or base64-decoding it, with adjusted logging.

Changes

Cohort / File(s) Summary of modifications
Agent config exposure
config.js		 Introduces config.AGENT_CONFIG_PATH (from AGENT_CONFIG_PATH env or default /etc/agent-config/agent_config) and config.AGENT_CONFIG (from AGENT_CONFIG env or read via _get_data_from_file using AGENT_CONFIG_PATH), placed under a new AGENT CONFIG section.
Deploy init fallback & write logic
src/deploy/NVA_build/noobaa_init.sh		 prepare_agent_conf first reads AGENT_CONFIG from the environment; if empty, queries noobaa-core's config.js via Node. Ensures non-empty. If agent_conf.json is missing, tests AGENT_CONFIG with jq and writes it directly when valid JSON, otherwise base64-decodes with openssl and writes. Adds logs "Got agent_conf" and "Written agent_conf.json".

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Env as Environment
  participant Init as noobaa_init.sh
  participant Node as Node (noobaa-core/config.js)
  participant FS as Filesystem
  participant JQ as jq
  participant OpenSSL as openssl

  Init->>Env: read AGENT_CONFIG
  alt AGENT_CONFIG unset
    Init->>Node: node -e "require('.../config.js').AGENT_CONFIG"
    Node-->>Init: AGENT_CONFIG
  end
  Init->>Init: ensure AGENT_CONFIG non-empty
  alt agent_conf.json exists
    Init->>FS: use existing agent_conf.json
  else agent_conf.json missing
    Init->>JQ: validate AGENT_CONFIG as JSON
    alt valid JSON
      Init->>FS: write AGENT_CONFIG -> agent_conf.json
    else not JSON
      Init->>OpenSSL: decode AGENT_CONFIG (base64)
      OpenSSL-->>Init: decoded content
      Init->>FS: write decoded -> agent_conf.json
    end
  end
  note right of Init: logs "Got agent_conf" and "Written agent_conf.json"
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The PR title "Support AGENT_CONFIG from volume mounts and remove secret logging" is fully related to the main changes in the changeset. The title accurately captures the two primary objectives: the addition of file-based config reading via AGENT_CONFIG_PATH (supporting volume-mounted secrets) in config.js and noobaa_init.sh, and the removal of sensitive base64 logging by eliminating the previous echo statements. The title is concise, specific, and avoids vague terms or noise, making it immediately clear to someone reviewing the commit history what the PR addresses.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c5de7b9 and 17b14ea.

📒 Files selected for processing (2)
  • config.js (1 hunks)
  • src/deploy/NVA_build/noobaa_init.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • config.js
🧰 Additional context used
🪛 Shellcheck (0.11.0)
src/deploy/NVA_build/noobaa_init.sh

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests
  • GitHub Check: Build Noobaa Image
🔇 Additional comments (1)
src/deploy/NVA_build/noobaa_init.sh (1)

123-146: Good security improvements to prevent exposure of sensitive configuration.

The refactoring to support AGENT_CONFIG from both environment and volume-mounted config files is solid. The removal of direct logging of the sensitive AGENT_CONFIG value and addition of high-level status messages ("Got agent_conf" and "Written agent_conf.json") is a good security practice. The JSON vs. base64 handling provides flexibility for different config formats.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@aayushchouhan09 aayushchouhan09 mentioned this pull request Oct 14, 2025
Open
2 tasks
coderabbitai[bot]
coderabbitai bot reviewed Oct 14, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2367740 and 5b2fd04.

📒 Files selected for processing (2)
  • config.js (1 hunks)
  • src/deploy/NVA_build/noobaa_init.sh (1 hunks)
🧰 Additional context used
🪛 Shellcheck (0.11.0)
src/deploy/NVA_build/noobaa_init.sh

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build Noobaa Image
  • GitHub Check: run-package-lock-validation
  • GitHub Check: run-jest-unit-tests
🔇 Additional comments (1)
config.js (1)

245-250: LGTM! Clean implementation following existing patterns.

The AGENT_CONFIG section follows the same pattern as other secret configurations (JWT_SECRET, SERVER_SECRET). Using _get_data_from_file is appropriate and handles missing files gracefully by returning undefined, which the shell script later validates.

src/deploy/NVA_build/noobaa_init.sh
Comment on lines 127 to 130
if [ -z ${AGENT_CONFIG} ]; then
cd /root/node_modules/noobaa-core/
AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
fi
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Quote variable and add error handling for cd command.

Two issues:

  1. Line 127: ${AGENT_CONFIG} should be quoted to handle empty strings correctly.
  2. Line 128: Missing error handling if cd fails.

Apply this diff:

-  if [ -z ${AGENT_CONFIG} ]; then
+  if [ -z "${AGENT_CONFIG}" ]; then
-    cd /root/node_modules/noobaa-core/
+    cd /root/node_modules/noobaa-core/ || exit 1
     AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
   fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ -z ${AGENT_CONFIG} ]; then
cd /root/node_modules/noobaa-core/
AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
fi
if [ -z "${AGENT_CONFIG}" ]; then
cd /root/node_modules/noobaa-core/ || exit 1
AGENT_CONFIG=$(node -e "const config = require('./config'); console.log(config.AGENT_CONFIG || '')")
fi
🧰 Tools
🪛 Shellcheck (0.11.0)

[warning] 128-128: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

🤖 Prompt for AI Agents 
In src/deploy/NVA_build/noobaa_init.sh around lines 127 to 130, the test and
directory change are unsafe: quote ${AGENT_CONFIG} in the if test (if [ -z
"${AGENT_CONFIG}" ]) to correctly handle empty/whitespace values, and add error
handling for the cd command (check its exit status and abort with an error
message and non-zero exit code if cd fails) before running the node command.

src/deploy/NVA_build/noobaa_init.sh
Comment on lines +137 to +145
echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
fi
echo "Written agent_conf.json: $(cat ${AGENT_CONF_FILE})"
fi
echo "Written agent_conf.json"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Good security improvement, but quote variable in base64 decode.

Removing the direct echo of AGENT_CONFIG from logs is a good security practice. However, line 142 should quote ${AGENT_CONFIG} to handle values with spaces or special characters safely.

Apply this diff to line 142:

-      openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
+      openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<${AGENT_CONFIG} >${AGENT_CONF_FILE}
fi
echo "Written agent_conf.json: $(cat ${AGENT_CONF_FILE})"
fi
echo "Written agent_conf.json"
echo "Got agent_conf"
if [ ! -f $AGENT_CONF_FILE ]; then
if echo "${AGENT_CONFIG}" | jq . >/dev/null 2>&1; then
echo "${AGENT_CONFIG}" >${AGENT_CONF_FILE}
else
openssl enc -base64 -d -A <<<"${AGENT_CONFIG}" >${AGENT_CONF_FILE}
fi
fi
echo "Written agent_conf.json"
🤖 Prompt for AI Agents 
In src/deploy/NVA_build/noobaa_init.sh around lines 137 to 145, the openssl
base64 decode uses an unquoted here-string which can break on spaces/special
characters; update the here-string to quote the variable (use
<<<"${AGENT_CONFIG}") so the entire AGENT_CONFIG value is passed safely to
openssl without word-splitting or globbing.

@nimrod-becker
Copy link
Contributor

@dannyzaken @jackyalbo @tangledbytes PTAL

tangledbytes
tangledbytes reviewed Oct 17, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@dannyzaken dannyzaken Awaiting requested review from dannyzaken

@jackyalbo jackyalbo Awaiting requested review from jackyalbo

@liranmauda liranmauda Awaiting requested review from liranmauda

@nbecker-cibot nbecker-cibot Awaiting requested review from nbecker-cibot nbecker-cibot was automatically assigned from noobaa/dev

@tangledbytes tangledbytes Awaiting requested review from tangledbytes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aayushchouhan09 @nimrod-becker @tangledbytes