Skip to content

Commit 224a536

Browse files
committed
ilter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec
- ilter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec Signed-off-by: liranmauda <liran.mauda@gmail.com> (cherry picked from commit a0dffcf) (cherry picked from commit c9e73db) (cherry picked from commit 9f80212)
1 parent 492956e commit 224a536

1 file changed

Lines changed: 15 additions & 0 deletions

File tree

pkg/system/phase2_creating.go

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -392,6 +392,21 @@ func (r *Reconciler) SetDesiredNooBaaDB() error {
392392
}
393393

394394
func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
395+
// Filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec
396+
// it is set via mounting the secret as files
397+
// this will remove the leftover env var in case of an upgrade from older operator version (older than 4.21)
398+
// as we preserve env vars on updates by merging the arrays and not replacing them.
399+
400+
if len(c.Env) > 0 {
401+
filtered := c.Env[:0]
402+
for _, env := range c.Env {
403+
if env.Name != "NOOBAA_ROOT_SECRET" {
404+
filtered = append(filtered, env)
405+
}
406+
}
407+
c.Env = filtered
408+
}
409+
395410
for j := range c.Env {
396411
switch c.Env[j].Name {
397412
case "AGENT_PROFILE":

0 commit comments

Comments
 (0)