filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec

[liranmauda]

Explain the changes

1. filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec

Issues: Fixed #xxx / Gap #xxx

1. https://issues.redhat.com/browse/DFBUGS-4850

Summary by CodeRabbit

• Bug Fixes

  • Removed a sensitive root secret from container environment variables to prevent accidental exposure; the secret is now provided via secure secret mounting.

• Security

  • Improved handling of confidential credentials to reduce risk of leakage and limit exposure in the runtime environment.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

SetDesiredCoreEnv in pkg/system/phase2_creating.go now removes any container Env entries with Name == "NOOBAA_ROOT_SECRET" by rebuilding c.Env without that entry before the existing per-env processing.

Changes

Cohort / File(s)	Summary
Environment variable filtering pkg/system/phase2_creating.go	In SetDesiredCoreEnv, added logic to construct a filtered Env slice excluding entries where Name == "NOOBAA_ROOT_SECRET" and reassign it to c.Env prior to existing env handling; ensures the secret env var is not propagated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• dannyzaken

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description includes the explanation of changes and the related issue, but is missing the required 'Testing Instructions' section with testing details and checkboxes.	Add a 'Testing Instructions' section with steps to verify the fix and include the documentation and testing checkboxes as specified in the template.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: filtering out NOOBAA_ROOT_SECRET from environment variables to prevent exposure in pod specifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e909c24 and a0dffcf.

📒 Files selected for processing (1)

• pkg/system/phase2_creating.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-operator-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-cli-tests
• GitHub Check: run-hac-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: golangci-lint
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-dev-test

🔇 Additional comments (1)

pkg/system/phase2_creating.go (1)

441-454: Excellent security improvement.

The filtering logic correctly removes NOOBAA_ROOT_SECRET from environment variables before the pod spec is finalized. The in-place filtering using filtered := c.Env[:0] is idiomatic and efficient Go. The placement ensures it catches any instance of the env var—whether from current settings or from upgrades—since it runs after merging default env vars but before the switch statement processes them. The secret is properly provided via file-based mounting at line 632.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/system/phase2_creating.go (1)

441-454: Fix typo and consider extracting duplicate filtering logic.

Minor issues:

1. Typo in comment: "older then 4.21" should be "older than 4.21"
2. This exact filtering pattern is duplicated in pkg/system/phase4_configuring.go (lines 372-380). Consider extracting it to a helper function like filterEnvVar(envVars []corev1.EnvVar, nameToFilter string) []corev1.EnvVar to follow the DRY principle.

The filtering logic itself is correct and uses the idiomatic in-place filtering pattern.

🔎 Proposed refactor to eliminate duplication

Add a helper function at the package level:

// filterEnvVar removes environment variables with the specified name from the slice
func filterEnvVar(envVars []corev1.EnvVar, nameToFilter string) []corev1.EnvVar {
	if len(envVars) == 0 {
		return envVars
	}
	filtered := envVars[:0]
	for _, env := range envVars {
		if env.Name != nameToFilter {
			filtered = append(filtered, env)
		}
	}
	return filtered
}

Then replace the filtering blocks with:

-	if len(c.Env) > 0 {
-		filtered := c.Env[:0]
-		for _, env := range c.Env {
-			if env.Name != "NOOBAA_ROOT_SECRET" {
-				filtered = append(filtered, env)
-			}
-		}
-		c.Env = filtered
-	}
+	c.Env = filterEnvVar(c.Env, "NOOBAA_ROOT_SECRET")

Apply the same change in both files.

pkg/system/phase4_configuring.go (1)

367-381: Fix typo and consider extracting duplicate filtering logic.

Minor issues:

1. Typo in comment: "older then 4.21" should be "older than 4.21"
2. This filtering logic is duplicated from pkg/system/phase2_creating.go (lines 446-454). Extract to a shared helper function to avoid code duplication.

The filtering logic itself is correct. The placement here (after util.MergeEnvArrays but before the env var processing loop) ensures the filter applies to the endpoint container's environment regardless of whether JoinSecret is set.

🔎 Proposed refactor

See the refactoring suggestion in the review comment for pkg/system/phase2_creating.go:441-454 to extract a shared filterEnvVar helper function.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40ea3c0 and ce5da53.

📒 Files selected for processing (2)

• pkg/system/phase2_creating.go
• pkg/system/phase4_configuring.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-kms-dev-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-operator-tests
• GitHub Check: golangci-lint
• GitHub Check: run-hac-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-cli-tests
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-kmip-test

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ce5da53 and d3a8902.

📒 Files selected for processing (1)

• pkg/system/phase2_creating.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-operator-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-hac-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: golangci-lint
• GitHub Check: run-kms-dev-test
• GitHub Check: run-cli-tests
• GitHub Check: run-admission-test
• GitHub Check: run-azure-vault-test