[Backport into 5.21] Filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec

[liranmauda]

Explain the changes

1. Filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec

Issues: Fixed #xxx / Gap #xxx

1. https://issues.redhat.com/browse/DFBUGS-4850

Summary by CodeRabbit

• Chores

  • Updated Go toolchain to version 1.25.5 and upgraded multiple dependencies including Azure SDKs, KEDA, and other supporting libraries.

• Bug Fixes

  • Enhanced security by removing NOOBAA_ROOT_SECRET from pod environment variables; the secret is now mounted via files instead.

• Tests

  • Removed KMS initialization condition verification from test suites.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Go toolchain upgraded to 1.25.5; several dependencies updated (KEDA, Azure SDKs, expr-lang, compress). NOOBAA_ROOT_SECRET removed from container environment variables to prevent secret exposure in pod specs. KMSInit condition assertions removed from multiple KMS test files.

Changes

Cohort / File(s)	Summary
Dependency Updates go.mod	Upgraded Go toolchain to 1.25.5; updated indirect dependencies including KEDA v2 (v2.18.1 → v2.18.3), Azure SDKs (azcore, azidentity, MSAL), expr-lang, and compress libraries.
Environment Variable Handling pkg/system/phase2_creating.go	Removed NOOBAA_ROOT_SECRET from core container environment variables in setDesiredCoreEnv; secret is now mounted via files instead of exposed in pod spec.
KMS Test Cleanup pkg/util/kms/test/dev/kms_dev_test.go, pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go, pkg/util/kms/test/kmip/kms_kmip_test.go, pkg/util/kms/test/rotate/kms_rotate_test.go, pkg/util/kms/test/tls-sa/kms_tls_sa_test.go, pkg/util/kms/test/tls-token/kms_tls_token_test.go	Removed verification assertions for KMSInit condition across multiple KMS test scenarios (Create default system, Create Vault Noobaa, Create Vault v2, Verify KMIP, Verify Rotate, TLS SA, TLS Token contexts). Remaining test logic and other assertions remain intact.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• CI | Remove KMS condition status Init checks from tests #1755: Removes identical KMSInit condition status checks from the same KMS test files.
• filter out NOOBAA_ROOT_SECRET from env vars to avoid exposing it in pod spec #1753: Filters NOOBAA_ROOT_SECRET from container environment in the same phase2_creating.go file.

Suggested reviewers

• nimrod-becker
• dannyzaken

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: filtering out NOOBAA_ROOT_SECRET from environment variables to prevent exposure in the pod spec.
Description check	✅ Passed	The description includes the required 'Explain the changes' and 'Issues' sections with adequate detail. The testing instructions section is present but empty, which is acceptable for non-test-focused changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70b16cc and a1f6038.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (8)

• go.mod
• pkg/system/phase2_creating.go
• pkg/util/kms/test/dev/kms_dev_test.go
• pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go
• pkg/util/kms/test/kmip/kms_kmip_test.go
• pkg/util/kms/test/rotate/kms_rotate_test.go
• pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
• pkg/util/kms/test/tls-token/kms_tls_token_test.go

💤 Files with no reviewable changes (6)

• pkg/util/kms/test/rotate/kms_rotate_test.go
• pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go
• pkg/util/kms/test/dev/kms_dev_test.go
• pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
• pkg/util/kms/test/kmip/kms_kmip_test.go
• pkg/util/kms/test/tls-token/kms_tls_token_test.go

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: Neon-White
Repo: noobaa/noobaa-operator PR: 1662
File: .github/workflows/manual-upgrade-tests.yaml:0-0
Timestamp: 2025-08-07T13:17:18.101Z
Learning: Go 1.23 was released on August 13, 2024, and is a stable version. As of August 2025, Go 1.24 is the latest major version, but Go 1.23 remains actively supported and widely used.

📚 Learning: 2025-09-07T07:50:45.559Z

Learnt from: liranmauda
Repo: noobaa/noobaa-operator PR: 1687
File: scripts/run-golangci-lint.sh:48-56
Timestamp: 2025-09-07T07:50:45.559Z
Learning: In the noobaa-operator repository, the maintainer liranmauda has confirmed that Go files with spaces in their names are not present and will never be allowed. Shellcheck warnings about word splitting in filename handling can be ignored when they relate to this edge case, as the added complexity for handling spaces is not justified.

Applied to files:

• go.mod

📚 Learning: 2025-09-02T11:05:25.671Z

Learnt from: Neon-White
Repo: noobaa/noobaa-operator PR: 0
File: :0-0
Timestamp: 2025-09-02T11:05:25.671Z
Learning: In the noobaa-operator repository, the golangci-lint timeout is configured in `.golangci.yml` under `run.timeout` and is set to 5 minutes.

Applied to files:

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-operator-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-cli-tests
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-hac-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: golangci-lint
• GitHub Check: run-kms-dev-test

🔇 Additional comments (3)

pkg/system/phase2_creating.go (1)

440-454: LGTM! Security improvement with correct filtering logic.

The in-place filtering pattern efficiently removes NOOBAA_ROOT_SECRET from environment variables while preserving other env vars. Moving secrets from environment variables to mounted files is a security best practice, as it prevents secret exposure in pod specifications and kubectl describe output.

The setDesiredRootMasterKeyMounts function properly mounts the secret as a read-only volume to /etc/noobaa-server/root_keys, and no other code in the codebase reads NOOBAA_ROOT_SECRET from environment variables. The filtering also handles upgrades from pre-4.21 operator versions that may have leftover env var references.

go.mod (2)

27-27: Azure SDK updates are safe; KEDA v2.18.3 is a security-critical fix.

The dependency updates are verified:

• Azure SDK azcore v1.20.0: No breaking changes. Includes features (HTTPVerb option for next-link fetching) and bug fixes (base64 decode panic, resource ID parsing).
• Azure SDK azidentity v1.13.1: No breaking changes. Windows-specific bug fix for quoted arguments in AzureCLICredential.
• KEDA v2.18.3: Fixes CVE-2025-68476, a high-severity arbitrary file-read vulnerability in HashiCorp Vault TriggerAuthentication. Upgrade is recommended.
• Other updates (expr, klauspost/compress) are routine patch releases.

Proceed with these dependency updates.

---

3-3: Go 1.25.5 is the latest stable release (released December 2, 2025) and is suitable for use.

No action required.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}