Enhance security by filtering out sensitive keys and improve version handling in ConfigMap injection

Author: chenzhiguo

pkg/mutation/mutation_deploy.go

@@ -242,14 +242,24 @@ func AddApplicationEnvironments(source appsv1.Deployment, target *appsv1.Deploym
 
 func createOrUpdateConfigMap(deploy *appsv1.Deployment) error {
 	configMapData := config.DefaultInjectorConfigMap
-	if version, ok := deploy.Spec.Template.Labels[config.AgentVersionLabel]; ok {
+	// Prefer version from pod template labels, fallback to deployment labels.
+	version, ok := deploy.Spec.Template.Labels[config.AgentVersionLabel]
+	if !ok {
+		version = deploy.Labels[config.AgentVersionLabel]
+	}
+
+	if version != "" {
 		if agentVersion, ok := config.InjectorAgentVersion[version]; ok {
 			cmd, configExists := config.InjectorConfigMaps[agentVersion.ConfigMapName]
 			if agentVersion.Enable && configExists {
 				configMapData = cmd
-				log.Info("[mutation] injection-deploy: Inject the specified version of configMap",
+				log.Info("[mutation] injection-deploy: Injecting specified version of ConfigMap",
 					zap.String("deployment", deploy.Name), zap.String("version", version),
 					zap.String("cmName", agentVersion.ConfigMapName))
+				// Ensure the pod template has the agent version label.
+				deploy.Spec.Template.Labels[config.AgentVersionLabel] = version
+			} else {
+				log.Warnf("[mutation] injection-deploy: Specified agent version '%s' for deployment '%s' is not enabled or its config is missing. Using default.", version, deploy.Name)
 			}
 		}
 	}

pkg/mutation/mutation_pod.go

@@ -238,7 +238,13 @@ func addPodInitContainer(targetPod *corev1.Pod, _ []corev1.EnvVar, deploymentNam
 				agentVersion = v.Version
 				log.Info("[mutation] injection-pod: Inject the specified version to pod",
 					zap.String("pod", targetPod.Name), zap.String("version", agentVersion))
+			} else {
+				log.Warnf("[mutation] injection-pod: The specified version %s is not enabled or the configuration information is missing, using the default version %s",
+					av, config.DefaultInjectorConfig.AgentConfig.Version)
 			}
+		} else {
+			log.Warnf("[mutation] injection-pod: The specified version %s does not exist, using the default version %s",
+				av, config.DefaultInjectorConfig.AgentConfig.Version)
 		}
 	}
 	agentInitContainer := &corev1.Container{

pkg/resource/control.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 
 	"github.com/jd-opensource/joylive-injector/pkg/config"
 )
@@ -57,6 +58,10 @@ func GetApplicationEnvironments(labels map[string]string) (map[string]string, er
 			return nil, response.Error
 		}
 		for key, value := range response.Data {
+			// Filter out keys ending with "USERNAME" and "PASSWORD" to enhance security.
+			if strings.HasSuffix(key, "USERNAME") || strings.HasSuffix(key, "PASSWORD") {
+				continue
+			}
 			envMaps[key] = value
 		}
 		envMaps["APPLICATION_NAME"] = application