Unset environment variables that might have sensitive data, after use

Michael Chmielewski · Michael Chmielewski · commit 136c5b966a65 · 2023-01-17T13:23:10.000-05:00
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
@@ -102,7 +102,8 @@ spec:
           - >-
               eval "tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS" &&
               tsagent config --set $THREATSTACK_CONFIG_ARGS &&
-              exec /opt/threatstack/sbin/tsagentd -logstdout=1
+              exec /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+              unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 {{- end }}
 {{- if .Values.daemonset.livenessProbe }}
         livenessProbe:
diff --git a/templates/deployment-api-reader.yaml b/templates/deployment-api-reader.yaml
@@ -94,7 +94,8 @@ spec:
           - >-
               eval "tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS" &&
               tsagent config --set $THREATSTACK_CONFIG_ARGS &&
-              exec /opt/threatstack/sbin/tsagentd -logstdout=1
+              exec /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+              unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 {{- if .Values.apiReader.livenessProbe }}
         livenessProbe:
 {{ toYaml .Values.apiReader.livenessProbe | indent 10 }}
diff --git a/values.yaml b/values.yaml
@@ -40,7 +40,8 @@ gkeContainerOsCmd:
         systemctl mask systemd-journald-audit.socket;
         systemctl restart systemd-journald; auditctl --backlog_wait_time 0' &&
         eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
-        eval tsagent config --set $THREATSTACK_CONFIG_ARGS && sleep 5 && exec /opt/threatstack/sbin/tsagentd -logstdout=1
+        eval tsagent config --set $THREATSTACK_CONFIG_ARGS && sleep 5 && exec /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+        unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 
 # Using Ubuntu nodes
 gkeUbuntu: false
@@ -53,7 +54,8 @@ gkeUbuntuCmd:
         eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
         eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
         sleep 5 &&
-        exec /opt/threatstack/sbin/tsagentd -logstdout=1
+        exec /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+        unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 
 # Using EKS Amazon Linux 2 nodes
 eksAmazon2: false
@@ -66,7 +68,8 @@ eksAmazon2Cmd:
         eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
         eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
         sleep 5 &&
-        exec /opt/threatstack/sbin/tsagentd -logstdout=1
+        exec /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+        unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 
 # Uncomment the command and args sub-attributes, and define them as desired to run custom commands in the Daemonset.
 #
@@ -83,7 +86,8 @@ customDaemonsetCmd: {}
   #       eval tsagent setup --deploy-key $THREATSTACK_SETUP_DEPLOY_KEY $THREATSTACK_SETUP_ARGS &&
   #       eval tsagent config --set $THREATSTACK_CONFIG_ARGS &&
   #       sleep 5 &&
-  #       /opt/threatstack/sbin/tsagentd -logstdout=1
+  #       /opt/threatstack/sbin/tsagentd -logstdout=1 &&
+  #       unset THREATSTACK_SETUP_DEPLOY_KEY THREATSTACK_SETUP_ARGS THREATSTACK_CONFIG_ARGS
 
 # Using OpenShift
 #
