Refactor envvar filtering to only kubelet collector

DataDog · Feb 26, 2025 · 407ff22 · 407ff22
1 parent ccb9b5a
commit 407ff22
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 24 deletions.
diff --git a/comp/core/workloadmeta/collectors/internal/kubelet/kubelet.go b/comp/core/workloadmeta/collectors/internal/kubelet/kubelet.go
@@ -402,6 +402,7 @@ func extractContainerSecurityContext(spec *kubelet.ContainerSpec) *workloadmeta.
 }
 
 func extractEnvFromSpec(envSpec []kubelet.EnvVar) map[string]string {
+	filterEnvVars(&envSpec)
 	env := make(map[string]string)
 	mappingFunc := expansion.MappingFuncFor(env)
 
@@ -436,6 +437,19 @@ func extractEnvFromSpec(envSpec []kubelet.EnvVar) map[string]string {
 	return env
 }
 
+// filterEnvVars removes unsupported env var sources (eg. ConfigMap, Secrets, etc.)
+func filterEnvVars(envSpec *[]kubelet.EnvVar) {
+	j := 0 // Position for the next valid element
+	for _, envVar := range *envSpec {
+		if envVar.ValueFrom != nil {
+			continue
+		}
+		(*envSpec)[j] = envVar
+		j++
+	}
+	*envSpec = (*envSpec)[:j]
+}
+
 func extractResources(spec *kubelet.ContainerSpec) workloadmeta.ContainerResources {
 	resources := workloadmeta.ContainerResources{}
 	if cpuReq, found := spec.Resources.Requests[kubelet.ResourceCPU]; found {

diff --git a/internal/third_party/golang/expansion/expand.go b/internal/third_party/golang/expansion/expand.go
@@ -19,6 +19,9 @@ func syntaxWrap(input string) string {
 // implements the expansion semantics defined in the expansion spec; it
 // returns the input string wrapped in the expansion syntax if no mapping
 // for the input is found.
+//
+// Additionally, it returns a boolean indicating whether the variable was
+// found in the context.
 func MappingFuncFor(context ...map[string]string) func(string) (string, bool) {
 	return func(input string) (string, bool) {
 		for _, vars := range context {
@@ -35,9 +38,13 @@ func MappingFuncFor(context ...map[string]string) func(string) (string, bool) {
 // Expand replaces variable references in the input string according to
 // the expansion spec using the given mapping function to resolve the
 // values of variables.
+//
+// Additionally, it returns the status of whether all nested variables
+// have a defined mapping value in the environment.
 func Expand(input string, mapping func(string) (string, bool)) (string, bool) {
 	var buf bytes.Buffer
 	checkpoint := 0
+	allMappingsFound := true
 	for cursor := 0; cursor < len(input); cursor++ {
 		if input[cursor] == operator && cursor+1 < len(input) {
 			// Copy the portion of the input string since the last
@@ -53,9 +60,12 @@ func Expand(input string, mapping func(string) (string, bool)) (string, bool) {
 				// apply the mapping to the variable name and copy the
 				// bytes into the buffer
 				mappedValue, found := mapping(read)
+
+				// Record that the read variable is not mapped in the environment
 				if !found {
-					return "", false
+					allMappingsFound = false
 				}
+
 				buf.WriteString(mappedValue)
 			} else {
 				// Not a variable name; copy the read bytes into the buffer
@@ -72,8 +82,9 @@ func Expand(input string, mapping func(string) (string, bool)) (string, bool) {
 	}
 
 	// Return the buffer and any remaining unwritten bytes in the
-	// input string.
-	return buf.String() + input[checkpoint:], true
+	// input string. Also return whether any nested variables in
+	// the input string were not found in the environment.
+	return buf.String() + input[checkpoint:], allMappingsFound
 }
 
 // tryReadVariableName attempts to read a variable name from the input

diff --git a/internal/third_party/golang/expansion/expand_test.go b/internal/third_party/golang/expansion/expand_test.go
@@ -165,13 +165,13 @@ func doExpansionTest(t *testing.T, mapping func(string) (string, bool)) {
 		{
 			name:           "nested var references",
 			input:          "$(VAR_A$(VAR_B))",
-			expected:       "",
+			expected:       "$(VAR_A$(VAR_B))",
 			expectedStatus: false,
 		},
 		{
 			name:           "nested var references second type",
 			input:          "$(VAR_A$(VAR_B)",
-			expected:       "",
+			expected:       "$(VAR_A$(VAR_B)",
 			expectedStatus: false,
 		},
 		{
@@ -219,7 +219,7 @@ func doExpansionTest(t *testing.T, mapping func(string) (string, bool)) {
 		{
 			name:           "undefined vars are passed through",
 			input:          "$(VAR_DNE)",
-			expected:       "",
+			expected:       "$(VAR_DNE)",
 			expectedStatus: false,
 		},
 		{
@@ -237,7 +237,7 @@ func doExpansionTest(t *testing.T, mapping func(string) (string, bool)) {
 		{
 			name:           "multiple (odd) operators, var undefined",
 			input:          "$$$$$$$(GOOD_ODDS)",
-			expected:       "",
+			expected:       "$$$$(GOOD_ODDS)",
 			expectedStatus: false,
 		},
 		{
@@ -303,7 +303,7 @@ func doExpansionTest(t *testing.T, mapping func(string) (string, bool)) {
 		{
 			name:           "escaped operators in variable names are not escaped",
 			input:          "$(foo$$var)",
-			expected:       "",
+			expected:       "$(foo$$var)",
 			expectedStatus: false,
 		},
 		{

diff --git a/pkg/util/kubernetes/kubelet/kubelet.go b/pkg/util/kubernetes/kubelet/kubelet.go
@@ -230,8 +230,6 @@ func (ku *KubeUtil) getLocalPodList(ctx context.Context) (*PodList, error) {
 			allContainers = append(allContainers, pod.Status.InitContainers...)
 			allContainers = append(allContainers, pod.Status.Containers...)
 			pod.Status.AllContainers = allContainers
-			filterEnvVars(pod.Spec.Containers)
-			filterEnvVars(pod.Spec.InitContainers)
 			tmpSlice = append(tmpSlice, pod)
 		}
 	}
@@ -482,17 +480,3 @@ func isPodStatic(pod *Pod) bool {
 	}
 	return false
 }
-
-// filterEnvVars removes unsupported env var sources (eg. ConfigMap, Secrets, etc.)
-func filterEnvVars(containers []ContainerSpec) {
-	for i := range containers {
-		cleanEnvVars := make([]EnvVar, 0)
-		for _, envVar := range containers[i].Env {
-			if envVar.ValueFrom != nil {
-				continue
-			}
-			cleanEnvVars = append(cleanEnvVars, envVar)
-		}
-		containers[i].Env = cleanEnvVars
-	}
-}