fix: validate only kubernetes-related vars from kubernetes metadata

[pkoutsovasilis]

What does this PR do?

This PR updates the Kubernetes hints variable substitution logic to:

1. Restrict variable resolution to only Kubernetes-related metadata keys (e.g., ${kubernetes.pod.name}), ensuring that non-Kubernetes variables are ignored.
2. Replace usage of strings.Replace with strings.ReplaceAll to simplify code and improve readability, addressing lint rule QF1004.

Specifically:

• The regular expression used to detect variable placeholders is narrowed from \${([^{}]+)} to \${(kubernetes\.[^{}]+)}, preventing unintended resolution of non-Kubernetes placeholders such as env vars ${env_var}.
• strings.Replace with -1 is replaced by strings.ReplaceAll.

Why is it important?

Because it allows users to follow the best-practices in our documentation and actually set the value of a pod annotation as an env var of the elastic-agent pod.

co.elastic.hints/password
The password to use for authentication. It is recommended to retrieve this sensitive information from an ENV variable and avoid placing passwords in plain text.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

How to test this PR locally

1. Provision a kind k8s cluster
2. Install ECK operator

helm install elastic-operator elastic/eck-operator -n elastic-system --create-namespace

3. Deploy an Elasticsearch cluster

cat <<EOF | kubectl apply -f - apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: http: tls: selfSignedCertificate: disabled: true version: 9.2.0-SNAPSHOT nodeSets: - name: default count: 1 config: node.store.allow_mmap: false podTemplate: metadata: annotations: co.elastic.hints/enabled: "true" co.elastic.hints/package: elasticsearch co.elastic.hints/host: "http://\${kubernetes.pod.ip}:9200" co.elastic.hints/username: "\${HINTS_ELASTICSEARCH_USERNAME}" co.elastic.hints/password: "\${HINTS_ELASTICSEARCH_PASSWORD}" EOF

5. Compile the elastic-agent image of this PR and loaded in kind

USE_PACKAGE_VERSION="true" SNAPSHOT="true" EXTERNAL="true" PLATFORMS="linux/arm64" PACKAGES="docker" DOCKER_VARIANTS="basic" mage package kind load docker-image docker.elastic.co/elastic-agent/elastic-agent:9.2.0-SNAPSHOT

6. Get the elasticsearch password (username is elastic)

kubectl get secret -n default quickstart-es-elastic-user -o jsonpath="{.data.elastic}" | base64 --decode

6. Install elastic-agent using the helm chart with the values below

outputs: default: type: ESPlainAuthBasic url: "${YOUR_ES_HOST}" username: "${YOUR_ES_USERNAME}" password: "${YOUR_ES_PASSWORD}" kubernetes: hints: enabled: true state: enabled: false apiserver: enabled: false agent: presets: perNode: extraEnvs: - name: HINTS_ELASTICSEARCH_USERNAME value: "elastic" - name: HINTS_ELASTICSEARCH_PASSWORD value: "${THE_PASSWORD_FROM_PREVIOUS_STEP}" 

8. exec inside the agent pod and grab a diagnostics and in the rendered beats config you will see the elasticsearch one being rendered correctly

Related issues

• N/A

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 69e69f5

Failed CI Steps

• Win2022:sudo:default

cc @pkoutsovasilis

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[github-actions]

@Mergifyio backport 8.17 8.18 8.19 9.0 9.1

[mergify]

backport 8.17 8.18 8.19 9.0 9.1

✅ Backports have been created

• #9418 [8.17] (backport #9307) fix: validate only kubernetes-related vars from kubernetes metadata has been created for branch 8.17
• #9419 [8.18] (backport #9307) fix: validate only kubernetes-related vars from kubernetes metadata has been created for branch 8.18
• #9420 [8.19] (backport #9307) fix: validate only kubernetes-related vars from kubernetes metadata has been created for branch 8.19
• #9421 [9.0] (backport #9307) fix: validate only kubernetes-related vars from kubernetes metadata has been created for branch 9.0
• #9422 [9.1] (backport #9307) fix: validate only kubernetes-related vars from kubernetes metadata has been created for branch 9.1