Summary
In the 0.7.7-beta.1 Helm chart, the [discord] block in the generated config.toml is rendered only if ($cfg.discord).botToken is non-empty. This creates a chicken-and-egg problem for users who manage secrets securely (e.g., via AWS Secrets Manager synced into a Kubernetes Secret and exposed to the pod as an environment variable).
Problem Description
To keep secrets secure, we inject the actual Discord Bot Token into an environment variable (e.g., DISCORD_BOT_TOKEN) from a Secret at runtime. We then use a placeholder ${DISCORD_BOT_TOKEN} in the configuration.
However, in the current configmap.yaml template:
{{- if and ($cfg.discord).enabled ($cfg.discord).botToken }}
[discord]
bot_token = "${DISCORD_BOT_TOKEN}"
...
The condition requires botToken to be passed to Helm at helm install/upgrade time just to emit the [discord] section. If we leave it empty, the agent crashes at startup because no adapter is configured. If we provide it, the real token becomes part of the release values, which Helm persists in the release history (the release Secret that helm get values reads back), so anyone with read access to that history can recover the token. That is the security concern.
Suggested Fix
The generation of the [discord] (and [slack]) sections should be decoupled from the presence of the token at render time. It should be possible to enable the adapter and rely on runtime environment variable expansion for the token.
Proposal:
Change the condition in templates/configmap.yaml from:
{{- if and ($cfg.discord).enabled ($cfg.discord).botToken }}
to:
{{- if ($cfg.discord).enabled }}
This way, users can leave botToken empty (or set a dummy value) in the chart values while still getting the [discord] block rendered with the ${DISCORD_BOT_TOKEN} placeholder, and the real token only ever exists in the Secret and the running pod's environment.
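The runtime half of the proposal, as an added example that is not part of the chart or the agent's own code: once the [discord] and [slack] blocks are rendered with ${VAR} placeholders regardless of botToken, something at startup has to resolve those placeholders from the environment. The sketch below assumes the placeholder syntax is exactly ${NAME}, fails closed when a referenced variable is unset or empty (so a missing Secret wiring is reported instead of an adapter starting with an empty token), and includes a check that the rendered ConfigMap text does not contain the literal secret values. The config text and token values are constructed for the example.

```python
"""Added example: resolve ${VAR} placeholders in a rendered config.toml from
the process environment, the pattern this issue relies on.

Assumptions (not from the chart or the agent): placeholders are exactly
${NAME}; a referenced variable that is missing or empty is fatal.
"""
import re
from typing import Mapping

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample of what the ConfigMap should contain when only
# `enabled: true` is set in values.yaml and no token is given to Helm.
RENDERED_CONFIG = """\
[discord]
enabled = true
bot_token = "${DISCORD_BOT_TOKEN}"

[slack]
enabled = true
bot_token = "${SLACK_BOT_TOKEN}"
"""


def referenced_vars(config_text: str) -> list[str]:
    """Names of the environment variables the config expects at runtime."""
    return sorted(set(PLACEHOLDER.findall(config_text)))


def expand_env(config_text: str, env: Mapping[str, str]) -> str:
    """Substitute every ${NAME} from env, failing closed on gaps.

    All unresolved names are collected and reported together, so an
    operator sees every missing Secret key in one startup error.
    """
    missing = [name for name in referenced_vars(config_text) if not env.get(name)]
    if missing:
        raise RuntimeError("unset config variables: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], config_text)


def leaks_literal_secret(rendered_configmap: str, env: Mapping[str, str]) -> bool:
    """True if any real secret value appears verbatim in the rendered
    ConfigMap, i.e. the token was handed to Helm instead of left as a
    placeholder and would now also sit in the release history."""
    return any(value and value in rendered_configmap for value in env.values())


if __name__ == "__main__":
    # Constructed tokens standing in for what the Secret injects at runtime.
    runtime_env = {
        "DISCORD_BOT_TOKEN": "constructed-discord-token",
        "SLACK_BOT_TOKEN": "constructed-slack-token",
    }
    print("placeholders:", referenced_vars(RENDERED_CONFIG))
    print(expand_env(RENDERED_CONFIG, runtime_env))
    print("ConfigMap leaks a token:", leaks_literal_secret(RENDERED_CONFIG, runtime_env))
```

In the cluster the variables come from the Deployment's env entries using valueFrom.secretKeyRef pointing at the synced Secret; the ConfigMap itself never carries more than the placeholder, which is exactly what the relaxed condition makes possible.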
Environment
- Chart Version: 0.7.7-beta.1
- Deployment: EKS (Tokyo)
- Secret Management: AWS Secrets Manager -> K8s Secret -> Env Var
Context
Discord discussion: https://discord.com/channels/1491295327620169908/1491365162869985283