lhumina_code/hero_proc
2
0
Fork 0
Code Issues 27 Pull requests Projects Releases 3 Packages Wiki Activity Actions 1

Manifest env defaults shadow operator-set context secrets at service spawn #151

New issue
Open
opened 2026-06-12 02:27:13 +00:00 by mik-tf · 0 comments
mik-tf commented 2026-06-12 02:27:13 +00:00
Owner
Copy link

When a service declares an env var in its service.toml env block, lab resolves the value at registration time (shell env first, then the manifest default) and bakes it into the stored service definition. At spawn, hero_proc_server builds the child environment as context secrets first and then appends the stored spec env after them (run_job in supervisor/executor.rs), so the baked default always overrides a secret of the same name that an operator later sets in the service's context. Practical effect: hero_proc secret set --context core SOME_VAR value silently does nothing for any var declared with a default in the manifest, and the only working path is re-registering with the var exported in the shell (SOME_VAR=value lab service <name> --start), which then silently reverts to the default on the next plain re-registration. Suggest either letting context secrets win over the spec env at spawn, or re-resolving declared env vars against the secret store at spawn time. Hit live while configuring COCKPIT_MACHINE_ROLE for the cockpit machine profile.

Signed-by: mik-tf mik-tf@noreply.invalid

When a service declares an env var in its service.toml [[env]] block, lab resolves the value at registration time (shell env first, then the manifest default) and bakes it into the stored service definition. At spawn, hero_proc_server builds the child environment as context secrets first and then appends the stored spec env after them (run_job in supervisor/executor.rs), so the baked default always overrides a secret of the same name that an operator later sets in the service's context. Practical effect: `hero_proc secret set --context core SOME_VAR value` silently does nothing for any var declared with a default in the manifest, and the only working path is re-registering with the var exported in the shell (`SOME_VAR=value lab service <name> --start`), which then silently reverts to the default on the next plain re-registration. Suggest either letting context secrets win over the spec env at spawn, or re-resolving declared env vars against the secret store at spawn time. Hit live while configuring COCKPIT_MACHINE_ROLE for [the cockpit machine profile](https://forge.ourworld.tf/lhumina_code/home/issues/282). Signed-by: mik-tf <mik-tf@noreply.invalid>
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
development_markup_admin
integration
main
development_freeze
development_cleanup_138
oschema_migration
feat/secrets-catalogue-hero-db-port
stopgap/openrpc-enforcement-b1
issue-109-path-root-env
development_sameh_hp02
latest-development
latest-integration
latest-main
__scopecheck
__releaser_apitest
latest-dev
latest
lab-latest
v0.5.0-rc2
v0.5.0-rc1
v0.4.4
v0.4.1
v0.1.1
Labels
Clear labels   
prio_critical

   
prio_low

   
type_bug

   
type_contact

   
type_issue

   
type_lead

   
type_question

   
type_story

   
type_task
No labels
prio_critical
prio_low
type_bug
type_contact
type_issue
type_lead
type_question
type_story
type_task
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/hero_proc#151
No description provided.