fix(agents): correct logic for agents secrets flags (#554)

rektdeckard · web-flow · commit 104fdf9cbfaf · 2025-04-25T10:29:17.000-06:00
- None required for `lk agent deploy`
- Use lazy exaluation if secrets set via flags in `lk agent
  update-secrets`
diff --git a/cmd/lk/agent.go b/cmd/lk/agent.go
@@ -68,9 +68,10 @@ var (
 	}
 
 	secretsFileFlag = &cli.StringFlag{
-		Name:     "secrets-file",
-		Usage:    "`FILE` containing secret KEY=VALUE pairs, one per line. These will be injected as environment variables into the agent.",
-		Required: false,
+		Name:      "secrets-file",
+		Usage:     "`FILE` containing secret KEY=VALUE pairs, one per line. These will be injected as environment variables into the agent.",
+		TakesFile: true,
+		Required:  false,
 	}
 
 	secretsFlag = &cli.StringSliceFlag{
@@ -121,6 +122,8 @@ var (
 					Before: createAgentClient,
 					Action: deployAgent,
 					Flags: []cli.Flag{
+						secretsFlag,
+						secretsFileFlag,
 						tomlFlag,
 					},
 					ArgsUsage: "[working-dir]",
@@ -374,7 +377,7 @@ func createAgent(ctx context.Context, cmd *cli.Command) error {
 		fmt.Printf("Creating agent [%s]\n", util.Accented(agentConfig.Name))
 	}
 
-	secrets, err := requireSecrets(ctx, cmd)
+	secrets, err := requireSecrets(ctx, cmd, true, false)
 	if err != nil {
 		return err
 	}
@@ -522,19 +525,21 @@ func deployAgent(ctx context.Context, cmd *cli.Command) error {
 		return fmt.Errorf("config file [%s] required to update agent", util.Accented(tomlFilename))
 	}
 
-	secrets, err := requireSecrets(ctx, cmd)
-	if err != nil {
-		return err
-	}
-
 	req := &lkproto.DeployAgentRequest{
 		AgentName:   agentConfig.Name,
-		Secrets:     secrets,
 		Replicas:    int32(agentConfig.Replicas),
 		CpuReq:      string(agentConfig.CPU),
 		MaxReplicas: int32(agentConfig.MaxReplicas),
 	}
 
+	secrets, err := requireSecrets(ctx, cmd, false, true)
+	if err != nil {
+		return err
+	}
+	if len(secrets) > 0 {
+		req.Secrets = secrets
+	}
+
 	resp, err := agentsClient.DeployAgent(ctx, req)
 	if err != nil {
 		if twerr, ok := err.(twirp.Error); ok {
@@ -640,6 +645,14 @@ func updateAgent(ctx context.Context, cmd *cli.Command) error {
 		MaxReplicas: int32(agentConfig.MaxReplicas),
 	}
 
+	secrets, err := requireSecrets(ctx, cmd, false, true)
+	if err != nil {
+		return err
+	}
+	if len(secrets) > 0 {
+		req.Secrets = secrets
+	}
+
 	resp, err := agentsClient.UpdateAgent(ctx, req)
 	if err != nil {
 		if twerr, ok := err.(twirp.Error); ok {
@@ -867,7 +880,7 @@ func updateAgentSecrets(ctx context.Context, cmd *cli.Command) error {
 		return err
 	}
 
-	secrets, err := requireSecrets(ctx, cmd)
+	secrets, err := requireSecrets(ctx, cmd, true, true)
 	if err != nil {
 		return err
 	}
@@ -918,7 +931,7 @@ func getAgentName(cmd *cli.Command, agentDir string, tomlFileName string) (strin
 	return agentName, nil
 }
 
-func requireSecrets(_ context.Context, cmd *cli.Command) ([]*lkproto.AgentSecret, error) {
+func requireSecrets(_ context.Context, cmd *cli.Command, required, lazy bool) ([]*lkproto.AgentSecret, error) {
 	silent := cmd.Bool("silent")
 	secrets := make(map[string]*lkproto.AgentSecret)
 	for _, secret := range cmd.StringSlice("secrets") {
@@ -930,24 +943,27 @@ func requireSecrets(_ context.Context, cmd *cli.Command) ([]*lkproto.AgentSecret
 		secrets[secret[0]] = agentSecret
 	}
 
-	file, env, err := agentfs.DetectEnvFile(cmd.String("secrets-file"))
-	if err != nil {
-		return nil, err
-	}
-	if file != "" && !silent {
-		fmt.Printf("Using secrets file [%s]\n", util.Accented(file))
-	}
-
-	for k, v := range env {
-		if _, exists := secrets[k]; exists {
-			continue
+	shouldReadFromDisk := cmd.IsSet("secrets-file") || !lazy || (required && len(secrets) == 0)
+	if shouldReadFromDisk {
+		file, env, err := agentfs.DetectEnvFile(cmd.String("secrets-file"))
+		if err != nil {
+			return nil, err
+		}
+		if file != "" && !silent {
+			fmt.Printf("Using secrets file [%s]\n", util.Accented(file))
 		}
 
-		secret := &lkproto.AgentSecret{
-			Name:  k,
-			Value: []byte(v),
+		for k, v := range env {
+			if _, exists := secrets[k]; exists {
+				continue
+			}
+
+			secret := &lkproto.AgentSecret{
+				Name:  k,
+				Value: []byte(v),
+			}
+			secrets[k] = secret
 		}
-		secrets[k] = secret
 	}
 
 	var secretsSlice []*lkproto.AgentSecret
@@ -960,7 +976,7 @@ func requireSecrets(_ context.Context, cmd *cli.Command) ([]*lkproto.AgentSecret
 		secretsSlice = append(secretsSlice, secret)
 	}
 
-	if len(secretsSlice) == 0 {
+	if required && len(secretsSlice) == 0 {
 		msg := "no secrets provided"
 		if secretsIgnored {
 			msg = "no valid secrets provided, LIVEKIT_ secrets are ignored and injected automatically to your agent"
diff --git a/pkg/bootstrap/bootstrap.go b/pkg/bootstrap/bootstrap.go
@@ -135,12 +135,14 @@ func ParseTaskfile(rootPath string) (*ast.Taskfile, error) {
 		return nil, nil
 	}
 
-	file, err := os.ReadFile(taskfilePath)
+	file, err := os.Open(taskfilePath)
 	if err != nil {
 		return nil, err
 	}
+	defer file.Close()
+
 	tf := &ast.Taskfile{}
-	if err := yaml.Unmarshal(file, tf); err != nil {
+	if err := yaml.NewDecoder(file).Decode(tf); err != nil {
 		return nil, err
 	}
 	return tf, nil

Original file line number	Diff line number	Diff line change
`@@ -135,12 +135,14 @@ func ParseTaskfile(rootPath string) (*ast.Taskfile, error) {`
`135`	`135`	`return nil, nil`
`136`	`136`	`}`
`137`	`137`
`138`		`- file, err := os.ReadFile(taskfilePath)`
	`138`	`+ file, err := os.Open(taskfilePath)`
`139`	`139`	`if err != nil {`
`140`	`140`	`return nil, err`
`141`	`141`	`}`
	`142`	`+ defer file.Close()`
	`143`	`+`
`142`	`144`	`tf := &ast.Taskfile{}`
`143`		`- if err := yaml.Unmarshal(file, tf); err != nil {`
	`145`	`+ if err := yaml.NewDecoder(file).Decode(tf); err != nil {`
`144`	`146`	`return nil, err`
`145`	`147`	`}`
`146`	`148`	`return tf, nil`