Skip to content

[Amber] Fix: Bug: BOT_TOKEN is failing to update inside session pod because it is injected via env var instead of file mount#1050

Merged
Gkrumbach07 merged 1 commit intomainfrom
amber/issue-1046-bug-bot-token-is-failing-to-update-inside-session-
Mar 26, 2026
Merged

[Amber] Fix: Bug: BOT_TOKEN is failing to update inside session pod because it is injected via env var instead of file mount#1050
Gkrumbach07 merged 1 commit intomainfrom
amber/issue-1046-bug-bot-token-is-failing-to-update-inside-session-

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot commented Mar 26, 2026

Automated Fix by Amber Agent

This PR addresses issue #1046 using the Amber background agent.

Changes Summary

  • Action Type: auto-fix
  • Commit: d90bc45
  • Triggered by: Issue label/command

Pre-merge Checklist

  • All linters pass
  • All tests pass
  • Changes follow project conventions (CLAUDE.md)
  • No scope creep beyond issue description

Reviewer Notes

This PR was automatically generated. Please review:

  1. Code quality and adherence to standards
  2. Test coverage for changes
  3. No unintended side effects

🤖 Generated with Amber Background Agent

Closes #1046

@claude
fix(runner): mount BOT_TOKEN as file so kubelet refreshes it on rotation
d90bc45 
The runner token was previously injected as an environment variable via
SecretKeyRef, which Kubernetes resolves once at pod start and never
updates. When the operator rotates the runner token (refreshRunnerToken),
the env var in the long-running pod remained stale, causing authentication
failures.

Fix: mount the runner-token Secret as a volume file at
/var/run/secrets/ambient/bot-token. Kubelet automatically updates the
file when the Secret changes. Add a get_bot_token() helper in the runner
that reads from the file first and falls back to the BOT_TOKEN env var
for local/non-Kubernetes runs. Replace all os.getenv('BOT_TOKEN') call
sites with get_bot_token(), and update BackendAPIClient._make_request to
re-read the token on every call so long-lived clients always use the
current token.

The init container retains env var injection since it runs only once at
pod startup with a freshly minted token.

Fixes #1046

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added amber-generated PR created by Amber background agent auto-fix labels Mar 26, 2026
@github-actions github-actions bot mentioned this pull request Mar 26, 2026
Closed
@ambient-code ambient-code bot added this to the Review Queue milestone Mar 26, 2026
@Gkrumbach07 Gkrumbach07 merged commit f62b4ca into main Mar 26, 2026
6 checks passed
@Gkrumbach07 Gkrumbach07 deleted the amber/issue-1046-bug-bot-token-is-failing-to-update-inside-session- branch March 26, 2026 22:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Gkrumbach07 Gkrumbach07 Gkrumbach07 approved these changes

Assignees

No one assigned

Labels

amber-generated PR created by Amber background agent auto-fix

Projects

None yet

Milestone

Review Queue

Development

Successfully merging this pull request may close these issues.

Bug: BOT_TOKEN is failing to update inside session pod because it is injected via env var instead of file mount

1 participant

@Gkrumbach07