Skip to content

IssueBot: Pass CF credential env vars through CloudFoundrySandboxProvider to DEPLOYER tasks (#35)#61

Merged
dbbaskette merged 1 commit intomainfrom
issuebot/issue-35-pass-cf-credential-env-vars-through-cloudfoundrysa
Feb 21, 2026
Merged

IssueBot: Pass CF credential env vars through CloudFoundrySandboxProvider to DEPLOYER tasks (#35)#61
dbbaskette merged 1 commit intomainfrom
issuebot/issue-35-pass-cf-credential-env-vars-through-cloudfoundrysa

Conversation

@dbbaskette
Copy link
Copy Markdown
Owner

@dbbaskette dbbaskette commented Feb 21, 2026

Summary

Resolves #35

Summary

Ensure that when CloudFoundrySandboxProvider dispatches a DEPLOYER task, the CF credentials (CF_API_URL, CF_USERNAME, CF_PASSWORD, CF_ORG, CF_SPACE) are included as environment variables in the CF task, allowing the Goose agent to authenticate and deploy.

Context

Currently, CloudFoundrySandboxProvider passes env vars like GOOSE_MODEL, GOOSE_PROVIDER, OPENAI_API_KEY, and OPENAI_HOST to all agent CF tasks. For the DEPLOYER agent, we also need the CF credentials that the orchestrator itself uses.

Changes Required

1. CloudFoundrySandboxProvider.java

When the agent type is DEPLOYER, add these env vars to the CF task:

Variable Source
CF_API_URL From orchestrator env / CloudFoundryProperties
CF_USERNAME From orchestrator env / CloudFoundryProperties
CF_PASSWORD From orchestrator env / CloudFoundryProperties
CF_ORG From orchestrator env / CloudFoundryProperties
CF_SPACE From orchestrator env / CloudFoundryProperties
CF_APPS_DOMAIN New property — the apps domain for route generation

2. CloudFoundryProperties.java

Add a property for the apps domain:

private String appsDomain; // e.g., "tas-tdc.kuhn-labs.com"

3. application-cf.yml

Add:

cf:
  apps-domain: ${CF_APPS_DOMAIN:apps.internal}

4. .env

Add:

CF_APPS_DOMAIN=tas-tdc.kuhn-labs.com

Security Considerations

  • CF credentials are already stored as env vars in the orchestrator (from VCAP_SERVICES or .env)
  • They are passed to the CF task which runs in the same CF space
  • No credentials are stored in code or manifests
  • Consider: should we limit credential env vars to DEPLOYER tasks only? (Yes — coder/tester don't need them)

Acceptance Criteria

  • DEPLOYER tasks receive CF_API_URL, CF_USERNAME, CF_PASSWORD, CF_ORG, CF_SPACE as env vars
  • CODER/TESTER/REVIEWER tasks do NOT receive CF credential env vars
  • CF_APPS_DOMAIN is configurable and passed through
  • Agent can successfully run cf api / cf auth / cf target inside the task container

PRD Reference

docs/deployer-agent-prd.md — "Environment Variables" and "Agent Communication"

IssueBot Metadata

  • Iterations: 1 (review: 0)
  • Estimated Cost: $0.7019 (impl: $0.7019, review: $0.0000)
  • Mode: APPROVAL_GATED

This PR was automatically generated by IssueBot

This was referenced Feb 21, 2026
Closed
Closed
@dbbaskette dbbaskette marked this pull request as ready for review February 21, 2026 03:03
@dbbaskette dbbaskette merged commit 395e8b9 into main Feb 21, 2026
1 check passed
@dbbaskette dbbaskette mentioned this pull request Feb 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Pass CF credential env vars through CloudFoundrySandboxProvider to DEPLOYER tasks

1 participant

@dbbaskette