From b9f43f4bf9cb8e7fe9b6b644556a7e59ca4f756a Mon Sep 17 00:00:00 2001
From: sallyom
Date: Thu, 4 Dec 2025 09:15:54 -0500
Subject: [PATCH] fix: Only validate ambient-runner-secrets when Vertex AI is disabled

Fixes a regression where ambient-runner-secrets validation occurs unconditionally, causing session creation to fail even when CLAUDE_CODE_USE_VERTEX=1. This fix wraps the runner secret validation in a !vertexEnabled check, since the secret is only needed when Vertex AI is disabled. When Vertex is enabled, the ambient-vertex secret is used instead. Changes: - Wrap runner secret validation in 'if !vertexEnabled' block - Add descriptive log messages for both Vertex enabled/disabled cases - Maintain error handling and status conditions for non-Vertex case

Co-authored-by: Claude
Signed-off-by: sallyom
---
 .../operator/internal/handlers/sessions.go | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/components/operator/internal/handlers/sessions.go b/components/operator/internal/handlers/sessions.go
index ea8436f54..1059c807c 100644
--- a/components/operator/internal/handlers/sessions.go
+++ b/components/operator/internal/handlers/sessions.go
@@ -810,21 +810,27 @@ func handleAgenticSessionEvent(obj *unstructured.Unstructured) error {
 const runnerSecretsName = "ambient-runner-secrets" // ANTHROPIC_API_KEY only (ignored when Vertex enabled)
 const integrationSecretsName = "ambient-non-vertex-integrations" // GIT_*, JIRA_*, custom keys (optional)
 
- // Check if integration secrets exist (optional)
- if _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(context.TODO(), runnerSecretsName, v1.GetOptions{}); err != nil {
- if !errors.IsNotFound(err) {
- log.Printf("Error checking runner secret %s: %v", runnerSecretsName, err)
- } else {
- log.Printf("Runner secret %s missing in %s", runnerSecretsName, sessionNamespace)
+ // Only check for runner secrets when Vertex is disabled
+ // When Vertex is enabled, ambient-vertex secret is used instead
+ if !vertexEnabled {
+ if _, err := config.K8sClient.CoreV1().Secrets(sessionNamespace).Get(context.TODO(), runnerSecretsName, v1.GetOptions{}); err != nil {
+ if !errors.IsNotFound(err) {
+ log.Printf("Error checking runner secret %s: %v", runnerSecretsName, err)
+ } else {
+ log.Printf("Runner secret %s missing in %s (Vertex disabled)", runnerSecretsName, sessionNamespace)
+ }
+ statusPatch.AddCondition(conditionUpdate{
+ Type: conditionSecretsReady,
+ Status: "False",
+ Reason: "RunnerSecretMissing",
+ Message: fmt.Sprintf("Secret %s missing", runnerSecretsName),
+ })
+ _ = statusPatch.Apply()
+ return fmt.Errorf("runner secret %s missing in namespace %s", runnerSecretsName, sessionNamespace)
 }
- statusPatch.AddCondition(conditionUpdate{
- Type: conditionSecretsReady,
- Status: "False",
- Reason: "RunnerSecretMissing",
- Message: fmt.Sprintf("Secret %s missing", runnerSecretsName),
- })
- _ = statusPatch.Apply()
- return fmt.Errorf("runner secret %s missing in namespace %s", runnerSecretsName, sessionNamespace)
+ log.Printf("Found runner secret %s in %s (Vertex disabled)", runnerSecretsName, sessionNamespace)
+ } else {
+ log.Printf("Vertex AI enabled, skipping runner secret %s validation", runnerSecretsName)
 }
 
 integrationSecretsExist := false
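Review bot: Inside the new `if !vertexEnabled` block, every failure of the `Secrets(sessionNamespace).Get` call is still reported as a missing secret: the `!errors.IsNotFound(err)` branch only logs, after which the `RunnerSecretMissing` condition and the `runner secret %s missing` error are produced for RBAC denials and API-server errors as well. That points whoever triages the session at a secret that may exist, and can hide a permissions problem on the operator's own credentials. In the non-NotFound branch, return the cause instead, for example `return fmt.Errorf("checking runner secret %s in namespace %s: %w", runnerSecretsName, sessionNamespace, err)`, and keep `RunnerSecretMissing` for the NotFound case only. The `else` branch skips validation altogether when Vertex is enabled; whether the ambient-vertex secret named in the new comment is checked elsewhere cannot be seen here, because handleAgenticSessionEvent starts and ends outside the hunk.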