nomad template whitespace trimming strips newlines between env var blocks #996

New issue

Closed

opened 2026-04-18 06:55:41 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-18 06:55:41 +00:00

Collaborator

Flagged by AI reviewer in PR #993.

Problem

The consul-template with/else/end pattern using aggressive whitespace trimming (e.g. {{- with secret ... -}} / {{- else -}} / {{- end }} then immediately {{- with) strips all newlines between consecutive single-variable env blocks at parse time. This would render the secrets env file as one concatenated line (GITHUB_TOKEN=valCODEBERG_TOKEN=val...), which Nomad's env = true cannot parse correctly.

Why not blocked

agents.hcl has been runtime-tested (S4-fix-6 and S4-fix-7 made observable runtime fixes). If the env file were broken, all bot tokens would be absent — a loud, observable failure. This suggests consul-template may handle whitespace trimming differently from raw Go text/template. Needs runtime verification.

Verification

Deploy either job and inspect the rendered secrets file:

nomad alloc exec <alloc-id> cat /secrets/bots.env

Confirm each KEY=VALUE pair is on its own line.

Auto-created from AI review

Affected files

nomad/jobs/agents.hcl — bots.env template (lines 147-189)
nomad/jobs/vault-runner.hcl — runner.env template (PR #993)

Acceptance criteria

Deploy agents or vault-runner job on factory host
Inspect rendered secrets file: nomad alloc exec <alloc-id> cat /secrets/bots.env
Confirm each KEY=VALUE pair is on its own line (not concatenated)
If broken: fix whitespace trimming to preserve newlines between blocks; if fine, close as not-a-bug

Flagged by AI reviewer in PR #993. ## Problem The consul-template with/else/end pattern using aggressive whitespace trimming (e.g. `{{- with secret ... -}}` / `{{- else -}}` / `{{- end }}` then immediately `{{- with`) strips all newlines between consecutive single-variable env blocks at parse time. This would render the secrets env file as one concatenated line (`GITHUB_TOKEN=valCODEBERG_TOKEN=val...`), which Nomad's `env = true` cannot parse correctly. ## Why not blocked agents.hcl has been runtime-tested (S4-fix-6 and S4-fix-7 made observable runtime fixes). If the env file were broken, all bot tokens would be absent — a loud, observable failure. This suggests consul-template may handle whitespace trimming differently from raw Go text/template. Needs runtime verification. ## Verification Deploy either job and inspect the rendered secrets file: ``` nomad alloc exec <alloc-id> cat /secrets/bots.env ``` Confirm each KEY=VALUE pair is on its own line. --- *Auto-created from AI review* ## Affected files - `nomad/jobs/agents.hcl` — bots.env template (lines 147-189) - `nomad/jobs/vault-runner.hcl` — runner.env template (PR #993) ## Acceptance criteria - [ ] Deploy `agents` or `vault-runner` job on factory host - [ ] Inspect rendered secrets file: `nomad alloc exec <alloc-id> cat /secrets/bots.env` - [ ] Confirm each KEY=VALUE pair is on its own line (not concatenated) - [ ] If broken: fix whitespace trimming to preserve newlines between blocks; if fine, close as not-a-bug