Probe all config-derived secrets for set/unset in the support bundle

charts/openhands/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: cloud-1.38.0
-version: 0.7.64
+version: 0.7.66
 maintainers:
   - name: rbren
   - name: xingyao

charts/openhands/templates/troubleshoot/support-bundle.yaml

@@ -5,29 +5,34 @@ metadata:
   name: {{ .Release.Name }}-support-bundle
 spec:
   collectors: {{- include "troubleshoot.collectors.shared" .  | nindent 4 }}
+    {{- /* Presence of admin-configured/optional secrets: a key renders only when its KOTS
+    value is set, so includeValue:false keyExists ⇔ value-set -- presence only, never the value.
+    Always-generated internal secrets are omitted; they'd read "set" unconditionally. */}}
+    {{- $secretKeys := dict
+      "azure-devops-app"          (list "client-id" "client-secret")
+      "bitbucket-data-center-app" (list "host" "client-id" "client-secret" "bot-token")
+      "github-app"                (list "app-id" "app-slug" "client-id" "client-secret" "private-key" "webhook-secret")
+      "gitlab-app"                (list "client-id" "client-secret")
+      "jira-dc-app"               (list "base-url" "client-id" "client-secret" "service-account-email" "service-account-pat")
+      "keycloak-realm"            (list "client-id" "client-secret" "smtp-password")
+      "litellm-env-secrets"       (list "ANTHROPIC_API_KEY" "OPENAI_API_KEY" "GOOGLE_API_KEY" "GOOGLE_APPLICATION_CREDENTIALS_JSON" "VERTEXAI_PROJECT" "VERTEXAI_LOCATION" "DEEPSEEK_API_KEY" "MISTRAL_API_KEY" "AZURE_API_KEY" "AZURE_TENANT_ID" "AZURE_CLIENT_ID" "AZURE_CLIENT_SECRET" "AZURE_API_BASE" "AZURE_API_VERSION" "GROQ_API_KEY" "OPENROUTER_API_KEY" "AWS_ACCESS_KEY_ID" "AWS_SECRET_ACCESS_KEY" "AWS_REGION_NAME" "CUSTOM_API_KEY" "CUSTOM_API_BASE")
+      "openhands-env-secrets"     (list "LLM_API_KEY" "LLM_MODEL" "LLM_BASE_URL" "LLM_API_VERSION" "AWS_ACCESS_KEY_ID" "AWS_SECRET_ACCESS_KEY" "AWS_REGION_NAME")
+      "openhands-tls"             (list "tls.crt" "ca.crt")
+      "postgres-password"         (list "postgres-password")
+      "redis"                     (list "redis-password")
+      "s3-credentials"            (list "access-key" "secret-key")
+      "sandbox-api-key"           (list "sandbox-api-key")
+      "slack-auth"                (list "client-id" "client-secret" "signing-secret")
+    }}
+    {{- range $name, $keys := $secretKeys }}
+    {{- range $key := $keys }}
     - secret:
-        name: postgres-password
-        namespace: {{ .Release.Namespace }}
-        key: postgres-password
-        includeValue: false
-    - secret:
-        name: redis
-        namespace: {{ .Release.Namespace }}
-        key: redis-password
-        includeValue: false
-    - secret:
-        name: sandbox-api-key
-        namespace: {{ .Release.Namespace }}
-        key: sandbox-api-key
-        includeValue: false
-    - secret:
-        name: github-app
-        namespace: {{ .Release.Namespace }}
-        includeValue: false
-    - secret:
-        name: keycloak-realm
-        namespace: {{ .Release.Namespace }}
+        name: {{ $name }}
+        namespace: {{ $.Release.Namespace }}
+        key: {{ $key }}
         includeValue: false
+    {{- end }}
+    {{- end }}
     # Log volume is bounded by kubelet rotation (~tens of MB/pod), not maxAge,
     # so 336h is free on chatty pods and only adds history on quiet ones.
     # OpenHands main application logs