Werk #19427: Agent Controller auto-registration: Re-bake agents when automation secret changes
| Component | Agent bakery | ||||
| Title | Agent Controller auto-registration: Re-bake agents when automation secret changes | ||||
| Date | Mar 25, 2026 | ||||
| Level | Trivial Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
Previously, a changed secret of an automation user used in the Agent Controller auto-registration bakery rule was not recognized when baking agent packages. The baked agent hash only depended on rule configuration and plugin source files — the automation secret was read at bake time but wasn't tracked for changes. As a result, re-baking still served the old cached agent with stale credentials, causing auto agent controller registration to fail with "401 Unauthorized".
The agent bakery now tracks the underlying file as a dependency. When the secret changes on disk, the agent hash changes, the Bake agents and Bake and sign agents buttons indicate a changed state, and a re-bake picks up the new credentials.
Additionally, if the automation user's secret file is missing (e.g., because "Store the secret in cleartext" was disabled), the bakery now shows an actionable error message pointing to the relevant setting in Setup > Users.