temporary: disable sendSecretValues by default

SgtCoDFish · SgtCoDFish · commit f047920d2f9a · 2026-03-10T15:02:24.000Z
In the long run, this should default to true. For now, while
the DisCo backend finishes the backend work, disable it and
print a warning when it's enabled

Signed-off-by: Ashley Davis &lt;ashley.davis@cyberark.com&gt;
diff --git a/deploy/charts/disco-agent/README.md b/deploy/charts/disco-agent/README.md
@@ -348,11 +348,10 @@ This description will be associated with the data that the agent uploads to the
 #### **config.sendSecretValues** ~ `bool`
 > Default value:
 > ```yaml
-> true
+> false
 > ```
 
-Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.  
-Default: true
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service. This value will default to "true" in a future release when further updates have been made to the Discovery and Context backend.
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/disco-agent/templates/NOTES.txt b/deploy/charts/disco-agent/templates/NOTES.txt
@@ -7,3 +7,8 @@ APP VERSION: {{ .Chart.AppVersion }}
 
 - Check the application logs for successful connection to the platform:
 > kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+{{ if .Values.config.sendSecretValues }}
+WARNING: sendSecretValues is not finalised and is subject to breaking changes in the future.
+It should be enabled only for testing and validation.
+{{ end }}
diff --git a/deploy/charts/disco-agent/values.schema.json b/deploy/charts/disco-agent/values.schema.json
@@ -166,8 +166,8 @@
       "type": "string"
     },
     "helm-values.config.sendSecretValues": {
-      "default": true,
-      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.\nDefault: true",
+      "default": false,
+      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service. This value will default to \"true\" in a future release when further updates have been made to the Discovery and Context backend.",
       "type": "boolean"
     },
     "helm-values.extraArgs": {
diff --git a/deploy/charts/disco-agent/values.yaml b/deploy/charts/disco-agent/values.yaml
@@ -200,8 +200,9 @@ config:
   # Metadata is always sent, but the actual values of Secrets are not sent by default.
   # When enabled, Secret data is encrypted using envelope encryption using
   # a key managed by CyberArk, fetched from the Discovery and Context service.
-  # Default: true
-  sendSecretValues: true
+  # This value will default to "true" in a future release when further updates have been
+  # made to the Discovery and Context backend.
+  sendSecretValues: false
 
 authentication:
   secretName: agent-credentials
