fix: existingSecrets implementation causes env var validation errors in Deployment #9111

@TrueBurn

existingSecrets in values.yaml is incorrectly structured and causes deployment failures

Issue Description

The current implementation of existingSecrets in the unleash-edge chart has two significant issues:

  1. The default value in values.yaml is incorrectly set as an empty string (""):

     existingSecrets:
       ""

     This is invalid YAML for a field that should accept an array of secret configurations. It should be an empty array ([]) instead.

  2. The current template structure attempts to merge secret configurations directly into the env: section, which causes Kubernetes validation errors when environment variables contain both value and valueFrom fields. This results in deployment failures with the error:

     Failed sync attempt to : one or more objects failed to apply, reason: Deployment.apps "unleash-edge" is invalid: [spec.template.spec.containers[0].env[4].valueFrom: Invalid value: "": may not be specified when `value` is not empty, spec.template.spec.containers[0].env[5].valueFrom: Invalid value: "": may not be specified when `value` is not empty] (retried 5 times)

Current Implementation

The values.yaml provides a misleading example:

# adds environmentvars for existing secrets to the container via tpl function
existingSecrets:
  ""
  # - name: TOKENS
  #   valueFrom:
  #     secretKeyRef:
  #       name: secretname
  #       key: secretkey

This structure suggests that secrets should be configured as environment variables with valueFrom, but the implementation causes validation errors in Kubernetes when combined with other environment variables.

Expected Behavior

The chart should either:

  1. Use envFrom: to properly reference secrets (preferred approach)
  2. Fix the template to properly handle secret references in the env: section without causing validation errors

Steps to Reproduce

  1. Configure the chart with secret references:

     existingSecrets:
       - name: TOKENS
         valueFrom:
           secretKeyRef:
             name: unleash-token
             key: token
       - name: FRONTEND_TOKENS
         valueFrom:
           secretKeyRef:
             name: unleash-token
             key: token

  2. Deploy the chart
  3. Observe the deployment failure due to invalid environment variable configuration

Proposed Solution

Two potential solutions:

Option 1 (Preferred): Use envFrom

Update values.yaml:

# Name of the secret to load as environment variables
existingSecrets: ""  # or [] if no secrets needed

Update deployment template to use envFrom:

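{{- /* Render envFrom only when a secret name is set. Testing the value directly
       is needed because `quote` turns "" into a non-empty two-character string. */}}
{{- if .Values.existingSecrets }}
envFrom:
  - secretRef:
      name: {{ .Values.existingSecrets }}
{{- end }}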

Option 2: Fix Current Approach

If maintaining the current structure is preferred:

  1. Update values.yaml default:

     # adds environmentvars for existing secrets to the container via tpl function
     existingSecrets: []  # Empty array as default

  2. Update template to properly handle secret configurations without causing validation errors.

Additional Context

This issue affects users who need to configure secrets for the Unleash Edge service, particularly when using tokens for authentication.
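
The validation failure described above can be caught before a sync is attempted. The following lint is an added example, not part of the original issue or of the unleash-edge chart; the manifest fragment, the `lint_env` function name and the sample variable values are constructed for illustration.

```python
import json

# Constructed sample: fragment of a rendered Deployment in which secret references
# were merged into env entries that already carry a literal value.
RENDERED = json.loads("""
{"kind": "Deployment", "metadata": {"name": "unleash-edge"},
 "spec": {"template": {"spec": {"containers": [{"name": "unleash-edge", "env": [
   {"name": "UPSTREAM_URL", "value": "http://unleash.example:4242"},
   {"name": "TOKENS", "value": "placeholder",
    "valueFrom": {"secretKeyRef": {"name": "unleash-token", "key": "token"}}},
   {"name": "FRONTEND_TOKENS",
    "valueFrom": {"secretKeyRef": {"name": "unleash-token", "key": "token"}}},
   {"name": "EMPTY_REF", "valueFrom": {}}
 ]}]}}}}
""")


def lint_env(manifest):
    """Return (field path, message) for env entries the API server would reject."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for group in ("initContainers", "containers"):
        for ci, container in enumerate(pod.get(group) or []):
            for ei, env in enumerate(container.get("env") or []):
                if env.get("valueFrom") is None:
                    continue  # plain literal entry, nothing to cross-check
                path = f"spec.template.spec.{group}[{ci}].env[{ei}].valueFrom"
                if env.get("value"):
                    # The conflict quoted in the issue's error message.
                    findings.append((path, "may not be specified when `value` is not empty"))
                if not env["valueFrom"]:
                    # valueFrom present but naming no source is also invalid.
                    findings.append((path, "no source (e.g. secretKeyRef) specified"))
    return findings


if __name__ == "__main__":
    for path, message in lint_env(RENDERED):
        print(f"{path}: {message}")
```

Run over the chart's rendered output (loaded as JSON or through a YAML parser) in CI, it reports the same field paths the API server would, so a misrendered secret reference is caught before deployment.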

Status

Done
