From 3280772934dfe6c7ce5fcda01dc7ed0c8733e03b Mon Sep 17 00:00:00 2001 From: Bradley Boveinis Date: Tue, 24 Feb 2026 13:09:31 +1000 Subject: [PATCH] fix(helm): exclude password keys from env range loop to prevent duplicate YAML keys (#13136) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Fix duplicate YAML mapping keys in `helm/templates/env.yaml` that cause deployment failures with strict YAML parsers ## Problem The `range` loop in `env.yaml` iterates over all `.Values.env` keys and emits them into a Secret. The exclusion filter skips host/port/user keys, but does **not** skip password keys (`MYSQL_PASSWORD`, `REDIS_PASSWORD`, `MINIO_PASSWORD`, `ELASTIC_PASSWORD`, `OPENSEARCH_PASSWORD`). These same keys are then explicitly defined again later in the template, producing duplicate YAML mapping keys. Go's `yaml.v3` (used by Flux's helm-controller for post-rendering) rejects duplicate keys per the YAML spec: ``` Helm install failed: yaml: unmarshal errors: mapping key "MINIO_PASSWORD" already defined mapping key "MYSQL_PASSWORD" already defined mapping key "REDIS_PASSWORD" already defined ``` Plain `helm install` does not surface this because Helm's internal parser (`yaml.v2`) silently accepts duplicate keys (last value wins). ## Fix Add password keys to the exclusion filter on line 12 so they are only emitted by their explicit definitions later in the template. Note: `MINIO_ROOT_USER` is intentionally **not** excluded — it is only emitted by the range loop and has no explicit definition elsewhere. Excluding it causes MinIO to crash with `Missing credential environment variable, "MINIO_ROOT_USER"`. ## Test plan - [ ] Deploy with Flux helm-controller (uses yaml.v3) — no duplicate key errors - [ ] Verify all passwords are present in the rendered Secret - [ ] Verify `MINIO_ROOT_USER` is present in the rendered Secret - [ ] Test with `DOC_ENGINE=elasticsearch` (ELASTIC_PASSWORD) - [ ] Test with `DOC_ENGINE=opensearch` (OPENSEARCH_PASSWORD) Fixes #13135 --- helm/templates/env.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/templates/env.yaml b/helm/templates/env.yaml index c4dad4af22..4121a39ee8 100644 --- a/helm/templates/env.yaml +++ b/helm/templates/env.yaml @@ -9,7 +9,7 @@ metadata: type: Opaque stringData: {{- range $key, $val := .Values.env }} - {{- if and $val (ne $key "MYSQL_HOST") (ne $key "MYSQL_PORT") (ne $key "MYSQL_USER") (ne $key "MINIO_HOST") (ne $key "MINIO_PORT") (ne $key "REDIS_HOST") (ne $key "REDIS_PORT") }} + {{- if and $val (ne $key "MYSQL_HOST") (ne $key "MYSQL_PORT") (ne $key "MYSQL_USER") (ne $key "MYSQL_PASSWORD") (ne $key "MINIO_HOST") (ne $key "MINIO_PORT") (ne $key "MINIO_PASSWORD") (ne $key "REDIS_HOST") (ne $key "REDIS_PORT") (ne $key "REDIS_PASSWORD") (ne $key "ELASTIC_PASSWORD") (ne $key "OPENSEARCH_PASSWORD") }} {{ $key }}: {{ quote $val }} {{- end }} {{- end }}