helm: helm upgrade fails to remove keys from Secrets when using `stringData`

If a chart templates a Secret using the stringData field, then helm upgrade ... will fail to remove keys that are removed, and instead sets their value to an empty string.

Steps to reproduce

Chart Definition:

## templates/my-secret.yaml
##
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
stringData:
  STATIC_VALUE: "xxxx"
  {{- if .Values.enabled }}
  OPTIONAL_VALUE: "true"
  {{- end }}

Steps:

Run: helm install --set enabled=true ...

Run: kubectl get Secret/my-secret -o yaml: OUTPUT:

...
data:
  OPTIONAL_VALUE: dHJ1ZQ==
  STATIC_VALUE: eHh4eA==
...

Run: helm upgrade --set enabled=false ...

Run: kubectl get Secret/my-secret -o yaml: OUTPUT:

...
data:
  OPTIONAL_VALUE: ""
  STATIC_VALUE: eHh4eA==
...

Output of `helm version`:

version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"dirty", GoVersion:"go1.16.5"}

Output of `kubectl version`:

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:59:11Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-21T23:01:33Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 16 (4 by maintainers)

Most upvoted comments

set empty data like this:

apiVersion: v1
kind: Secret
metadata:
  name: php-secret-env
type: Opaque
data: # Note: if you omit this, stringData will always be merged with the last. No keys would be deleted ever.
stringData:
  EXAMPLE1: {{ .Values.app.example1 | quote }}

DBLaci on Aug 9, 2023