Never render secrets into values.yaml (#8497)

davidfowl · web-flow · commit c0413aca47c7 · 2025-04-01T23:30:35.000-07:00
- Added tests
diff --git a/src/Aspire.Hosting.Kubernetes/KubernetesResourceContext.cs b/src/Aspire.Hosting.Kubernetes/KubernetesResourceContext.cs
@@ -360,7 +360,7 @@ private HelmExpressionWithValue AllocateParameter(ParameterResource parameter)
             formattedName.ToHelmSecretExpression(resource.Name) :
             formattedName.ToHelmConfigExpression(resource.Name);
 
-        var value = parameter.Default is null ? null : parameter.Value;
+        var value = parameter.Default is null || parameter.Secret ? null : parameter.Value;
         return new(expression, value);
     }
 
diff --git a/tests/Aspire.Hosting.Kubernetes.Tests/ExpectedValues.cs b/tests/Aspire.Hosting.Kubernetes.Tests/ExpectedValues.cs
@@ -29,6 +29,7 @@ public static class ExpectedValues
         secrets:
           myapp:
             param1: ""
+            param3: ""
         config:
           myapp:
             ASPNETCORE_ENVIRONMENT: "Development"
@@ -39,7 +40,7 @@ public static class ExpectedValues
             OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EVENT_LOG_ATTRIBUTES: "true"
             OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY: "in_memory"
             services__myapp__http__0: "http://myapp:8080"
-
+        
         """;
 
     public const string ProjectOneDeployment =
@@ -194,6 +195,7 @@ public static class ExpectedValues
             component: "myapp"
         stringData:
           param1: "{{ .Values.secrets.myapp.param1 }}"
+          param3: "{{ .Values.secrets.myapp.param3 }}"
           ConnectionStrings__cs: "Url={{ .Values.config.myapp.param0 }}, Secret={{ .Values.secrets.myapp.param1 }}"
         type: "Opaque"
 
diff --git a/tests/Aspire.Hosting.Kubernetes.Tests/KubernetesPublisherTests.cs b/tests/Aspire.Hosting.Kubernetes.Tests/KubernetesPublisherTests.cs
@@ -48,6 +48,7 @@ public async Task PublishAsync_GeneratesValidHelmChart(string expectedFile)
             var param0 = builder.AddParameter("param0");
             var param1 = builder.AddParameter("param1", secret: true);
             var param2 = builder.AddParameter("param2", "default", publishValueAsDefault: true);
+            var param3 = builder.AddResource(ParameterResourceBuilderExtensions.CreateDefaultPasswordParameter(builder, "param3"));
             var cs = builder.AddConnectionString("cs", ReferenceExpression.Create($"Url={param0}, Secret={param1}"));
 
             // Add a container to the application
@@ -57,6 +58,7 @@ public async Task PublishAsync_GeneratesValidHelmChart(string expectedFile)
                 .WithEnvironment("param0", param0)
                 .WithEnvironment("param1", param1)
                 .WithEnvironment("param2", param2)
+                .WithEnvironment("param3", param3)
                 .WithReference(cs)
                 .WithVolume("logs", "/logs")
                 .WithArgs("--cs", cs.Resource);

Original file line number	Diff line number	Diff line change
`@@ -360,7 +360,7 @@ private HelmExpressionWithValue AllocateParameter(ParameterResource parameter)`
`360`	`360`	`formattedName.ToHelmSecretExpression(resource.Name) :`
`361`	`361`	`formattedName.ToHelmConfigExpression(resource.Name);`
`362`	`362`
`363`		`- var value = parameter.Default is null ? null : parameter.Value;`
	`363`	`+ var value = parameter.Default is null \|\| parameter.Secret ? null : parameter.Value;`
`364`	`364`	`return new(expression, value);`
`365`	`365`	`}`
`366`	`366`