"env-secret" — impossible to inject env vars from other secrets? #173

@sarendipitee

Description

How are we supposed to use valueFrom.secretKeyRef in the env to correctly inject the secrets?

For example, CNPG stores its dynamically created credentials for PG Clusters in Secrets, which can't be known at helm render time, only live on the cluster. Normally it's not a problem, you just do:

        env:
          POSTGRES_USERNAME:
            secretKeyRef:
              name: pg-app
              key: user
          POSTGRES_PASSWORD:
            secretKeyRef:
              name: pg-app
              key: password
          POSTGRES_DATABASE:
            secretKeyRef:
              name: pg-app
              key: dbname

But with how this helm chart is set up, it's trying to copy the raw string values from the values into the secret and then references all the secret values into the env vars for the workers with envFrom 🤕

$ k get secret -n chatwoot chatwoot-env -o yaml | yq .data.POSTGRES_PASSWORD | base64 -d
map[secretKeyRef:map[key:password name:pg-app]]%

Uh oh.

This results in the chatwoot worker processes trying to do this:

+ PG_READY='pg_isready -h pg-pooler.chatwoot.svc.cluster.local. -p 5432 -U map[secretKeyRef:map[key:user name:pg-app]]'
+ pg_isready -h pg-pooler.chatwoot.svc.cluster.local. -p 5432 -U 'map[secretKeyRef:map[key:user' name:pg-app]]
pg_isready: error: too many command-line arguments (first is "name:pg-app]]")
pg_isready: hint: Try "pg_isready --help" for more information.

I'm really thinking storing the entire env in secrets is a bit of an anti-pattern here. I'm sure if other people are using Secret managers or Vault they'd be running into a similar problem.

A better approach would be to use helm to iterate over all the env vars and dynamically inject them one by one into the Pod template specs so you can reference other values in Secrets/Vaults.

It'd just be changing the "envFrom" usages in the worker/web deployments:

          envFrom:
            - secretRef:
                name: {{ template "chatwoot.fullname" . }}-env

to something like:

          env:
          {{- /* Iterate over every key-value pair in the env map */}}
          {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              {{- /* A map is a valueFrom source (secretKeyRef, configMapKeyRef, ...) */}}
              {{- if kindIs "map" $value }}
              valueFrom:
                {{- $value | toYaml | nindent 16 }}
              {{- /* Anything else (string, number, bool) is a literal value */}}
              {{- else }}
              value: {{ $value | toString | quote }}
              {{- end }}
          {{- end }}

(Copilot could knock this out real quick using this as a prompt)
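As an added illustration (not code from the issue or from the chart), a small Python model of the two rendering strategies: the Go fmt-style stringification that produces the `map[...]` value shown above, a check that flags such values in a rendered Secret's data, and the per-key env rendering the proposal describes. The `VALUES_ENV` map is constructed to mirror the example values.

```python
import base64
import re

# Constructed values.env mirroring the issue's example (not the chart's real values file).
VALUES_ENV = {
    "RAILS_ENV": "production",
    "POSTGRES_USERNAME": {"secretKeyRef": {"name": "pg-app", "key": "user"}},
    "POSTGRES_PASSWORD": {"secretKeyRef": {"name": "pg-app", "key": "password"}},
}

def go_fmt(value):
    """Approximate Go's fmt %v rendering, which is what a Helm template emits when it
    prints a map value directly (keys sorted, as fmt does)."""
    if isinstance(value, dict):
        return "map[" + " ".join(f"{k}:{go_fmt(value[k])}" for k in sorted(value)) + "]"
    return str(value)

def render_secret_data(env):
    """Current chart behaviour: every value is stringified into one Secret's data."""
    return {k: base64.b64encode(go_fmt(v).encode()).decode() for k, v in env.items()}

def render_env_entries(env):
    """Proposed behaviour: one env entry per key; map values become valueFrom sources."""
    entries = []
    for name, value in env.items():
        if isinstance(value, dict):
            entries.append({"name": name, "valueFrom": value})
        else:
            entries.append({"name": name, "value": str(value)})
    return entries

GO_MAP_RE = re.compile(r"^map\[.*\]$")

def find_stringified_maps(secret_data):
    """Flag Secret values that are Go-formatted maps: a reference copied as a string."""
    return [k for k, b64 in secret_data.items()
            if GO_MAP_RE.match(base64.b64decode(b64).decode())]

if __name__ == "__main__":
    data = render_secret_data(VALUES_ENV)
    print("stringified references:", find_stringified_maps(data))
    for entry in render_env_entries(VALUES_ENV):
        print(entry)
```

Running `find_stringified_maps` over `kubectl get secret ... -o json` data is a quick post-render check that no `valueFrom`-style reference was flattened into a literal.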
