Chart: influxdb3-enterprise v0.2.0 (appVersion 3.8.4)
Summary
When using license.type: home or trial and storing the license email in an existingSecret (for sealed-secret / GitOps workflows), the chart does not emit the INFLUXDB3_ENTERPRISE_LICENSE_EMAIL env var unless license.email is also set in values.yaml to a truthy value — even though the actual value is then read exclusively from the existingSecret via secretKeyRef.
Reproduction
# values.yaml
license:
type: home
existingSecret: my-license-secret # contains key: license-email
Render the chart → the pods get INFLUXDB3_ENTERPRISE_LICENSE_FILE and INFLUXDB3_ENTERPRISE_LICENSE_TYPE, but no INFLUXDB3_ENTERPRISE_LICENSE_EMAIL. InfluxDB 3 Enterprise then fails to register for a home license (no email to phone home with) and the pods CrashLoopBackOff with License email not provided.
Root cause
In templates/_helpers.tpl, the licenseEnv helper (line ~236):
{{- if or .Values.license.existingSecret (or .Values.license.email .Values.license.file) }}
{{- if .Values.license.email }} # <-- gate
- name: INFLUXDB3_ENTERPRISE_LICENSE_EMAIL
valueFrom:
secretKeyRef:
name: {{ include "influxdb3-enterprise.licenseSecretName" . }}
key: license-email
{{- end }}
The gate is .Values.license.email only — .Values.license.existingSecret doesn't trigger it. But when existingSecret is set, licenseSecretName correctly points to it, and the actual email value is read via secretKeyRef, making the value in license.email irrelevant.
Workaround
license:
type: home
email: "placeholder" # any truthy string to pass the gate
existingSecret: my-license-secret # real email is here
This works but is confusing: license.email in values.yaml is a dead value — only there to flip the gate.
Suggested fix
Decouple the gate from the value source. The env var should be emitted whenever the license has an email somewhere (either license.email or existingSecret with key license-email):
{{- if or .Values.license.email .Values.license.existingSecret }}
- name: INFLUXDB3_ENTERPRISE_LICENSE_EMAIL
valueFrom:
secretKeyRef:
name: {{ include "influxdb3-enterprise.licenseSecretName" . }}
key: license-email
{{- end }}
For commercial licenses (which use license.file and don't need email), users wouldn't set existingSecret — or would set it with only a license-file key, in which case the env var references a non-existent key and Kubernetes would fail to start the pod. To handle that, you could also add optional: true to the secretKeyRef, or gate on a dedicated field like license.mode: home|commercial.
Impact
Blocks GitOps-friendly secret management for at-home / trial licenses. Users have to either:
- Commit their email plaintext to Git (the chart's current intended usage), or
- Use the dummy-value workaround (undocumented, confusing)
Environment
- Chart:
influxdb3-enterprise-0.2.0
- Helm: 3.x
- Kubernetes: 1.30+
- Deployment: Kustomize +
helmCharts inflation
Chart:
influxdb3-enterprisev0.2.0 (appVersion 3.8.4)Summary
When using
license.type: homeortrialand storing the license email in anexistingSecret(for sealed-secret / GitOps workflows), the chart does not emit theINFLUXDB3_ENTERPRISE_LICENSE_EMAILenv var unlesslicense.emailis also set invalues.yamlto a truthy value — even though the actual value is then read exclusively from theexistingSecretviasecretKeyRef.Reproduction
Render the chart → the pods get
INFLUXDB3_ENTERPRISE_LICENSE_FILEandINFLUXDB3_ENTERPRISE_LICENSE_TYPE, but noINFLUXDB3_ENTERPRISE_LICENSE_EMAIL. InfluxDB 3 Enterprise then fails to register for a home license (no email to phone home with) and the podsCrashLoopBackOffwithLicense email not provided.Root cause
In
templates/_helpers.tpl, thelicenseEnvhelper (line ~236):The gate is
.Values.license.emailonly —.Values.license.existingSecretdoesn't trigger it. But whenexistingSecretis set,licenseSecretNamecorrectly points to it, and the actual email value is read viasecretKeyRef, making the value inlicense.emailirrelevant.Workaround
This works but is confusing:
license.emailinvalues.yamlis a dead value — only there to flip the gate.Suggested fix
Decouple the gate from the value source. The env var should be emitted whenever the license has an email somewhere (either
license.emailorexistingSecretwith keylicense-email):For
commerciallicenses (which uselicense.fileand don't need email), users wouldn't setexistingSecret— or would set it with only alicense-filekey, in which case the env var references a non-existent key and Kubernetes would fail to start the pod. To handle that, you could also addoptional: trueto the secretKeyRef, or gate on a dedicated field likelicense.mode: home|commercial.Impact
Blocks GitOps-friendly secret management for at-home / trial licenses. Users have to either:
Environment
influxdb3-enterprise-0.2.0helmChartsinflation