Skip to content

Bug: Environment variable with valueFrom.secretKeyRef displays secret key name instead of actual value #4555

New issue
New issue
Open
#4706
Open
Bug: Environment variable with valueFrom.secretKeyRef displays secret key name instead of actual value#4555
#4706
Labels
frontendIssues related to the frontendgood first issueDenotes an issue ready for a new contributor, according to the "help wanted" guidelines.kind/bugCategorizes issue or PR as related to a bug.
@yuzhichang

Description

@yuzhichang
yuzhichang
opened on Feb 5, 2026

Bug: Environment variable with valueFrom.secretKeyRef displays secret key name instead of actual value

Summary

Headlamp incorrectly displays the Secret key name instead of the actual Secret value for environment variables that use valueFrom.secretKeyRef.

Environment

  • Headlamp version: 0.39.0
  • Kubernetes version: 1.24+

Expected Behavior

When viewing a Pod's environment variables in Headlamp, if an environment variable uses valueFrom.secretKeyRef to reference a Secret, Headlamp should display the actual decoded value from the Secret, similar to how it handles directly set environment variables.

Actual Behavior

Headlamp displays the Secret key name (e.g., "elastic") instead of the actual Secret value.

Steps to Reproduce

  1. Create a Secret:
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-es-elastic-user
  namespace: ragflow
data:
  elastic: clpURmVrTG54SVlXdGltR01haHJ6QjBR
  1. Create a Deployment with env var from Secret:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ragflow
  namespace: ragflow
spec:
  template:
    spec:
      containers:
      - name: ragflow
        env:
        - name: MYSQL_PASSWORD
          value: "infiniflow@2023"
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-es-elastic-user
              key: elastic

  1. In Headlamp, navigate to the Pod and view environment variables

  2. Observe the incorrect display

Detailed Comparison

Environment Variable Configuration Headlamp Display Pod Shell Status
MYSQL_PASSWORD value: "infiniflow@2023" infiniflow@2023 infiniflow@2023 ✅ Correct
ELASTIC_PASSWORD valueFrom.secretKeyRef.key: elastic elastic rZTFekLnxIYWtimGMahrzB0Q ❌ Bug

Verification

# Secret content (base64)
kubectl get secret elasticsearch-es-elastic-user -n ragflow -o jsonpath='{.data.elastic}'
# Output: clpURmVrTG54SVlXdGltR01haHJ6QjBR

# Decoded value
kubectl get secret elasticsearch-es-elastic-user -n ragflow -o jsonpath='{.data.elastic}' | base64 -d
# Output: rZTFekLnxIYWtimGMahrzB0Q

# Pod environment variable (actual value)
kubectl exec -n ragflow <pod-name> -- printenv ELASTIC_PASSWORD
# Output: rZTFekLnxIYWtimGMahrzB0Q ✅

# But Headlamp shows: "elastic" ❌

Impact

  • Severity: Low (cosmetic issue only)
  • Functionality: Not affected - Pod environment variables are correctly set
  • Security: Could cause confusion - users might think the password is "elastic"

Additional Context

Suggested Fix

Headlamp should:

  1. Read the Secret referenced by valueFrom.secretKeyRef
  2. Decode the base64 value
  3. Display the decoded value (similar to how directly set env vars are displayed)
  4. Optionally apply masking (e.g., **** or show first 4 chars only) for security

Metadata

Metadata

Assignees

No one assigned

    Labels

    frontendIssues related to the frontendgood first issueDenotes an issue ready for a new contributor, according to the "help wanted" guidelines.kind/bugCategorizes issue or PR as related to a bug.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions