extraVars is causing problems #469

@max-allan-cgr

Describe the bug

Related to #461

When using extraVars the values are not being used properly.

This could be considered a security issue because it allows me to override the name of the container. I may also be able to override other useful fields, for example specifying an image that could run something malicious. VERY minor issue because anyone deploying the chart can probably just change the value for image: to a different image anyway!! But this obfuscation of setting the image could mask the efforts of a bad actor.

Reproduction steps

git checkout v1.18.2
helm upgrade --install kfo charts/log-router --set fluentd.extraEnv.name=foo

fluentd Container runs with name=foo in environment. Everything is as expected.
(This proves we are doing the right thing)

For these and following steps, use the main branch.

git checkout main
helm upgrade --install kfo charts/log-router --set fluentd.extraEnv.name=foo

fluentd container runs with name foo, and name=foo in the environment.

helm upgrade --install kfo charts/log-router --set fluentd.extraEnv.image=alpine

fluentd container runs alpine image instead of intended image (which exits because no command was specified)

helm upgrade --install kfo charts/log-router --set fluentd.extraEnv.ENVIRONMENT=variable
I0717 11:35:22.345564   81793 warnings.go:110] "Warning: unknown field \"spec.template.spec.containers[0].ENVIRONMENT\""

fluentd container runs as expected with ENVIRONMENT=variable - this is just the warning error message from helm while deploying.

Expected behavior

Setting values for extraEnv should not be able to overwrite container name/image or cause unknown field warnings.

Additional context

Caused by #439

Which, originally, in PR 437 was going to use "additionalEnv" - doing that may have avoided these issues.

I think PR 437 would allow additionalEnv to specify things like:

  - name: VARIABLE
    value: value
  - name: SECRETVARIABLE
    valueFrom:
      secretKeyRef:
        name: mysecret
        key: secret1

Which cannot be done with the extraEnv because the extraEnv values are used in the secret.yaml and need to be key:value pairs not maps.
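
The three reproduction cases above, as an added example that is not part of the original issue or the chart's code: a small Python model of the reported merge behaviour next to the expected one, with an audit that flags an overridden name or image and unknown container fields. `BASE`, `KNOWN_FIELDS`, the placeholder image and all function names are assumptions made for illustration.

```python
# Added example: a constructed model of the behaviour reported in this issue.
# It is not the chart's template code; BASE and KNOWN_FIELDS are assumptions.

# A subset of Kubernetes Container fields. A key outside the real field set
# is what produces the "unknown field" warning in the reproduction.
KNOWN_FIELDS = {
    "name", "image", "imagePullPolicy", "command", "args", "env",
    "envFrom", "ports", "resources", "volumeMounts", "securityContext",
}

# Placeholder for the container the chart intends to deploy.
BASE = {"name": "fluentd", "image": "registry.invalid/fluentd:placeholder"}


def as_env(extra_env):
    """Turn the extraEnv map into Kubernetes name/value env entries."""
    return [{"name": k, "value": str(v)} for k, v in extra_env.items()]


def render_merged(extra_env):
    """Model of main as reported: keys also land on the container itself."""
    container = {**BASE, "env": as_env(extra_env)}
    container.update(extra_env)
    return container


def render_env_only(extra_env):
    """Model of the expected behaviour: keys only become env entries."""
    return {**BASE, "env": as_env(extra_env)}


def audit(container):
    """List the ways a rendered container deviates from the intended one."""
    findings = []
    for field in ("name", "image"):
        if container.get(field) != BASE[field]:
            findings.append(f"override: {field}={container.get(field)!r}")
    for key in sorted(set(container) - KNOWN_FIELDS):
        findings.append(f"unknown field: {key}")
    return findings


if __name__ == "__main__":
    for sample in ({"name": "foo"}, {"image": "alpine"}, {"ENVIRONMENT": "variable"}):
        print(sample, audit(render_merged(sample)), audit(render_env_only(sample)))
```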
