helm 3 shows secrets with --dry-run option in clear text #7275

@darkstarmv

Output of helm version:

helm version
version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}

Output of kubectl version:

kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:54Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}

Cloud Provider/Platform (AKS, GKE, Minikube etc.):

Issue

The helm3 --dry-run command prints the content of the secrets, whereas helm2 prints just the fact that the secret has been created.
This creates an issue when running helm --dry-run in CI/CD tools, as it exposes secrets.

 helm upgrade --install myrelease  mychart  --set thanos.sayamlbase64=TESTSECRET  --dry-run
Release "myrelease" has been upgraded. Happy Helming!
NAME: myrelease
LAST DEPLOYED: Thu Dec 19 15:11:43 2019
NAMESPACE: kube-system
STATUS: pending-upgrade
REVISION: 400
TEST SUITE: None
HOOKS:
MANIFEST:
---
# Source: mychart/templates/thanos-objstore-config-secret.yaml
apiVersion: v1
data:
  thanos.yaml: TESTSECRET
kind: Secret
metadata:
  name: thanos-objstore-config
  namespace: kube-system
type: Opaque
---

helm2 upgrade --install release-name chart  --set thanos.sayamlbase64=TESTSECRET  --dry-run
Release "release-name" has been upgraded. Happy Helming!
LAST DEPLOYED: Thu Dec 19 14:51:59 2019
NAMESPACE: kube-system
STATUS: DEPLOYED

RESOURCES:
==> v1/Secret
NAME                    TYPE    DATA  AGE
thanos-objstore-config  Opaque  1     80d
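
One way to keep this output out of CI logs is to filter it before it is printed. The following is an added example, not part of the original issue and not Helm's own code: a stdin filter that masks `data` and `stringData` values in every `kind: Secret` document of the dry-run output. The function names, the mask string and the ConfigMap in the sample are assumptions made for illustration.

```python
import re
import sys

MASK = "<redacted>"

def redact_doc(lines):
    """Mask data/stringData values if this YAML document is a Secret."""
    # Helm sorts keys, so `data:` precedes `kind:`; inspect the whole document first.
    if not any(re.match(r"kind:\s*[\"']?Secret[\"']?\s*$", ln) for ln in lines):
        return list(lines)
    out, in_block, key_indent = [], False, None
    for ln in lines:
        if re.match(r"[^\s#]", ln):             # top-level key (column 0, not a comment)
            m = re.match(r"(data|stringData):(.*)", ln)
            in_block, key_indent = m is not None, None
            # An inline (flow-style) value on the key line is masked as a whole.
            out.append(f"{m.group(1)}: {MASK}" if m and m.group(2).strip() else ln)
        elif in_block and re.match(r"\s+\S", ln):
            indent = len(ln) - len(ln.lstrip())
            key_indent = indent if key_indent is None else key_indent
            if indent == key_indent and ":" in ln:
                out.append(ln.split(":", 1)[0] + ": " + MASK)
            # Deeper lines continue a multi-line value and are dropped.
        else:
            out.append(ln)
    return out

def redact_stream(text):
    out, doc = [], []
    for ln in text.splitlines():
        if ln.startswith("---"):                # YAML document marker
            out += redact_doc(doc) + [ln]
            doc = []
        else:
            doc.append(ln)
    return "\n".join(out + redact_doc(doc)) + "\n"

# Constructed sample: the Secret from the issue plus a made-up ConfigMap.
SAMPLE = """---
data:
  thanos.yaml: TESTSECRET
kind: Secret
---
data:
  log.level: debug
kind: ConfigMap
"""

if __name__ == "__main__":
    sys.stdout.write(redact_stream(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Pipe the dry-run output through the script in the CI step so that only the filtered text reaches the job log. It covers Secret manifests only; a chart that renders a secret value into another resource kind is not masked by it.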
