Skip to content

Use password-stdin in Kubernetes Helm provider#6994

Open
rootp1 wants to merge 2 commits into
pipe-cd:masterfrom
rootp1:fix/helm-provider-password-stdin
Open

Use password-stdin in Kubernetes Helm provider#6994
rootp1 wants to merge 2 commits into
pipe-cd:masterfrom
rootp1:fix/helm-provider-password-stdin

Conversation

@rootp1

@rootp1 rootp1 commented Jul 8, 2026

Copy link
Copy Markdown

Summary

  • stop passing Helm registry and repository passwords via argv in the single-cluster Kubernetes provider
  • align the single-cluster provider with the existing multicluster --password-stdin pattern
  • add regression tests that fail if secrets appear in recorded command arguments

Linked Issue

Fixes #6993

What Changed

  • LoginToOCIRegistry now uses --password-stdin and writes the password to stdin
  • AddRepository now uses --password-stdin when a repository password is configured
  • added fake-Helm regression tests covering both code paths

Verification

  • go -C pkg/app/pipedv1/plugin/kubernetes test ./provider -run Test(LoginToOCIRegistry_PasswordUsesStdin|AddRepository_PasswordUsesStdin|TemplateLocalChart|TemplateRemoteChart|VerifyHelmValueFilePath) — passed
  • make build/go — passed
  • make check/dco — passed
  • make check — not run to completion: local environment is missing yarn, so build/web failed before later checks
  • KUBEBUILDER_ASSETS=/Users/rootp1/Documents/repos/n/new/pipecd/.dev/bin/k8s/1.36.2-darwin-arm64 go -C pkg/app/pipedv1/plugin/kubernetes test ./... — not completed locally: broader module run did not finish within the session window after envtest setup
  • make lint/go MODULES=pkg/app/pipedv1/plugin/kubernetes — not run: local environment is missing docker, which the repository lint target requires
  • make lint/helm — not run: local environment is missing helm

Scope

  • Only the single-cluster Kubernetes Helm provider and its focused regression tests were changed.

What this PR does:

Stops the single-cluster Kubernetes Helm provider from exposing Helm passwords in process arguments by switching to stdin-based credential passing.

Why we need it:

It removes avoidable credential exposure in argv and aligns this provider with the safer multicluster implementation that already exists in the repository.

Which issue(s) this PR fixes:

Fixes #6993

Does this PR introduce a user-facing change?:

  • How are users affected by this change: Helm credentials are no longer exposed in local process arguments when the single-cluster Kubernetes provider logs in to OCI registries or adds authenticated chart repositories.
  • Is this breaking change: No
  • How to migrate (if breaking change): Not applicable

Signed-off-by: rootp1 <arnav.iitr@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Kubernetes Helm provider exposes credentials in argv

1 participant