suite: chart-computed env keys can't be overridden (round-8 regression net) release: name: t namespace: sim tests: - it: app pod uses chart-computed DATABASE_URL even when user tries to override template: deployment-app.yaml set: app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.INTERNAL_API_SECRET: x app.env.CRON_SECRET: x app.env.DATABASE_URL: "should-be-ignored" postgresql.auth.password: xxxxxxxx asserts: - notContains: path: spec.template.spec.containers[0].env content: name: DATABASE_URL value: "should-be-ignored" - it: existingSecret inline path skips DATABASE_URL/SOCKET_SERVER_URL template: deployment-app.yaml set: app.secrets.existingSecret.enabled: true app.secrets.existingSecret.name: my-secret app.env.DATABASE_URL: "postgres://evil-1:5432/x" app.env.SOCKET_SERVER_URL: "https://evil-2.example.com" postgresql.auth.password: xxxxxxxx asserts: - notContains: path: spec.template.spec.containers[0].env content: { name: DATABASE_URL, value: "postgres://evil-1:5432/x" } - notContains: path: spec.template.spec.containers[0].env content: { name: SOCKET_SERVER_URL, value: "https://evil-2.example.com" } - it: realtime pod existingSecret inline path skips chart-computed keys (round-8) template: deployment-realtime.yaml set: app.secrets.existingSecret.enabled: true app.secrets.existingSecret.name: my-secret app.env.DATABASE_URL: "postgres://evil-1:5432/x" app.env.SOCKET_SERVER_URL: "https://evil-2.example.com" postgresql.auth.password: xxxxxxxx asserts: - notContains: path: spec.template.spec.containers[0].env content: { name: SOCKET_SERVER_URL, value: "https://evil-2.example.com" }