Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (Language Policy).
• Non-english title submitions will be closed directly
• Please do not modify this template :) and fill in all the required fields.

RAGFlow workspace code commit ID

392ec99 (v0.24.0)

RAGFlow image version

v0.24.0

Other environment information

Kubernetes 1.31 with Flux helm-controller

Actual behavior

When deploying via the Helm chart, the rendered env.yaml Secret contains duplicate YAML mapping keys for MYSQL_PASSWORD, REDIS_PASSWORD, and MINIO_PASSWORD.

In helm/templates/env.yaml, the range loop on line 11-15 iterates over all .Values.env keys and emits them. The exclusion filter (line 12) only skips host/port/user keys but does not skip password keys. The same password keys are then explicitly defined again on lines 44, 50, and 54.

This produces invalid YAML with duplicate keys:

stringData:
  MYSQL_PASSWORD: "infini_rag_flow_helm"   # from range loop
  REDIS_PASSWORD: "infini_rag_flow_helm"   # from range loop
  MINIO_PASSWORD: "infini_rag_flow_helm"   # from range loop
  # ... other keys ...
  REDIS_PASSWORD: infini_rag_flow_helm     # explicit (line 44) - DUPLICATE
  MYSQL_PASSWORD: infini_rag_flow_helm     # explicit (line 50) - DUPLICATE
  MINIO_PASSWORD: infini_rag_flow_helm     # explicit (line 54) - DUPLICATE

Strict YAML parsers (Go's yaml.v3, used by Flux's helm-controller for post-rendering) reject duplicate mapping keys:

Helm install failed: yaml: unmarshal errors:
  line 32: mapping key "MINIO_PASSWORD" already defined at line 15
  line 30: mapping key "MYSQL_PASSWORD" already defined at line 18
  line 29: mapping key "REDIS_PASSWORD" already defined at line 20

Expected behavior

The range loop exclusion filter should also skip password keys that are explicitly defined later in the template. The fix is to add these keys to the exclusion list on line 12:

-  {{- if and $val (ne $key "MYSQL_HOST") (ne $key "MYSQL_PORT") (ne $key "MYSQL_USER") (ne $key "MINIO_HOST") (ne $key "MINIO_PORT") (ne $key "REDIS_HOST") (ne $key "REDIS_PORT") }}
+  {{- if and $val (ne $key "MYSQL_HOST") (ne $key "MYSQL_PORT") (ne $key "MYSQL_USER") (ne $key "MYSQL_PASSWORD") (ne $key "MINIO_HOST") (ne $key "MINIO_PORT") (ne $key "MINIO_PASSWORD") (ne $key "REDIS_HOST") (ne $key "REDIS_PORT") (ne $key "REDIS_PASSWORD") (ne $key "ELASTIC_PASSWORD") (ne $key "OPENSEARCH_PASSWORD") }}

Important: MINIO_ROOT_USER must NOT be excluded — it is only emitted by the range loop and has no explicit definition later in the template. Excluding it causes MinIO to crash with Missing credential environment variable, "MINIO_ROOT_USER".

Steps to reproduce

1. Deploy RAGFlow v0.24.0 Helm chart to Kubernetes with Flux
2. Use default values (or any values that include password env vars)
3. Observe HelmRelease failure with duplicate key YAML errors

Additional information

This also affects ELASTIC_PASSWORD and OPENSEARCH_PASSWORD when using those doc engines, as they are similarly emitted by both the range loop and explicit definitions on lines 61 and 67-68.

Plain helm install may not surface this error because Helm's internal YAML parser (yaml.v2) silently accepts duplicate keys. Flux's helm-controller uses yaml.v3 for post-rendering which rejects them per the YAML spec.