Current Behavior

After implementing https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-2-init-container (with HELM_SECRETS_WRAPPER_ENABLED=true and the wrapper mounted at /usr/local/sbin/helm), existing single-source apps that previously used secrets:// now show unexpected changes in ArgoCD.

Specifically, the last defined multiline value before the sops: metadata block in the encrypted YAML file has its trailing newline stripped. Other multiline values in the same file are unaffected.

Previously, we had:

source:
  helm:
    valueFiles:
      - values.yaml
      - secrets://secrets.yaml

Rendered all secrets with newlines, but now:

After enabling wrapper (diffs appear)

The same apps now show changes for the last multiline secret only. New multi-source and single-source apps show the same behavior:

sources:
  - repoURL: xxxx
    chart: microservice
    targetRevision: 1.3.0
    helm:
      releaseName: xxxx
      valueFiles:
        - $values/services/values.yaml
        - $values/services/secrets.yaml
  - repoURL: https://...
    targetRevision: HEAD
    ref: values

Example encrypted file

simpleSecret: ENC[AES256_GCM,...]
sshPrivateKey: ENC[AES256_GCM,...]    # multiline - no changes
known_hosts: ENC[AES256_GCM,...]      # multiline - shows changes (last before sops:)
sops:
  kms: ...

Only known_hosts (last value before sops:) shows a diff in ArgoCD. sshPrivateKey (also multiline, but not last) is unchanged. I see this exact pattern happening with multiple secrets, only on multiline secrets where the last secret has its newline stripped.

Environment

• ArgoCD chart version: 9.4.4
• helm-secrets: 4.7.5
• SOPS: 3.12.1
• Backend: sops with AWS KMS

Expected Behavior

For argoCD to show no changes to existing secrets, as it should go through the same process as its secrets:// equivalent

Steps To Reproduce

Environment

• Helm Version: -
• Helm Secrets Version: 4.7.5
• ArgoCD Version v3.3.2
• OS: -
• Shell: -

Anything else?

No response