Merge pull request #27795 from MayorFaj/fix-env-envfrom-precedence-27287

fix: ensure environment variable precedence between env and envFrom
2026-02-05 06:45:31 +01:00 · 2026-02-03 11:31:59 +01:00
parent 98788a6b5e d8f5368428
commit 6e053689d5
2 changed files with 38 additions and 9 deletions
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -485,6 +485,17 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		envs[key] = val
 	}

+	// Process envFrom first (lower precedence)
+	for _, envFrom := range opts.Container.EnvFrom {
+		cmEnvs, err := envVarsFrom(envFrom, opts)
+		if err != nil {
+			return nil, err
+		}
+
+		maps.Copy(envs, cmEnvs)
+	}
+
+	// Process env second (higher precedence, overrides envFrom)
 	for _, env := range opts.Container.Env {
 		value, err := envVarValue(env, opts)
 		if err != nil {
@@ -496,14 +507,6 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 			envs[env.Name] = *value
 		}
 	}
-	for _, envFrom := range opts.Container.EnvFrom {
-		cmEnvs, err := envVarsFrom(envFrom, opts)
-		if err != nil {
-			return nil, err
-		}
-
-		maps.Copy(envs, cmEnvs)
-	}
 	s.Env = envs

 	for _, volume := range opts.Container.VolumeMounts {
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -2121,7 +2121,7 @@ func withVolumeMount(mountPath, subpath string, readonly bool) ctrOption {
 	}
 }

-func withEnv(name, value, valueFrom, refName, refKey string, optional bool) ctrOption { //nolint:unparam
+func withEnv(name, value, valueFrom, refName, refKey string, optional bool) ctrOption {
 	return func(c *Ctr) {
 		e := Env{
 			Name:      name,
@@ -3248,6 +3248,32 @@ var _ = Describe("Podman kube play", func() {
 		Expect(kube).Should(ExitCleanly())
 	})

+	It("test env value takes precedence over envFrom configmap value", func() {
+		cm := getConfigMap(withConfigMapName("test-config-map"), withConfigMapData("MY_ENV_VAR", "1"))
+		cmYaml, err := getKubeYaml("configmap", cm)
+		Expect(err).ToNot(HaveOccurred())
+
+		pod := getPod(withCtr(getCtr(
+			withEnvFrom("test-config-map", "configmap", false),
+			withEnv("MY_ENV_VAR", "2", "", "", "", false),
+		)))
+
+		podYaml, err := getKubeYaml("pod", pod)
+		Expect(err).ToNot(HaveOccurred())
+
+		yamls := []string{cmYaml, podYaml}
+		err = generateMultiDocKubeYaml(yamls, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		podmanTest.PodmanExitCleanly("kube", "play", kubeYaml)
+
+		inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "'{{ .Config.Env }}'"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(ExitCleanly())
+		// env should override envFrom, so value should be "2" not "1"
+		Expect(inspect.OutputToString()).To(ContainSubstring(`MY_ENV_VAR=2`))
+	})
+
 	It("test duplicate container name", func() {
 		p := getPod(withCtr(getCtr(withName("testctr"), withCmd([]string{"echo", "hello"}))), withCtr(getCtr(withName("testctr"), withCmd([]string{"echo", "world"}))))