Only add keyring default value when verification is turned on

CHANGELOG.md

@@ -1,7 +1,11 @@
 ## Unreleased
-- Fix the DaemonSet name on diff which prevented pulumi to replace the resource (https://github.com/pulumi/pulumi-kubernetes/pull/1951)
 (None)
 
+## 3.18.2 (April 6, 2022)
+- Only add keyring default value when verification is turned on (https://github.com/pulumi/pulumi-kubernetes/pull/1961)
+  Regression introduced in 3.18.1
+- Fix the DaemonSet name on diff which prevented pulumi to replace the resource (https://github.com/pulumi/pulumi-kubernetes/pull/1951)
+
 ## 3.18.1 (April 5, 2022)
 - Fix autonaming panic for helm release (https://github.com/pulumi/pulumi-kubernetes/pull/1953)
   This change also adds support for deterministic autonaming through sequence numbers to the kubernetes provider.

provider/pkg/provider/helm_release.go

@@ -395,9 +395,13 @@ func (r *helmReleaseProvider) setDefaults(target resource.PropertyMap) {
 		}
 	}
 
-	keyringVal, ok := target["keyring"]
-	if !ok || (keyringVal.IsString() && keyringVal.StringValue() == "") {
-		target["keyring"] = resource.NewStringProperty(os.ExpandEnv("$HOME/.gnupg/pubring.gpg"))
+	// Discover the keyring if chart verification is requested, and a keyring is not explicitly specified.
+	verify, ok := target["verify"]
+	if ok && verify.IsBool() && verify.BoolValue() {
+		keyringVal, ok := target["keyring"]
+		if !ok || (keyringVal.IsString() && keyringVal.StringValue() == "") {
+			target["keyring"] = resource.NewStringProperty(os.ExpandEnv("$HOME/.gnupg/pubring.gpg"))
+		}
 	}
 }
 

tests/sdk/nodejs/examples/examples_test.go

@@ -501,6 +501,32 @@ func TestHelmReleaseNamespace(t *testing.T) {
 }
 
 func TestHelmReleaseRedis(t *testing.T) {
+	expectKeyringInput := func(verifyVal bool, keyRingNonEmpty bool) func(t *testing.T,
+		stackInfo integration.RuntimeValidationStackInfo) {
+		// Validate that the keyring is omitted when verify is false/unspecified.
+		// https://github.com/pulumi/pulumi-kubernetes/issues/1959
+		return func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+			seen := false
+			for _, res := range stackInfo.Deployment.Resources {
+				if res.Type == "kubernetes:helm.sh/v3:Release" {
+					seen = true
+
+					assert.Contains(t, res.Inputs, "verify")
+					verify := res.Inputs["verify"].(bool)
+					assert.Equal(t, verifyVal, verify)
+					val := res.Inputs["keyring"]
+					if keyRingNonEmpty {
+						assert.NotEmpty(t, val)
+					} else {
+						assert.Empty(t, val)
+					}
+
+				}
+			}
+			assert.True(t, seen)
+		}
+	}
+
 	// Validate fix for https://github.com/pulumi/pulumi-kubernetes/issues/1933
 	skipIfShort(t)
 	test := getBaseOptions(t).
@@ -513,8 +539,12 @@ func TestHelmReleaseRedis(t *testing.T) {
 				{
 					Dir:      filepath.Join(getCwd(t), "helm-release-redis", "step2"),
 					Additive: true,
+					// The redis chart isn't signed so can't find provenance file for it.
+					// TODO: Add a separate test for chart verification.
+					ExtraRuntimeValidation: expectKeyringInput(false, false),
 				},
 			},
+			ExtraRuntimeValidation: expectKeyringInput(false, false),
 		})
 
 	integration.ProgramTest(t, &test)

tests/sdk/nodejs/examples/helm-release-redis/step2/index.ts

@@ -39,6 +39,7 @@ const release = new k8s.helm.v3.Release("redis", {
     },
     namespace: namespace.metadata.name,
     values: values(redisPassword.result),
+    verify: false, // Turn off verification explicitly.
 });