From a23dd9e3b756c12cfdaa1b2c3a023c92530c0d0a Mon Sep 17 00:00:00 2001
From: Matt Farina <matt.farina@suse.com>
Date: Sun, 10 Mar 2024 14:05:50 -0400
Subject: [PATCH] Add a note about --dry-run displaying secrets

Signed-off-by: Matt Farina <matt.farina@suse.com>
---
 cmd/helm/install.go | 6 +++++-
 cmd/helm/upgrade.go | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/cmd/helm/install.go b/cmd/helm/install.go
index d987d300f..84ecc406d 100644
--- a/cmd/helm/install.go
+++ b/cmd/helm/install.go
@@ -94,7 +94,11 @@ And in the following example, 'foo' is set to '{"key1":"value1","key2":"bar"}':
     $ helm install --set-json='foo={"key1":"value1","key2":"value2"}' --set-json='foo.key2="bar"' myredis ./redis
 
 To check the generated manifests of a release without installing the chart,
-the '--debug' and '--dry-run' flags can be combined.
+the --debug and --dry-run flags can be combined.
+
+The --dry-run flag will output all generated chart manifests, including Secrets
+which can contain sensitive values. Please carefully consider how and when this
+flag is used.
 
 If --verify is set, the chart MUST have a provenance file, and the provenance
 file MUST pass all verification steps.
diff --git a/cmd/helm/upgrade.go b/cmd/helm/upgrade.go
index e7c6dd166..acd1c72f1 100644
--- a/cmd/helm/upgrade.go
+++ b/cmd/helm/upgrade.go
@@ -72,6 +72,10 @@ parameters, and existing values will be merged with any values set via '--values
 or '--set' flags. Priority is given to new values.
 
     $ helm upgrade --reuse-values --set foo=bar --set foo=newbar redis ./redis
+
+The --dry-run flag will output all generated chart manifests, including Secrets
+which can contain sensitive values. Please carefully consider how and when this
+flag is used.
 `
 
 func newUpgradeCmd(cfg *action.Configuration, out io.Writer) *cobra.Command {