fix(cli): avoid injecting unused provider secrets

officialasishkumar · officialasishkumar · commit 8cb2bcfa3ce8 · 2026-04-07T13:59:48.000Z
diff --git a/go/core/cli/internal/cli/agent/install.go b/go/core/cli/internal/cli/agent/install.go
@@ -107,7 +107,7 @@ func InstallCmd(ctx context.Context, cfg *InstallCfg) *PortForward {
 		return nil
 	}
 
-	helmConfig := setupHelmConfig(modelProvider, apiKeyValue)
+	helmConfig := setupHelmConfig(modelProvider, apiKeyValue, profiles.InstallsDefaultModelConfig(selectedProfile))
 
 	// setup profile if provided
 	if selectedProfile != "" {
@@ -146,7 +146,7 @@ func InteractiveInstallCmd(ctx context.Context, c *ishell.Context) *PortForward
 		return nil
 	}
 
-	helmConfig := setupHelmConfig(modelProvider, apiKeyValue)
+	helmConfig := setupHelmConfig(modelProvider, apiKeyValue, profiles.InstallsDefaultModelConfig(selectedProfile))
 	helmConfig.inlineValues = profiles.GetProfileYaml(selectedProfile)
 
 	return install(ctx, cfg, helmConfig, modelProvider)
@@ -164,12 +164,14 @@ type helmConfig struct {
 
 // setupHelmConfig sets up the helm config for the kagent chart
 // This sets up the general configuration for a helm installation without the profile, which is calculated later based on the installation type (interactive or non-interactive)
-func setupHelmConfig(modelProvider v1alpha2.ModelProvider, apiKeyValue string) helmConfig {
-	// Build Helm values
-	helmProviderKey := GetModelProviderHelmValuesKey(modelProvider)
-	values := []string{
-		fmt.Sprintf("providers.default=%s", helmProviderKey),
-		fmt.Sprintf("providers.%s.apiKey=%s", helmProviderKey, apiKeyValue),
+func setupHelmConfig(modelProvider v1alpha2.ModelProvider, apiKeyValue string, installDefaultModelConfig bool) helmConfig {
+	values := []string{}
+	if installDefaultModelConfig {
+		helmProviderKey := GetModelProviderHelmValuesKey(modelProvider)
+		values = append(values, fmt.Sprintf("providers.default=%s", helmProviderKey))
+		if apiKeyValue != "" {
+			values = append(values, fmt.Sprintf("providers.%s.apiKey=%s", helmProviderKey, apiKeyValue))
+		}
 	}
 
 	// allow user to set the helm registry and version
diff --git a/go/core/cli/internal/cli/agent/install_test.go b/go/core/cli/internal/cli/agent/install_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/kagent-dev/kagent/go/api/v1alpha2"
 	"github.com/kagent-dev/kagent/go/core/cli/internal/profiles"
+	"github.com/kagent-dev/kagent/go/core/pkg/env"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -61,3 +62,21 @@ func TestShouldRequireProviderCredentials(t *testing.T) {
 		})
 	}
 }
+
+func TestSetupHelmConfig(t *testing.T) {
+	t.Setenv(env.KagentHelmRepo.Name(), "")
+	t.Setenv(env.KagentHelmVersion.Name(), "")
+	t.Setenv(env.KagentHelmExtraArgs.Name(), "")
+
+	t.Run("includes provider values when default modelconfig is installed", func(t *testing.T) {
+		cfg := setupHelmConfig(v1alpha2.ModelProviderOpenAI, "test-key", true)
+		assert.Contains(t, cfg.values, "providers.default=openAI")
+		assert.Contains(t, cfg.values, "providers.openAI.apiKey=test-key")
+	})
+
+	t.Run("omits provider values when default modelconfig is disabled", func(t *testing.T) {
+		cfg := setupHelmConfig(v1alpha2.ModelProviderOpenAI, "test-key", false)
+		assert.NotContains(t, cfg.values, "providers.default=openAI")
+		assert.NotContains(t, cfg.values, "providers.openAI.apiKey=test-key")
+	})
+}
diff --git a/helm/kagent/templates/modelconfig-secret.yaml b/helm/kagent/templates/modelconfig-secret.yaml
@@ -1,6 +1,10 @@
 {{- if ne .Values.providers.createDefaultModelConfig false }}
 {{- $dot := . }}
-{{- $model := index $dot.Values.providers $dot.Values.providers.default  }}
+{{- $defaultProvider := $dot.Values.providers.default | default "openAI" }}
+{{- if hasKey $dot.Values.providers $defaultProvider | not }}
+{{- fail (printf "Provider key=%s is not found under .Values.providers" $defaultProvider) }}
+{{- end }}
+{{- $model := index $dot.Values.providers $defaultProvider }}
 {{- if and $model.apiKeySecretRef $model.apiKey }}
 ---
 apiVersion: v1
diff --git a/helm/kagent/tests/modelconfig-secret_test.yaml b/helm/kagent/tests/modelconfig-secret_test.yaml
@@ -41,6 +41,20 @@ tests:
           path: data.ANTHROPIC_API_KEY
           value: YW50aHJvcGljLXRlc3Qta2V5  # base64 of "anthropic-test-key"
 
+  - it: should fall back to openai secret when default provider is empty
+    set:
+      providers:
+        default: ""
+        openAI:
+          apiKey: "fallback-openai-key"
+    asserts:
+      - equal:
+          path: metadata.name
+          value: kagent-openai
+      - equal:
+          path: data.OPENAI_API_KEY
+          value: ZmFsbGJhY2stb3BlbmFpLWtleQ==  # base64 of "fallback-openai-key"
+
   - it: should render azure openai secret when azure provider is default
     set:
       providers:
