[ISSUE] Helm upgrade fails for imagepullsecrets 8.3.1

Describe the issue:

When trying to upgrade --dry-run from 8.2.16 to 8.3.1 we get the following message from helm:

coalesce.go:286: warning: cannot overwrite table with non table for camunda-platform.elasticsearch.image (map[debug:false digest: pullPolicy:IfNotPresent pullSecrets:[] registry:docker.io repository:bitnami/elasticsearch tag:8.7.1])
Error: UPGRADE FAILED: template: camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml:52:10: executing "camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml" at <include "elasticsearch.imagePullSecrets" .>: error calling include: template: camunda-platform/charts/elasticsearch/templates/_helpers.tpl:19:3: executing "elasticsearch.imagePullSecrets" at <include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.sysctlImage .Values.volumePermissions.image) "global" .Values.global)>: error calling include: template: camunda-platform/charts/common/templates/_images.tpl:50:14: executing "common.images.pullSecrets" at <.pullSecrets>: can't evaluate field pullSecrets in type interface {}
helm.go:84: [debug] template: camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml:52:10: executing "camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml" at <include "elasticsearch.imagePullSecrets" .>: error calling include: template: camunda-platform/charts/elasticsearch/templates/_helpers.tpl:19:3: executing "elasticsearch.imagePullSecrets" at <include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.sysctlImage .Values.volumePermissions.image) "global" .Values.global)>: error calling include: template: camunda-platform/charts/common/templates/_images.tpl:50:14: executing "common.images.pullSecrets" at <.pullSecrets>: can't evaluate field pullSecrets in type interface {}

Do you have any ideas on why the chart asks for pullSecrets to the public repository?

Actual behavior:

upgrade --dry-run gives the error above.

Expected behavior:

We expect the upgrade --dry-run to succeed.

How to reproduce:

Using the default values from the helmchart together with custom values below:

global:
  ingress:
    enabled: true
    className: nginx
    host: camunda.xxxxxx.no
    annotations:
    tls:
      enabled: true
      secretName: camunda-tls-secret
  identity:
    auth:
      publicIssuerUrl: "https://camunda.xxxxxx.no/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://camunda.xxxxxx.no/operate"
    identity:
      contextPath: "/identity"
      fullURL: "https://camunda.xxxxxx.no/identity"
zeebe:
  resources:
    limits:
      memory: 4Gi 
  pvcStorageClassName: managed-premium-retain
  podDisruptionBudget:
    enabled: true
  podSecurityContext:
    fsGroup: 1000
zeebe-gateway:
  podDisruptionBudget:
    enabled: true
  env:
  - name: ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE
    value: "NONE"
operate:
  contextPath: "/operate"
  env:
    - name: CAMUNDA_OPERATE_ENTERPRISE
      value: "true"
elasticsearch:
  master:
    persistence:
      size: 30Gi
retentionPolicy:
  enabled: true
  schedule: "0 1 * * *"
  zeebeIndexTTL: 10
optimize:
  enabled: false
tasklist:
  enabled: false
connectors:
  enabled: false

We upgrade the helmchart with the command:

helm upgrade camunda-platform camunda/camunda-platform --namespace camunda --version 8.3.1 --debug --dry-run \
    --values camunda-values.yaml --values camunda-platform-values.yaml \
    --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
    --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
    --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \
    --set global.identity.auth.connectors.existingSecret=$CONNECTORS_SECRET \
    --set identity.keycloak.auth.adminPassword=$KEYCLOAK_ADMIN_SECRET \
    --set identity.keycloak.auth.managementPassword=$KEYCLOAK_MANAGEMENT_SECRET \
    --set identity.keycloak.postgresql.auth.password=$POSTGRESQL_SECRET \
    --set global.postgresql.auth.postgresPassword=$POSTGRES_PASSWORD \
    --set global.identity.auth.zeebe.existingSecret=$ZEEBE_SECRET

and get the error below:

Logs:

helm upgrade camunda-platform camunda/camunda-platform --namespace camunda --version 8.3.1 --debug --dry-run \
          --values camunda-values.yaml --values camunda-platform-values.yaml \
          --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
          --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
          --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \
          --set global.identity.auth.connectors.existingSecret=$CONNECTORS_SECRET \
          --set identity.keycloak.auth.adminPassword=$KEYCLOAK_ADMIN_SECRET \
          --set identity.keycloak.auth.managementPassword=$KEYCLOAK_MANAGEMENT_SECRET \
          --set identity.keycloak.postgresql.auth.password=$POSTGRESQL_SECRET \
          --set global.postgresql.auth.postgresPassword=$POSTGRES_PASSWORD \
          --set global.identity.auth.zeebe.existingSecret=$ZEEBE_SECRET
upgrade.go:153: [debug] preparing upgrade for camunda-platform
coalesce.go:286: warning: cannot overwrite table with non table for camunda-platform.elasticsearch.image (map[repository:bitnami/elasticsearch tag:8.7.1])
coalesce.go:289: warning: destination for identity.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:289: warning: destination for identity.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:289: warning: destination for identity.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:289: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:289: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:289: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:286: warning: cannot overwrite table with non table for camunda-platform.elasticsearch.image (map[debug:false digest: pullPolicy:IfNotPresent pullSecrets:[] registry:docker.io repository:bitnami/elasticsearch tag:8.7.1])
Error: UPGRADE FAILED: template: camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml:52:10: executing "camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml" at <include "elasticsearch.imagePullSecrets" .>: error calling include: template: camunda-platform/charts/elasticsearch/templates/_helpers.tpl:19:3: executing "elasticsearch.imagePullSecrets" at <include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.sysctlImage .Values.volumePermissions.image) "global" .Values.global)>: error calling include: template: camunda-platform/charts/common/templates/_images.tpl:50:14: executing "common.images.pullSecrets" at <.pullSecrets>: can't evaluate field pullSecrets in type interface {}
helm.go:84: [debug] template: camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml:52:10: executing "camunda-platform/charts/elasticsearch/templates/master/statefulset.yaml" at <include "elasticsearch.imagePullSecrets" .>: error calling include: template: camunda-platform/charts/elasticsearch/templates/_helpers.tpl:19:3: executing "elasticsearch.imagePullSecrets" at <include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.sysctlImage .Values.volumePermissions.image) "global" .Values.global)>: error calling include: template: camunda-platform/charts/common/templates/_images.tpl:50:14: executing "common.images.pullSecrets" at <.pullSecrets>: can't evaluate field pullSecrets in type interface {}
UPGRADE FAILED
main.newUpgradeCmd.func2
        helm.sh/helm/v3/cmd/helm/upgrade.go:229
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.7.0/command.go:940
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.7.0/command.go:1068
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.7.0/command.go:992
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
        runtime/proc.go:267
runtime.goexit
        runtime/asm_arm64.s:1197

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

Platform: AKS 1.27.3
Helm CLI version: version.BuildInfo{Version:"v3.13.1", GitCommit:"3547a4b5bf5edb5478ce352e18858d8a552a4110", GitTreeState:"clean", GoVersion:"go1.21.3"}
Chart version: 8.3.1
Values file:

global:
  ingress:
    enabled: true
    className: nginx
    host: camunda.xxxxxx.no
    annotations:
    tls:
      enabled: true
      secretName: camunda-tls-secret
  identity:
    auth:
      publicIssuerUrl: "https://camunda.xxxxxx.no/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://camunda.xxxxxx.no/operate"
    identity:
      contextPath: "/identity"
      fullURL: "https://camunda.xxxxxx.no/identity"
zeebe:
  resources:
    limits:
      memory: 4Gi 
  pvcStorageClassName: managed-premium-retain
  podDisruptionBudget:
    enabled: true
  podSecurityContext:
    fsGroup: 1000
zeebe-gateway:
  podDisruptionBudget:
    enabled: true
  env:
  - name: ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE
    value: "NONE"
operate:
  contextPath: "/operate"
  env:
    - name: CAMUNDA_OPERATE_ENTERPRISE
      value: "true"
elasticsearch:
  master:
    persistence:
      size: 30Gi
retentionPolicy:
  enabled: true
  schedule: "0 1 * * *"
  zeebeIndexTTL: 10
optimize:
  enabled: false
tasklist:
  enabled: false
connectors:
  enabled: false

camunda / camunda-platform-helm

[ISSUE] Helm upgrade fails for imagepullsecrets 8.3.1 #1008