From b0503a00d80c01875b59aad0790f062bf537fb2c Mon Sep 17 00:00:00 2001
From: John Houston
Date: Thu, 25 Sep 2025 12:10:00 -0600
Subject: [PATCH 1/2] manifest: only use environment variables if there is no configuration present
---
 manifest/provider/configure.go | 51 +++++++++++----------------------
 1 file changed, 16 insertions(+), 35 deletions(-)
diff --git a/manifest/provider/configure.go b/manifest/provider/configure.go
index cd57f8a209..6985154187 100644
--- a/manifest/provider/configure.go
+++ b/manifest/provider/configure.go
@@ -84,9 +84,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- // check environment - this overrides any value found in provider configuration
- if configPathEnv, ok := os.LookupEnv("KUBE_CONFIG_PATH"); ok && configPathEnv != "" {
+ } else if configPathEnv, ok := os.LookupEnv("KUBE_CONFIG_PATH"); ok && configPathEnv != "" {
 configPath = configPathEnv
 }
 if len(configPath) > 0 {
@@ -122,12 +120,10 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 p.As(&pp)
 precedence = append(precedence, pp)
 }
- }
- //
- // check environment for KUBE_CONFIG_PATHS
- if configPathsEnv, ok := os.LookupEnv("KUBE_CONFIG_PATHS"); ok && configPathsEnv != "" {
+ } else if configPathsEnv, ok := os.LookupEnv("KUBE_CONFIG_PATHS"); ok && configPathsEnv != "" {
 precedence = filepath.SplitList(configPathsEnv)
 }
+
 if len(precedence) > 0 {
 for i, p := range precedence {
 absPath, err := homedir.Expand(p)
@@ -159,8 +155,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- if clientCrtEnv, ok := os.LookupEnv("KUBE_CLIENT_CERT_DATA"); ok && clientCrtEnv != "" {
+ } else if clientCrtEnv, ok := os.LookupEnv("KUBE_CLIENT_CERT_DATA"); ok && clientCrtEnv != "" {
 clientCertificate = clientCrtEnv
 }
 if len(clientCertificate) > 0 {
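Review bot: The environment lookup now runs only when the preceding `if` is false, but that condition starts above the hunk at -84, and the comment that used to state the precedence was deleted with nothing in its place. If the condition tests more than "attribute is set" (for example that the value is also known), a set-but-unknown attribute would still take the `KUBE_CONFIG_PATH` branch and select the kubeconfig from the environment; this is worth confirming against the full function. I would state the intent inside the branch, e.g. `// fallback: used only when the provider block does not set this attribute`, and repeat it at the other `else if` lookups in this patch.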
@@ -189,8 +184,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- if clusterCAEnv, ok := os.LookupEnv("KUBE_CLUSTER_CA_CERT_DATA"); ok && clusterCAEnv != "" {
+ } else if clusterCAEnv, ok := os.LookupEnv("KUBE_CLUSTER_CA_CERT_DATA"); ok && clusterCAEnv != "" {
 clusterCaCertificate = clusterCAEnv
 }
 if len(clusterCaCertificate) > 0 {
@@ -219,8 +213,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- if insecureEnv, ok := os.LookupEnv("KUBE_INSECURE"); ok && insecureEnv != "" {
+ } else if insecureEnv, ok := os.LookupEnv("KUBE_INSECURE"); ok && insecureEnv != "" {
 iv, err := strconv.ParseBool(insecureEnv)
 if err != nil {
 diags = append(diags, &tfprotov5.Diagnostic{
@@ -249,8 +242,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.ClusterInfo.TLSServerName = tlsServerName
- }
- if tlsServerName, ok := os.LookupEnv("KUBE_TLS_SERVER_NAME"); ok && tlsServerName != "" {
+ } else if tlsServerName, ok := os.LookupEnv("KUBE_TLS_SERVER_NAME"); ok && tlsServerName != "" {
 overrides.ClusterInfo.TLSServerName = tlsServerName
 }
@@ -272,9 +264,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- // check environment - this overrides any value found in provider configuration
- if hostEnv, ok := os.LookupEnv("KUBE_HOST"); ok && hostEnv != "" {
+ } else if hostEnv, ok := os.LookupEnv("KUBE_HOST"); ok && hostEnv != "" {
 host = hostEnv
 }
 if len(host) > 0 {
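Review bot: `KUBE_INSECURE` on its own can still turn the insecure setting on whenever the attribute is unset, and the branch in the hunk at -219 gives the operator no signal that this came from the environment. The name suggests the value relaxes TLS verification, but the lines that apply `iv` and close the branch are outside the hunk, so that is inferred. A warning diagnostic when `iv` parses to true would make the downgrade visible in plan and apply output. It is appended to `diags` in the same way as the existing parse-error path, as sketched below.

```go
	iv, err := strconv.ParseBool(insecureEnv)
	// … unchanged: ParseBool error handling …
	if iv {
		diags = append(diags, &tfprotov5.Diagnostic{
			Severity: tfprotov5.DiagnosticSeverityWarning,
			Summary:  "Insecure mode enabled by environment",
			Detail:   "KUBE_INSECURE is set and the provider configuration does not set the corresponding attribute.",
		})
	}
```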
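Review bot: Nothing in this series pins the new order for `host` in the hunk at -272: patch 1 changes only configure.go and patch 2 only adds the changelog entry. This branch presumably decides which API server the provider talks to, so a regression back to environment-wins would be silent and could direct a run at a different cluster than the one written in configuration. A table-driven test of ConfigureProvider that sets both the attribute and the variable with `t.Setenv("KUBE_HOST", "https://env.example.invalid")` and asserts the configured value is used, plus the unset-attribute case, would cover it. The same table can carry the token, CA data and insecure cases.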
@@ -316,9 +306,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 })
 return response, nil
 }
- }
- // check environment - this overrides any value found in provider configuration
- if clientKeyEnv, ok := os.LookupEnv("KUBE_CLIENT_KEY_DATA"); ok && clientKeyEnv != "" {
+ } else if clientKeyEnv, ok := os.LookupEnv("KUBE_CLIENT_KEY_DATA"); ok && clientKeyEnv != "" {
 clientKey = clientKeyEnv
 }
 if len(clientKey) > 0 {
@@ -353,8 +341,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.CurrentContext = cfgContext
- }
- if cfgContext, ok := os.LookupEnv("KUBE_CTX"); ok && cfgContext != "" {
+ } else if cfgContext, ok := os.LookupEnv("KUBE_CTX"); ok && cfgContext != "" {
 overrides.CurrentContext = cfgContext
 }
@@ -375,8 +362,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.Context.Cluster = cfgCtxCluster
- }
- if cfgCtxCluster, ok := os.LookupEnv("KUBE_CTX_CLUSTER"); ok && cfgCtxCluster != "" {
+ } else if cfgCtxCluster, ok := os.LookupEnv("KUBE_CTX_CLUSTER"); ok && cfgCtxCluster != "" {
 overrides.Context.Cluster = cfgCtxCluster
 }
@@ -397,8 +383,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 if cfgContextAuthInfo != nil {
 overrides.Context.AuthInfo = *cfgContextAuthInfo
 }
- }
- if cfgContextAuthInfoEnv, ok := os.LookupEnv("KUBE_CTX_AUTH_INFO"); ok && cfgContextAuthInfoEnv != "" {
+ } else if cfgContextAuthInfoEnv, ok := os.LookupEnv("KUBE_CTX_AUTH_INFO"); ok && cfgContextAuthInfoEnv != "" {
 overrides.Context.AuthInfo = cfgContextAuthInfoEnv
 }
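Review bot: The client key in the hunk at -316 falls back to `KUBE_CLIENT_KEY_DATA` independently of the client certificate, which has its own fallback in the `KUBE_CLIENT_CERT_DATA` hunk at -159. A provider block that sets only one of the two attributes can therefore end up with a certificate from configuration and a key from the environment, or the reverse. How the two values are consumed is outside both hunks, but a mismatched pair would at best fail the TLS handshake with an error that does not point at the mixed sources. At minimum I would record the coupling inside this branch, `// NOTE: key and certificate fall back independently; set both in the same place`, and consider a warning diagnostic when exactly one of the pair came from the environment.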
@@ -415,8 +400,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.AuthInfo.Username = username
- }
- if username, ok := os.LookupEnv("KUBE_USERNAME"); ok && username != "" {
+ } else if username, ok := os.LookupEnv("KUBE_USERNAME"); ok && username != "" {
 overrides.AuthInfo.Username = username
 }
@@ -433,8 +417,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.AuthInfo.Password = password
- }
- if password, ok := os.LookupEnv("KUBE_PASSWORD"); ok && password != "" {
+ } else if password, ok := os.LookupEnv("KUBE_PASSWORD"); ok && password != "" {
 overrides.AuthInfo.Password = password
 }
@@ -451,8 +434,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.AuthInfo.Token = token
- }
- if token, ok := os.LookupEnv("KUBE_TOKEN"); ok && token != "" {
+ } else if token, ok := os.LookupEnv("KUBE_TOKEN"); ok && token != "" {
 overrides.AuthInfo.Token = token
 }
@@ -469,8 +451,7 @@ func (s *RawProviderServer) ConfigureProvider(ctx context.Context, req *tfprotov
 return response, nil
 }
 overrides.ClusterDefaults.ProxyURL = proxyURL
- }
- if proxyURL, ok := os.LookupEnv("KUBE_PROXY_URL"); ok && proxyURL != "" {
+ } else if proxyURL, ok := os.LookupEnv("KUBE_PROXY_URL"); ok && proxyURL != "" {
 overrides.ClusterDefaults.ProxyURL = proxyURL
 }
From 1462467018d21537d07b8d6d78347735b4993e55 Mon Sep 17 00:00:00 2001
From: John Houston
Date: Fri, 26 Sep 2025 12:54:08 -0600
Subject: [PATCH 2/2] Add changelog entry
---
 .changelog/2788.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2788.txt
diff --git a/.changelog/2788.txt b/.changelog/2788.txt
new file mode 100644
index 0000000000..0b5889e28f
--- /dev/null
+++ b/.changelog/2788.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+Environment variables should not override configuration when using `kubernetes_manifest`.
+```
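Review bot: The fallback is decided per attribute, which is narrower than the subject line "only use environment variables if there is no configuration present". In the hunk at -469, `KUBE_PROXY_URL` is still applied whenever the proxy attribute is unset, even when other attributes such as host or token are given in the provider block. The username, password and token branches at -415, -433 and -451 behave the same way. A partially configured provider can therefore still have its proxy or credentials supplied by the environment of whoever runs the plan. If per-attribute fallback is intended, say so where it happens: `// per-attribute fallback: the environment applies whenever this attribute is unset, regardless of other attributes`.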