Add .spec.kubeConfig.secretRef.key

Signed-off-by: Nick Stogner <[email protected]>
fluxcd · Apr 12, 2022 · 73c8e48 · 73c8e48
1 parent cbe622f
commit 73c8e48
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 17 deletions.
diff --git a/api/v2beta1/helmrelease_types.go b/api/v2beta1/helmrelease_types.go
@@ -213,7 +213,7 @@ func (in HelmReleaseSpec) GetUninstall() Uninstall {
 
 // KubeConfig references a Kubernetes secret that contains a kubeconfig file.
 type KubeConfig struct {
-	// SecretRef holds the name to a secret that contains a 'value' key with
+	// SecretRef holds the name to a secret that contains
 	// the kubeconfig file as the value. It must be in the same namespace as
 	// the HelmRelease.
 	// It is recommended that the kubeconfig is self-contained, and the secret
@@ -222,7 +222,14 @@ type KubeConfig struct {
 	// binaries and credentials to the Pod that is responsible for reconciling
 	// the HelmRelease.
 	// +required
-	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef SecretRef `json:"secretRef,omitempty"`
+}
+
+type SecretRef struct {
+	// Name of the Secret.
+	Name string `json:"name"`
+	// Key in the Secret. If not specified it defaults to 'value'.
+	Key string `json:"key"`
 }
 
 // HelmChartTemplate defines the template from which the controller will

diff --git a/api/v2beta1/zz_generated.deepcopy.go b/api/v2beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
@@ -245,18 +245,22 @@ spec:
                 properties:
                   secretRef:
                     description: SecretRef holds the name to a secret that contains
-                      a 'value' key with the kubeconfig file as the value. It must
-                      be in the same namespace as the HelmRelease. It is recommended
-                      that the kubeconfig is self-contained, and the secret is regularly
-                      updated if credentials such as a cloud-access-token expire.
-                      Cloud specific `cmd-path` auth helpers will not function without
-                      adding binaries and credentials to the Pod that is responsible
-                      for reconciling the HelmRelease.
+                      the kubeconfig file as the value. It must be in the same namespace
+                      as the HelmRelease. It is recommended that the kubeconfig is
+                      self-contained, and the secret is regularly updated if credentials
+                      such as a cloud-access-token expire. Cloud specific `cmd-path`
+                      auth helpers will not function without adding binaries and credentials
+                      to the Pod that is responsible for reconciling the HelmRelease.
                     properties:
+                      key:
+                        description: Key in the Secret. If not specified it defaults
+                          to 'value'.
+                        type: string
                       name:
-                        description: Name of the referent.
+                        description: Name of the Secret.
                         type: string
                     required:
+                    - key
                     - name
                     type: object
                 type: object

diff --git a/controllers/helmrelease_controller.go b/controllers/helmrelease_controller.go
@@ -495,10 +495,14 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 		}
 
 		var kubeConfig []byte
-		for k, _ := range secret.Data {
-			if k == "value" || k == "value.yaml" {
-				kubeConfig = secret.Data[k]
-				break
+		if refkey := hr.Spec.KubeConfig.SecretRef.Key; refkey != "" {
+			kubeConfig = secret.Data[refkey]
+		} else {
+			for k, _ := range secret.Data {
+				if k == "value" || k == "value.yaml" {
+					kubeConfig = secret.Data[k]
+					break
+				}
 			}
 		}
 

diff --git a/docs/api/helmrelease.md b/docs/api/helmrelease.md
@@ -1398,13 +1398,13 @@ no retries remain. Defaults to &lsquo;false&rsquo;.</p>
 <td>
 <code>secretRef</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
-github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+<a href="#helm.toolkit.fluxcd.io/v2beta1.SecretRef">
+SecretRef
 </a>
 </em>
 </td>
 <td>
-<p>SecretRef holds the name to a secret that contains a &lsquo;value&rsquo; key with
+<p>SecretRef holds the name to a secret that contains
 the kubeconfig file as the value. It must be in the same namespace as
 the HelmRelease.
 It is recommended that the kubeconfig is self-contained, and the secret
@@ -1658,6 +1658,48 @@ rollback action when it fails.</p>
 </table>
 </div>
 </div>
+<h3 id="helm.toolkit.fluxcd.io/v2beta1.SecretRef">SecretRef
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#helm.toolkit.fluxcd.io/v2beta1.KubeConfig">KubeConfig</a>)
+</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the Secret.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>key</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Key in the Secret. If not specified it defaults to &lsquo;value&rsquo;.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="helm.toolkit.fluxcd.io/v2beta1.Test">Test
 </h3>
 <p>