spec: take note of KubeConfig.SecretRef.Key field #645

Merged: 1 commit, May 3, 2022
14 changes: 8 additions & 6 deletions docs/spec/v1beta2/kustomization.md
Expand Up @@ -66,7 +66,7 @@ type KustomizationSpec struct {
// for changing image names, tags or digests. This can also be achieved with a
// patch, but this operator is simpler to specify.
// +optional
Images []kustomize.Image `json:"images,omitempty"`
Images []kustomize.Image `json:"images,omitempty"`

// The name of the Kubernetes service account to impersonate
// when reconciling this Kustomization.
Expand Down Expand Up @@ -123,16 +123,17 @@ This can be used with Cluster API:

```go
type KubeConfig struct {
// SecretRef holds the name to a secret that contains a 'value' key with
// the kubeconfig file as the value. It must be in the same namespace as
// SecretRef holds the name of a secret that contains a key with
// the kubeconfig file as the value. If no key is set, the key will default
// to 'value'. The secret must be in the same namespace as
// the Kustomization.
// It is recommended that the kubeconfig is self-contained, and the secret
// is regularly updated if credentials such as a cloud-access-token expire.
// Cloud specific `cmd-path` auth helpers will not function without adding
// binaries and credentials to the Pod that is responsible for reconciling
// the Kustomization.
// +required
SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
SecretRef meta.SecretKeyReference `json:"secretRef,omitempty"`
}
```
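Review bot: The new comment on SecretRef says the key will default to 'value', but the behaviour section changed further down in this patch gives the default as `value` or `value.yaml`; the two places should state the same default. The field type is now meta.SecretKeyReference and its definition is not shown in this spec, so it would also help to name the field explicitly, for example "If no `key` is set", so readers know what to write in a manifest. Separately, the field is marked `+required` while its JSON tag carries `omitempty`; worth confirming that combination is intended.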

Expand Down Expand Up @@ -938,8 +939,9 @@ If the `kubeConfig` field is set, objects will be applied, health-checked, prune
cluster specified in that KubeConfig instead of using the in-cluster ServiceAccount.

The secret defined in the `kubeConfig.SecretRef` must exist in the same namespace as the Kustomization.
On every reconciliation, the KubeConfig bytes will be loaded from the `value` or `value.yaml` key of the secret's data,
and the secret can thus be regularly updated if cluster-access-tokens have to rotate due to expiration.
On every reconciliation, the KubeConfig bytes will be loaded from the `.secretRef.key`
key (default: `value` or `value.yaml`) of the Secret's data , and the Secret can thus be regularly
updated if cluster-access-tokens have to rotate due to expiration.

This composes well with Cluster API bootstrap providers such as CAPBK (kubeadm), CAPA (AWS) and others.
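Review bot: In the rewritten sentence, "(default: `value` or `value.yaml`)" does not say which of the two keys wins when `.secretRef.key` is unset and the Secret contains both, and nothing states what happens when a key is set but absent from the Secret (fail the reconciliation, or fall back to the defaults). Because this key selects the credentials used to reach the target cluster, both cases should be spelled out. Minor: there is a stray space before the comma in "Secret's data , and", and `.secretRef.key` uses a different path notation from `kubeConfig.SecretRef` on the preceding line.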
