spec: take note of KubeConfig.SecretRef.Key field #474

Merged
merged 1 commit into from
May 3, 2022
20 changes: 13 additions & 7 deletions docs/spec/v2beta1/helmreleases.md
Expand Up @@ -95,7 +95,12 @@ type HelmReleaseSpec struct {
Values *apiextensionsv1.JSON `json:"values,omitempty"`

// KubeConfig for reconciling the HelmRelease on a remote cluster.
// When specified, KubeConfig takes precedence over ServiceAccountName.
// When used in combination with HelmReleaseSpec.ServiceAccountName,
// forces the controller to act on behalf of that Service Account at the
// target cluster.
// If the --default-service-account flag is set, its value will be used as
// a controller level fallback for when HelmReleaseSpec.ServiceAccountName
// is empty.
// +optional
KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`

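Review bot: The new comment on `KubeConfig` does not say which identity the controller uses at the target cluster when `HelmReleaseSpec.ServiceAccountName` is empty and `--default-service-account` is not set. With the sentence "When specified, KubeConfig takes precedence over ServiceAccountName." gone, a reader can no longer tell what happens in that case; please add a sentence covering it, for example that the credentials embedded in the kubeconfig are used directly, if that is the behaviour. The hunk also changes the documented relationship between the two fields, which the PR title (about `KubeConfig.SecretRef.Key`) does not mention, so it deserves a line in the commit message.
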
Expand All @@ -112,16 +117,17 @@ type HelmReleaseSpec struct {

// KubeConfig references a Kubernetes secret that contains a kubeconfig file.
type KubeConfig struct {
// SecretRef holds the name to a secret that contains a 'value' key with
// the kubeconfig file as the value. It must be in the same namespace as
// SecretRef holds the name to a secret that contains a key with
// the kubeconfig file as the value. If no key is specified the key will
// default to 'value'. The secret must be in the same namespace as
// the HelmRelease.
// It is recommended that the kubeconfig is self-contained, and the secret
// is regularly updated if credentials such as a cloud-access-token expire.
// Cloud specific `cmd-path` auth helpers will not function without adding
// binaries and credentials to the Pod that is responsible for reconciling
// the HelmRelease.
// +required
SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
SecretRef meta.SecretKeyReference `json:"secretRef,omitempty"`
}

// HelmChartTemplate defines the template from which the controller will
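
Review bot: The default key stated in the `SecretRef` comment ("If no key is specified the key will default to 'value'") disagrees with the prose further down in this file, which gives the default as `value` or `value.yaml`; make the two agree. "SecretRef holds the name to a secret" also undersells the new type: with `meta.SecretKeyReference` the field carries a name and an optional key, so wording such as "SecretRef holds the name of a secret and, optionally, the key that contains the kubeconfig" would be more accurate. The field is marked `+required` while the JSON tag keeps `omitempty`; that is unchanged by this patch, but it is worth tidying while the line is being touched.
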
Expand Down Expand Up @@ -1053,9 +1059,9 @@ in that KubeConfig instead of the local cluster that is responsible for the reco
HelmRelease.

The secret defined in the `spec.kubeConfig.secretRef` must exist in the same namespace as the
HelmRelease. On every reconciliation, the KubeConfig bytes will be loaded from the `value` or `value.yaml` key
of the secret's data, and the secret can thus be regularly updated if cluster-access-tokens have
to rotate due to expiration.
HelmRelease. On every reconciliation, the KubeConfig bytes will be loaded from the `.secretRef.key`
key (default: `value` or `value.yaml`) of the Secret's data , and the Secret can thus be regularly
updated if cluster-access-tokens have to rotate due to expiration.

The Helm storage is stored on the remote cluster in a namespace that equals to the namespace of
the HelmRelease, or the configured `spec.storageNamespace`. The release itself is made in a
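
Review bot: In the rewritten sentence, "(default: `value` or `value.yaml`)" does not say which of the two keys is tried first, nor what happens when `.secretRef.key` is set but that key is absent from the Secret (an error, or a fallback to the defaults). A silent fallback would load a different kubeconfig than the one the user named, so the behaviour should be stated explicitly. There is also a stray space before the comma in "Secret's data , and".
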