Merge pull request #4161 from stevehipwell/helm-deprecate-secret-conf…

…iguration chore(chart): Deprecated secretConfiguration
kubernetes-sigs · Jan 9, 2024 · 70a7089 · 70a7089
2 parents 79a45b3 + 411a8aa
commit 70a7089
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 17 deletions.
diff --git a/charts/external-dns/CHANGELOG.md b/charts/external-dns/CHANGELOG.md
@@ -30,6 +30,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)
 
+### Deprecated
+
+- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values.
+
 ## [v1.13.1] - 2023-09-07
 
 ### Added

diff --git a/charts/external-dns/README.md b/charts/external-dns/README.md
@@ -116,7 +116,7 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
 | resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
 | revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
 | secretConfiguration.data | object | `{}` | `Secret` data. |
-| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration. |
+| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
 | secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
 | secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
 | securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core) for the `external-dns` container. |

diff --git a/charts/external-dns/values.schema.json b/charts/external-dns/values.schema.json
@@ -24,6 +24,7 @@
       }
     },
     "secretConfiguration": {
+      "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
       "type": "object",
       "properties": {
         "enabled": {

diff --git a/charts/external-dns/values.yaml b/charts/external-dns/values.yaml
@@ -224,7 +224,7 @@ provider:
 extraArgs: []
 
 secretConfiguration:
-  # -- If `true`, create a `Secret` to store sensitive provider configuration.
+  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
   enabled: false
   # -- Mount path for the `Secret`, this can be templated.
   mountPath:

diff --git a/docs/tutorials/azure.md b/docs/tutorials/azure.md
@@ -386,33 +386,52 @@ $ az identity federated-credential create --name ${IDENTITY_NAME} --identity-nam
 
 NOTE: make sure federated credential refers to correct namespace and service account (`system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>`)
 
-#### helm
+#### Helm
 
-When deploying external-dns with helm, here are the parameters you need to pass:
+When deploying external-dns with Helm you need to create a secret to store the Azure config (see below) and create a workload identity (out of scope here) before you can install the chart.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: external-dns-azure
+type: Opaque
+data:
+  azure.json: |
+    {
+      "tenantId": "<TENANT_ID>",
+      "subscriptionId": "<SUBSCRIPTION_ID>",
+      "resourceGroup": "<AZURE_DNS_ZONE_RESOURCE_GROUP>",
+      "useWorkloadIdentityExtension": true
+    }
+```
+
+Once you have created the secret and have a workload identity you can install the chart with the following values.
 
 ```yaml
 fullnameOverride: external-dns
 
 serviceAccount:
+  labels:
+    azure.workload.identity/use: "true"
   annotations:
     azure.workload.identity/client-id: <IDENTITY_CLIENT_ID>
 
 podLabels:
   azure.workload.identity/use: "true"
 
-provider: azure
-
-secretConfiguration:
-  enabled: true
-  mountPath: "/etc/kubernetes/"
-  data:
-    azure.json: |
-      {
-        "tenantId": "<TENANT_ID>",
-        "subscriptionId": "<SUBSCRIPTION_ID>",
-        "resourceGroup": "<AZURE_DNS_ZONE_RESOURCE_GROUP>",
-        "useWorkloadIdentityExtension": true
-      }
+extraVolumes:
+  - name: azure-config-file
+    secret:
+      secretName: external-dns-azure
+
+extraVolumeMounts:
+  - name: azure-config-file
+    mountPath: /etc/kubernetes
+    readOnly: true
+
+provider:
+  name: azure
 ```
 
 NOTE: make sure the pod is restarted whenever you make a configuration change.