Merge pull request #4161 from stevehipwell/helm-deprecate-secret-configuration

chore(chart): Deprecated secretConfiguration
2025-08-06 09:36:58 +02:00 · 2024-01-09 02:28:18 +01:00 · 2024-01-09 02:28:18 +01:00 · 70a70892a8
commit 70a70892a8
parent 79a45b3aea 411a8aab89
5 changed files with 40 additions and 16 deletions
--- a/charts/external-dns/CHANGELOG.md
+++ b/charts/external-dns/CHANGELOG.md
@ -30,6 +30,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 - Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)

+### Deprecated
+
+- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values.
+
 ## [v1.13.1] - 2023-09-07

 ### Added
--- a/charts/external-dns/README.md
+++ b/charts/external-dns/README.md
@ -116,7 +116,7 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
 | resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
 | revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
 | secretConfiguration.data | object | `{}` | `Secret` data. |
-| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration. |
+| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
 | secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
 | secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
 | securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core) for the `external-dns` container. |
--- a/charts/external-dns/values.schema.json
+++ b/charts/external-dns/values.schema.json
@ -24,6 +24,7 @@
      }
    },
    "secretConfiguration": {
+      "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
      "type": "object",
      "properties": {
        "enabled": {
--- a/charts/external-dns/values.yaml
+++ b/charts/external-dns/values.yaml
@ -224,7 +224,7 @@ provider:
 extraArgs: []

 secretConfiguration:
-  # -- If `true`, create a `Secret` to store sensitive provider configuration.
+  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
  enabled: false
  # -- Mount path for the `Secret`, this can be templated.
  mountPath:
--- a/docs/tutorials/azure.md
+++ b/docs/tutorials/azure.md
@ -386,33 +386,52 @@ $ az identity federated-credential create --name ${IDENTITY_NAME} --identity-nam

 NOTE: make sure federated credential refers to correct namespace and service account (`system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>`)

-#### helm
+#### Helm

-When deploying external-dns with helm, here are the parameters you need to pass:
+When deploying external-dns with Helm you need to create a secret to store the Azure config (see below) and create a workload identity (out of scope here) before you can install the chart.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: external-dns-azure
+type: Opaque
+data:
+  azure.json: |
+    {
+      "tenantId": "<TENANT_ID>",
+      "subscriptionId": "<SUBSCRIPTION_ID>",
+      "resourceGroup": "<AZURE_DNS_ZONE_RESOURCE_GROUP>",
+      "useWorkloadIdentityExtension": true
+    }
+```
+
+Once you have created the secret and have a workload identity you can install the chart with the following values.

 ```yaml
 fullnameOverride: external-dns

 serviceAccount:
+  labels:
+    azure.workload.identity/use: "true"
  annotations:
    azure.workload.identity/client-id: <IDENTITY_CLIENT_ID>

 podLabels:
  azure.workload.identity/use: "true"

-provider: azure
+extraVolumes:
+  - name: azure-config-file
+    secret:
+      secretName: external-dns-azure

-secretConfiguration:
-  enabled: true
-  mountPath: "/etc/kubernetes/"
-  data:
-    azure.json: |
-      {
-        "tenantId": "<TENANT_ID>",
-        "subscriptionId": "<SUBSCRIPTION_ID>",
-        "resourceGroup": "<AZURE_DNS_ZONE_RESOURCE_GROUP>",
-        "useWorkloadIdentityExtension": true
-      }
+extraVolumeMounts:
+  - name: azure-config-file
+    mountPath: /etc/kubernetes
+    readOnly: true
+
+provider:
+  name: azure
 ```

 NOTE: make sure the pod is restarted whenever you make a configuration change.