From 411a8aab89fc399eb5648e128d9d7acc81435ce3 Mon Sep 17 00:00:00 2001
From: Steve Hipwell
Date: Mon, 8 Jan 2024 10:23:20 +0000
Subject: [PATCH] chore(chart): Deprecated secretConfiguration

Signed-off-by: Steve Hipwell
---
 charts/external-dns/CHANGELOG.md | 4 +++
 charts/external-dns/README.md | 2 +-
 charts/external-dns/values.schema.json | 1 +
 charts/external-dns/values.yaml | 2 +-
 docs/tutorials/azure.md | 47 ++++++++++++++++++--------
 5 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/charts/external-dns/CHANGELOG.md b/charts/external-dns/CHANGELOG.md
index a58a88b70..fd4a59063 100644
--- a/charts/external-dns/CHANGELOG.md
+++ b/charts/external-dns/CHANGELOG.md
@@ -29,6 +29,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)
 
+### Deprecated
+
+- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values.
+
 ## [v1.13.1] - 2023-09-07
 
 ### Added
diff --git a/charts/external-dns/README.md b/charts/external-dns/README.md
index f1b8fb868..7ea5be250 100644
--- a/charts/external-dns/README.md
+++ b/charts/external-dns/README.md
@@ -116,7 +116,7 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
 | resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
 | revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
 | secretConfiguration.data | object | `{}` | `Secret` data. |
-| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration. |
+| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
 | secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
 | secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
 | securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core) for the `external-dns` container. |
diff --git a/charts/external-dns/values.schema.json b/charts/external-dns/values.schema.json
index 94b043afe..883c1b505 100644
--- a/charts/external-dns/values.schema.json
+++ b/charts/external-dns/values.schema.json
@@ -24,6 +24,7 @@
 }
 },
 "secretConfiguration": {
+ "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
 "type": "object",
 "properties": {
 "enabled": {
diff --git a/charts/external-dns/values.yaml b/charts/external-dns/values.yaml
index e12eed3cf..887874b88 100644
--- a/charts/external-dns/values.yaml
+++ b/charts/external-dns/values.yaml
@@ -220,7 +220,7 @@ provider:
 extraArgs: []
 
 secretConfiguration:
- # -- If `true`, create a `Secret` to store sensitive provider configuration.
+ # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
 enabled: false
 # -- Mount path for the `Secret`, this can be templated.
 mountPath:
diff --git a/docs/tutorials/azure.md b/docs/tutorials/azure.md
index 55adab973..bdd55af14 100644
--- a/docs/tutorials/azure.md
+++ b/docs/tutorials/azure.md
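Review bot: The new `(**DEPRECATED**)` marker on the `enabled` comment says the value is deprecated but not what replaces it, so a reader of values.yaml alone has to go to the CHANGELOG or the schema `$comment` to find the migration path; I would make the comment self-contained: `# -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**: create the `Secret` outside the chart and mount it via `extraVolumes` & `extraVolumeMounts`).`. Nothing in the five files of this patch emits a warning at `helm install`/`helm upgrade` time for a release that still sets `secretConfiguration.enabled: true`, so the comment is currently the only in-chart signal; if the chart ships a NOTES.txt (not visible here), a guarded line such as `{{- if .Values.secretConfiguration.enabled }}WARNING: secretConfiguration is deprecated, see extraVolumes/extraVolumeMounts.{{- end }}` would surface it. The `secretConfiguration` block continues past the end of the hunk (`subPath` and `data` are outside my view).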
@@ -386,33 +386,52 @@ $ az identity federated-credential create --name ${IDENTITY_NAME} --identity-nam
 
 NOTE: make sure federated credential refers to correct namespace and service account (`system:serviceaccount::`)
 
-#### helm
+#### Helm
 
-When deploying external-dns with helm, here are the parameters you need to pass:
+When deploying external-dns with Helm you need to create a secret to store the Azure config (see below) and create a workload identity (out of scope here) before you can install the chart.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: external-dns-azure
+type: Opaque
+data:
+ azure.json: |
+ {
+ "tenantId": "",
+ "subscriptionId": "",
+ "resourceGroup": "",
+ "useWorkloadIdentityExtension": true
+ }
+```
+
+Once you have created the secret and have a workload identity you can install the chart with the following values.
 
 ```yaml
 fullnameOverride: external-dns
 
 serviceAccount:
+ labels:
+ azure.workload.identity/use: "true"
 annotations:
 azure.workload.identity/client-id:
 
 podLabels:
 azure.workload.identity/use: "true"
 
-provider: azure
+extraVolumes:
+ - name: azure-config-file
+ secret:
+ secretName: external-dns-azure
 
-secretConfiguration:
- enabled: true
- mountPath: "/etc/kubernetes/"
- data:
- azure.json: |
- {
- "tenantId": "",
- "subscriptionId": "",
- "resourceGroup": "",
- "useWorkloadIdentityExtension": true
- }
+extraVolumeMounts:
+ - name: azure-config-file
+ mountPath: /etc/kubernetes
+ readOnly: true
+
+provider:
+ name: azure
 ```
 
 NOTE: make sure the pod is restarted whenever you make a configuration change.
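Review bot: The `Secret` manifest added in this hunk puts the plain-text `azure.json` document under `data:`, but the Kubernetes API only accepts base64-encoded values in `data`, so this manifest is rejected on apply as invalid base64; change the key to `stringData:` and leave the `azure.json: |` block as it is, so the API server performs the encoding. The old chart-managed path (`secretConfiguration.data`) was fed through Helm values and so did not hit this, which is presumably why the example was never base64-encoded before. It would also help the reader to say, next to the existing closing note about restarting the pod, that the chart has no hand in this externally created `Secret` and will therefore not restart the pod when its contents are rotated — I cannot see the chart templates from here, so that should be confirmed before it is written. The `az identity` commands the hunk header refers to sit above this hunk, outside my view.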