Add .spec.kubeConfig.secretRef.key

api/v1beta2/kustomization_types.go

@@ -164,7 +164,7 @@ type Decryption struct {
 
 // KubeConfig references a Kubernetes secret that contains a kubeconfig file.
 type KubeConfig struct {
-	// SecretRef holds the name to a secret that contains a 'value' key with
+	// SecretRef holds the name to a secret that contains
 	// the kubeconfig file as the value. It must be in the same namespace as
 	// the Kustomization.
 	// It is recommended that the kubeconfig is self-contained, and the secret
@@ -173,7 +173,14 @@ type KubeConfig struct {
 	// binaries and credentials to the Pod that is responsible for reconciling
 	// the Kustomization.
 	// +required
-	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef SecretRef `json:"secretRef,omitempty"`
+}
+
+type SecretRef struct {
+	// Name of the Secret.
+	Name string `json:"name"`
+	// Key in the Secret. If not specified it defaults to 'value'.
+	Key string `json:"key"`
 }
 
 // PostBuild describes which actions to perform on the YAML manifest

config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml

@@ -699,18 +699,22 @@ spec:
                 properties:
                   secretRef:
                     description: SecretRef holds the name to a secret that contains
-                      a 'value' key with the kubeconfig file as the value. It must
-                      be in the same namespace as the Kustomization. It is recommended
-                      that the kubeconfig is self-contained, and the secret is regularly
-                      updated if credentials such as a cloud-access-token expire.
-                      Cloud specific `cmd-path` auth helpers will not function without
-                      adding binaries and credentials to the Pod that is responsible
-                      for reconciling the Kustomization.
+                      the kubeconfig file as the value. It must be in the same namespace
+                      as the Kustomization. It is recommended that the kubeconfig
+                      is self-contained, and the secret is regularly updated if credentials
+                      such as a cloud-access-token expire. Cloud specific `cmd-path`
+                      auth helpers will not function without adding binaries and credentials
+                      to the Pod that is responsible for reconciling the Kustomization.
                     properties:
+                      key:
+                        description: Key in the Secret. If not specified it defaults
+                          to 'value'.
+                        type: string
                       name:
-                        description: Name of the referent.
+                        description: Name of the Secret.
                         type: string
                     required:
+                    - key
                     - name
                     type: object
                 type: object

controllers/kustomization_acl_test.go

@@ -89,7 +89,7 @@ stringData:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_decryptor_test.go

@@ -126,7 +126,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
 			Interval: metav1.Duration{Duration: 2 * time.Minute},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_dependson_test.go

@@ -143,7 +143,7 @@ spec:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_force_test.go

@@ -86,7 +86,7 @@ stringData:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_impersonation.go

@@ -177,10 +177,14 @@ func (ki *KustomizeImpersonation) getKubeConfig(ctx context.Context) ([]byte, er
 	}
 
 	var kubeConfig []byte
-	for k := range secret.Data {
-		if k == "value" || k == "value.yaml" {
-			kubeConfig = secret.Data[k]
-			break
+	if refkey := ki.kustomization.Spec.KubeConfig.SecretRef.Key; refkey != "" {
+		kubeConfig = secret.Data[refkey]
+	} else {
+		for k := range secret.Data {
+			if k == "value" || k == "value.yaml" {
+				kubeConfig = secret.Data[k]
+				break
+			}
 		}
 	}
 

controllers/kustomization_impersonation_test.go

@@ -92,7 +92,7 @@ data:
 			Interval: metav1.Duration{Duration: time.Minute},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_inventory_test.go

@@ -97,7 +97,7 @@ stringData:
 			Interval: metav1.Duration{Duration: 2 * time.Minute},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_prune_test.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/testserver"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	. "github.com/onsi/gomega"
@@ -98,7 +97,7 @@ data:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},
@@ -226,7 +225,7 @@ data:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},
@@ -370,7 +369,7 @@ data:
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_transformer_test.go

@@ -24,7 +24,6 @@ import (
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/kustomize"
-	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	. "github.com/onsi/gomega"
 	appsv1 "k8s.io/api/apps/v1"
@@ -74,7 +73,7 @@ func TestKustomizationReconciler_KustomizeTransformer(t *testing.T) {
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},
@@ -197,7 +196,7 @@ func TestKustomizationReconciler_KustomizeTransformerFiles(t *testing.T) {
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},
@@ -316,7 +315,7 @@ func TestKustomizationReconciler_FluxTransformers(t *testing.T) {
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_validation_test.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -79,7 +78,7 @@ func TestKustomizationReconciler_Validation(t *testing.T) {
 			Interval: metav1.Duration{Duration: 2 * time.Minute},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_varsub_test.go

@@ -120,7 +120,7 @@ stringData:
 		},
 		Spec: kustomizev1.KustomizationSpec{
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},
@@ -269,7 +269,7 @@ metadata:
 		},
 		Spec: kustomizev1.KustomizationSpec{
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

controllers/kustomization_wait_test.go

@@ -85,7 +85,7 @@ data:
 			Interval: metav1.Duration{Duration: 2 * time.Minute},
 			Path:     "./",
 			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.LocalObjectReference{
+				SecretRef: kustomizev1.SecretRef{
 					Name: "kubeconfig",
 				},
 			},

docs/api/kustomize.md

@@ -521,13 +521,13 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 <td>
 <code>secretRef</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
-github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+<a href="#kustomize.toolkit.fluxcd.io/v1beta2.SecretRef">
+SecretRef
 </a>
 </em>
 </td>
 <td>
-<p>SecretRef holds the name to a secret that contains a &lsquo;value&rsquo; key with
+<p>SecretRef holds the name to a secret that contains
 the kubeconfig file as the value. It must be in the same namespace as
 the Kustomization.
 It is recommended that the kubeconfig is self-contained, and the secret
@@ -1095,6 +1095,48 @@ string
 </table>
 </div>
 </div>
+<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.SecretRef">SecretRef
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KubeConfig">KubeConfig</a>)
+</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the Secret.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>key</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Key in the Secret. If not specified it defaults to &lsquo;value&rsquo;.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="kustomize.toolkit.fluxcd.io/v1beta2.SubstituteReference">SubstituteReference
 </h3>
 <p>