diff --git a/charts/cloudflared/Chart.yaml b/charts/cloudflared/Chart.yaml
index d7f18d6..71310a0 100644
--- a/charts/cloudflared/Chart.yaml
+++ b/charts/cloudflared/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.23.2
+version: 2.0.0
 description: Cloudflared Tunnel
 keywords:
 - cloudflare
diff --git a/charts/cloudflared/README.md b/charts/cloudflared/README.md
index 69e7412..13a0760 100644
--- a/charts/cloudflared/README.md
+++ b/charts/cloudflared/README.md
@@ -1,6 +1,6 @@
 # cloudflared
-![Version: 1.23.2](https://img.shields.io/badge/Version-1.23.2-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
 Cloudflared Tunnel
@@ -25,11 +25,14 @@ Cloudflared Tunnel
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
-| existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.11.1"}` | Default image |
 | name | string | `"cloudflared"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels/","property":"token"}}}` | Secret configuration |
+| secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels/","property":"token"}}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels/","property":"token"}` | Cluster store config |
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/cloudflared/templates/_helpers.tpl b/charts/cloudflared/templates/_helpers.tpl
new file mode 100644
index 0000000..f616a33
--- /dev/null
+++ b/charts/cloudflared/templates/_helpers.tpl
@@ -0,0 +1,71 @@
+{{/*
+Generate the secret name
+*/}}
+{{- define "secret.name" -}}
+ {{- if .Values.secret.externalSecret.enabled }}
+ {{- if .Values.secret.externalSecret.nameOverride }}
+ {{- .Values.secret.externalSecret.nameOverride | trunc 63 | trimSuffix "-" }}
+ {{- else }}
+ {{- printf "%s-cloudflared-secret" .Release.Name -}}
+ {{- end }}
+ {{- else if .Values.secret.existingSecret.name }}
+ {{- printf "%s" .Values.secret.existingSecret.name -}}
+ {{- else }}
+ {{ fail "No Secret Name Found!" }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Generate the name of the secret key
+*/}}
+{{- define "secret.key" -}}
+ {{- if .Values.secret.externalSecret.enabled }}
+ {{- printf "cf-tunnel-token" -}}
+ {{- else if .Values.secret.existingSecret.key }}
+ {{- printf "%s" .Values.secret.existingSecret.key -}}
+ {{- else }}
+ {{ fail "No Secret Key Found!" }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Generate path in the secret store
+*/}}
+{{- define "secret.path" -}}
+ {{- if and (.Values.secret.externalSecret.enabled) (.Values.secret.externalSecret.store.path) }}
+ {{- printf "%s/%s" .Values.secret.externalSecret.store.path .Release.Name -}}
+ {{- else }}
+ {{ fail "No Secret Store Path Found!" }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+ {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "secret.name" . }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/cloudflared/templates/common.yaml b/charts/cloudflared/templates/common.yaml
index 03be908..fe5880a 100644
--- a/charts/cloudflared/templates/common.yaml
+++ b/charts/cloudflared/templates/common.yaml
@@ -27,8 +27,8 @@ controllers:
 - name: CF_MANAGED_TUNNEL_TOKEN
 valueFrom:
 secretKeyRef:
- name: {{ .Values.existingSecretName }}
- key: {{ .Values.existingSecretKey }}
+ name: {{ include "secret.name" . }}
+ key: {{ include "secret.key" . }}
 resources:
 {{- with .Values.resources }}
 resources:
diff --git a/charts/cloudflared/templates/external-secret.yaml b/charts/cloudflared/templates/external-secret.yaml
new file mode 100644
index 0000000..c7fe0be
--- /dev/null
+++ b/charts/cloudflared/templates/external-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: {{ include "secret.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "secret.labels" . | nindent 4 }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: {{ .Values.secret.externalSecret.store.name | required "External Secret store name is required" }}
+ data:
+ - secretKey: {{ include "secret.key" . }}
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: {{ include "secret.path" . }}
+ metadataPolicy: None
+ property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
+{{- end }}
diff --git a/charts/cloudflared/values.yaml b/charts/cloudflared/values.yaml
index 16a4d1c..cae1fc9 100644
--- a/charts/cloudflared/values.yaml
+++ b/charts/cloudflared/values.yaml
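Review bot: In `templates/_helpers.tpl`, `secret.path` joins `store.path` and the release name with `printf "%s/%s"`, while the default `store.path` in values.yaml already ends in `/`, so the rendered remote key is `/cloudflare/tunnels//<release>`. Whether the store backend tolerates the empty path segment is not visible from this commit; trimming it makes the lookup deterministic: `{{- printf "%s/%s" (.Values.secret.externalSecret.store.path | trimSuffix "/") .Release.Name -}}`. Separately, `secret.labels` tests `.Chart.AppVersion` but emits `.Chart.Version` for `app.kubernetes.io/version`, which looks unintended. The `app.kubernetes.io/name` label also reuses `secret.name`, and the `printf "%s-cloudflared-secret"` branch is not truncated, so a long release name could exceed the 63-character label value limit.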
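Review bot: In `templates/common.yaml` the two `secretKeyRef` values are rendered unquoted, so a user-supplied `secret.existingSecret.name` or `key` that looks like a number or boolean would be retyped by the YAML parser before it reaches the pod spec. Quoting keeps them strings: `name: {{ include "secret.name" . | quote }}` and `key: {{ include "secret.key" . | quote }}`. The same applies to `metadata.name` and `secretKey` in `templates/external-secret.yaml`. The surrounding container definition starts and ends outside this hunk.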
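Review bot: `templates/external-secret.yaml` hard-codes `kind: ClusterSecretStore` and takes the remote key from `secret.path`, which ends in `.Release.Name`, so which tunnel token a release receives is decided by the release name alone. With a cluster-scoped store, isolation between namespaces then rests entirely on the store's own conditions and the backend access policy, neither of which is visible in this chart. Consider letting operators select a namespaced store, e.g. `kind: {{ .Values.secret.externalSecret.store.kind | default "ClusterSecretStore" }}`, and documenting the expected path layout next to `store.path`. The spec also sets neither `refreshInterval` nor `target`, so rotation cadence and the name of the resulting Secret rely on operator defaults; stating them explicitly would make token rotation behaviour reviewable.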
@@ -1,11 +1,27 @@
 # -- Name override of release
 name: cloudflared
-# -- Name of existing secret that contains Cloudflare token
-existingSecretName: cloudflared-secret
+# -- Secret configuration
+secret:
-# -- Name of key that contains the token in the existingSecret
-existingSecretKey: cf-tunnel-token
+ # -- External Secret configuration
+ externalSecret:
+ enabled: true
+ nameOverride: ""
+
+ # -- Cluster store config
+ store:
+ name: vault
+ path: /cloudflare/tunnels/
+ property: token
+
+ # -- Add additional labels
+ additionalLabels: {}
+
+ # -- Name of existing secret that contains Cloudflare token
+ existingSecret:
+ name: cloudflared-secret
+ key: cf-tunnel-token
 # -- Default image
 image:
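Review bot: `secret.externalSecret.enabled` defaults to `true` in `values.yaml` while the old top-level `existingSecretName`/`existingSecretKey` keys are removed, so a release upgraded with the old keys still set has them ignored and, where the ExternalSecret API is installed, switches its token source to a store named `vault` without any warning. A guard in the templates would turn that into an explicit failure: `{{- if or .Values.existingSecretName .Values.existingSecretKey }}{{ fail "existingSecretName/existingSecretKey moved to secret.existingSecret.name/key" }}{{- end }}`. Defaulting `enabled` to `false` would also keep the chart installable on clusters without the External Secrets CRDs. `enabled` and `nameOverride` carry no `# --` comment, so they get no row of their own in the generated README table.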