change default value

charts/cloudflared/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.23.2
+version: 2.0.1
 description: Cloudflared Tunnel
 keywords:
   - cloudflare

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 1.23.2](https://img.shields.io/badge/Version-1.23.2-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
+![Version: 2.0.1](https://img.shields.io/badge/Version-2.0.1-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -25,11 +25,14 @@ Cloudflared Tunnel
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
-| existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.11.1"}` | Default image |
 | name | string | `"cloudflared"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cloudflared/templates/_helpers.tpl

@@ -0,0 +1,71 @@
+{{/*
+Generate the secret name
+*/}}
+{{- define "secret.name" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.nameOverride }}
+      {{- .Values.secret.externalSecret.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-cloudflared-secret" .Release.Name -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecret.name }}
+    {{- printf "%s" .Values.secret.existingSecret.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the name of the secret key
+*/}}
+{{- define "secret.key" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- printf "cf-tunnel-token" -}}
+  {{- else if .Values.secret.existingSecret.key }}
+    {{- printf "%s" .Values.secret.existingSecret.key -}}
+  {{- else }}
+    {{ fail "No Secret Key Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate path in the secret store
+*/}}
+{{- define "secret.path" -}}
+  {{- if and (.Values.secret.externalSecret.enabled) (.Values.secret.externalSecret.store.path) }}
+    {{- printf "%s/%s" .Values.secret.externalSecret.store.path .Release.Name -}}
+  {{- else }}
+    {{ fail "No Secret Store Path Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "secret.name" . }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/cloudflared/templates/common.yaml

@@ -27,8 +27,8 @@ controllers:
           - name: CF_MANAGED_TUNNEL_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ .Values.existingSecretName }}
+                name: {{ include "secret.name" . }}
-                key: {{ .Values.existingSecretKey }}
+                key: {{ include "secret.key" . }}
         resources:
         {{- with .Values.resources }}
         resources:

charts/cloudflared/templates/external-secret.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "secret.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.store.name | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.key" . }}
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ include "secret.path" . }}
+        metadataPolicy: None
+        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
+{{- end }}

charts/cloudflared/values.yaml

@@ -1,11 +1,27 @@
 # -- Name override of release
 name: cloudflared
 
-# -- Name of existing secret that contains Cloudflare token
+# -- Secret configuration
-existingSecretName: cloudflared-secret
+secret:
 
-# -- Name of key that contains the token in the existingSecret
+  # -- External Secret configuration
-existingSecretKey: cf-tunnel-token
+  externalSecret:
+    enabled: true
+    nameOverride: ""
+
+    # -- Cluster store config
+    store:
+      name: vault
+      path: /cloudflare/tunnels
+      property: token
+
+    # -- Add additional labels
+    additionalLabels: {}
+
+  # -- Name of existing secret that contains Cloudflare token
+  existingSecret:
+    name: cloudflared-secret
+    key: cf-tunnel-token
 
 # -- Default image
 image: