Merge pull request #786 from controlplaneio-fluxcd/improve-kubeconfig

operator: support `kubeconfig` key and custom keys in `convertKubeConfigFrom`

Author: matheuscscp

docs/api/v1/resourceset.md

@@ -502,6 +502,65 @@ setting the `--watch-configs-label-selector=owner!=helm`
 flag in flux-operator, which allows watching all ConfigMaps
 and Secrets except for Helm storage Secrets.
 
+#### Converting kubeconfig data from Secrets
+
+To generate ConfigMap resources with the API server address and CA certificate
+extracted from a kubeconfig stored in a Secret, the
+`fluxcd.controlplane.io/convertKubeConfigFrom` annotation must be set on the
+ConfigMap template.
+
+The annotation value must be in the format `namespace/name` or `namespace/name:key`:
+
+- `namespace/name` - looks for the kubeconfig data under the `kubeconfig` key first,
+  then falls back to the `value` key in the referenced Secret.
+- `namespace/name:key` - uses the specified custom key to read the kubeconfig data
+  from the referenced Secret.
+
+Example of converting kubeconfig data from a CAPI Secret:
+
+```yaml
+spec:
+  inputs:
+    - cluster: "staging"
+    - cluster: "production"
+  resources:
+    - apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: << inputs.cluster >>-cluster-info
+        namespace: flux-system
+        annotations:
+          fluxcd.controlplane.io/convertKubeConfigFrom: "flux-system/<< inputs.cluster >>-kubeconfig"
+      data:
+        cluster: << inputs.cluster >>
+```
+
+In the above example, the operator reads the kubeconfig from the
+`flux-system/<cluster>-kubeconfig` Secret, extracts the API server address
+and the CA certificate from the first cluster entry, and populates the
+`address` and `ca.crt` fields in the generated ConfigMap.
+
+If the ConfigMap template already contains `address` or `ca.crt` fields,
+the existing values are preserved and not overwritten.
+
+Example using a custom Secret key:
+
+```yaml
+spec:
+  inputs:
+    - cluster: "staging"
+  resources:
+    - apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: << inputs.cluster >>-cluster-info
+        namespace: flux-system
+        annotations:
+          fluxcd.controlplane.io/convertKubeConfigFrom: "flux-system/<< inputs.cluster >>-kubeconfig:my-custom-key"
+      data:
+        cluster: << inputs.cluster >>
+```
+
 #### Conditional resource exclusion
 
 To exclude a resource based on input values, the `fluxcd.controlplane.io/reconcile` annotation can be set

internal/controller/resourceset_controller.go

@@ -689,6 +689,8 @@ func (r *ResourceSetReconciler) copyResources(ctx context.Context,
 // convertKubeConfigResources converts kubeconfig data stored in Secrets
 // into ConfigMap fields by extracting the server and CA certificate.
 // The conversion is triggered using a specific annotation on the ConfigMap.
+// The annotation value must be in the format 'namespace/name' or 'namespace/name:key'.
+// When no key is specified, the function looks for 'kubeconfig' first, then 'value'.
 func (r *ResourceSetReconciler) convertKubeConfigResources(
 	ctx context.Context,
 	kubeClient client.Client,
@@ -705,9 +707,20 @@ func (r *ResourceSetReconciler) convertKubeConfigResources(
 			continue
 		}
 
-		sourceParts := strings.Split(source, "/")
+		// Parse the annotation value to extract namespace/name and optional key.
+		// Supported formats: 'namespace/name' or 'namespace/name:key'.
+		var customKey string
+		nameRef := source
+		if colonIdx := strings.LastIndex(source, ":"); colonIdx > 0 {
+			if slashIdx := strings.Index(source, "/"); slashIdx > 0 && colonIdx > slashIdx {
+				customKey = source[colonIdx+1:]
+				nameRef = source[:colonIdx]
+			}
+		}
+
+		sourceParts := strings.Split(nameRef, "/")
 		if len(sourceParts) != 2 {
-			return fmt.Errorf("invalid %s annotation value '%s' must be in the format 'namespace/name'", fluxcdv1.ConvertKubeConfigFromAnnotation, source)
+			return fmt.Errorf("invalid %s annotation value '%s' must be in the format 'namespace/name' or 'namespace/name:key'", fluxcdv1.ConvertKubeConfigFromAnnotation, source)
 		}
 
 		sourceName := types.NamespacedName{
@@ -717,12 +730,24 @@ func (r *ResourceSetReconciler) convertKubeConfigResources(
 
 		secret := &corev1.Secret{}
 		if err := kubeClient.Get(ctx, sourceName, secret); err != nil {
-			return fmt.Errorf("failed to get kubeconfig Secret/%s: %w", source, err)
+			return fmt.Errorf("failed to get kubeconfig Secret/%s: %w", nameRef, err)
 		}
 
-		data, exists := secret.Data["value"]
-		if !exists {
-			return fmt.Errorf("kubeconfig Secret/%s does not have 'value' field", source)
+		var data []byte
+		var exists bool
+		if customKey != "" {
+			data, exists = secret.Data[customKey]
+			if !exists {
+				return fmt.Errorf("kubeconfig Secret/%s does not have '%s' field", nameRef, customKey)
+			}
+		} else {
+			data, exists = secret.Data["kubeconfig"]
+			if !exists {
+				data, exists = secret.Data["value"]
+			}
+			if !exists {
+				return fmt.Errorf("kubeconfig Secret/%s does not have 'kubeconfig' or 'value' field", nameRef)
+			}
 		}
 
 		kubeconfigYAML := string(data)