Helm Chart: Adding support for secrets enabled multi-cluster #4938

Open
cmcgalliard wants to merge 12 commits into kubernetes-sigs:main from cmcgalliard:multicluster

@cmcgalliard

Summary

This simplifies the process of configuring kubeconfigs in secrets for Headlamp. This functionality already exists; the Helm chart just doesn't make it easy to configure.

Changes

  • Updated Deployments YAML to add volumes for each secret
  • Updated Deployments YAML to target each kubeconfig mount in the KUBECONFIG envvar
  • Updated values file to allow for a list of secrets containing kubeconfigs
  • Updated helm documentation

Steps to Test

  1. Create 1+ secret containing a kubeconfig

  2. Configure the kubeconfigSecrets

         # kubeconfigSecrets:
         #   - secretName: prod-cluster-kubeconfig
         #     key: config  # optional, defaults to "config"

  3. Disable the inCluster kubeconfig (there is a conflict in the code here, documented in my PR)

         config:
           inCluster: false

  4. helm install headlamp

  5. Navigate to clusters, validate that you can see multiple clusters configured with secrets you provided.

Screenshots (if applicable)

image

Notes for the Reviewer

I considered changing it so we could use the in-cluster kubeconfig, but I'm not sure whether you all have intentionally chosen this pattern.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cmcgalliard
Once this PR has been reviewed and has the lgtm label, please assign yolossn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from sniok and yolossn March 22, 2026 22:20
@linux-foundation-easycla

linux-foundation-easycla bot commented Mar 22, 2026

CLA Not Signed

@k8s-ci-robot
Contributor

Welcome @cmcgalliard!

It looks like this is your first PR to kubernetes-sigs/headlamp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/headlamp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 22, 2026
Contributor

Copilot AI left a comment

Pull request overview

Adds Helm chart support for configuring Headlamp multi-cluster access via one or more kubeconfig files stored in Kubernetes Secrets, by mounting each secret and building a KUBECONFIG env var pointing at the mounted files.

Changes:

  • Introduces config.kubeconfigSecrets in chart values and documents how to use it.
  • Updates the Deployment template to mount each referenced secret and set KUBECONFIG accordingly.
  • Adds Helm helper templates to detect/configure kubeconfig secret usage.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
|------|-------------|
| charts/headlamp/values.yaml | Adds config.kubeconfigSecrets values entry with inline documentation. |
| charts/headlamp/templates/deployment.yaml | Mounts kubeconfig secrets as volumes/volumeMounts and sets KUBECONFIG env var. |
| charts/headlamp/templates/_helpers.tpl | Adds helpers to build the KUBECONFIG path and detect whether secrets are configured. |
| charts/headlamp/README.md | Documents multi-cluster configuration via kubeconfig secrets. |

Comment on lines +136 to +141
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config.kubeconfigSecrets | list | `[]` | List of secrets containing kubeconfig files |
| config.kubeconfigSecrets[].secretName | string | required | Name of the secret containing kubeconfig |
| config.kubeconfigSecrets[].key | string | `"config"` | Key within the secret data (optional, defaults to "config") |

Copilot AI Mar 29, 2026

The multi-cluster table is malformed Markdown: the header and rows start with || instead of |, so it won’t render as a proper table. Please fix the leading pipes for the table in this section.

Author

I don't see a line where this is the case

Comment on lines +110 to +123
{{- if include "headlamp.hasKubeconfigSecrets" . }}
- name: KUBECONFIG
value: {{ include "headlamp.kubeconfigPath" . | quote }}
{{- end }}
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
{{- end }}
{{- else }}
env:
{{- if include "headlamp.hasKubeconfigSecrets" . }}
- name: KUBECONFIG
value: {{ include "headlamp.kubeconfigPath" . | quote }}
{{- end }}
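
Review bot: `{{- if include "headlamp.hasKubeconfigSecrets" . }}` (the first line of this hunk and its copy in the `else` branch) tests the string that `include` returns, and a template `if` treats any non-empty string as true, including the text "false". Unless the helper is guaranteed to render nothing in the negative case, compare explicitly, for example `{{- if eq (include "headlamp.hasKubeconfigSecrets" .) "true" }}`. The three KUBECONFIG lines are also duplicated across the two branches; a single named template included from both would keep them from drifting apart.
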
Copilot AI Mar 29, 2026

This adds KUBECONFIG support via config.kubeconfigSecrets, but the chart doesn’t currently enforce the documented requirement that config.inCluster must be false. Consider adding a template validation (e.g., required/fail) when kubeconfigSecrets is non-empty and inCluster is true, so Helm install fails fast instead of silently ignoring the mounted kubeconfigs.

Author

I am still not sure whether the lack of the in-cluster kubeconfig mapping here was intentional. I also asked about this in the CNCF Slack. It would be nice if someone from the project could let me know what you all would like :)

Comment on lines +125 to +131
# Example:
# kubeconfigSecrets:
# - secretName: prod-cluster-kubeconfig
# key: config # optional, defaults to "config"
# - secretName: dev-cluster-kubeconfig
# key: kubeconfig
# - secretName: staging-cluster-kubeconfig
Copilot AI Mar 29, 2026

The commented example under config.kubeconfigSecrets is missing the surrounding config: key/indentation, which can be confusing when users copy/paste it into their values file. Please adjust the example to reflect the actual nesting under config:.

Suggested change
# Example:
# kubeconfigSecrets:
# - secretName: prod-cluster-kubeconfig
# key: config # optional, defaults to "config"
# - secretName: dev-cluster-kubeconfig
# key: kubeconfig
# - secretName: staging-cluster-kubeconfig
# Example (in values.yaml):
# config:
# kubeconfigSecrets:
# - secretName: prod-cluster-kubeconfig
# key: config # optional, defaults to "config"
# - secretName: dev-cluster-kubeconfig
# key: kubeconfig
# - secretName: staging-cluster-kubeconfig

Author

Adding config: would be more confusing than helpful, as it would add a duplicate line if someone were to just uncomment the code.

cmcgalliard and others added 3 commits March 30, 2026 01:23
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Corey McGalliard <59486473+cmcgalliard@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 30, 2026
@cmcgalliard
Author

Tested this evening after adjusting for code review and it seems to work as expected.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

@cmcgalliard cmcgalliard requested a review from Copilot March 30, 2026 02:07
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment on lines +111 to 115
- name: KUBECONFIG
value: {{ include "headlamp.kubeconfigPath" . | quote }}
{{- end }}
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
Copilot AI Mar 30, 2026

If users also set .Values.env with a KUBECONFIG entry, this template will emit duplicate env: entries with the same name (one from kubeconfigSecrets, one from toYaml .Values.env). That can lead to unpredictable results during apply/patch. Consider either (a) only setting KUBECONFIG when it’s not already present in .Values.env, or (b) explicitly failing with a clear message when both are configured.

Author

I think handling this edge case will make the helm difficult to read - most folks will not use both if they get this far, IMO.
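
The conditions raised in the review comments above (kubeconfigSecrets set while config.inCluster is true, an entry without the required secretName, and a KUBECONFIG entry already present in env) can be checked on the values before `helm install`. This is an added example, not code from the PR or the Headlamp chart; `check_values`, `MOUNT_ROOT`, the per-secret mount layout and treating an unset inCluster as true are assumptions.

```python
# Added example: pre-install check of Headlamp chart values (not code from the PR).
DEFAULT_KEY = "config"       # default key documented in the PR's README table
MOUNT_ROOT = "/kubeconfigs"  # assumption: the chart's real mount path is not shown


def check_values(values):
    """Return (errors, kubeconfig_value) for a parsed values dict."""
    cfg = values.get("config") or {}
    secrets = cfg.get("kubeconfigSecrets") or []
    errors, paths = [], []

    for i, entry in enumerate(secrets):
        entry = entry or {}
        name = entry.get("secretName")
        if not name:
            errors.append(f"config.kubeconfigSecrets[{i}].secretName is required")
            continue
        # Assumed layout: one mount directory per secret, file named after the key.
        paths.append(f"{MOUNT_ROOT}/{name}/{entry.get('key') or DEFAULT_KEY}")

    # Review point: the documented requirement is inCluster=false with secrets.
    # Assumption: an unset inCluster is treated as true.
    if secrets and cfg.get("inCluster", True):
        errors.append("config.inCluster must be false when kubeconfigSecrets is set")

    # Review point: a user-supplied KUBECONFIG would be emitted a second time.
    env_names = [e.get("name") for e in values.get("env") or []]
    if secrets and "KUBECONFIG" in env_names:
        errors.append("env already defines KUBECONFIG; remove it or kubeconfigSecrets")

    # KUBECONFIG is a colon-separated list of kubeconfig files on Linux.
    return errors, ":".join(paths)


# Constructed sample values; secret names follow the example in the PR.
GOOD = {"config": {"inCluster": False, "kubeconfigSecrets": [
    {"secretName": "prod-cluster-kubeconfig", "key": "config"},
    {"secretName": "dev-cluster-kubeconfig", "key": "kubeconfig"},
    {"secretName": "staging-cluster-kubeconfig"}]}}
BAD = {"config": {"inCluster": True, "kubeconfigSecrets": [
    {"key": "config"}, {"secretName": "prod-cluster-kubeconfig"}]},
    "env": [{"name": "KUBECONFIG", "value": "/tmp/other"}]}

if __name__ == "__main__":
    for label, vals in (("good", GOOD), ("bad", BAD)):
        errs, kubeconfig = check_values(vals)
        print(f"{label}: KUBECONFIG={kubeconfig}")
        for err in errs:
            print("  error:", err)
```
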
