This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[external-dns] Using CloudFlare with cloudflare.secretName containing cloudflare_api_key does not work #21147

Closed
nielsvz opened this issue Feb 29, 2020 · 7 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments


nielsvz commented Feb 29, 2020

Describe the bug
When installing the external-dns chart with the CloudFlare provider and an API key in a custom secretName, the resulting Pod fails with CreateContainerConfigError.

Version of Helm and Kubernetes:
Helm v3.1.1
Kubernetes v1.17

Which chart:
External-DNS 2.19.1

What happened:
Installing External-DNS with the following values results in the output below.

Values:

cloudflare:
  email: dns@my-domain.com
  secretName: cloudflare-apikey

Output from kubectl describe pod:
Warning Failed 14s (x6 over 53s) kubelet, minikube Error: couldn't find key cloudflare_api_token in Secret system-external-dns/cloudflare-apikey

What you expected to happen:
The External-DNS Pod should use the API key when providing both cloudflare.email and cloudflare.secretName.

How to reproduce it (as minimally and precisely as possible):

  1. kubectl create ns external-dns
  2. kubectl -n external-dns create secret generic cloudflare-apikey --from-literal=cloudflare_api_token=CHANGEMEPLEASE
  3. Install the Helm chart with the values below in a custom-values.yaml: helm install external-dns stable/external-dns --namespace external-dns --values custom-values.yaml

custom-values.yaml:

sources: ['ingress']
provider: cloudflare
cloudflare:
  email: dns@my-domain.com
  secretName: cloudflare-apikey
  proxied: false
  4. Check the environment values in the external-dns Pod and find the following:

- name: CF_API_TOKEN
  valueFrom:
    secretKeyRef:
      name: cloudflare-apikey
      key: cloudflare_api_token

@nielsvz nielsvz changed the title [external-dns] Using CloudFlare with Cloudflare.secretName containing cloudflare_api_key does not work [external-dns] Using CloudFlare with cloudflare.secretName containing cloudflare_api_key does not work Feb 29, 2020
@andresbono
Contributor

Hi @nielsvz, thanks for filing this issue.

I can only reproduce the issue if I create the secret with wrong properties:

kubectl create ns external-dns
kubectl -n external-dns create secret generic cloudflare-apikey --from-literal=wrong=CHANGEMEPLEASE
helm install external-dns stable/external-dns --namespace external-dns --values ./custom-values.yaml
kubectl -n external-dns describe pod external-dns-56fdf9fdb6-zvs9f
...

  Warning  Failed     9s (x3 over 11s)  kubelet, minikube  Error: couldn't find key cloudflare_api_token in Secret external-dns/cloudflare-apikey

If I describe the secret, the key in the secret is wrong:

$ kubectl -n external-dns describe secret cloudflare-apikey
Name:         cloudflare-apikey
Namespace:    external-dns
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
wrong:  14 bytes

Can you also describe your secret in case it doesn't have the cloudflare_api_token key?

By the way, the logs say it's looking for a secret called cloudflare-apikey in the system-external-dns namespace instead of external-dns, in case it's relevant.

@nielsvz
Author

nielsvz commented Mar 2, 2020

I just re-validated this in a clean minikube cluster:

kubectl create ns external-dns
kubectl -n external-dns create secret generic cloudflare-apikey --from-literal=cloudflare_api_key=SECRET
helm install external-dns stable/external-dns --namespace external-dns --values ./custom-values.yaml

pod:

kubectl -n external-dns describe pod external-dns-b4586954d-569fx             Mon Mar  2 17:41:01 2020
Name:         external-dns-b4586954d-569fx

...
  Warning  Failed     2s (x3 over 15s)  kubelet, minikube  Error: couldn't find key cloudflare_api_token in Secret external-dns/cloudflare-apikey

secret:

kubectl -n external-dns describe secret cloudflare-apikey                                                                   Mon Mar  2 17:41:31 2020

Name:         cloudflare-apikey
Namespace:    external-dns
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
cloudflare_api_key:  6 bytes

I think this is caused by the conditions in deployment.yaml, if you provide cloudflare.secretName, this will never get to the CF_API_KEY environment value.

Changing line 241 to this works for me:
{{- if or .Values.cloudflare.apiToken (and (not .Values.cloudflare.email) .Values.cloudflare.secretName) }}
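
The mismatch visible in the two describe outputs above (the Pod references `cloudflare_api_token`, the Secret only holds `cloudflare_api_key`) can be checked mechanically before a rollout. This is an added example, not part of the original comment or of the chart; the JSON is constructed in the shape of `kubectl get deployment -o json` and `kubectl get secret -o json`, and the function names and the `EXAMPLE_PLAIN` variable are hypothetical.

```python
import json

# Constructed sample data in the shape of `kubectl get deployment -o json`
# and `kubectl get secret -o json`; names and keys mirror the thread above.
DEPLOYMENT = json.loads("""
{"metadata": {"name": "external-dns", "namespace": "external-dns"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "external-dns", "env": [
     {"name": "CF_API_TOKEN", "valueFrom": {"secretKeyRef":
        {"name": "cloudflare-apikey", "key": "cloudflare_api_token"}}},
     {"name": "EXAMPLE_PLAIN", "value": "constructed"}]}]}}}}
""")
SECRETS = json.loads("""
{"items": [{"metadata": {"name": "cloudflare-apikey", "namespace": "external-dns"},
            "data": {"cloudflare_api_key": "U0VDUkVU"}}]}
""")


def secret_key_index(secret_list):
    """Map (namespace, name) -> set of data keys; values are never read."""
    return {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]):
            set(s.get("data") or {}) for s in secret_list.get("items", [])}


def unresolved_secret_refs(workload, secret_list):
    """Return one finding per env secretKeyRef that cannot be resolved."""
    namespace = workload["metadata"].get("namespace", "default")
    pod_spec = workload["spec"]["template"]["spec"]
    index = secret_key_index(secret_list)
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref or ref.get("optional"):
                continue  # plain value, other source, or optional reference
            present = index.get((namespace, ref["name"]))
            if present is None:
                reason = "secret not found"
            elif ref["key"] not in present:
                reason = "key not found; secret has: " + ", ".join(sorted(present))
            else:
                continue
            findings.append((c["name"], env["name"], ref["name"], ref["key"], reason))
    return findings


if __name__ == "__main__":
    for finding in unresolved_secret_refs(DEPLOYMENT, SECRETS):
        print(*finding, sep=" | ")
```

Only key names are compared and reported, so the output can be pasted into an issue without exposing the credential.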

@andresbono
Contributor

The error is very strange.

> I think this is caused by the conditions in deployment.yaml, if you provide cloudflare.secretName, this will never get to the CF_API_KEY environment value.

I don't think so, the error that you are seeing when describing the pod is Warning Failed 2s (x3 over 15s) kubelet, minikube Error: couldn't find key cloudflare_api_token in Secret external-dns/cloudflare-apikey

I don't think that is related to the contents of the deployment.yaml file.

In any case, you can modify it to try to identify the source of the issue.

@stale

stale bot commented Apr 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 5, 2020
@stale

stale bot commented Apr 19, 2020

This issue is being automatically closed due to inactivity.

@stale stale bot closed this as completed Apr 19, 2020
@lukasmrtvy

@carrodher ping, setting CF_API_KEY will never work, fix from @nielsvz

@carrodher
Collaborator

Hi,

Given the stable deprecation timeline, this Bitnami maintained Helm chart is now located at bitnami/charts. Please visit the bitnami/charts GitHub repository to create Issues or PRs, we will be happy to review/answer them.

In this issue we tried to explain more carefully the reasons and motivations behind this transition, please don't hesitate to add a comment in this issue if you have any question related to the migration itself.
