Add extra secret annotations to most secrets

chart/templates/secrets/elasticsearch-secret.yaml

@@ -33,6 +33,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.elasticsearch.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   {{- with .Values.elasticsearch.connection }}

chart/templates/secrets/fernetkey-secret.yaml

@@ -38,6 +38,9 @@ metadata:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
     "helm.sh/hook-weight": "0"
+    {{- with .Values.fernetKeySecretAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 type: Opaque
 data:
   fernet-key: {{ (default $generated_fernet_key .Values.fernetKey) | b64enc | quote }}

chart/templates/secrets/flower-secret.yaml

@@ -34,6 +34,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.flower.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   basicAuth: {{ (printf "%s:%s" .Values.flower.username .Values.flower.password) | b64enc | quote }}

chart/templates/secrets/metadata-connection-secret.yaml

@@ -42,6 +42,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.data.metadataConnection.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   {{- with .Values.data.metadataConnection }}

chart/templates/secrets/pgbouncer-certificates-secret.yaml

@@ -34,6 +34,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.pgbouncer.certificatesSecretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   {{- if .Values.pgbouncer.ssl.ca }}

chart/templates/secrets/pgbouncer-config-secret.yaml

@@ -34,6 +34,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.pgbouncer.configSecretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   pgbouncer.ini: {{ include "pgbouncer_config" . | b64enc }}

chart/templates/secrets/pgbouncer-stats-secret.yaml

@@ -34,6 +34,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.pgbouncer.metricsExporterSidecar.statsSecretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   connection: {{ urlJoin (dict "scheme" "postgresql" "userinfo" (printf "%s:%s" (.Values.data.metadataConnection.user | urlquery) (.Values.data.metadataConnection.pass | urlquery) ) "host" (printf "127.0.0.1:%s" (.Values.ports.pgbouncer | toString)) "path" "/pgbouncer" "query" (printf "sslmode=%s" (.Values.pgbouncer.metricsExporterSidecar.sslmode | toString ))) | b64enc | quote }}

chart/templates/secrets/redis-secrets.yaml

@@ -47,6 +47,9 @@ metadata:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
     "helm.sh/hook-weight": "0"
+    {{- with .Values.redis.passwordSecretAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 type: Opaque
 data:
   password: {{ (default $random_redis_password .Values.redis.password) | b64enc | quote }}
@@ -73,6 +76,9 @@ metadata:
     "helm.sh/hook": "pre-install"
     "helm.sh/hook-delete-policy": "before-hook-creation"
     "helm.sh/hook-weight": "0"
+    {{- with .Values.data.brokerUrlSecretAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 type: Opaque
 data:
   {{- if .Values.redis.enabled }}

chart/templates/secrets/result-backend-connection-secret.yaml

@@ -42,6 +42,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.data.resultBackendConnectionSecretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   connection: {{ urlJoin (dict "scheme" (printf "db+%s" $connection.protocol) "userinfo" (printf "%s:%s" ($connection.user|urlquery) ($connection.pass | urlquery)) "host" (printf "%s:%s" $host $port) "path" (printf "/%s" $database) "query" $query) | b64enc | quote }}

chart/templates/secrets/webserver-secret-key-secret.yaml

@@ -35,6 +35,10 @@ metadata:
     {{- with .Values.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- with .Values.webserverSecretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 type: Opaque
 data:
   webserver-secret-key: {{ (default $generated_secret_key .Values.webserverSecretKey) | b64enc | quote }}

chart/values.schema.json

@@ -1336,6 +1336,14 @@
                             "description": "The database SSL parameter.",
                             "type": "string",
                             "default": "disable"
+                        },
+                        "secretAnnotations": {
+                            "description": "Annotations to add to the metadata connection secret.",
+                            "type": "object",
+                            "default": {},
+                            "additionalProperties": {
+                                "type": "string"
+                            }
                         }
                     }
                 },
@@ -1397,6 +1405,14 @@
                         "sslmode"
                     ]
                 },
+                "resultBackendConnectionSecretAnnotations": {
+                    "description": "Annotations to add to the result backend connection secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "brokerUrl": {
                     "description": "Direct url to the redis broker (when using an external redis instance) (can only be set during install, not upgrade).",
                     "type": [
@@ -1405,6 +1421,14 @@
                     ],
                     "x-docsSection": "Redis",
                     "default": null
+                },
+                "brokerUrlSecretAnnotations": {
+                    "description": "Annotations to add to the broker url secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
                 }
             }
         },
@@ -1426,6 +1450,15 @@
             "x-docsSection": "Airflow",
             "default": null
         },
+        "fernetKeySecretAnnotations": {
+            "description": "Annotations to add to the Fernet Key secret.",
+            "type": "object",
+            "x-docsSection": "Common",
+            "default": {},
+            "additionalProperties": {
+                "type": "string"
+            }
+        },
         "webserverSecretKey": {
             "description": "The Flask secret key for Airflow Webserver to encrypt browser session.",
             "type": [
@@ -1435,6 +1468,15 @@
             "x-docsSection": "Common",
             "default": null
         },
+        "webserverSecretAnnotations": {
+            "description": "Annotations to add to the webserver secret.",
+            "type": "object",
+            "x-docsSection": "Common",
+            "default": {},
+            "additionalProperties": {
+                "type": "string"
+            }
+        },
         "webserverSecretKeySecretName": {
             "description": "The Secret name containing Flask secret_key for the Webserver.",
             "type": [
@@ -6403,6 +6445,14 @@
                     ],
                     "default": null
                 },
+                "secretAnnotations": {
+                    "description": "Annotations to add to the flower secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "username": {
                     "description": "Username use to access Flower.",
                     "type": [
@@ -7101,6 +7151,14 @@
                         "type": "string"
                     }
                 },
+                "certificatesSecretAnnotations": {
+                    "description": "Annotations to add to the PgBouncer certificates secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "replicas": {
                     "description": "Number of PgBouncer replicas to run in Deployment.",
                     "type": "integer",
@@ -7180,6 +7238,14 @@
                     ],
                     "default": null
                 },
+                "configSecretAnnotations": {
+                    "description": "Annotations to add to the PgBouncer config secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "podAnnotations": {
                     "description": "Add annotations for the PgBouncer Pod.",
                     "type": "object",
@@ -7579,6 +7645,14 @@
                             ],
                             "default": null
                         },
+                        "statsSecretAnnotations": {
+                            "description": "Annotations to add to the PgBouncer stats secret.",
+                            "type": "object",
+                            "default": {},
+                            "additionalProperties": {
+                                "type": "string"
+                            }
+                        },
                         "sslmode": {
                             "description": "SSL mode for ``metricsExporterSidecar``",
                             "type": "string",
@@ -7829,6 +7903,14 @@
                     ],
                     "default": null
                 },
+                "passwordSecretAnnotations": {
+                    "description": "Annotations to add to the redis password secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "safeToEvict": {
                     "description": "This setting tells Kubernetes that its ok to evict when it wants to scale a node down.",
                     "type": "boolean",
@@ -8080,6 +8162,14 @@
                     ],
                     "default": null
                 },
+                "secretAnnotations": {
+                    "description": "Extra annotations to apply to the elasticsearch secret.",
+                    "type": "object",
+                    "default": {},
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
                 "connection": {
                     "description": "Elasticsearch connection configuration.",
                     "type": "object",

chart/values.yaml

@@ -523,8 +523,12 @@ data:
     port: 5432
     db: postgres
     sslmode: disable
+    # Add custom annotations to the metadata connection secret
+    secretAnnotations: {}
   # resultBackendConnection defaults to the same database as metadataConnection
   resultBackendConnection: ~
+  # Add custom annotations to the result backend connection secret
+  resultBackendConnectionSecretAnnotations: {}
   # or, you can use a different database
   # resultBackendConnection:
   #   user: postgres
@@ -536,14 +540,20 @@ data:
   #   sslmode: disable
   # Note: brokerUrl can only be set during install, not upgrade
   brokerUrl: ~
+  # Add custom annotations to the broker url secret
+  brokerUrlSecretAnnotations: {}
 
 # Fernet key settings
 # Note: fernetKey can only be set during install, not upgrade
 fernetKey: ~
 fernetKeySecretName: ~
+# Add custom annotations to the fernet key secret
+fernetKeySecretAnnotations: {}
 
 # Flask secret key for Airflow Webserver: `[webserver] secret_key` in airflow.cfg
 webserverSecretKey: ~
+# Add custom annotations to the webserver secret
+webserverSecretAnnotations: {}
 webserverSecretKeySecretName: ~
 
 # In order to use kerberos you need to create secret containing the keytab file
@@ -2138,6 +2148,8 @@ flower:
 
   # A secret containing the connection
   secretName: ~
+  # Add custom annotations to the flower secret
+  secretAnnotations: {}
 
   # Else, if username and password are set, create secret from username and password
   username: ~
@@ -2302,6 +2314,9 @@ pgbouncer:
 
   podAnnotations: {}
 
+  # Add custom annotations to the pgbouncer certificates secret
+  certificatesSecretAnnotations: {}
+
   # Create ServiceAccount
   serviceAccount:
     # default value is true
@@ -2340,6 +2355,8 @@ pgbouncer:
   #  configSecretName: pgbouncer-config-secret
   #
   configSecretName: ~
+  # Add custom annotations to the pgbouncer config secret
+  configSecretAnnotations: {}
 
   # PgBouncer pod disruption budget
   podDisruptionBudget:
@@ -2460,6 +2477,8 @@ pgbouncer:
 
     # Key containing the PGBouncer connection URI, defaults to `connection` if not defined
     statsSecretKey: ~
+    # Add custom annotations to the pgbouncer stats secret
+    statsSecretAnnotations: {}
 
     # Detailed default security context for metricsExporterSidecar for container level
     securityContexts:
@@ -2553,6 +2572,9 @@ redis:
   # Note: password can only be set during install, not upgrade.
   password: ~
 
+  # Add custom annotations to the redis password secret
+  passwordSecretAnnotations: {}
+
   # This setting tells kubernetes that its ok to evict
   # when it wants to scale a node down.
   safeToEvict: true
@@ -2599,6 +2621,8 @@ elasticsearch:
   enabled: false
   # A secret containing the connection
   secretName: ~
+  # Add custom annotations to the elasticsearch secret
+  secretAnnotations: {}
   # Or an object representing the connection
   # Example:
   # connection:

helm-tests/tests/helm_tests/other/test_flower.py

@@ -712,3 +712,23 @@ def test_overridden_automount_service_account_token(self):
             show_only=["templates/flower/flower-serviceaccount.yaml"],
         )
         assert jmespath.search("automountServiceAccountToken", docs[0]) is False
+
+
+class TestFlowerSecret:
+    """Tests flower secret."""
+
+    def test_should_add_annotations_to_flower_secret(self):
+        docs = render_chart(
+            values={
+                "flower": {
+                    "enabled": True,
+                    "username": "username",
+                    "password": "password",
+                    "secretAnnotations": {"test_annotation": "test_annotation_value"},
+                }
+            },
+            show_only=["templates/secrets/flower-secret.yaml"],
+        )[0]
+
+        assert "annotations" in jmespath.search("metadata", docs)
+        assert jmespath.search("metadata.annotations", docs)["test_annotation"] == "test_annotation_value"