feat: Add optional annotations to the password secret

[sunsided]

Description of the change

Adds the admin.annotations value for adding annotations to the admin password Secret.

Benefits

By allowing annotations to be added to the password secret, we can use tools like Reflector to synchronize secrets across namespaces.

This is interesting e.g. with the ExternalDNS 0.14+'s Pi-Hole integration that can automatically expose Ingress host names to the Local DNS configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.k8s.io/external-dns/external-dns:v0.14.0
        # If authentication is disabled and/or you didn't create
        # a secret, you can remove this block.
        envFrom:
          - secretRef:
              # Change this if you gave the secret a different name
              name: pihole-password
        args:
          - --source=service
          - --source=ingress
          # Pihole only supports A/CNAME records so there is no mechanism to track ownership.
          # You don't need to set this flag, but if you leave it unset, you will receive warning
          # logs when ExternalDNS attempts to create TXT records.
          - --registry=noop
          # IMPORTANT: If you have records that you manage manually in Pi-hole, set
          # the policy to upsert-only so they do not get deleted.
          - --policy=upsert-only
          - --provider=pihole
          # Change this to the actual address of your Pi-hole web server
          - --pihole-server=http://pihole-web.pihole.svc.cluster.local
        resources:
          limits:
            cpu: 1
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 256M
      securityContext:
        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files

Since the Secret reference can only refer to a secret in the same namespace as ExternalDNS, using Reflector is a viable option to synchronize the two secrets. This can now be done via

admin:
  enabled: true
  existingSecret: ""
  passwordKey: "password"
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "external-dns"

Possible drawbacks

Applicable issues

none

Additional information

none

Checklist

• [x] Variables are documented in the values.yaml they will be automatically added to README.md during deployment
• [x] Title of the pull request follows conventional commits
• [x] All commits signed off and in agreement of Developer Certificate of Origin (DCO)

[MoJo2600]

Thank you for your contribution. LGTM! I just copied your description of the change to a new value documentation file. I'm planning on adding some more documentation and I appreciate your extensive description of the change!

[sunsided]

There's one little part missing when it comes to Reflector itself (namely the target secret), but that's easily found on the Reflector docs. It I don't forget about it tomorrow I'll add that in.

[sunsided]

Here we go: For Reflector to work we also need to create the mirror (target) secret in ExternalDNS' namespace:

apiVersion: v1
kind: Secret
metadata:
  # Change this to match the secretRef used in the ExternalDNS deployment:
  name: pihole-password
  # Change this to ExternalDNS' namespace:
  namespace: external-dns
  annotations:
    # Change this to address the pihole password secret: 'namespace/secret-name':
    reflector.v1.k8s.emberstack.com/reflects: "pihole/pihole-password"
data: {}  # Will be overwritten by Reflector

[MoJo2600]

I added the example to the documentation file. Could you please double check if the documentation makes sense as it is now?

[sunsided]

@MoJo2600 Looks good to me. :)