Make the kubeconfig secrets compatible with SOPS

Add `values.yaml` to the supported kubeconfig secret key names in order for SOPS to correctly detect the storage format based on the file extension.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

controllers/helmrelease_controller.go

@@ -470,8 +470,16 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 	if err := r.Get(ctx, secretName, &secret); err != nil {
 		return nil, fmt.Errorf("could not find KubeConfig secret '%s': %w", secretName, err)
 	}
-	kubeConfig, ok := secret.Data["value"]
-	if !ok {
+
+	var kubeConfig []byte
+	for k, _ := range secret.Data {
+		if k == "value" || k == "value.yaml" {
+			kubeConfig = secret.Data[k]
+			break
+		}
+	}
+
+	if len(kubeConfig) == 0 {
 		return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key", secretName)
 	}
 	return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace()), nil

docs/spec/v2beta1/helmreleases.md

@@ -1035,7 +1035,7 @@ in that KubeConfig instead of the local cluster that is responsible for the reco
 HelmRelease.
 
 The secret defined in the `spec.kubeConfig.secretRef` must exist in the same namespace as the
-HelmRelease. On every reconciliation, the KubeConfig bytes will be loaded from the `values` key
+HelmRelease. On every reconciliation, the KubeConfig bytes will be loaded from the `value`  or `value.yaml` key
 of the secret's data, and the secret can thus be regularly updated if cluster-access-tokens have
 to rotate due to expiration.
 
@@ -1114,7 +1114,7 @@ cluster where helm-controller is running e.g.:
 
 ```sh
 kubectl -n default create secret generic prod-kubeconfig \
-    --from-file=value=./kubeconfig
+    --from-file=value.yaml=./kubeconfig
 ```
 
 > **Note** that the KubeConfig should be self-contained and not rely on binaries, environment,