Sometimes, we need to access a secret from another namespace, which is impossible because secrets are namespaced and only accessible within their own namespace. For example, if we have a CA certificate in namespace A and want to use it in namespace B in order to create a new certificate, we need to create a new secret in B with the content of the one in A. Moreover, because the original secret can be updated, we have to keep syncing it to namespace B manually.
That is why this controller exists. Thanks to annotations on a secret, it can automatically synchronise the secret over several namespaces. However, I do not recommend using this controller for anything; Kubernetes Secret restrictions are here for a good reason and this controller breaks one of these restrictions.
These annotations cannot be used together:
secret.sync.klst.pw/all-namespaces: 'true'
: Synchronize the current secret over all namespaces
secret.sync.klst.pw/namespace-selector: LABEL_SELECTOR
: Synchronize the current secret over all namespaces validating the given label selector
This controller can:
```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    secret.sync.klst.pw/namespace-selector: require-creds=admin
  name: admin-creds
  namespace: default
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
```
This secret will be synchronized on all namespaces with the label require-creds: admin. For more information about label selectors, see Kubernetes label selector.
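To review how far a secret would spread before annotating it, the following added example (not part of the controller's code) computes the namespaces that would receive a copy from the two annotations described above. It assumes a simplified selector syntax (comma-separated `k=v`, `k==v`, `k!=v` only); the namespaces and their labels are constructed sample data, and the function names are hypothetical.

```python
ALL_NS = "secret.sync.klst.pw/all-namespaces"
NS_SELECTOR = "secret.sync.klst.pw/namespace-selector"


def matches(selector, labels):
    """Evaluate an equality-based selector (assumed subset: k=v, k==v, k!=v)."""
    for term in (t.strip() for t in selector.split(",") if t.strip()):
        if "!=" in term:
            key, value = term.split("!=", 1)
            if labels.get(key.strip()) == value.strip():
                return False
        elif "=" in term:
            key, value = term.split("=", 1)
            # lstrip("=") turns the remainder of "k==v" into "v".
            if labels.get(key.strip()) != value.lstrip("=").strip():
                return False
        else:
            raise ValueError(f"unsupported selector term: {term!r}")
    return True


def sync_targets(secret, namespaces):
    """Return (sorted target namespaces, findings) for one secret manifest."""
    meta = secret["metadata"]
    ann = meta.get("annotations") or {}
    everywhere = ann.get(ALL_NS) == "true"
    selector = ann.get(NS_SELECTOR)
    if everywhere and selector is not None:
        # The README states that the two annotations cannot be used together.
        return [], ["both sync annotations set"]
    findings = []
    if everywhere:
        targets = set(namespaces)
        findings.append("exposed to every namespace")
    elif selector is not None:
        targets = {ns for ns, lb in namespaces.items() if matches(selector, lb)}
    else:
        targets = set()
    # The source namespace already holds the secret: not additional exposure.
    targets.discard(meta.get("namespace", "default"))
    return sorted(targets), findings


# Constructed sample data: namespace name -> labels.
NAMESPACES = {"default": {}, "ci": {"require-creds": "admin"},
              "ops": {"require-creds": "admin", "team": "platform"},
              "web": {"require-creds": "readonly"}}
# The example secret above, reduced to its metadata.
ADMIN_CREDS = {"metadata": {"name": "admin-creds", "namespace": "default",
                            "annotations": {NS_SELECTOR: "require-creds=admin"}}}

if __name__ == "__main__":
    print(sync_targets(ADMIN_CREDS, NAMESPACES))
```

Any namespace that later gains a matching label also becomes a target, so the right to label namespaces is worth reviewing together with this output.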
You can install the deployment in a Kubernetes cluster with the following commands:
```sh
kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/rbac.yaml
kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/deployment.yaml
```
This controller is still under development and may introduce breaking changes between versions. Please check the CHANGELOG before updating.