This is a Kubernetes operator that will sync secrets from a defined source namespace to any number of destination namespaces.
Key features:
- Uses a custom resource
SecretSyncin your destination namespace. - Reads secrets defined in a
SecretSyncresource in a tenant namespace and syncs them from a source namespace - configured in the controller deployment env specSOURCE_NAMESPACE.SOURCE_NAMESPACEis set todefault. It can be updated in the manager deployment- The idea is for admins to configure the global source namespace via this ENV var.
- Allows for centralised secrets to by synced accross any tenant namespace, i.e. global credentials or certificates.
- Deleting the
SecretSyncobject will also delete the secrets it owns. - The operator will reconcile secrets that are defined in the
SecretSync.spec.secretslist only, when:- Modifications are made to a source secret in the source namespace, that are referenced by any SecretSync objects in other namespaces.
- Modifications are made to the secrets owned by the
SecretSyncobject (i.e. a user manually update or deletes a secret owned by theSecretSyncobject) - Modifications are made to the
SecretSyncobject (removing a secret from the list will force a delete of the secret in the destination namespace and vice versa)
- It will skip a secret syncing if the data already matches a source secret data.
Below example will setup a sync for secret1 and secret2 in the namespace team-1, assuming the controller has been configured with a source namespace default, the controller will reconcile the secrets into the team-1 namespace (copying from the default namespace).
Any changes to the secrets will trigger a sync/reconile to keep the secrets in sync with the default namespace.
kubectl apply -f - <<EOF
apiVersion: sync.samir.io/v1
kind: SecretSync
metadata:
name: secretsync-sample
namespace: team-1
spec:
secrets:
- secret1
- secret2
EOF
⚠️ Do not have duplicate secrets forSecretSyncobjects created in the same namespace: It is recommended to have a singleSecretSyncobject per namespace.
The controller will not check for this and can cause undesired behaviour if multipleSecretSyncobjects are attempting to sync the same secrets in the same namespace.
You could limit the count for SecretSync objects to 1 using a Resource Quota with the object quota, i.e. for namespaceteam-1apiVersion: v1 kind: ResourceQuota metadata: name: secretsync-object-quota namespace: team-1 spec: hard: count/secretsyncs.sync.samir.io: 1
- go version v1.20.0+
- docker version 17.03+.
- kubectl version v1.11.3+.
- Access to a Kubernetes v1.11.3+ cluster.
Build and push your image to the location specified by IMG:
make docker-build docker-push IMG=<some-registry>/secret-sync-operator:tagInstall the CRDs into the cluster:
make installDeploy the Manager to the cluster with the image specified by IMG:
make deploy IMG=<some-registry>/secret-sync-operator:tagCreate instances of your solution You can apply the samples (examples) from the config/sample:
kubectl apply -k config/samples/Current integration tests cover the scenarios:
- Creating
SecretSyncobjects and checking the secrets are synced to a namespace - Removing a secret from a
SecretSyncobject and checking the secret has been deleted from a namespace - Deleting a secret owned by a
SecretSyncobject causes the reconilation of the secret to be re-created. - Modifying a secret's data that is owned by a
SecretSyncobject causes the reconcilation of the secret to be updated with the source secret's data. - Modifying a source namespace secret referenced by one or more
SecretSyncobject causes the reconcilation of the secret to be updated in affected namespaces.
Run the controller in the foreground for testing:
make runRun integration tests:
make testGenerate coverage html report:
go tool cover -html=cover.out -o coverage.htmlDelete the instances (CRs) from the cluster:
kubectl delete -k config/samples/Delete the APIs(CRDs) from the cluster:
make uninstallUnDeploy the controller from the cluster:
make undeployNOTE: Run make --help for more information on all potential make targets
More information can be found via the Kubebuilder Documentation
Copyright 2024.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.