To copy a Secret to another namespace and keep it in sync

Secret Mirror Operator

This kubebuilder-based Kubernetes operator copies a Secret to another namespace and keeps the copy synchronized with the source, driven by the SecretMirror custom resource.

Reconciliation Logic

  1. Get the SecretMirror named in the request.
  2. If the SecretMirror doesn't exist, finish the reconciliation. If an error occurs, retry later.
  3. Get the Secret (fromSecret) with the SecretMirror's name from the fromNamespace Namespace.
  4. If the Secret (fromSecret) doesn't exist, delete the corresponding Secret (toSecret) if it exists. If an error occurs, retry later.
  5. Create toSecret if it does not exist.
  6. Check that toSecret is managed by secret-mirror-controller.
  7. Update toSecret's data if the data has changed.

Getting Started

  1. Install secret-mirror-operator.

    kubectl apply -k github.com/bebit/secret-mirror-operator/config/default

  2. Create the src and dst namespaces.

    kubectl apply -f config/samples/namespace-dst.yaml,config/samples/namespace-src.yaml

  3. Create a Secret in the src namespace.

    kubectl apply -f config/samples/secret.yaml

  4. Create a SecretMirror in the dst namespace. The sample manifest names the Secret to mirror (metadata.name) and the namespace to copy it from (spec.fromNamespace):

    kubectl apply -f config/samples/secret_v1alpha1_secretmirror.yaml

    apiVersion: secret.bebit.com/v1alpha1
    kind: SecretMirror
    metadata:
      name: secret
      namespace: dst
    spec:
      fromNamespace: src

  5. Check the Secret in the dst namespace. The copy carries an ownerReference to the SecretMirror:

    kubectl get secret secret -n dst -o yaml

    apiVersion: v1
    data:
      foo: YmFy
    kind: Secret
    metadata:
      creationTimestamp: "2021-12-30T01:14:26Z"
      name: secret
      namespace: dst
      ownerReferences:
      - apiVersion: secret.bebit.com/v1alpha1
        blockOwnerDeletion: true
        controller: true
        kind: SecretMirror
        name: secret
        uid: f1709c26-6497-40b5-84a7-da13c38cf05f
      resourceVersion: "41781"
      uid: 81452942-2562-4f14-be8b-e4c3c856cae6
    type: Opaque

Behaviors

  1. Change the Secret in the dst Namespace manually.

    kubectl patch secret secret -p "{\"data\":{\"manually\": \"$(echo updated | base64 -)\"}}" -n dst

    The controller reverts the change and keeps the Secret identical to the original Secret in src.

    kubectl get secret secret -n dst -o jsonpath='{.data}'
    {"foo":"YmFy"}

  2. Change the Secret in the src Namespace manually.

    kubectl patch secret secret -p "{\"data\":{\"srcSecret\": \"$(echo updated | base64 -)\"}}" -n src

    The controller propagates the change, so the Secret in dst stays identical to the original Secret in src.

    kubectl get secret secret -n dst -o jsonpath='{.data}'
    {"foo":"YmFy","srcSecret":"dXBkYXRlZAo="}

  3. Delete the Secret in the dst Namespace.

    kubectl delete secret secret -n dst

    The controller recreates the Secret.

    kubectl get secret secret -n dst -o jsonpath='{.data}'
    {"foo":"YmFy","srcSecret":"dXBkYXRlZAo="}

  4. Delete the Secret in the src Namespace.

    kubectl delete secret secret -n src

    The controller deletes the Secret in the dst Namespace.

    kubectl get secret -n dst
    NAME                  TYPE                                  DATA   AGE
    default-token-wwsmc   kubernetes.io/service-account-token   3      2m19s

  5. Recreate the Secret in the src Namespace.

    kubectl apply -f config/samples/secret.yaml

    The controller creates a new Secret in the dst Namespace.

    kubectl get secret secret -n dst -o jsonpath='{.data}'
    {"foo":"YmFy"}

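The seven reconciliation steps listed earlier and the five behaviors just shown, implemented as an added example that is not the operator's own code. It runs the reconcile loop against an in-memory fake client using only the Go standard library, so it works offline; the struct shapes, the FakeClient, the objKey type, the Action outcome strings, the ErrUnmanaged error and the definition of "managed" as a controller ownerReference to the SecretMirror are all assumptions made for this example. One deliberate difference from the list above: this version also refuses to delete a destination Secret it does not own, applying the ownership check of step 6 before the deletion in step 4 as well.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Simplified stand-ins for the API objects (assumed shapes, not the operator's generated types).
type SecretMirror struct{ Name, Namespace, FromNamespace, UID string }
type OwnerRef struct {
	Kind, Name, UID string
	Controller      bool
}
type Secret struct {
	Name, Namespace string
	Data            map[string]string
	OwnerRefs       []OwnerRef
}
type objKey struct{ Namespace, Name string } // namespace/name pair, like types.NamespacedName
// FakeClient is an in-memory substitute for the controller-runtime client.
type FakeClient struct {
	Mirrors map[objKey]*SecretMirror
	Secrets map[objKey]*Secret
}

// Outcomes reported by Reconcile, and the error for a Secret the controller must not touch.
const ActionNone, ActionCreated, ActionUpdated, ActionDeleted = "none", "created", "updated", "deleted"
var ErrUnmanaged = errors.New("secret is not managed by secret-mirror-controller")

// isManagedBy treats a controller ownerReference to this SecretMirror as "managed" (assumption).
func isManagedBy(s *Secret, m *SecretMirror) bool {
	for _, o := range s.OwnerRefs {
		if o.Kind == "SecretMirror" && o.UID == m.UID && o.Controller {
			return true
		}
	}
	return false
}

func copyData(src map[string]string) map[string]string { // copy so dst edits never alias src
	dst := make(map[string]string, len(src))
	for k, v := range src {
		dst[k] = v
	}
	return dst
}

// Reconcile runs the seven reconciliation steps for one SecretMirror request.
func Reconcile(c *FakeClient, req objKey) (string, error) {
	m, ok := c.Mirrors[req] // steps 1-2: no SecretMirror means nothing to do
	if !ok {
		return ActionNone, nil
	}
	toKey := objKey{m.Namespace, m.Name}
	to, toExists := c.Secrets[toKey]
	from, fromExists := c.Secrets[objKey{m.FromNamespace, m.Name}]
	if !fromExists { // steps 3-4: source gone, so remove the mirrored copy
		if !toExists {
			return ActionNone, nil
		}
		if !isManagedBy(to, m) { // guard added in this example: never delete a foreign Secret
			return ActionNone, ErrUnmanaged
		}
		delete(c.Secrets, toKey)
		return ActionDeleted, nil
	}
	if !toExists { // step 5: create the copy, owned by the SecretMirror
		c.Secrets[toKey] = &Secret{Name: m.Name, Namespace: m.Namespace, Data: copyData(from.Data),
			OwnerRefs: []OwnerRef{{Kind: "SecretMirror", Name: m.Name, UID: m.UID, Controller: true}}}
		return ActionCreated, nil
	}
	if !isManagedBy(to, m) { // step 6: never overwrite a Secret the controller does not own
		return ActionNone, ErrUnmanaged
	}
	if !reflect.DeepEqual(to.Data, from.Data) { // step 7: resync only when the data differs
		to.Data = copyData(from.Data)
		return ActionUpdated, nil
	}
	return ActionNone, nil
}

// demoClient seeds constructed sample state matching the samples: SecretMirror "secret" in dst, source Secret in src.
func demoClient() *FakeClient {
	return &FakeClient{
		Mirrors: map[objKey]*SecretMirror{{"dst", "secret"}: {Name: "secret", Namespace: "dst", FromNamespace: "src", UID: "uid-1"}},
		Secrets: map[objKey]*Secret{{"src", "secret"}: {Name: "secret", Namespace: "src", Data: map[string]string{"foo": "bar"}}},
	}
}

func main() {
	c, req := demoClient(), objKey{"dst", "secret"}
	a, _ := Reconcile(c, req)
	fmt.Println("first reconcile:", a)
	c.Secrets[req].Data["manually"] = "updated" // the manual edit from behavior 1
	a, _ = Reconcile(c, req)
	fmt.Println("after manual edit in dst:", a)
}
```

The ownership check is the security-relevant part: without it, a SecretMirror created in a namespace that already holds an unrelated Secret of the same name would silently overwrite that Secret, and the deletion branch would remove it when the source disappears. Returning ErrUnmanaged makes the conflict visible to the operator's logs instead of resolving it destructively.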
Owner

beBit, Inc.
An experience design partner pursuing value creation from the user's perspective.