{"id":13607597,"url":"https://github.com/mittwald/kubernetes-replicator","last_synced_at":"2026-02-12T12:14:41.712Z","repository":{"id":31753925,"uuid":"110256058","full_name":"mittwald/kubernetes-replicator","owner":"mittwald","description":"Kubernetes controller for synchronizing secrets \u0026 config maps across namespaces","archived":false,"fork":false,"pushed_at":"2025-11-24T10:38:05.000Z","size":14869,"stargazers_count":1048,"open_issues_count":51,"forks_count":119,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-11-27T23:07:52.250Z","etag":null,"topics":["golang","kubernetes","kubernetes-configmap","kubernetes-controller","kubernetes-secrets"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mittwald.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-11-10T14:30:14.000Z","updated_at":"2025-11-27T07:48:13.000Z","dependencies_parsed_at":"2023-02-10T20:15:15.098Z","dependency_job_id":"c69f3fbd-89ee-4c66-9498-63538586a129","html_url":"https://github.com/mittwald/kubernetes-replicator","commit_stats":null,"previous_names":[],"tags_count":38,"template":false,"template_full_name":null,"purl":"pkg:github/mittwald/kubernetes-replicator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-replicator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-replicator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-replicator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-replicator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mittwald","download_url":"https://codeload.github.com/mittwald/kubernetes-replicator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mittwald%2Fkubernetes-replicator/sbom","scorecard":{"id":650613,"data":{"date":"2025-08-11","repo":{"name":"github.com/mittwald/kubernetes-replicator","commit":"3529074396b39ca75f7d4042d9d1b2a108c69d70"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.6,"checks":[{"name":"Code-Review","score":6,"reason":"Found 13/19 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":7,"reason":"9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/mittwald/kubernetes-replicator/release.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile.buildx:1","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yml:65","Warn: downloadThenRun not pinned by hash: .github/workflows/build.yml:66","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned","Info:   0 out of   2 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.12.0 not signed: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/231078223","Warn: release artifact v2.11.1 not signed: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/205536654","Warn: release artifact v2.11.0 not signed: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/185201779","Warn: release artifact v2.10.2 not signed: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/174521434","Warn: release artifact v2.10.1 not signed: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/168298233","Warn: release artifact v2.12.0 does not have provenance: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/231078223","Warn: release artifact v2.11.1 does not have provenance: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/205536654","Warn: release artifact v2.11.0 does not have provenance: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/185201779","Warn: release artifact v2.10.2 does not have provenance: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/174521434","Warn: release artifact v2.10.1 does not have provenance: https://api.github.com/repos/mittwald/kubernetes-replicator/releases/168298233"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 24 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-21T13:25:33.355Z","repository_id":31753925,"created_at":"2025-08-21T13:25:33.355Z","updated_at":"2025-08-21T13:25:33.355Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29365833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T08:51:36.827Z","status":"ssl_error","status_checked_at":"2026-02-12T08:51:26.849Z","response_time":55,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","kubernetes","kubernetes-configmap","kubernetes-controller","kubernetes-secrets"],"created_at":"2024-08-01T19:01:20.003Z","updated_at":"2026-02-12T12:14:41.680Z","avatar_url":"https://github.com/mittwald.png","language":"Go","funding_links":[],"categories":["Go","Operators vs Controllers","kubernetes"],"sub_categories":["Namespaces"],"readme":"# ConfigMap, Secret and Role, RoleBinding and ServiceAccount replication for Kubernetes\n\n![Build Status](https://github.com/mittwald/kubernetes-replicator/workflows/Compile%20\u0026%20Test/badge.svg)\n\nThis repository contains a custom Kubernetes controller that can be used to make\nsecrets and config maps available in multiple namespaces.\n\n## Contents\n\n1. [Deployment](#deployment)\n    1. [Using Helm](#using-helm)\n    1. [Manual](#manual)\n1. [Usage](#usage)\n    1. [\"Role and RoleBinding replication](#role-and-rolebinding-replication)\n    1. [\"Push-based\" replication](#push-based-replication)\n    1. [\"Pull-based\" replication](#pull-based-replication)\n        1. [1. Create the source secret](#step-1-create-the-source-secret)\n        1. [2. Create empty secret](#step-2-create-an-empty-destination-secret)\n        1. [Special case: TLS secrets](#special-case-tls-secrets)\n\n## Deployment\n\n### Using Helm\n\n1. Add the Mittwald Helm Repo:\n    ```shellsession\n    $ helm repo add mittwald https://helm.mittwald.de\n    \"mittwald\" has been added to your repositories\n\n    $ helm repo update\n    Hang tight while we grab the latest from your chart repositories...\n    ...Successfully got an update from the \"mittwald\" chart repository\n    Update Complete. ⎈ Happy Helming!⎈\n    ```\n\n2. Upgrade or install `kubernetes-replicator`\n    `helm upgrade --install kubernetes-replicator mittwald/kubernetes-replicator`\n\n### Manual\n\n```shellsession\n$ # Create roles and service accounts\n$ kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/rbac.yaml\n$ # Create actual deployment\n$ kubectl apply -f https://raw.githubusercontent.com/mittwald/kubernetes-replicator/master/deploy/deployment.yaml\n```\n\n## Usage\n\n### Role and RoleBinding replication\n\nTo create a new role, your own account needs to have at least the same set of privileges as the role you're trying to create. The chart currently offers two options to grant these permissions to the service account used by the replicator:\n\n- Set the value `grantClusterAdmin`to `true`, which grants the service account admin privileges. This is set to `false` by default, as having a service account with that level of access might be undesirable due to the potential security risks attached.\n\n- Set the lists of needed api groups and resources explicitly. These can be specified using the value `privileges`. `privileges` is a list that contains pairs of api group and resource lists.\n\n  Example:\n\n  ```yaml\n  serviceAccount:\n    create: true\n    annotations: {}\n    name:\n    privileges:\n      - apiGroups: [ \"\", \"apps\", \"extensions\" ]\n        resources: [\"secrets\", \"configmaps\", \"roles\", \"rolebindings\",\n        \"cronjobs\", \"deployments\", \"events\", \"ingresses\", \"jobs\", \"pods\", \"pods/attach\", \"pods/exec\", \"pods/log\", \"pods/portforward\", \"services\"]\n      - apiGroups: [ \"batch\" ]\n        resources:  [\"configmaps\", \"cronjobs\", \"deployments\", \"events\", \"ingresses\", \"jobs\", \"pods\", \"pods/attach\", \"pods/exec\", \"pods/log\", \"pods/portforward\", \"services\"]\n  ```\n\n  These settings permit the replication of Roles and RoleBindings with privileges for the api groups `\"\"`. `apps`, `batch` and `extensions` on the resources specified.\n\n### \"Push-based\" replication\n\nPush-based replication will \"push out\" the secrets, configmaps, roles and rolebindings into namespaces when new namespaces are created or when the secret/configmap/roles/rolebindings changes.\n\nThere are two general methods for push-based replication:\n\n- name-based; this allows you to either specify your target namespaces _by name_ or by regular expression (which should match the namespace name). To use name-based push replication, add a `replicator.v1.mittwald.de/replicate-to` annotation to your secret, role(binding) or configmap. The value of this annotation should contain a comma separated list of permitted namespaces or regular expressions. (Example: `namespace-1,my-ns-2,app-ns-[0-9]*` will replicate only into the namespaces `namespace-1` and `my-ns-2` as well as any namespace that matches the regular expression `app-ns-[0-9]*`).\n\n  Example:\n\n  ```yaml\n  apiVersion: v1\n  kind: Secret\n  metadata:\n    name: test-secret\n    annotations:\n      replicator.v1.mittwald.de/replicate-to: \"my-ns-1,namespace-[0-9]*\"\n  data:\n    key1: \u003cvalue\u003e\n  ```\n\n- label-based; this allows you to specify a label selector that a namespace should match in order for a secret, role(binding) or configmap to be replicated. To use label-based push replication, add a `replicator.v1.mittwald.de/replicate-to-matching` annotation to the object you want to replicate. The value of this annotation should contain an arbitrary [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors).\n\n  Example:\n\n  ```yaml\n  apiVersion: v1\n  kind: Secret\n  metadata:\n    name: test-secret\n    annotations:\n      replicator.v1.mittwald.de/replicate-to-matching: \u003e\n        my-label=value,my-other-label,my-other-label notin (foo,bar)\n  data:\n    key1: \u003cvalue\u003e\n  ```\n\nWhen the labels of a namespace are changed, any resources that were replicated by labels into the namespace and no longer qualify for replication under the new set of labels will be deleted. Afterwards any resources that now match the updated labels will be replicated into the namespace.\n\nIt is possible to use both methods of push-based replication together in a single resource, by specifying both annotations.\n\n### \"Pull-based\" replication\n\nPull-based replication makes it possible to create a secret/configmap/role/rolebindings and select a \"source\" resource\nfrom which the data is replicated from.\n\n#### Step 1: Create the source secret\n\nIf a secret or configMap needs to be replicated to other namespaces, annotations should be added in that object\npermitting replication.\n\n  - Add `replicator.v1.mittwald.de/replication-allowed` annotation with value `true` indicating that the object can be\n    replicated.\n  - Add `replicator.v1.mittwald.de/replication-allowed-namespaces` annotation. Value of this annotation should contain\n    a comma separated list of permitted namespaces or regular expressions. For example `namespace-1,my-ns-2,app-ns-[0-9]*`:\n    in this case replication will be performed only into the namespaces `namespace-1` and `my-ns-2` as well as any\n    namespace that matches the regular expression `app-ns-[0-9]*`.\n\n    ```yaml\n    apiVersion: v1\n    kind: Secret\n    metadata:\n      name: test-secret\n      annotations:\n        replicator.v1.mittwald.de/replication-allowed: \"true\"\n        replicator.v1.mittwald.de/replication-allowed-namespaces: \"my-ns-1,namespace-[0-9]*\"\n    data:\n      key1: \u003cvalue\u003e\n    ```\n\n#### Step 2: Create an empty destination secret\n\nAdd the annotation `replicator.v1.mittwald.de/replicate-from` to any Kubernetes secret or config map object. The value\nof that annotation should contain the the name of another secret or config map (using `\u003cnamespace\u003e/\u003cname\u003e` notation).\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: secret-replica\n  annotations:\n    replicator.v1.mittwald.de/replicate-from: default/some-secret\ndata: {}\n```\n\nThe replicator will then copy the `data` attribute of the referenced object into the annotated object and keep them in\nsync.\n\nBy default, the replicator adds an annotation `replicator.v1.mittwald.de/replicated-from-version` to the target object.\nThis annotation contains the resource-version of the source object at the time of replication.\n\n##### Sync by Content\n\nWhen the target object is re-applied with an empty `data` attribute, the replicator will not automatically perform replication.\nThe reason is that the target already has the `replicated-from-version` annotation with a matching source resource-version.\nFor Secrets and ConfigMaps, there is the option to synchronize _based on the content_, ignoring the `replicated-from-version` annotation.\n\nTo activate this mode, start the replicator with the `--sync-by-content` flag.\n\n#### Special case: TLS secrets\n\nSecrets of type `kubernetes.io/tls` are treated in a special way and need to have a `data[\"tls.crt\"]` and a\n`data[\"tls.key\"]` property to begin with. In the replicated secrets, these properties need to be present to begin with,\nbut they may be empty:\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: tls-secret-replica\n  annotations:\n    replicator.v1.mittwald.de/replicate-from: default/some-tls-secret\ntype: kubernetes.io/tls\ndata:\n  tls.key: \"\"\n  tls.crt: \"\"\n```\n\n#### Special case: Docker registry credentials\n\nSecrets of type `kubernetes.io/dockerconfigjson` also require special treatment. These secrets require to have a\n`.dockerconfigjson` key that needs to require valid JSON. For this reason, a replicated secret of this type should be\ncreated as follows:\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: docker-secret-replica\n  annotations:\n    replicator.v1.mittwald.de/replicate-from: default/some-docker-secret\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: e30K\n```\n\n#### Special case: Strip labels while replicate the resources.\n\nOperators like [https://github.com/strimzi/strimzi-kafka-operator](strimzi-kafka-operator) implement an own garbage collection based on specific labels defined on resources. If mittwald replicator replicate secrets to different namespace, the strimzi-kafka-operator will remove the replicated secrets because from operators point of view the secret is a left-over. To mitigate the issue, set the annotation `replicator.v1.mittwald.de/strip-labels=true` to remove all labels on the replicated resource.\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  labels:\n    app.kubernetes.io/managed-by: \"strimzi-kafka-operator\"\n  name: cluster-ca-certs\n  annotations:\n    replicator.v1.mittwald.de/strip-labels: \"true\"\ntype: kubernetes.io/tls\ndata:\n  tls.key: \"\"\n  tls.crt: \"\"\n```\n\n#### Special case: Resource with .metadata.ownerReferences\n\nSometimes, secrets are generated by external components. Such secrets are configured with an ownerReference. By default, the kubernetes-replicator will delete the\nownerReference in the target namespace.\n\nownerReference won't work [across different namespaces](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents) and the secret at the destination will be removed by the kubernetes garbage collection.\n\nTo keep `ownerReferences` at the destination, set the annotation `replicator.v1.mittwald.de/keep-owner-references=true`\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: docker-secret-replica\n  annotations:\n    replicator.v1.mittwald.de/keep-owner-references: \"true\"\n  ownerReferences:\n    - apiVersion: v1\n      kind: Deployment\n      name: owner\n      uid: \"1234\"\ntype: kubernetes.io/tls\ndata:\n  tls.key: \"\"\n  tls.crt: \"\"\n```\n\nSee also: https://github.com/mittwald/kubernetes-replicator/issues/120\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmittwald%2Fkubernetes-replicator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmittwald%2Fkubernetes-replicator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmittwald%2Fkubernetes-replicator/lists"}