Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/emberstack/kubernetes-reflector
Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates.
https://github.com/emberstack/kubernetes-reflector
cert-manager certificate configmap controller k8s kubectl kubernetes kubernetes-cluster kubernetes-controller secrets
Last synced: 2 days ago
JSON representation
Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates.
- Host: GitHub
- URL: https://github.com/emberstack/kubernetes-reflector
- Owner: emberstack
- License: mit
- Created: 2019-04-18T13:23:06.000Z (almost 6 years ago)
- Default Branch: main
- Last Pushed: 2024-07-06T14:22:13.000Z (7 months ago)
- Last Synced: 2025-01-09T23:07:32.429Z (9 days ago)
- Topics: cert-manager, certificate, configmap, controller, k8s, kubectl, kubernetes, kubernetes-cluster, kubernetes-controller, secrets
- Language: C#
- Homepage:
- Size: 235 KB
- Stars: 1,146
- Watchers: 13
- Forks: 98
- Open Issues: 29
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-ccamel - emberstack/kubernetes-reflector - Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates. (C#)
- awesome-repositories - emberstack/kubernetes-reflector - Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates. (C# #)
README
# Reflector
Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces.
[](https://github.com/emberstack/kubernetes-reflector/actions/workflows/pipeline.yaml)
[](https://github.com/emberstack/kubernetes-reflector/releases/latest)
[](https://hub.docker.com/r/emberstack/kubernetes-reflector)
[](https://hub.docker.com/r/emberstack/kubernetes-reflector)
[](LICENSE)
> Supports `amd64`, `arm` and `arm64`
## Support
If you need help or found a bug, please feel free to open an Issue on GitHub (https://github.com/emberstack/kubernetes-reflector/issues).
## Deployment
Reflector can be deployed either manually or using Helm (recommended).
### Prerequisites
- Kubernetes 1.14+
- Helm 3 (if deployed using Helm)
#### Deployment using Helm
Use Helm to install the latest released chart:
```shellsession
$ helm repo add emberstack https://emberstack.github.io/helm-charts
$ helm repo update
$ helm upgrade --install reflector emberstack/reflector
```
You can customize the values of the helm deployment by using the following Values:
| Parameter | Description | Default |
| ---------------------------------------- | ------------------------------------------------ | ------------------------------------------------------- |
| `nameOverride` | Overrides release name | `""` |
| `fullnameOverride` | Overrides release fullname | `""` |
| `image.repository` | Container image repository | `emberstack/kubernetes-reflector` |
| `image.tag` | Container image tag | `Same as chart version` |
| `image.pullPolicy` | Container image pull policy | `IfNotPresent` |
| `configuration.logging.minimumLevel` | Logging minimum level | `Information` |
| `configuration.watcher.timeout` | Maximum watcher lifetime in seconds | `` |
| `configuration.kubernetes.skipTlsVerify` | Skip TLS verify when connecting the the cluster | `false` |
| `rbac.enabled` | Create and use RBAC resources | `true` |
| `serviceAccount.create` | Create ServiceAccount | `true` |
| `serviceAccount.name` | ServiceAccount name | _release name_ |
| `livenessProbe.initialDelaySeconds` | `livenessProbe` initial delay | `5` |
| `livenessProbe.periodSeconds` | `livenessProbe` period | `10` |
| `readinessProbe.initialDelaySeconds` | `readinessProbe` initial delay | `5` |
| `readinessProbe.periodSeconds` | `readinessProbe` period | `10` |
| `startupProbe.failureThreshold` | `startupProbe` failure threshold | `10` |
| `startupProbe.periodSeconds` | `startupProbe` period | `5` |
| `resources` | Resource limits | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Toleration labels for pod assignment | `[]` |
| `affinity` | Node affinity for pod assignment | `{}` |
| `priorityClassName` | `priorityClassName` for pods | `""` |
> Find us on [Artifact Hub](https://artifacthub.io/packages/helm/emberstack/reflector)
#### Manual deployment
Each release (found on the [Releases](https://github.com/emberstack/kubernetes-reflector/releases) GitHub page) contains the manual deployment file (`reflector.yaml`).
```shellsession
$ kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-reflector/releases/latest/download/reflector.yaml
```
## Usage
### 1. Annotate the source `secret` or `configmap`
- Add `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` to the resource annotations to permit reflection to mirrors.
- Add `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""` to the resource annotations to permit reflection from only the list of comma separated namespaces or regular expressions. Note: If this annotation is omitted or is empty, all namespaces are allowed.
#### Automatic mirror creation:
Reflector can create mirrors with the same name in other namespaces automatically. The following annotations control if and how the mirrors are created:
- Add `reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"` to the resource annotations to automatically create mirrors in other namespaces. Note: Requires `reflector.v1.k8s.emberstack.com/reflection-allowed` to be `true` since mirrors need to able to reflect the source.
- Add `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: ""` to the resource annotations specify in which namespaces to automatically create mirrors. Note: If this annotation is omitted or is empty, all namespaces are allowed. Namespaces in this list will also be checked by `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces` since mirrors need to be in namespaces from where reflection is permitted.
> Important: If the `source` is deleted, automatic mirrors are deleted. Also if either reflection or automirroring is turned off or the automatic mirror's namespace is no longer a valid match for the allowed namespaces, the automatic mirror is deleted.
> Important: Reflector will skip any conflicting resource when creating auto-mirrors. If there is already a resource with the source's name in a namespace where an automatic mirror is to be created, that namespace is skipped and logged as a warning.
Example source secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: source-secret
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
...
```
Example source configmap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: source-config-map
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
...
```
### 2. Annotate the mirror secret or configmap
- Add `reflector.v1.k8s.emberstack.com/reflects: "/"` to the mirror object. The value of the annotation is the full name of the source object in `namespace/name` format.
> Note: Add `reflector.v1.k8s.emberstack.com/reflected-version: ""` to the resource annotations when doing any manual changes to the mirror (for example when deploying with `helm` or re-applying the deployment script). This will reset the reflected version of the mirror.
Example mirror secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: mirror-secret
annotations:
reflector.v1.k8s.emberstack.com/reflects: "default/source-secret"
data:
...
```
Example mirror configmap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: mirror-config-map
annotations:
reflector.v1.k8s.emberstack.com/reflects: "default/source-config-map"
data:
...
```
### 3. Done!
Reflector will monitor any changes done to the source objects and copy the following fields:
- `data` for secrets
- `data` and `binaryData` for configmaps
Reflector keeps track of what was copied by annotating mirrors with the source object version.
- - - -
## `cert-manager` support
> Since version 1.5 of cert-manager you can annotate secrets created from certificates for mirroring using `secretTemplate` (see https://cert-manager.io/docs/usage/certificate/).
```
apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
...
```