Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/xunleii/sync-secrets-controller
A simple operator that share a secret to other namespaces
https://github.com/xunleii/sync-secrets-controller
Last synced: 10 days ago
JSON representation
A simple operator that share a secret to other namespaces
- Host: GitHub
- URL: https://github.com/xunleii/sync-secrets-controller
- Owner: xunleii
- License: apache-2.0
- Created: 2020-03-06T20:46:04.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-02-16T11:32:52.000Z (over 3 years ago)
- Last Synced: 2024-10-13T00:56:22.564Z (24 days ago)
- Language: Go
- Size: 222 KB
- Stars: 4
- Watchers: 3
- Forks: 2
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
README
# Secret synchronisation controller
[](https://github.com/xunleii/sync-secrets-controller/actions)
[](https://github.com/xunleii/sync-secrets-controller/actions)
[](https://goreportcard.com/report/github.com/xunleii/sync-secrets-controller)
[](go.mod)
## Overview
> Sometimes, we need to access to a secret from an another namespace, which is impossible because secret are namespaced
> and only accessible to the secret's namespace.
> For example, if we have a CA certificate in the namespace A and we want to use it in the namespace B, in order to
> create a new certificate, we need to create a new secret in B with the content of A. Moreover, because the original
> secret can be updated, we always need to sync it to the namespace B, manually.
That is why this controller exists. Thanks to annotations on a secret, it can automatically synchronise the secret over
several namespaces. *However, I do not recommend to use this controller for anything ;
[Kubernetes Secret's restrictions](https://kubernetes.io/docs/concepts/configuration/secret/#restrictions) are here
for a good reason and this controller breaks one of theses restrictions.*
## Annotations
> **These annotations cannot be used together**
`secret.sync.klst.pw/all-namespaces: 'true'`: Synchronize the current secret over all namespace
`secret.sync.klst.pw/namespace-selector: LABEL_SELECTOR`: Synchronize the current secret over all namespace
validating the given label selector
## Features
**This controller can:**
- Synchronize a secret over all namespaces
- Synchronize a secret on specifics namespaces, thanks label selectors
- Synchronize on a new namespace when a secret is already "synchronized"
- Automatically update "slave" secrets when the original is update
- Automatically restore "slave" secret when it is manually modified
- Automatically remove "slave" secrets when the original is removed
- Automatically remove/update "slave" secrets when the original secret annotations are modified/removed
- Automatically recreate "slave" secret when it is removed
## Example
```yaml
apiVersion: v1
kind: Secret
metadata:
annotations:
secret.sync.klst.pw/namespace-selector: require-creds=admin
name: admin-creds
namespace: default
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
```
This secret will be synchronized on all namespaces with the label `require-creds: admin`. For more information about
label selector, see [Kubernetes label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors.)
## How to install
You can install the deployment in a kubernetes cluster with the following commands
```bash
kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/rbac.yaml
kubectl apply -f https://github.com/xunleii/sync-secrets-controller/tree/master/deploy/deployment.yaml
```
---
*This controller is still under development and may introduce breaking changes between versions.
Please check the [CHANGELOG](CHANGELOG.md) before updating.*
[Apache License 2.0](LICENSE)