kubesecretsync

package module

v1.3.0 Latest Latest Go to latest Published: Sep 16, 2022 License: MIT Imports: 0 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/alehechka/kube-secret-sync

Links

Open Source Insights

README ¶

kube-secret-sync

A kubernetes client-go app for syncing secrets across namespaces.

The application works by creating SecretSyncRule resources that define which secrets to sync and which namespaces to sync it to. The application will watch all SecretSyncRule, Secret, and Namespace resources for changes and sync the defined secrets where necessary.

Deployment

Each released version will create a package helm chart and compiled yaml to deploy the entire application and its required resources. The most recent version can be deployed with the following:

`helm`

helm install kube-secret-sync https://github.com/alehechka/kube-secret-sync/releases/download/v1.3.0/kube-secret-sync-1.3.0.tgz --namespace kube-secret-sync --create-namespace

`kubectl`

kubectl apply -f https://github.com/alehechka/kube-secret-sync/releases/download/v1.3.0/kube-secret-sync.yaml

Secret Sync Rules

Syncing secrets is an opt-in process per secret. This allows for fine-grained control of which secrets get synced and where to. The below example the my-api-key secret will be automatically synced from the default namespace to all but the kube-[.]* system defined namespaces:

apiVersion: kube-secret-sync.io/v1
kind: SecretSyncRule
metadata:
  name: my-api-key-rule
spec:
  secret:
    name: my-api-key
    namespace: default
  rules:
    namespaces:
      excludeRegex:
        - 'kube-[.]*'

Full SecretSyncRule configuration options

Spec Variable	Example	Type	Description
`secret`	`mysecret`	`string`	The name of a secret to sync.
`namespace`	`default`	`string`	The name of the namespace that the secret to sync is defined in.
`rules.namespaces.exclude`	`["kube-system"]`	`[]string`	A list of namespaces to exclude from syncing (will take precedence over include rules).
`rules.namespaces.excludeRegex`	`["kube-[.]*"]`	`[]string`	A list of regex patterns that represent namespaces to exclude from syncing (will take precedence over include rules).
`rules.namespaces.include`	`["my-namespace"]`	`[]string`	A list of namespaces to include in syncing (all non-included will be excluded).
`rules.namespaces.includeRegex`	`["my-[.]"]`	`[]string`	A list of regex patterns that represent namespaces to include in syncing (all non-included will be excluded).
`rules.force`	`true`	`boolean`	A flag to turn on forced sync. By default, the app will only sync "managed-by" secrets. With this on, any non-managed matching secret names will also be synced.

Configuration Options

The application itself has a few configuration options, however these are mainly used during local development and should most likely not be changed.

Environment Variable	Example	Type	Default	Description
`POD_NAMESPACE`	`custom-namespace`	`string`	`kube-secret-sync`	Specifies the namespace that current application pod is running in.
`DEBUG`	`true`	`boolean`	`false`	Log debug messages.