This tool implements a Kubernetes controller that mirrors secrets from one location in the cluster to another, either across namespaces or to another name within one namespace. The intent is to allow for users to edit secret values by proxy, without requiring RBAC privileges on secrets in a central namespace.
The controller is configured to mirror a specific set of secrets and will re-load configuration if it detects changes. An example configuration can look like:
secrets:
- from:
namespace: source-namespace
name: dev-secret
to:
namespace: target-namespace
name: prod-secret
In order to ensure the integrity of the target secrets, the controller will only update the target secret if a creation or update is observed on the source secret, and the source secret has a non-zero data field. Not honoring zero-size secret updates or secret deletion prevents the most common outage scenarios.
Its deployment is managed by applyconfig
with those assets.