New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Source from secret #3
Comments
It's an interesting use case.
|
Would you be interested in a PR for this functionality? |
Incidentally, can we avoid relying on an annotation placed on the source secret? That secret might be "owned" by some other operator (which is true in my case) which may overwrite any additional annotations placed on it. Presumably the operator, after taking stock of the existing ClusterSecrets, can maintain an internal list of source secrets and have independent watches for each of them? |
Sorry for the delay, I dont think maintaining an internal list its a good idea, this should be idem potent and fault tolerant, if I delete de pod it should come back and have the same state. We could save data in etcd. But the general approach seems to be with annotations (which at the end is etcd too). Why another operator will may overwrite an annotation? |
You can use same approach as OpenShift/k8s secrets linkage to ServiceAccount:
So, use annotation in ClusterSecret like |
After the latests PR merged. now we have a much stable version. If we have to avoid using annotations on the source secret: But, watching for all secrets modifications and iterating through all the clustersecrets doesn't seems to be the most efficient. Imagine if we have 10k clustersecrets, lets say users keys or something like... this would not scale :/ @immesys I still have the question, how a 3th party will overwrite an annotation, why? and in case of overwriting / modification / deletion the operator will receive this event as its watching for this secret, so we can hanadle :) And... of course PR are always welcome :) |
@zakkg3 Something like what is done in this operator could be accomplished. https://github.com/IBM-Cloud/kube-samples/tree/master/secret-sync-operator |
Another approach can be using a notation similar to this one, which is inspired by k8s secrets, so it enables more granularity
|
Hi, what is the status on adding this feature. As I have searched this is the only project with such proposal. |
Source from Secrets (reference an existing secret) is ready to be tested in branch 0.8 . (#34) Update the deployment:
Try with an example object:
I would appreciate if someone can test this. |
LGTM @1.21.2 |
Tested on 1.23.4 too. |
Using this, so far no issues Kubernetes V 1.24 |
There are many cases where the secret data is generated by a third party tool that you cannot alter to make use of this CRD. Is there a way to have the contents be "the contents of X secret in Y namespace" ? The operator would then watch the source secret for changes and sync it to all the namespaces that the ClusterSecret crd specifies?
The text was updated successfully, but these errors were encountered: