Kubernetes - Replicate Secrets with Reflector
This post is part of our ongoing series on Kubernetes. In this post, we will dive into replicating secrets across namespaces using Reflector, a tool for keeping shared secrets consistent across your Kubernetes environment.
By default, Kubernetes secrets are scoped to individual namespaces. However, there are common use cases where sensitive information, such as API tokens, database credentials, or container registry credentials, needs to be shared across multiple namespaces. Manually managing these secrets can be error-prone and time-consuming.
Reflector addresses this challenge by automating the replication of secrets to specified namespaces, ensuring consistency and reducing administrative overhead. Let’s dive into how to set up and use Reflector effectively.
1. Setup Reflector
Let’s configure Reflector by creating cluster/default/reflector.yaml. This declarative configuration establishes:
- The Emberstack Helm Repository reference
- The Reflector Helm Release with appropriate configuration
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: emberstack
  namespace: default
spec:
  interval: 10m
  url: https://emberstack.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reflector
  namespace: default
spec:
  releaseName: reflector
  interval: 10m
  chart:
    spec:
      chart: reflector
      version: "9.0.318"
      interval: 10m
      sourceRef:
        kind: HelmRepository
        name: emberstack
        namespace: default
After applying this configuration, verify that the Reflector pod is up and running:
apurv@oxygen:~> kubectl get pods

NAME                        READY   STATUS    RESTARTS   AGE
reflector-dcc5cf554-8s8zf   1/1     Running   0          9m30s
As shown above, Reflector has been successfully deployed.
2. Validate Setup
To demonstrate Reflector’s capabilities, we’ll replicate a GitHub Container Registry secret across all namespaces. First, let’s recreate the secret defined in cluster/default/github-registry-secret.yaml (overriding the secret defined in the Kubernetes GitOps with FluxCD - Part 3 - Automated Image Updates post):
kubectl create secret docker-registry github-registry-secret \
  --docker-server=ghcr.io \
  --docker-username=** \
  --docker-password=** \
  --namespace=default \
  --dry-run=client -o yaml > github-registry-secret.yaml
Next, add the necessary Reflector annotations to enable automatic replication:
apiVersion: v1
kind: Secret
metadata:
  name: github-registry-secret
  namespace: default
  annotations:
+   reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+   reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ***
The annotation reflector.v1.k8s.emberstack.com/reflection-allowed: "true" permits the secret to be reflected at all, and reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" makes Reflector replicate it into every namespace in the cluster automatically. Alternatively, reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-x,ns-y" can be used to restrict replication to the listed namespaces only.
Once the secret is configured, encrypt it using SOPS and apply the changes.
Let’s verify that the secret has been replicated across all namespaces:
kubectl get secrets --all-namespaces --field-selector metadata.name=github-registry-secret

NAMESPACE         NAME                     TYPE                             DATA   AGE
cert-manager      github-registry-secret   kubernetes.io/dockerconfigjson   1      2m4s
default           github-registry-secret   kubernetes.io/dockerconfigjson   1      7d
flux-system       github-registry-secret   kubernetes.io/dockerconfigjson   1      2m3s
kube-node-lease   github-registry-secret   kubernetes.io/dockerconfigjson   1      2m3s
kube-public       github-registry-secret   kubernetes.io/dockerconfigjson   1      2m3s
kube-system       github-registry-secret   kubernetes.io/dockerconfigjson   1      2m3s
monitoring        github-registry-secret   kubernetes.io/dockerconfigjson   1      2m3s
The secret has been successfully replicated across all namespaces using Reflector.
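Before committing an annotated secret it is worth knowing exactly which namespaces will receive a copy of the registry credential, and afterwards whether the cluster matches that intent. The following is an added Python example, not code from the post or from the Reflector project: it derives the intended set of target namespaces from the annotations described above (assuming, as Reflector documents, that each entry of reflection-allowed-namespaces is matched as a full regular expression), parses the output of the kubectl listing, and reports namespaces that are missing or have an unexpected copy. The manifest dict, namespace list and kubectl output are constructed from the post's own listing.

```python
import re

PREFIX = "reflector.v1.k8s.emberstack.com/"

def planned_targets(secret: dict, cluster_namespaces: list[str]) -> set[str]:
    """Namespaces Reflector will create mirrors in, derived from the annotations."""
    meta = secret["metadata"]
    ann = meta.get("annotations", {})
    if ann.get(PREFIX + "reflection-allowed") != "true":
        return set()  # reflection is opt-in; without this nothing leaves the namespace
    if ann.get(PREFIX + "reflection-auto-enabled") != "true":
        return set()  # allowed but not automatic: mirrors only on explicit request
    raw = ann.get(PREFIX + "reflection-allowed-namespaces", "")
    patterns = [p.strip() for p in raw.split(",") if p.strip()]
    return {
        ns for ns in cluster_namespaces
        if ns != meta["namespace"]
        and (not patterns or any(re.fullmatch(p, ns) for p in patterns))
    }

def observed_namespaces(kubectl_output: str, name: str) -> set[str]:
    """Namespaces in `kubectl get secrets --all-namespaces` output that hold `name`."""
    rows = (line.split() for line in kubectl_output.strip().splitlines()[1:])
    return {cols[0] for cols in rows if len(cols) >= 2 and cols[1] == name}

def reconcile(secret: dict, cluster_namespaces: list[str], kubectl_output: str) -> dict:
    """Compare the intended footprint (source plus mirrors) with what the cluster shows."""
    meta = secret["metadata"]
    expected = planned_targets(secret, cluster_namespaces) | {meta["namespace"]}
    actual = observed_namespaces(kubectl_output, meta["name"])
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}

# Constructed sample data mirroring the post's manifest and kubectl listing.
NAMESPACES = ["cert-manager", "default", "flux-system", "kube-node-lease",
              "kube-public", "kube-system", "monitoring"]
SECRET = {"metadata": {"name": "github-registry-secret", "namespace": "default",
          "annotations": {PREFIX + "reflection-allowed": "true",
                          PREFIX + "reflection-auto-enabled": "true"}}}
# Same secret, narrowed to the namespaces that actually pull from ghcr.io.
RESTRICTED = {"metadata": {**SECRET["metadata"], "annotations": {
    **SECRET["metadata"]["annotations"],
    PREFIX + "reflection-allowed-namespaces": "monitoring,cert-manager"}}}
KUBECTL_OUTPUT = "NAMESPACE NAME TYPE DATA AGE\n" + "".join(
    f"{ns} github-registry-secret kubernetes.io/dockerconfigjson 1 2m\n" for ns in NAMESPACES)

if __name__ == "__main__":
    print("restricted mirrors:", sorted(planned_targets(RESTRICTED, NAMESPACES)))
    print("drift vs. cluster:", reconcile(RESTRICTED, NAMESPACES, KUBECTL_OUTPUT))
```

Running it against the restricted manifest reports the four kube-* and flux-system copies as unexpected, which is the kind of drift to catch before a registry token ends up in namespaces that never needed it.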
References
- Emberstack Reflector - https://github.com/emberstack/kubernetes-reflector
- Kubernetes Documentation - https://kubernetes.io/docs/