Kubernetes - Replicate Secrets with Reflector
Table of Contents
This post is part of our ongoing series of posts for Kubernetes. In this post, we will dive into replicating secrets across namespaces using Reflector, a powerful tool for ensuring consistency and security in your Kubernetes environment.
By default, Kubernetes secrets are scoped to individual namespaces. However, there are common use cases where sensitive information, such as API tokens, database credentials, or container registry credentials, needs to be shared across multiple namespaces. Manually managing these secrets can be error-prone and time-consuming.
Reflector addresses this challenge by automating the replication of secrets to specified namespaces, ensuring consistency and reducing administrative overhead. Let’s dive into how to set up and use Reflector effectively.
1. Setup Reflector
Let’s configure Reflector by creating cluster/default/reflector.yaml. This declarative configuration establishes:
- The Emberstack Helm Repository reference
- The Reflector Helm Release with appropriate configuration
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: emberstack
namespace: default
spec:
interval: 10m
url: https://emberstack.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reflector
namespace: default
spec:
releaseName: reflector
interval: 10m
chart:
spec:
chart: reflector
version: "9.0.318"
interval: 10m
sourceRef:
kind: HelmRepository
name: emberstack
namespace: default
After applying this configuration, verify that the Reflector pod is up and running:
apurv@oxygen:~> kubectl get pods
NAME READY STATUS RESTARTS AGE
reflector-dcc5cf554-8s8zf 1/1 Running 0 9m30s
As shown above, Reflector has been successfully deployed.
2. Validate Setup
To demonstrate Reflector’s capabilities, we’ll replicate a GitHub Container Registry secret across all namespaces. First, let’s recreate the secret defined in cluster/default/github-registry-secret.yaml ( overriding secret defined in Kubernetes GitOps with FluxCD - Part 3 - Automated Image Updates post ).
kubectl create secret docker-registry github-registry-secret \
--docker-server=ghcr.io \
--docker-username=** \
--docker-password=** \
--namespace=default \
--dry-run=client -o yaml > github-registry-secret.yaml
Next, add the necessary Reflector annotations to enable automatic replication:
apiVersion: v1
kind: Secret
metadata:
name: github-registry-secret
namespace: default
annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ***
The annotation reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" ensures the secret is replicated to all namespaces. Alternatively, reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-x,ns-y" can be used to restrict replication to specific namespaces.
Once the secret is configured, encrypt it using SOPS and apply the changes.
Let’s verify that the secret has been replicated across all namespaces:
kubectl get secrets --all-namespaces --field-selector metadata.name=github-registry-secret
NAMESPACE NAME TYPE DATA AGE
cert-manager github-registry-secret kubernetes.io/dockerconfigjson 1 2m4s
default github-registry-secret kubernetes.io/dockerconfigjson 1 7d
flux-system github-registry-secret kubernetes.io/dockerconfigjson 1 2m3s
kube-node-lease github-registry-secret kubernetes.io/dockerconfigjson 1 2m3s
kube-public github-registry-secret kubernetes.io/dockerconfigjson 1 2m3s
kube-system github-registry-secret kubernetes.io/dockerconfigjson 1 2m3s
monitoring github-registry-secret kubernetes.io/dockerconfigjson 1 2m3s
The secret has been successfully replicated across all namespaces using Reflector.
References
- Emberstack Reflector - https://github.com/emberstack/kubernetes-reflector
- Kubernetes Documentation - https://kubernetes.io/docs/