kube_sync_secret
Stable
Submodule

Secret Syncer

This submodule syncs a target Secret (secret_namespace/secret_name) to every namespace listed in destination_namespaces. Because Secrets are namespace-scoped, this is a helpful utility for sharing configuration or secret values across your cluster without creating each copy by hand.

If no destination_namespaces are specified, the Secret will be synchronized across all namespaces.

If you wish to exclude specific namespaces from receiving the Secret, specify excluded_namespaces.

Any updates to the Secret will automatically be propagated. If the source Secret is deleted, all Secrets generated by this module will be deleted. If this module is destroyed, all Secrets generated by this module will also be destroyed.

Providers

The following providers are needed by this module:

  • kubectl (2.0.4)

  • kubernetes (2.27.0)

  • pf (0.0.3)

Required Inputs

The following input variables are required:

secret_name

Description: The name of the Secret to sync

Type: string

secret_namespace

Description: The namespace of the Secret to sync

Type: any

Optional Inputs

The following input variables are optional (have default values):

destination_namespaces

Description: A list of namespaces to sync the Secret to. If not specified, the Secret is synced to all namespaces.

Type: list(string)

Default: []

excluded_namespaces

Description: A list of namespaces to which the Secret will not be copied, even when syncing to all namespaces.

Type: list(string)

Default: []

Outputs

No outputs.

Usage

No notes

Maintainers

resources.txt is generated by running

kubectl api-resources --no-headers | awk '{
  # Columns: NAME SHORTNAMES APIVERSION NAMESPACED KIND.
  # A resource with no short name leaves SHORTNAMES empty, so the row
  # has only 4 fields and every later column shifts one position left.
  name = $1;
  if (NF == 4) {
    shortname = "none";
    apiGroup = $2;
    namespaced = $3;
    kind = $4;
    t = "1";
  } else {
    shortname = $2;
    apiGroup = $3;
    namespaced = $4;
    kind = $5;
    t = "0";
  }
  print name " " apiGroup;
}' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }'
# The second awk groups resource names by API version: one line per
# version in the form "name1,name2,... apiVersion".

against a Kubernetes cluster with all the stack resources deployed.

This is required because Kubernetes RBAC rules are purely additive: there is no way to deny access to Secrets, so the restricted-reader role must explicitly enumerate permissions for every other resource in order to leave Secret resources out.