Syncing Secrets Across Namespaces using Kubed
It may be required for multiple components across namespaces to consume the same Secret that has been created by a single Certificate. The recommended way to do this is to use kubed with its secret syncing feature.
In order for the target Secret to be synced, the Secret resource must first be created with the correct annotations before the creation of the Certificate, else the Secret will need to be edited instead. The example below shows syncing a certificate belonging to the sandbox Certificate from the cert-manager namespace, into the sandbox namespace.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
  labels:
    cert-manager-tls: sandbox # Define namespace label for kubed
---
apiVersion: v1
data:
  ca.crt: ''
  tls.crt: ''
  tls.key: ''
kind: Secret
metadata:
  name: sandbox-tls
  namespace: cert-manager
  annotations:
    kubed.appscode.com/sync: "cert-manager-tls=sandbox" # Sync certificate to matching namespaces
type: kubernetes.io/tls
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: sandbox
  namespace: cert-manager
spec:
  secretName: sandbox-tls
  commonName: sandbox
  issuerRef:
    name: sandbox-ca
    kind: Issuer
    group: cert-manager.io
```
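Because the sync annotation copies the TLS private key into every namespace its selector matches, it is worth checking the selector against namespace labels before applying it. The following is an added example, not part of the original page or of kubed's code. It assumes equality-based selectors only and that an empty annotation value matches every namespace; the namespace list is constructed sample data.

```python
SYNC_ANNOTATION = "kubed.appscode.com/sync"

# Constructed sample data mirroring the manifests on this page, plus two extra namespaces.
NAMESPACES = [
    {"metadata": {"name": "cert-manager"}},
    {"metadata": {"name": "default"}},
    {"metadata": {"name": "sandbox", "labels": {"cert-manager-tls": "sandbox"}}},
    {"metadata": {"name": "staging", "labels": {"cert-manager-tls": "staging"}}},
]
SECRET = {"metadata": {"name": "sandbox-tls", "namespace": "cert-manager",
                       "annotations": {SYNC_ANNOTATION: "cert-manager-tls=sandbox"}}}


def parse_selector(selector):
    """Split an equality-based selector ("k=v,k2!=v2") into (key, op, value) terms."""
    terms = []
    for part in filter(None, (p.strip() for p in selector.split(","))):
        for op in ("!=", "==", "="):
            if op in part:
                key, value = (s.strip() for s in part.split(op, 1))
                if not key:
                    raise ValueError(f"selector term without a key: {part!r}")
                terms.append((key, "!=" if op == "!=" else "=", value))
                break
        else:
            raise ValueError(f"unsupported selector term: {part!r}")
    return terms


def sync_targets(secret, namespaces):
    """Names of namespaces (other than the source) that would receive a copy."""
    meta = secret["metadata"]
    annotations = meta.get("annotations") or {}
    if SYNC_ANNOTATION not in annotations:
        return []  # not synced at all
    # Assumption: an empty value yields no terms, so every namespace matches.
    terms = parse_selector(annotations[SYNC_ANNOTATION])
    targets = []
    for ns in namespaces:
        labels = ns["metadata"].get("labels") or {}
        matches = all((labels.get(k) == v) == (op == "=") for k, op, v in terms)
        if matches and ns["metadata"]["name"] != meta["namespace"]:
            targets.append(ns["metadata"]["name"])
    return sorted(targets)


if __name__ == "__main__":
    print("tls.key would be copied to:", sync_targets(SECRET, NAMESPACES))
```

A selector term the function cannot parse raises `ValueError` rather than being treated as a match, so an unexpected annotation value is surfaced instead of silently widening the result.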