The Secret Sync Operator is an example Kubernetes operator that will synchronize Kubernetes secrets that you annotate with target secrets that you designate.

In your day-to-day operation of Kubernetes clusters, you might need to move TLS secrets around your cluster namespaces so that your workloads can access the secrets. For example, if you take advantage of the new Network Load Balancer (NLB) features provided in the IBM Cloud Kubernetes Service to create a generated hostname for your Load Balancer type services complete with TLS certificates, you’ll find that new TLS secret in the default namespace. While that might work for you, what if you actually need that secret in the istio-system namespace because you’re trying to secure your Istio IngressGateway service?

Generally speaking, that means you’ll have to duplicate the secret into the namespace where you need it and then remember to do it again on an ongoing basis because the certificates within the TLS secret will expire. The original certificate will be updated automatically in the default namespace but that doesn’t update the copy that you made.

The Secret Sync Operator

Wouldn’t it be nice to have a way to tell your Kubernetes cluster: “Hey, I want you to copy this secret over there and then make sure the copy is updated whenever the original secret is updated”? Well, now you can!

Released as a sample Kubernetes Operator and included in our kube-samples GitHub repository, you can now deploy this operator in your cluster and starting syncing your secrets where you need them. Try it out and let know me know if you have questions.

Questions or comments

You can engage our team in Slack by registering here and joining the discussion in the #general and #secret-sync-operator channels on our public IBM Cloud Kubernetes Service Slack.