Keep Secrets in Sync Across Your Cluster with the Secret Sync Operator


The Secret Sync Operator is an example Kubernetes operator that will synchronize Kubernetes secrets that you annotate with target secrets that you designate.

In your day-to-day operation of Kubernetes clusters, you might need to move TLS secrets around your cluster namespaces so that your workloads can access the secrets. For example, if you take advantage of the new Network Load Balancer (NLB) features provided in the IBM Cloud Kubernetes Service to create a generated hostname for your Load Balancer type services complete with TLS certificates, you’ll find that new TLS secret in the default namespace. While that might work for you, what if you actually need that secret in the istio-system namespace because you’re trying to secure your Istio IngressGateway service?

Generally speaking, that means you’ll have to duplicate the secret into the namespace where you need it and then remember to do it again on an ongoing basis because the certificates within the TLS secret will expire. The original certificate will be updated automatically in the default namespace but that doesn’t update the copy that you made.
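To check whether a hand-made copy has gone stale in the way described above, the following added example (not part of the operator or the original post) compares two Secret manifests by the SHA-256 digest of each data key. The secret name `nlb-tls` and the sample values are constructed placeholders; real input would be the parsed output of `kubectl get secret ... -o json` for each namespace.

```python
import base64
import hashlib
import hmac


def _digests(secret):
    """Map each data key to the SHA-256 of its decoded value (never the value itself)."""
    return {
        key: hashlib.sha256(base64.b64decode(value)).hexdigest()
        for key, value in (secret.get("data") or {}).items()
    }


def secret_drift(source, copy):
    """Return {key: reason} for every way `copy` differs from `source`.

    Both arguments are Secret manifests as dicts, e.g. parsed from
    `kubectl get secret NAME -n NAMESPACE -o json`.
    """
    drift = {}
    if source.get("type") != copy.get("type"):
        drift["type"] = "mismatch"
    src, dst = _digests(source), _digests(copy)
    for key in sorted(set(src) | set(dst)):
        if key not in dst:
            drift[key] = "missing in copy"
        elif key not in src:
            drift[key] = "extra in copy"
        elif not hmac.compare_digest(src[key], dst[key]):
            drift[key] = "stale"
    return drift


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: the original was renewed, the hand-made copy was not.
# The secret name "nlb-tls" and the data values are placeholders.
SOURCE = {
    "metadata": {"name": "nlb-tls", "namespace": "default"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": _b64("renewed certificate"), "tls.key": _b64("renewed key")},
}
STALE_COPY = {
    "metadata": {"name": "nlb-tls", "namespace": "istio-system"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": _b64("old certificate"), "tls.key": _b64("old key")},
}

if __name__ == "__main__":
    print(secret_drift(SOURCE, STALE_COPY))
```

An empty result means the copy matches the original; only digests are compared, so no key material is printed or logged.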

The Secret Sync Operator

Wouldn’t it be nice to have a way to tell your Kubernetes cluster: “Hey, I want you to copy this secret over there and then make sure the copy is updated whenever the original secret is updated”? Well, now you can!

Released as a sample Kubernetes Operator and included in our kube-samples GitHub repository, you can now deploy this operator in your cluster and start syncing your secrets where you need them. Try it out and let me know if you have questions.

Author

John Pape

IBM Cloud Kubernetes Service

Signature Experience
