Available in editions:  CE, BE, SE, SE+, EE

The module lifecycle stageGeneral Availability

This module copies Secrets to all namespaces.

It facilitates the copying of Secrets required to pull images and to provision Ceph’s RBDs as part of the CI process.

The secret-copier module cannot be used together with multitenancy-manager.

multitenancy-manager creates isolated environments for users within their projects, while secret-copier automatically distributes secrets across all namespaces. This may lead to sensitive data leaks if important secrets end up in a user’s isolated environment, violating the security model.

If you need to provide a shared certificate (e.g., a WC certificate for an internal environment) or a shared registry access token, do not use secret-copier. Instead, place such secrets in the project template in multitenancy-manager — the cluster administrator should define them in the project configuration.

How does it work?

This module monitors the Secrets (with the secret-copier.deckhouse.io/enabled: "" label) in the default namespace for changes.

  • The module copies such a Secret to all namespaces after it is created.
  • When a Secret is changed, its new contents are also propagated to all namespaces.
  • When a Secret is deleted, its copies are deleted from all namespaces.
  • The module restores the original content of a copy of a Secret in the application namespace if it gets modified.
  • The module copies all the Secrets (that have the secret-copier.deckhouse.io/enabled: "" label) of the default namespace to any newly created namespace.

Additionally, it synchronizes the Secrets every night, ensuring they are identical to those in the default namespace.

What do I need to configure?

All you need to do is to create a Secret with the secret-copier.deckhouse.io/enabled: "" label in the default namespace.

Note! The working namespace for the module is default, Secrets will be copied only from it. Secrets with the secret-copier.deckhouse.io/enabled: “” label created in other namespaces will be automatically deleted when the module is enabled.

How to synchronize Secret to some selected namespaces instead of all namespaces?

Specify namespace label-selector in the value of the secret-copier.deckhouse.io/target-namespace-selector annotation. For example: secret-copier.deckhouse.io/target-namespace-selector: "app=custom". The module will create a copy of that Secret in all namespaces that matches the label-selector.