Skip to main content

Sync Secrets

Creating project secrets with data or synchronized from a global secret is great and all, but we still need a Kubernetes native secret to make use of the secret data from a Pod. vCluster Platform makes this possible by reading a special label from Kubernetes native secrets and updating it with the project secret data.

Create an Opaque Secret

Create a Kubernetes secret in the namespace it's needed, and add the loft.sh/project-secret-name with the name of the project secret as its value:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
type: Opaque

Replace <PROJECT_SECRET_NAME> with the name of the project secret.

The secret will be synchronized with the project secret momentarily. Secrets may be synchronized in any namespace or virtual cluster that belong to the project.

Syncing Secrets in Intervals

Secrets inside virtual clusters will be synchronized whenever the project secret is created or modified. However, since it would be inefficient to watch all secrets in all virtual clusters, vCluster Platform synchronizes the virtual cluster secrets on an interval. This means there's a small delay before a virtual cluster secret is synchronized once it's created.

Create other Secret Types

There are other types of secrets that can be created because any type of native Kubernetes secret is allowed. In this case example, the secret type will remain unchanged by vCluster Platform, and the data will be populated as-is from the project secret. The project secret data must match the expected format of the chosen secret type.

apiVersion: v1
kind: Secret
metadata:
  name: my-registry-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
type: kubernetes.io/dockercfg

Replace <PROJECT_SECRET_NAME> with the name of the project secret.