Sync Secrets
Creating project secrets with data or synchronized from a global secret is great and all, but we still need a Kubernetes native secret to make use of the secret data from a Pod. vCluster Platform makes this possible by reading a special label from Kubernetes native secrets and updating it with the project secret data.
Create an Opaque Secret​
Create a Kubernetes secret in the namespace it's needed, and add the loft.sh/project-secret-name
with the name of the project secret as its value:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
namespace: my-space
labels:
loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
type: Opaque
Replace <PROJECT_SECRET_NAME>
with the name of the project secret.
The secret will be synchronized with the project secret momentarily. Secrets may be synchronized in any namespace or virtual cluster that belong to the project.
Syncing Secrets in Intervals​
Secrets inside virtual clusters will be synchronized whenever the project secret is created or modified. However, since it would be inefficient to watch all secrets in all virtual clusters, vCluster Platform synchronizes the virtual cluster secrets on an interval. This means there's a small delay before a virtual cluster secret is synchronized once it's created.
Create other Secret Types​
There are other types of secrets that can be created because any type of native Kubernetes secret is allowed. In this case example, the secret type
will remain unchanged
by vCluster Platform, and the data will be populated as-is from the project secret. The project secret data must match the expected format of the chosen secret type.
apiVersion: v1
kind: Secret
metadata:
name: my-registry-secret
namespace: my-space
labels:
loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
type: kubernetes.io/dockercfg
Replace <PROJECT_SECRET_NAME>
with the name of the project secret.