Secret Sync
Creating project secrets with data or synchronized from a global secret is great and all, but we still need a Kubernetes native secret to make use of the secret data from a Pod. Loft makes this possible by reading a special label from Kubernetes native secrets and updating it with the project secret data.
Create the Secret
Simply create a Kubernetes secret in the namespace it's needed, and add the loft.sh/project-secret-name
with the name of the project secret as its value:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
namespace: my-space
labels:
loft.sh/project-secret-name: my-secret
type: Opaque
The secret will be synchronized with the project secret momentarily. Secrets may be synchronized in any space or virtual cluster that belong to the project.
Virtual Cluster Secrets
Secrets inside virtual clusters will be synchronized whenever the project secret is created or modified. However, since it would be inefficient to watch all secrets in all virtual clusters, Loft synchronizes the virtual cluster secrets on an interval. This means there's a small delay before a virtual cluster secret is synchronized once it's created.
Secret types
The above example is for a secret of type Opaque
. You may be wondering about other types of secrets. Since you control the creation of the native secret, you can also set the secret type
.
apiVersion: v1
kind: Secret
metadata:
name: my-registry-secret
namespace: my-space
labels:
loft.sh/project-secret-name: my-secret
type: kubernetes.io/dockercfg
In this case, the secret type
will remain unchanged by Loft, and the data will be populated as-is from the project secret. Care must be taken that the project secret data matches the expected format of the chosen secret type.