Mirror your Kubernetes configs, secrets, and resources to other namespaces
What is Reflector?
Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces. Since secrets and configs are scoped to a single namespace, this helps you create and change resources in one namespace and “reflect” them to resources in other namespaces. This is especially helpful for things like certificates and configs that are needed in multiple namespaces. You can find the GitHub repo here!
Install
This might go without saying, but you’ll want to be sure you have a working Kubernetes cluster! If you need help setting one up, check out my Ansible Playbook!
You’ll also want to be sure you have helm installed.
Then we’ll run:
helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector emberstack/reflector
This command will add the helm repo locally, then update the repo, then install reflector in your cluster.
Reflecting Resources
Now that it’s installed, all we need to do is add some annotations to “reflect” our resources to other namespaces.
Secrets
Let’s say you create the following Secret with the annotation below:
apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
  ...
This will:
- create a Secret
- “reflect” the same secret to namespace-1, namespace-2 and all other namespaces that match the pattern namespace-[0-9]*
ConfigMaps
ConfigMaps are just as easy! Let’s say you have a ConfigMap with the following contents:
apiVersion: v1
kind: ConfigMap
metadata:
  name: source-config-map
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
  ...
This will:
- create a ConfigMap
- “reflect” the same ConfigMap to namespace-1, namespace-2 and all other namespaces that match the pattern namespace-[0-9]*
Certificates
The real reason I brought this chart into my cluster was support for cert-manager certificates. There are many cases where I need to create the same certificate in multiple namespaces, and rather than create them manually, I have reflector create them for me.
apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
  ...
This will:
- create a Certificate
- “reflect” the same Certificate to namespace-1, namespace-2 and all other namespaces that match the pattern namespace-[0-9]*
The benefit of doing it this way with cert-manager is that when your certificates are updated with something like Let’s Encrypt, all certificates you reflect are also updated! Of course, you will want to limit your reflections to only the namespaces you trust. If you’d like to check out cert-manager, see my post on how to install traefik and cert-manager!
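To check which namespaces an allow-list like the one above actually opens up before you trust it, here is an added example (not code from the Reflector project or from this post) that evaluates the annotations against a namespace list. It assumes each comma-separated entry is a regular expression that must match the whole namespace name, and that a missing or empty allow-list permits every namespace; the sample Secret, the namespace list, and the function names are constructed for illustration.

```python
import json
import re

PREFIX = "reflector.v1.k8s.emberstack.com/"

# Constructed sample: a Secret shaped like `kubectl get secret -o json` output,
# carrying the annotations used in this post.
SECRET = json.loads("""
{"kind": "Secret",
 "metadata": {"name": "some-secret", "namespace": "default",
   "annotations": {
     "reflector.v1.k8s.emberstack.com/reflection-allowed": "true",
     "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces":
       "namespace-1,namespace-2,namespace-[0-9]*"}}}
""")

# Constructed namespace list standing in for `kubectl get namespaces`.
NAMESPACES = ["default", "kube-system", "namespace-1", "namespace-2",
              "namespace-42", "namespace-dev", "my-namespace-1"]


def allowed_targets(obj, namespaces):
    """Return the namespaces the object's annotations permit reflection into."""
    meta = obj["metadata"]
    ann = meta.get("annotations") or {}
    if ann.get(PREFIX + "reflection-allowed", "").lower() != "true":
        return []
    raw = ann.get(PREFIX + "reflection-allowed-namespaces", "")
    patterns = [p.strip() for p in raw.split(",") if p.strip()]
    candidates = [ns for ns in namespaces if ns != meta.get("namespace")]
    if not patterns:
        # Assumption: no allow-list means no restriction at all.
        return candidates
    # Assumption: an entry must match the entire namespace name.
    return [ns for ns in candidates
            if any(re.fullmatch(p, ns) for p in patterns)]


def audit(obj, namespaces, trusted):
    """Split permitted targets into trusted ones and ones needing review."""
    targets = allowed_targets(obj, namespaces)
    return {"expected": [ns for ns in targets if ns in trusted],
            "review": [ns for ns in targets if ns not in trusted]}


if __name__ == "__main__":
    print(audit(SECRET, NAMESPACES, trusted={"namespace-1", "namespace-2"}))
```

With the sample data, namespace-42 lands in the review bucket: the namespace-[0-9]* entry admits any future namespace with a numeric suffix, not just the two named explicitly.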