Synchronize ConfigMaps or Secrets across namespaces in a Kubernetes cluster using kubed

Purushotham Reddy
Apr 12, 2023


Overview

We all know Kubernetes, a popular container orchestration platform. ConfigMaps and Secrets are used to pass non-sensitive and sensitive information, respectively, to pods, Deployments and StatefulSets.

Sometimes there is a use case where you need the same Secret or ConfigMap available in all namespaces. To achieve that, you have to apply the ConfigMap or Secret to every namespace manually. This is tedious, especially if you create new namespaces in the future.

So what is the solution? The answer is kubed.

kubed is a Kubernetes Cluster Operator Daemon. It synchronizes ConfigMaps and Secrets across namespaces or clusters.

Pre-requisites

  • Kubernetes cluster
  • Helm

Note: If you don't have a cluster, you can quickly create one using Kind. Refer to my blog for setting up a Kind cluster.

Installation

Let's install kubed using its Helm chart.

helm repo add appscode https://charts.appscode.com/stable/
helm repo update
helm install kubed appscode/kubed --version v0.12.0 --namespace kube-system --set enableAnalytics=false

kubed will be installed in the kube-system namespace. You can verify the deployment status using the command below.

kubectl get deployment -n kube-system

Synchronize secrets across namespaces

Let's create a few sample namespaces using the commands below.

kubectl create ns demo1
kubectl create ns demo2
kubectl create ns demo3

Now let's create a secret in kube-system. Execute the command below.

kubectl -n kube-system create secret generic credentials --from-literal=name=purushotham

Now let's annotate the secret with kubed.appscode.com/sync="". Execute the command below.

kubectl -n kube-system annotate secret credentials kubed.appscode.com/sync=""

As soon as you add the annotation, the secret is synchronized to all the namespaces.

You can also verify the content of the secret by executing the command below.

kubectl -n demo1 get secret credentials -o json | jq -r .data.name | base64 -d

Now let's try creating a new namespace.

kubectl create ns demo4

As soon as you create a new namespace, the secret is synchronized to it as well. You can verify it using the command below.

kubectl get secrets -n demo4

Now let's try updating the content of the original secret, which lives in kube-system.

kubectl -n kube-system edit secret credentials

After you update the original secret, the updated secret is reflected in all namespaces. You can verify it using the command below.

kubectl -n demo1 get secret credentials -o json | jq -r .data.name | base64 -d

Similarly, you can synchronize ConfigMaps to all namespaces.

Note: If you want to synchronize to specific namespaces (rather than all), use the annotation below.

kubed.appscode.com/sync: "app=kubed"

app=kubed is the label applied to the specific namespaces where you want the Secret/ConfigMap synchronized.

The kubed operator applies the following labels to ConfigMap or Secret copies:

  • kubed.appscode.com/origin.name
  • kubed.appscode.com/origin.namespace
  • kubed.appscode.com/origin.cluster
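
With sync="" every namespace holds a readable copy of the Secret, so it is worth checking where copies actually sit against where they were meant to go. The script below is an added example, not part of the original post: it finds copies through the origin labels listed above and reports those in namespaces that do not match a selector such as app=kubed. The function names and script name are made up for illustration, and it assumes the two label columns follow AGE in `kubectl get -L` output.

```shell
#!/bin/sh
# Added example (not from the original post): find kubed-synced Secret copies
# that sit outside the namespaces a selector is meant to cover.

# Every kubed-made Secret copy as "namespace name origin-namespace origin-name".
# Copies are found via the origin labels kubed applies to them.
list_copies() {
  kubectl get secrets -A --no-headers \
    -l kubed.appscode.com/origin.name \
    -L kubed.appscode.com/origin.namespace \
    -L kubed.appscode.com/origin.name |
    awk '{ print $1, $2, $6, $7 }'  # NAMESPACE NAME TYPE DATA AGE + 2 labels
}

# Namespaces matching a label selector such as app=kubed, one per line.
allowed_namespaces() {
  kubectl get ns -l "$1" -o name | sed 's|^namespace/||'
}

# stdin: list_copies lines. $1/$2: source namespace/name. $3: allow-list file.
# Prints "namespace/name" for each copy in a namespace missing from the list.
# The list is read in BEGIN so an empty allow-list flags every copy.
find_unexpected() {
  awk -v ons="$1" -v oname="$2" -v allow="$3" '
    BEGIN { while ((getline ns < allow) > 0) allowed[ns] = 1 }
    $3 == ons && $4 == oname && !($1 in allowed) { print $1 "/" $2 }'
}

# audit <source-namespace> <secret-name> <namespace-selector>
audit() {
  allow=$(mktemp)
  allowed_namespaces "$3" > "$allow"
  list_copies | find_unexpected "$1" "$2" "$allow"
  rm -f "$allow"
}

if [ "$#" -eq 3 ]; then
  audit "$@"   # e.g. sh audit-copies.sh kube-system credentials app=kubed
else
  # Constructed sample: sync="" was used, but only demo1 was meant to get a copy.
  allow=$(mktemp); echo demo1 > "$allow"
  printf '%s\n' 'demo1 credentials kube-system credentials' \
                'demo2 credentials kube-system credentials' |
    find_unexpected kube-system credentials "$allow"  # prints demo2/credentials
  rm -f "$allow"
fi
```

Empty output means every copy sits in a namespace the selector covers.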

Summary:

In this blog we discussed what kubed is and how it helps synchronize Secrets/ConfigMaps across namespaces. In the next blog, let's explore how Secrets or ConfigMaps get synchronized across clusters.
