Skip to main content
Version: master

Secret Sync

Creating project secrets with data or synchronized from a global secret is great and all, but we still need a Kubernetes native secret to make use of the secret data from a Pod. Loft makes this possible by reading a special label from Kubernetes native secrets and updating it with the project secret data.

Create the Secret

Simply create a Kubernetes secret in the namespace it's needed, and add the loft.sh/project-secret-name with the name of the project secret as its value:

apiVersion: v1
kind: Secret
metadata:
name: my-secret
namespace: my-space
labels:
loft.sh/project-secret-name: my-secret
type: Opaque

The secret will be synchronized with the project secret momentarily. Secrets may be synchronized in any space or virtual cluster that belong to the project.

Virtual Cluster Secrets

Secrets inside virtual clusters will be synchronized whenever the project secret is created or modified. However, since it would be inefficient to watch all secrets in all virtual clusters, Loft synchronizes the virtual cluster secrets on an interval. This means there's a small delay before a virtual cluster secret is synchronized once it's created.

Secret types

The above example is for a secret of type Opaque. You may be wondering about other types of secrets. Since you control the creation of the native secret, you can also set the secret type.

apiVersion: v1
kind: Secret
metadata:
name: my-registry-secret
namespace: my-space
labels:
loft.sh/project-secret-name: my-secret
type: kubernetes.io/dockercfg

In this case, the secret type will remain unchanged by Loft, and the data will be populated as-is from the project secret. Care must be taken that the project secret data matches the expected format of the chosen secret type.