Skip to main content
Version: main 🚧

Sync Secrets

Enterprise
Available in these plansFreeDevProdScale
Secrets Sync

Creating project secrets with data or synchronized from a global secret is great and all, but we still need a Kubernetes native secret to make use of the secret data from a Pod. vCluster Platform makes this possible by reading a special label from Kubernetes native secrets and updating it with the project secret data.

Create an Opaque Secret​

Create a Kubernetes secret in the namespace it's needed, and add the loft.sh/project-secret-name with the name of the project secret as its value:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
type: Opaque

Replace <PROJECT_SECRET_NAME> with the name of the project secret.

The secret will be synchronized with the project secret momentarily. Secrets may be synchronized in any namespace or tenant cluster that belong to the project.

Syncing Secrets in Intervals​

Secrets inside tenant clusters will be synchronized whenever the project secret is created or modified. However, since it would be inefficient to watch all secrets in all tenant clusters, vCluster Platform synchronizes the tenant cluster secrets on an interval. This means there's a small delay before a tenant cluster secret is synchronized once it's created.

Create other Secret Types​

There are other types of secrets that can be created because any type of native Kubernetes secret is allowed. In this case example, the secret type will remain unchanged by vCluster Platform, and the data will be populated as-is from the project secret. The project secret data must conform to the format required by the Kubernetes secret type. All mandatory keys must be present with a valid value and cannot be omitted, even when using a placeholder. The type kubernetes.io/dockerconfigjson requires the .dockerconfigjson key, an empty JSON object {} is the minimum valid value.

apiVersion: v1
kind: Secret
metadata:
  name: my-registry-secret
  namespace: my-space
  labels:
    loft.sh/project-secret-name: <PROJECT_SECRET_NAME>
data:
  .dockerconfigjson: e30K  # base64("{}")
type: kubernetes.io/dockerconfigjson

Replace <PROJECT_SECRET_NAME> with the name of the project secret.