To propagate secrets from the tenant to the management cluster, KubeLB provides the custom resource SyncSecret, a wrapper over the native Kubernetes secret. It ensures that no secrets from the management cluster are exposed to the tenants.
kind: Secret
apiVersion: v1
metadata:
name: mongodb-credentials
stringData:
mongodb-password: "123456"
mongodb-root-password: "123456"
type: Opaque
kind: SyncSecret
apiVersion: kubelb.k8c.io/v1alpha1
metadata:
name: mongodb-credentials
stringData:
mongodb-password: "123456"
mongodb-root-password: "123456"
type: Opaque
To automate the process of creating SyncSecrets from kubernetes secrets, re-deploy the kubeLB CCM with the following modifications:
kubelb:
enableSecretSynchronizer: true
This would assign CRUD access for secrets to KubeLB controller and enable a syncer that can convert secrets labelled with kubelb.k8c.io/managed-by: kubelb to SyncSecrets.