To propagate secrets from the tenant cluster to the management cluster, KubeLB has introduced a custom resource, SyncSecret, which is merely a wrapper over the native Kubernetes Secret. The custom resource helps us ensure that we are not exposing any secrets from the LB cluster to the tenants.
A native Kubernetes Secret:

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: mongodb-credentials
stringData:
  mongodb-password: "123456"
  mongodb-root-password: "123456"
type: Opaque
```

The same secret expressed as a SyncSecret:

```yaml
kind: SyncSecret
apiVersion: kubelb.k8c.io/v1alpha1
metadata:
  name: mongodb-credentials
stringData:
  mongodb-password: "123456"
  mongodb-root-password: "123456"
type: Opaque
```
To automate the process of creating SyncSecrets from Kubernetes Secrets, re-deploy the KubeLB CCM with the following modifications:

```yaml
kubelb:
  enableSecretSynchronizer: true
```
This assigns CRUD access for Secrets to the KubeLB controller and enables a syncer that converts Secrets labelled with `kubelb.k8c.io/managed-by: kubelb` into SyncSecrets.
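Before turning the synchronizer on, it helps to see which Secrets the label rule above would select and what would be propagated. The following is an added example, not KubeLB's own code: the function names and the sample list are constructed for illustration, and it assumes the `data`, `stringData` and `type` fields are copied unchanged because the page describes SyncSecret as a wrapper over the native Secret.

```python
import json

# Label key and value are the ones given on the page.
MANAGED_LABEL = "kubelb.k8c.io/managed-by"
MANAGED_VALUE = "kubelb"

def is_managed(secret):
    """True if the Secret carries the label the syncer selects on."""
    labels = secret.get("metadata", {}).get("labels") or {}
    return labels.get(MANAGED_LABEL) == MANAGED_VALUE

def to_sync_secret(secret):
    """Wrap a Secret manifest (dict) as a SyncSecret manifest."""
    meta = secret["metadata"]
    sync = {
        "kind": "SyncSecret",
        "apiVersion": "kubelb.k8c.io/v1alpha1",
        "metadata": {k: meta[k] for k in ("name", "namespace") if k in meta},
    }
    # Assumption: payload fields are copied unchanged (SyncSecret is a wrapper).
    for field in ("data", "stringData", "type"):
        if field in secret:
            sync[field] = secret[field]
    return sync

def preview(secret_list):
    """Split a Secret list into (SyncSecrets to create, names left untouched)."""
    synced, skipped = [], []
    for item in secret_list.get("items", []):
        if is_managed(item):
            synced.append(to_sync_secret(item))
        else:
            skipped.append(item["metadata"]["name"])
    return synced, skipped

# Constructed sample input, shaped like a Kubernetes Secret list.
SAMPLE = {"items": [
    {"kind": "Secret", "apiVersion": "v1", "type": "Opaque",
     "metadata": {"name": "mongodb-credentials", "namespace": "default",
                  "labels": {MANAGED_LABEL: MANAGED_VALUE}},
     "stringData": {"mongodb-password": "123456"}},
    {"kind": "Secret", "apiVersion": "v1", "type": "Opaque",
     "metadata": {"name": "registry-token", "namespace": "default"},
     "stringData": {"token": "example"}},
]}

if __name__ == "__main__":
    synced, skipped = preview(SAMPLE)
    print(json.dumps(synced, indent=2), "\nnot synced:", skipped)
```

The same `preview` function accepts the JSON produced by `kubectl get secrets -A -o json`, so the set of labelled Secrets can be reviewed against what is intended to leave the tenant cluster.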