
kubed syncing secret to more than one namespace

I have kubed running in Kubernetes for syncing a secret to multiple namespaces.

With

  annotations:
    kubed.appscode.com/sync: "cert-manager-tls=dev" 

I was able to sync the secret to the dev namespace. Now I want to copy the same secret to more than one namespace. I tried the following:

1.

  annotations:
    kubed.appscode.com/sync: "cert-manager-tls=dev,cert-manager-tls=dev2" 

2.

  annotations:
    kubed.appscode.com/sync: "cert-manager-tls=dev,dev2" 

This didn't work at all.

3.

  annotations:
    kubed.appscode.com/sync: "cert-manager-tls=dev" 
    kubed.appscode.com/sync: "cert-manager-tls=dev2" 

This worked for namespace dev2, but not for namespace dev.

How can I get this working for two or more namespaces?

You may try kubed.appscode.com/sync: "" according to https://appscode.com/products/kubed/0.6.0-rc.0/guides/config-syncer/intra-cluster/

Say, you are using some Docker private registry. You want to keep its image pull secret synchronized across all namespaces of a Kubernetes cluster. Kubed can do that for you. If a ConfigMap or a Secret has the annotation kubed.appscode.com/sync: "", Kubed will create a copy of that ConfigMap/Secret in all existing namespaces. Kubed will also create this ConfigMap/Secret, when you create a new namespace.

Use case: Let's imagine we want to synchronize an image-pull-secret that is managed in kube-system to other namespaces. (Pull secrets are namespace specific.)

Option 1 is to sync the secret by default to ALL namespaces. So you need to add this annotation to the secret:

annotations:
    kubed.appscode.com/sync: ""

Option 2 is to sync the secret to one or more (!!) specific namespaces. In this case you need to add a custom value (it is up to you which value you use):

annotations:
    kubed.appscode.com/sync: "pullsecret=bitbucket-dev" 

For option 1 you don't need to do anything else on the namespace side, it is simply copied to all of them. For option 2 you need to label all namespaces where this secret should be available with your defined annotation value:

metadata:
    labels:
        pullsecret: bitbucket-dev

You can label multiple namespaces with this label. To each of them the secret is copied from kube-system.

Edit: TechnoCowboy is correct. I clarified my answer to avoid any confusion.

Generally, to replicate the secret to multiple (but not all) namespaces, you would need to add a label to the destination namespaces:

metadata:
  labels:
    cert-manager-tls: dev

So, the label is used by kubed to identify the destination namespaces.

You can see examples here: https://appscode.com/products/kubed/v0.11.0/guides/config-syncer/intra-cluster/#namespace-selector

However, I can see that there is a typo in the explanation. It says to add an annotation. This should be a label (as the following code also shows).
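
The following is an added example, not part of the original answers and not kubed's own code: a small checker that predicts which namespaces a given sync annotation value would copy a Secret into, run against the three values from the question. It assumes kubed evaluates the value with standard Kubernetes label-selector rules; the function names and the cluster state are constructed for illustration.

```python
# Added example, not kubed's code: predict where a sync annotation copies a Secret.
# Assumption: the value follows Kubernetes label-selector rules
# (comma = AND, bare key = "label exists", "" = every namespace).

def parse_selector(selector):
    """Turn 'k=v,k2!=v2,k3' into a list of (key, op, value) requirements."""
    reqs = []
    for term in (t.strip() for t in selector.split(",")):
        if not term:
            continue
        for op in ("!=", "==", "="):
            if op in term:
                key, value = term.split(op, 1)
                reqs.append((key.strip(), "!=" if op == "!=" else "=", value.strip()))
                break
        else:
            reqs.append((term, "exists", None))
    return reqs

def matches(labels, reqs):
    """A namespace matches only if every requirement holds."""
    for key, op, value in reqs:
        if op == "exists" and key not in labels:
            return False
        if op == "=" and labels.get(key) != value:
            return False
        if op == "!=" and labels.get(key) == value:
            return False
    return True

def sync_targets(annotation_value, namespaces):
    """Names of the namespaces that would receive a copy, sorted."""
    reqs = parse_selector(annotation_value)
    return sorted(n for n, labels in namespaces.items() if matches(labels, reqs))

# Constructed cluster state: dev and dev2 carry the label from the answers.
NAMESPACES = {
    "dev": {"cert-manager-tls": "dev"},
    "dev2": {"cert-manager-tls": "dev"},
    "staging": {"cert-manager-tls": "dev2"},
    "kube-system": {},
}

if __name__ == "__main__":
    for value in ("cert-manager-tls=dev", "cert-manager-tls=dev,cert-manager-tls=dev2",
                  "cert-manager-tls=dev,dev2", ""):
        print(repr(value), "->", sync_targets(value, NAMESPACES))
```

An empty value selects every namespace, including ones created later, so it gives a Secret the widest exposure; a selector plus namespace labels keeps the copies limited to the namespaces that need them.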
