feat: add kubernetes-reflector skill for cross-namespace secret/configmap mirroring
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -0,0 +1,140 @@
---
name: kubernetes-reflector
description: Configure Kubernetes Reflector annotations to mirror secrets and configmaps across namespaces.
---

# Kubernetes Reflector Skill

Configure reflection annotations for [Kubernetes Reflector](https://github.com/emberstack/kubernetes-reflector), a Kubernetes addon that monitors changes to secrets and configmaps and reflects them to mirror resources in other namespaces.

## Annotations Reference

### Source Resource Annotations

Apply to the **source** secret or configmap to permit reflection:

| Annotation | Value | Description |
|---|---|---|
| `reflector.v1.k8s.emberstack.com/reflection-allowed` | `"true"` | Permit this resource to be reflected |
| `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces` | comma-separated namespaces or regex | Restrict which namespaces can reflect this resource. If omitted, all namespaces are allowed |

**Automatic mirror creation** (optional):

| Annotation | Value | Description |
|---|---|---|
| `reflector.v1.k8s.emberstack.com/reflection-auto-enabled` | `"true"` | Automatically create mirrors in target namespaces |
| `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces` | comma-separated namespaces or regex | Namespaces where auto-mirrors are created. If omitted, all allowed namespaces are used |

### Mirror Resource Annotations

Apply to the **mirror** (destination) resource:

| Annotation | Value | Description |
|---|---|---|
| `reflector.v1.k8s.emberstack.com/reflects` | `namespace/name` | The source resource to reflect (e.g., `default/my-secret`) |
| `reflector.v1.k8s.emberstack.com/reflected-version` | `""` | Reset to empty string to force re-reflection when manually updating the mirror |

## Examples

### Enable Reflection on a Source Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
name: source-secret
namespace: default
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
data:
...
```

### Create a Mirror Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
name: mirror-secret
namespace: namespace-1
annotations:
reflector.v1.k8s.emberstack.com/reflects: "default/source-secret"
data:
...
```

### Automatic Mirroring (No Manual Mirror Creation)

Annotate the source with `reflection-auto-enabled`:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: source-secret
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "namespace-1,namespace-2"
```

Reflector will automatically create mirrors in `namespace-1` and `namespace-2` with the same name.

Reflector monitors changes to source objects and copies the following fields:
- `data` for secrets
- `data` and `binaryData` for configmaps

Reflector tracks what was copied by annotating mirrors with the source object version.

## cert-manager Integration

### Certificate (v1.5+)

Secrets created from certificates can enable reflection via `secretTemplate`:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
```

### Ingress (v1.15+)

Ingress resources can set reflection annotations via `cert-manager.io/secret-template`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/secret-template: |
{"annotations": {"reflector.v1.k8s.emberstack.com/reflection-allowed": "true", "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces": ""}}
```

## Usage with kubectl

```bash
# Enable reflection on a source secret
kubectl annotate secret -n <namespace> <name> \
reflector.v1.k8s.emberstack.com/reflection-allowed=true \
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces="<comma-separated-namespaces>" \
--overwrite

# Create a mirror that reflects a source
kubectl annotate secret -n <mirror-namespace> <mirror-name> \
reflector.v1.k8s.emberstack.com/reflects=<source-namespace>/<source-name> \
--overwrite

# Force re-reflection on a mirror
kubectl annotate secret -n <mirror-namespace> <mirror-name> \
reflector.v1.k8s.emberstack.com/reflected-version="" \
--overwrite
```
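Review bot: both cert-manager examples (the `reflection-allowed-namespaces: ""` under `secretTemplate`, and the same key inside the `cert-manager.io/secret-template` JSON on the Ingress) leave the namespace allow-list empty, presumably with the same effect as omitting it, which the skill's own table describes as "all namespaces are allowed"; for a TLS secret that includes the private key, that is a cluster-wide grant, so the examples should either list the consuming namespaces explicitly or add one sentence in the cert-manager section stating that the empty value allows every namespace and should be narrowed in practice. Related: the source example's pattern `namespace-[0-9]*` is a regex in which `[0-9]*` matches zero or more digits, so it also admits a namespace named `namespace-` with no digits, and, if matching is unanchored, any name containing that prefix; the section should state the matching rule and prefer an explicit list or an anchored form such as `^namespace-[0-9]+$`. Minor: in the kubectl section, `--overwrite` on the `reflects` annotation silently replaces an existing source target, after which Reflector copies the new source's `data` into the mirror on the next change, which is worth one line of warning next to that command.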