kiwigrid/secret-replicator

add option to replicate only to defined namespaces

monotek opened this issue · 9 comments

Currently only exclude is possible, which means you need to know all namespaces you want to have excluded.

A new env var NAMESPACE_INCLUDE should be available.
Default should be "all".
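To make the requested semantics concrete, here is an added example of an include/exclude namespace filter. It is illustration code written for this thread, not secret-replicator's own implementation: NAMESPACE_INCLUDE is the variable proposed above, while NAMESPACE_EXCLUDE, the "all" keyword handling, the exclude-wins rule and the rule that the source namespace is never a target are all assumptions made here.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// NamespaceFilter decides which namespaces a secret may be replicated into.
// The semantics below are assumptions for this illustration, not the project's code:
//   - an empty include list, or one containing the literal "all", makes every
//     namespace a candidate;
//   - an explicit include list restricts candidates to exactly those namespaces;
//   - exclude always wins, even when the same namespace is also in include;
//   - the namespace the secret came from is never a replication target.
type NamespaceFilter struct {
	includeAll bool
	include    map[string]bool
	exclude    map[string]bool
}

// parseList splits a comma-separated env value into a set, ignoring blanks.
func parseList(s string) map[string]bool {
	set := make(map[string]bool)
	for _, part := range strings.Split(s, ",") {
		if name := strings.TrimSpace(part); name != "" {
			set[name] = true
		}
	}
	return set
}

// NewNamespaceFilter builds a filter from the raw include and exclude strings.
func NewNamespaceFilter(include, exclude string) NamespaceFilter {
	inc := parseList(include)
	return NamespaceFilter{
		includeAll: len(inc) == 0 || inc["all"],
		include:    inc,
		exclude:    parseList(exclude),
	}
}

// ShouldReplicate reports whether a secret living in source may be copied to target.
func (f NamespaceFilter) ShouldReplicate(source, target string) bool {
	if target == source {
		return false // never copy a secret onto itself
	}
	if f.exclude[target] {
		return false // exclude takes precedence over include
	}
	return f.includeAll || f.include[target]
}

// Targets returns the sorted subset of namespaces that pass the filter for source.
func Targets(f NamespaceFilter, source string, namespaces []string) []string {
	var out []string
	for _, ns := range namespaces {
		if f.ShouldReplicate(source, ns) {
			out = append(out, ns)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// NAMESPACE_INCLUDE is the variable proposed in the issue; NAMESPACE_EXCLUDE is
	// an assumed name for the existing exclude setting.
	f := NewNamespaceFilter(os.Getenv("NAMESPACE_INCLUDE"), os.Getenv("NAMESPACE_EXCLUDE"))
	// Constructed namespace list standing in for what a cluster lister would return.
	cluster := []string{"default", "kube-system", "project", "project-admin", "team-b"}
	fmt.Println(Targets(f, "project-admin", cluster))
}
```

With `NAMESPACE_INCLUDE=project` the secret from `project-admin` lands only in `project`, which is the narrow "one source, one target" case described later in this thread; with `NAMESPACE_INCLUDE=all` the exclude list is the only thing keeping a secret out of a namespace, so a denylist of sensitive namespaces such as kube-system is the minimum worth setting.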

+1. Was going to ask the same thing.

I've been running clusters where I have a user namespace <project> and a supporting namespace we manage for the user <project>-admin. I'd like to sync secrets managed in the <project>-admin namespace (cert-manager generated/managed) into the <project> namespace. So I'd need a way to specify just the namespace I want it to go into.

Would it also be an option to add an annotation to a single secret with the list of namespaces? I'm currently thinking about how to solve it and also be flexible.

That could be another option, but does run into problems with cert-manager specifically:
cert-manager/cert-manager#2576

OK, I will think about it. Thanks for your answer.

@rpahli Ping :)

@kfox1111
You could maybe use kubed (https://github.com/appscode/kubed) as a workaround.

@monotek, no it won't work. See referenced issue above.

TL;DR
I want to place a Cert-Manager Certificate request in a namespace called -admin where we manage stuff on behalf of users. There is an ingress-nginx running in there that watches namespace . In single-namespace mode, ingress-nginx only watches for TLS certificates in that namespace, and cert-manager will only create certificate secrets in the same namespace as the Certificate object. What this means is I need a way of syncing a secret from one namespace to another. In addition, cert-manager doesn't support annotating/labeling secrets it creates, so Kubed won't work as it must have labels.

Secret-replicator will just about work, but only needs to sync from -admin to , not to every other namespace.

Looks like this may be implemented already?
cacb280

Is there a plan to cut a new release soon with this in place?

Thanks!
Kevin

Actually, I hit another snag. This only looks to be able to run across all namespaces. I'd be wanting to use it to watch one namespace and synchronize into a second namespace, and have multiple instances of secret-replicator running in parallel looking at non-overlapping namespaces.