Open everythings-gonna-be-alright opened 3 months ago
Kubernetes Secrets and ConfigMaps are not meant to be shared across namespaces; it would break RBAC. Use Kyverno or some other tool that can sync them from one namespace to another.
Oh, I did not know about it. Thanks. But if it is incorrect, how can I inherit substitutes in child flux customization resources without syncing secrets between namespaces in some other way?
For now, I am forced to declare substitutes for all flux customization:
postBuild:
  substitute:
    cluster_domain: "${cluster_domain}"
It is not convenient, especially when adding some new variables. A shared secret is also not an option. So, only Kyverno?
See here what the cert-manager team recommends: https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/ or do your own search on Google; there are lots of options to sync secrets between namespaces.
Many thanks. I will try. One more question. Wouldn't it be better to implement substitutes inheritance between kustomize.toolkit.fluxcd.io/v1 internally, without the need to create secrets with substitutes? Why was this approach chosen?
https://github.com/fluxcd/kustomize-controller/blob/a1a33f2adda783dd2a17234f5d8e84caca4e24e2/api/v1/kustomization_types.go#L223
In my case, the command created Kustomizations in different namespaces. Such as monitoring Kustomization -> namespace monitoring, logging Kustomization -> namespace logging, and so on.
How can I share basic variables between all clusters in this case? Why is it restricted?
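The approach suggested in this thread (sync a ConfigMap with Kyverno, then have each Kustomization read its local copy through `postBuild.substituteFrom`), shown as an added example that is not part of the original discussion or the Flux project's own code. The ConfigMap name `cluster-vars`, the `flux-system` source namespace, the `flux-vars` label and the paths are assumptions.

```yaml
# Added example; all names, labels and paths below are hypothetical.
# 1) Kyverno clones flux-system/cluster-vars into opted-in namespaces only.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-cluster-vars
spec:
  rules:
    - name: clone-cluster-vars
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  flux-vars: "enabled"   # opt-in label, keeps the copy scoped
      generate:
        apiVersion: v1
        kind: ConfigMap
        name: cluster-vars
        namespace: "{{request.object.metadata.name}}"
        synchronize: true                # re-sync copies when the source changes
        clone:
          namespace: flux-system
          name: cluster-vars
---
# 2) Each Kustomization reads the local copy instead of repeating substitute.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: monitoring
  namespace: monitoring
spec:
  interval: 10m
  path: ./monitoring
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars               # must exist in the monitoring namespace
```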