The SyncSecret resource is a wrapper over the Kubernetes Secret object. It is used to sync secrets from tenant clusters to the LB cluster in a controlled and secure way.

API Version

kubelb.k8c.io/v1alpha1

Spec Fields

immutable (boolean)
  If set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time.

data (map[string][]byte)
  Contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here.

stringData (map[string]string)
  Allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.

type (SecretType)
  Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types

  Common types:
  • Opaque (default): arbitrary user-defined data
  • kubernetes.io/service-account-token: service account token
  • kubernetes.io/dockercfg: serialized ~/.dockercfg file
  • kubernetes.io/dockerconfigjson: serialized ~/.docker/config.json file
  • kubernetes.io/basic-auth: credentials for basic authentication
  • kubernetes.io/ssh-auth: credentials for SSH authentication
  • kubernetes.io/tls: data for a TLS client or server
  • bootstrap.kubernetes.io/token: bootstrap token data

Example

Basic Opaque Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: example-secret
  namespace: default
data:
  username: YWRtaW4=  # base64 encoded "admin"
  password: cGFzc3dvcmQ=  # base64 encoded "password"
type: Opaque

Secret with StringData

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: db-credentials
  namespace: default
stringData:
  username: dbuser
  password: dbpassword
  host: db.example.com
  port: "5432"
type: Opaque

TLS Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: tls-certificate
  namespace: default
data:
  tls.crt: LS0tLS1CRUdJTi...  # base64 encoded certificate
  tls.key: LS0tLS1CRUdJTi...  # base64 encoded private key
type: kubernetes.io/tls

Docker Config Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: docker-registry
  namespace: default
stringData:
  .dockerconfigjson: |
    {
      "auths": {
        "registry.example.com": {
          "username": "user",
          "password": "pass",
          "email": "[email protected]",
          "auth": "dXNlcjpwYXNz"
        }
      }
    }
type: kubernetes.io/dockerconfigjson

Basic Auth Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: basic-auth
  namespace: default
stringData:
  username: admin
  password: secret123
type: kubernetes.io/basic-auth

SSH Auth Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: ssh-key
  namespace: default
stringData:
  ssh-privatekey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA...
    -----END RSA PRIVATE KEY-----
type: kubernetes.io/ssh-auth

Immutable Secret

apiVersion: kubelb.k8c.io/v1alpha1
kind: SyncSecret
metadata:
  name: immutable-config
  namespace: default
immutable: true
stringData:
  api-key: "1234567890abcdef"
  api-url: "https://api.example.com"
type: Opaque

Usage

SyncSecret resources are automatically synchronized from tenant clusters to the KubeLB management cluster. They are typically used for:
  • TLS certificates for secure communication
  • Authentication credentials for external services
  • Docker registry credentials for pulling images
  • API keys and tokens
  • SSH keys for Git operations

Notes

  • The SyncSecret resource follows the same structure as a standard Kubernetes Secret
  • Data values in the data field must be base64 encoded
  • The stringData field is a convenience field that accepts plain text and is automatically base64 encoded
  • When both data and stringData are specified, values from stringData take precedence
  • Immutable secrets cannot be modified after creation, only deleted and recreated
  • Secret data is sensitive and should be handled with appropriate security measures
  • The SyncSecret controller ensures secure synchronization between tenant and management clusters
For more information about Kubernetes Secrets, see: https://kubernetes.io/docs/concepts/configuration/secret/
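The field rules and notes above (key character set, base64-encoded data, stringData overriding data on merge, and the keys each built-in type expects per the linked Kubernetes secret-types page) can be checked before a manifest is applied. The following validator is an added example, not KubeLB's own code; the manifest it checks is constructed here, modelled on the TLS Secret example but deliberately missing tls.key.

```python
import base64
import re

# Keys in data/stringData must be alphanumeric, '-', '_' or '.' (data field rule above).
KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Keys the built-in types expect, per the Kubernetes secret-types documentation linked
# above. A tuple means "all of these"; a set means "at least one of these".
REQUIRED_KEYS = {
    "kubernetes.io/tls": ("tls.crt", "tls.key"),
    "kubernetes.io/ssh-auth": ("ssh-privatekey",),
    "kubernetes.io/dockerconfigjson": (".dockerconfigjson",),
    "kubernetes.io/dockercfg": (".dockercfg",),
    "kubernetes.io/basic-auth": {"username", "password"},
}

def merge_secret_data(manifest: dict) -> dict:
    """Effective data map: decode base64 'data', then overlay plain-text 'stringData',
    which wins on key collisions, as the Notes section states."""
    merged = {}
    for key, value in (manifest.get("data") or {}).items():
        merged[key] = base64.b64decode(value, validate=True)  # raises on bad base64
    for key, value in (manifest.get("stringData") or {}).items():
        merged[key] = value.encode()
    return merged

def validate_syncsecret(manifest: dict) -> list:
    """Return the problems found; an empty list means the manifest passed every check."""
    problems = []
    if (manifest.get("apiVersion"), manifest.get("kind")) != ("kubelb.k8c.io/v1alpha1", "SyncSecret"):
        problems.append("apiVersion/kind must be kubelb.k8c.io/v1alpha1 SyncSecret")
    try:
        merged = merge_secret_data(manifest)
    except (ValueError, TypeError) as exc:
        return problems + [f"data contains a value that is not valid base64: {exc}"]
    for key in merged:
        if not KEY_RE.match(key):
            problems.append(f"key {key!r} contains characters outside [A-Za-z0-9._-]")
    secret_type = manifest.get("type", "Opaque")
    expected = REQUIRED_KEYS.get(secret_type)
    if isinstance(expected, tuple):
        missing = [k for k in expected if k not in merged]
        if missing:
            problems.append(f"type {secret_type} requires keys {missing}")
    elif isinstance(expected, set) and not expected.intersection(merged):
        problems.append(f"type {secret_type} requires at least one of {sorted(expected)}")
    return problems

# Constructed sample manifest (not from the page): a TLS SyncSecret without tls.key.
SAMPLE_TLS_MISSING_KEY = {
    "apiVersion": "kubelb.k8c.io/v1alpha1", "kind": "SyncSecret",
    "metadata": {"name": "tls-certificate", "namespace": "default"},
    "data": {"tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----").decode()},
    "type": "kubernetes.io/tls",
}
```

Running validate_syncsecret(SAMPLE_TLS_MISSING_KEY) reports the missing tls.key; the same check on the Basic Opaque Secret example above returns no problems.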
