Skip to content

flanksource/vcluster-sync-host-secrets

Repository files navigation

Host Secret Sync Plygin

This plugin syncs secrets with the correct annotation from the host cluster into the vcluster. It is based on https://github.com/loft-sh/vcluster-sdk/tree/v0.3.0/examples/pull-secret-sync

For more information how to develop plugins in vcluster and a complete walk through, please refer to the official vcluster docs.

Using the Plugin

To use the plugin, create a new vcluster with the plugin.yaml:

# Use public plugin.yaml
vcluster create my-vcluster -n my-vcluster -f https://github.com/flanksource/vcluster-sync-host-secrets/releases/download/v0.1.3/plugin.yaml

This will create a new vcluster with the plugin installed. After that, wait for vcluster to start up and create a secret in the host cluster:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: my-vcluster
  annotations:
    com.flanksource/vcluster-sync: "true"
data:
  special.how: dmVyeQ==
  special.type: Y2hhcm0=
# Check if the secret was synced to the host cluster
vcluster connect my-vcluster -n my-vcluster -- kubectl get secrets

The secret is deployed into the vcluster's default namespace, this can be changed via the DESTINATION_NAMESPACE environment variable for all synced secrets:

plugin:
  sync-host-secrets:
    env:
      - name: DESTINATION_NAMESPACE
        value: dest-ns-inside-vcluster

Alternatively, the annotation com.flanksource/vcluster-namespace can be used to specify a namespace to sync to. The plugin will not create this namespace if it doesn't exist. It is the user's responsibility to ensure that it exists.

Building the Plugin

To just build the plugin image and push it to the registry, run:

# Build
docker build . -t flanksource/vcluster-sync-host-secrets:0.0.1

# Push
docker push flanksource/vcluster-sync-host-secrets:0.0.1

Then exchange the image in the plugin.yaml.

Development

General vcluster plugin project structure:

.
├── go.mod              # Go module definition
├── go.sum
├── devspace.yaml       # Development environment definition
├── devspace_start.sh   # Development entrypoint script
├── Dockerfile          # Production Dockerfile
├── Dockerfile.dev      # Development Dockerfile
├── main.go             # Go Entrypoint
├── plugin.yaml         # Plugin Helm Values
├── syncers/            # Plugin Syncers
└── constants/          # Plugin constants configuration

Before starting to develop, make sure you have installed the following tools on your computer:

  • docker
  • kubectl with a valid kube context configured
  • helm, which is used to deploy vcluster and the plugin
  • vcluster CLI v0.6.0 or higher
  • DevSpace, which is used to spin up a development environment
  • Go programming language build tools

If you want to develop within a remote Kubernetes cluster (as opposed to docker-desktop or minikube), make sure to exchange PLUGIN_IMAGE in the devspace.yaml with a valid registry path you can push to.

After successfully setting up the tools, start the development environment with:

devspace dev -n vcluster

After a while a terminal should show up with additional instructions. Enter the following command to start the plugin:

go run -mod vendor main.go

The output should look something like this:

I0124 11:20:14.702799    4185 logr.go:249] plugin: Try creating context...
I0124 11:20:14.730044    4185 logr.go:249] plugin: Waiting for vcluster to become leader...
I0124 11:20:14.731097    4185 logr.go:249] plugin: Starting syncers...
[...]
I0124 11:20:15.957331    4185 logr.go:249] plugin: Successfully started plugin.

You can now change a file locally in your IDE and then restart the command in the terminal to apply the changes to the plugin.

Delete the development environment with:

devspace purge -n vcluster

Unit tests

Example unit tests can be executed with:

go test ./...

The source code of the example tests can be found in the syncers/secrets_test.go file. It is using the vcluster-sdk/syncer/testing package for easier testing of the syncers.