+27

Auto reflect changes to Kubernetes ConfigMaps to other Namespaces with Reflector (English)

Bài viết tiếng Việt - Tự động đồng bộ Kubernetes ConfigMaps và Secrets qua các Namespaces khác với Reflector

In this article, we will learn how to reflect changes to ConfigMaps and Secrets to other Namespaces. This is a useful tip when we have one ConfigMaps that need to be used in other Namespaces.

To simplify this work, we use Kubernetes Reflector.

What is Reflector?

Reflector is a Kubernetes addon designed to help us automatically reflect ConfigMaps and Secrets from one namespace to another.

The first pros of Reflector is that it monitors the resources (configmaps and secrets) that we specify, and if in other namespaces there are no such resources, Reflector creates a new one, and if there are, then it does nothing.

The second pros of Reflector is that monitor changes to resources (secrets and configmaps) and reflects changes to other namespaces.

Installation

Reflector can be installed either manually or using Helm (recommended).

Using Helm:

helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector emberstack/reflector

Manual install:

kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-reflector/releases/latest/download/reflector.yaml

Let's check:

kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
reflector-68bdfcbf78-kh4zr   1/1     Running   0          10s

Make sure the Pod is in a Running state.

Usage

For example, we have a configmap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: source-config-map
data:
  DB_URL: postgres
  DB_PORT: 5432

To be able to reflect this configmap to all other namespaces, add reflector.v1.k8s.emberstack.com/reflection-allowed: "true" to the resource annotations.

apiVersion: v1
kind: ConfigMap
metadata:
  name: source-config-map
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
data:
  DB_URL: postgres
  DB_PORT: 5432

If you only need to reflect some certain namespaces, add reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "<list>" to the resource annotations.

apiVersion: v1
kind: ConfigMap
metadata:
  name: source-config-map
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "dev,staging,review"
data:
  DB_URL: postgres
  DB_PORT: 5432

In the configuration above, Reflector only reflects changes to dev, staging, and review namespaces.

Usage with Cert Manager

The common use case of Reflector is that we use it with Cert Manager to create SSL for different namespaces.

For example, we need to configure SSL for subdomains dev.devopsvn.tech and staging.devopsvn.tech. We configure Cert Manager as follows:

apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
  secretName: wildcard-devopsvn-tls
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "dev,staging"
  ...

And then we configure Ingress as below for the dev namespace:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: devopsvn
  namespace: dev
spec:
  tls:
  - hosts:
      - dev.devopsvn.tech
    secretName: wildcard-devopsvn-tls
  rules:
  - host: dev.devopsvn.tech
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80

For the staging namespace:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: devopsvn
  namespace: staging
spec:
  tls:
  - hosts:
      - staging.devopsvn.tech
    secretName: wildcard-devopsvn-tls
  rules:
  - host: staging.devopsvn.tech
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80

The configuration is quite simple.

Conclusion

As you can see, Reflector helps us to simplify our work 😁.


All rights reserved

Viblo
Hãy đăng ký một tài khoản Viblo để nhận được nhiều bài viết thú vị hơn.
Đăng kí