base on Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates. # Reflector Reflector is a Kubernetes addon designed to monitor changes to resources (secrets and configmaps) and reflect changes to mirror resources in the same or other namespaces. [](https://github.com/emberstack/kubernetes-reflector/actions/workflows/pipeline.yaml) [](https://github.com/emberstack/kubernetes-reflector/releases/latest) [](https://hub.docker.com/r/emberstack/kubernetes-reflector) [](https://hub.docker.com/r/emberstack/kubernetes-reflector) [](LICENSE) > Supports `amd64`, `arm` and `arm64` ## Support If you need help or found a bug, please feel free to open an Issue on GitHub (https://github.com/emberstack/kubernetes-reflector/issues). ## Deployment Reflector can be deployed either manually or using Helm (recommended). ### Prerequisites - Kubernetes 1.14+ - Helm 3 (if deployed using Helm) #### Deployment using Helm Use Helm to install the latest released chart: ```shellsession $ helm repo add emberstack https://emberstack.github.io/helm-charts $ helm repo update $ helm upgrade --install reflector emberstack/reflector ``` You can customize the values of the helm deployment by using the following Values: | Parameter | Description | Default | | ---------------------------------------- | ------------------------------------------------ | ------------------------------------------------------- | | `nameOverride` | Overrides release name | `""` | | `fullnameOverride` | Overrides release fullname | `""` | | `image.repository` | Container image repository | `emberstack/kubernetes-reflector` | | `image.tag` | Container image tag | `Same as chart version` | | `image.pullPolicy` | Container image pull policy | `IfNotPresent` | | `configuration.logging.minimumLevel` | Logging minimum level | `Information` | | `configuration.watcher.timeout` | Maximum watcher lifetime in seconds | `` | | `configuration.kubernetes.skipTlsVerify` | Skip TLS verify when connecting the the cluster | `false` | | `rbac.enabled` | Create and use RBAC resources | `true` | | `serviceAccount.create` | Create ServiceAccount | `true` | | `serviceAccount.name` | ServiceAccount name | _release name_ | | `livenessProbe.initialDelaySeconds` | `livenessProbe` initial delay | `5` | | `livenessProbe.periodSeconds` | `livenessProbe` period | `10` | | `readinessProbe.initialDelaySeconds` | `readinessProbe` initial delay | `5` | | `readinessProbe.periodSeconds` | `readinessProbe` period | `10` | | `startupProbe.failureThreshold` | `startupProbe` failure threshold | `10` | | `startupProbe.periodSeconds` | `startupProbe` period | `5` | | `resources` | Resource limits | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | | `tolerations` | Toleration labels for pod assignment | `[]` | | `affinity` | Node affinity for pod assignment | `{}` | | `priorityClassName` | `priorityClassName` for pods | `""` | > Find us on [Artifact Hub](https://artifacthub.io/packages/helm/emberstack/reflector) #### Manual deployment Each release (found on the [Releases](https://github.com/emberstack/kubernetes-reflector/releases) GitHub page) contains the manual deployment file (`reflector.yaml`). ```shellsession $ kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-reflector/releases/latest/download/reflector.yaml ``` ## Usage ### 1. Annotate the source `secret` or `configmap` - Add `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` to the resource annotations to permit reflection to mirrors. - Add `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "<list>"` to the resource annotations to permit reflection from only the list of comma separated namespaces or regular expressions. Note: If this annotation is omitted or is empty, all namespaces are allowed. #### Automatic mirror creation: Reflector can create mirrors with the same name in other namespaces automatically. The following annotations control if and how the mirrors are created: - Add `reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"` to the resource annotations to automatically create mirrors in other namespaces. Note: Requires `reflector.v1.k8s.emberstack.com/reflection-allowed` to be `true` since mirrors need to able to reflect the source. - Add `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "<list>"` to the resource annotations specify in which namespaces to automatically create mirrors. Note: If this annotation is omitted or is empty, all namespaces are allowed. Namespaces in this list will also be checked by `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces` since mirrors need to be in namespaces from where reflection is permitted. > Important: If the `source` is deleted, automatic mirrors are deleted. Also if either reflection or automirroring is turned off or the automatic mirror's namespace is no longer a valid match for the allowed namespaces, the automatic mirror is deleted. > Important: Reflector will skip any conflicting resource when creating auto-mirrors. If there is already a resource with the source's name in a namespace where an automatic mirror is to be created, that namespace is skipped and logged as a warning. Example source secret: ```yaml apiVersion: v1 kind: Secret metadata: name: source-secret annotations: reflector.v1.k8s.emberstack.com/reflection-allowed: "true" reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*" data: ... ``` Example source configmap: ```yaml apiVersion: v1 kind: ConfigMap metadata: name: source-config-map annotations: reflector.v1.k8s.emberstack.com/reflection-allowed: "true" reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*" data: ... ``` ### 2. Annotate the mirror secret or configmap - Add `reflector.v1.k8s.emberstack.com/reflects: "<source namespace>/<source name>"` to the mirror object. The value of the annotation is the full name of the source object in `namespace/name` format. > Note: Add `reflector.v1.k8s.emberstack.com/reflected-version: ""` to the resource annotations when doing any manual changes to the mirror (for example when deploying with `helm` or re-applying the deployment script). This will reset the reflected version of the mirror. Example mirror secret: ```yaml apiVersion: v1 kind: Secret metadata: name: mirror-secret annotations: reflector.v1.k8s.emberstack.com/reflects: "default/source-secret" data: ... ``` Example mirror configmap: ```yaml apiVersion: v1 kind: ConfigMap metadata: name: mirror-config-map annotations: reflector.v1.k8s.emberstack.com/reflects: "default/source-config-map" data: ... ``` ### 3. Done! Reflector will monitor any changes done to the source objects and copy the following fields: - `data` for secrets - `data` and `binaryData` for configmaps Reflector keeps track of what was copied by annotating mirrors with the source object version. - - - - ## `cert-manager` support > Since version 1.5 of cert-manager you can annotate secrets created from certificates for mirroring using `secretTemplate` (see https://cert-manager.io/docs/usage/certificate/). ``` apiVersion: cert-manager.io/v1 kind: Certificate ... spec: secretTemplate: annotations: reflector.v1.k8s.emberstack.com/reflection-allowed: "true" reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" ... ```", Assign "at most 3 tags" to the expected json: {"id":"5369","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"