Secret Importer

The SecretImporter custom resource is required to be used in conjunction with SecretExporter and SecretCopier when necessary to provide a shared secret value in order to authorize the copying of a secret into a target namespace. The SecretImporter is namespaced and thus users of a cluster could be given selective ability via RBAC to use them in a namespace.

The raw custom resource definition for the SecretImporter custom resource can be viewed by running:

kubectl get crd/secretimporters.secrets.educates.dev -o yaml

Providing authorization to copy

The primary purpose of the SecretImporter is to provide a shared secret value that indicates that a namespace is entitled to receive a secret exported from another namespace.

apiVersion: secrets.educates.dev/v1beta1
kind: SecretImporter
metadata:
  name: registry-credentials
  namespace: developer-namespace
spec:
  copyAuthorization:
    sharedSecret: my-shared-secret

The shared secret value is mandatory so that if a SecretExporter or SecretCopier is created that targets namespaces it shouldn’t, that someone else in control of one of the targeted namespaces can’t steal the secret. For someone to be able to get a copy of the secret, they would need to know the shared secret value.

As such, the SecretImporter needs to use the same shared secret values as would be defined in the SecretExporter:

apiVersion: secrets.educates.dev/v1beta1
kind: SecretExporter
metadata:
  name: registry-credentials
  namespace: registry
spec:
  rules:
  - targetNamespaces:
      nameSelector:
        matchNames:
        - "*"
    copyAuthorization:
      sharedSecret: my-shared-secret

or a SecretCopier:

apiVersion: secrets.educates.dev/v1beta1
kind: SecretCopier
metadata:
  name: registry-credentials
spec:
  rules:
  - sourceSecret:
      name: registry-credentials
      namespace: registry
    copyAuthorization:
      sharedSecret: my-shared-secret

When the rule for copying a secret is defined by a SecretExporter, it is possible that it may not define a shared secret value. In this case a shared secret value is still required in the corresponding SecretImporter, but what should be used is the Kubernetes object ID for the SecretImporter resource.

apiVersion: secrets.educates.dev/v1beta1
kind: SecretImporter
metadata:
  name: registry-credentials
  namespace: developer-namespace
spec:
  copyAuthorization:
    sharedSecret: bd380bd5-4ddc-403a-bdba-454bf21bd7b3

That is, the shared secret value would be the uid from the metadata section of the SecretExporter.

Overlapping rules for target secret

If multiple rules within different SecretExporter or SecretCopier custom resource instances target the same secret, the first to create the target secret will by default win. Only updates against the same source secret as the target secret was originally created from will later be applied.

When using SecretImporter it is possible to qualify from which namespace a source secret may be copied from when there are possible conflicts.

apiVersion: secrets.educates.dev/v1beta1
kind: SecretImporter
metadata:
  name: registry-credentials
  namespace: developer-namespace
spec:
  sourceNamespaces:
    nameSelector:
      matchNames:
      - registry
  copyAuthorization:
    sharedSecret: my-shared-secret

Because secrets can be renamed in the process of being copied, this can be further qualified by identifying by name the source secret in the source namespace.

apiVersion: secrets.educates.dev/v1beta1
kind: SecretImporter
metadata:
  name: registry-credentials
  namespace: developer-namespace
spec:
  sourceSecret:
    name: registry-credentials
  sourceNamespaces:
    nameSelector:
      matchNames:
      - registry
  copyAuthorization:
    sharedSecret: my-shared-secret

Deletion of the secret importer

When a secret is copied into a namespace due to use of paired SecretExporter and SecretImporter, the target secret will be setup to be owned by the SecretImporter custom resource instance. If the SecretImporter custom resource instance is deleted, then the target secret will also be deleted.