How can I use External Secrets Operator to copy Kubernetes secrets from one namespace to another?


I'm using External Secrets Operator to copy secrets from external providers into Kubernetes secrets, and it works great for that.

Now I'd like to copy (& synchronize) a secret from one Kubernetes namespace, into another (or potentially, many).

The problem is, I can't figure out how to configure the ClusterSecretStore and ExternalSecret to do this. I need to be able to specify the origin namespace of the secret in ExternalSecret, but I can't find anywhere in the API spec on how to do this.

I can reference a SecretStore in the same namespace as the ExternalSecret, if I wanted to access secrets in the current namespace. And I can reference a ClusterSecretStore, so that I can use the same Store from any namespace, which sounds good at first... but in the ExternalSecret, I can't find any configuration that allows me to configure "use ClusterSecretStore, and find X secret in Y namespace".

Am I going crazy?? Can anyone point me to the right configuration?

I deployed a ClusterSecretStore for Kubernetes, and it has validated.

I look for the ExternalSecretStore API reference, and I can't find a way (in data or dataFrom sections) to reference a specific namespace for a specific secret. I expected there to be some way to specify the namespace.


ESO (External Secrets Operator) integrates an external secret manager so that the stored secret can be used directly as a k8s secret.

Based on the docs, the ClusterSecretStore is the cluster-scoped version of SecretStore, and the ExternalSecret fetches its data from the secret store.

For you to be able to use the same secret in different namespaces, thus "replicating the same secret" in different namespaces inside the cluster, the ExternalSecret should be configured properly.

In the yaml, you should look at the following spec to properly point the secretStoreRef of the ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-secret
spec:
  # secretStoreRef defines which SecretStore to use when fetching the secret data
  secretStoreRef:
    name: secret-store-name
    kind: SecretStore  # or ClusterSecretStore

  # refreshInterval is the amount of time before the values are read again from the SecretStore provider
  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" (from time.ParseDuration)
  # May be set to zero to fetch and create the secret once
  refreshInterval: "1h"

  # target describes the secret that shall be created
  # there can only be one target per ExternalSecret
  target:
    # The name of the created Secret
    # Defaults to .metadata.name of the ExternalSecret
    # It is immutable
    name: my-secret

Alternatively, you can use Reflector as an add-on to your cluster.
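The piece the question is missing is that, with the ESO Kubernetes provider, the origin namespace is fixed on the store (remoteNamespace), not on the ExternalSecret. The following manifests are an added example, not from the question, the answer or the ESO project; all names (source-ns, target-ns, db-credentials, eso-secret-reader) are placeholders, and the ServiceAccount is assumed to already exist with a Role granting get/list/watch on secrets and create on selfsubjectrulesreviews in source-ns.

```yaml
# ClusterSecretStore backed by the ESO Kubernetes provider. The origin
# namespace is fixed here (remoteNamespace), not in the ExternalSecret.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: source-ns-secrets           # placeholder name
spec:
  provider:
    kubernetes:
      remoteNamespace: source-ns     # placeholder: namespace that owns the secret
      server:
        # trust the in-cluster API server via the CA bundle every namespace gets by default
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
          namespace: source-ns       # required when the store is cluster-scoped
      auth:
        # ESO reads with this ServiceAccount's identity, so its Role (not ESO's
        # own ClusterRole) decides which secrets can be mirrored out of source-ns
        serviceAccount:
          name: eso-secret-reader    # placeholder; needs get/list/watch on secrets
          namespace: source-ns       #   and create on selfsubjectrulesreviews
  # only ExternalSecrets in these namespaces may use this cluster-wide store
  conditions:
    - namespaces: ["target-ns"]
---
# ExternalSecret in the destination namespace: it names only the secret key;
# the namespace it is read from comes from the store it references.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials               # placeholder
  namespace: target-ns               # placeholder destination namespace
spec:
  refreshInterval: 1h                # re-sync period; 0 copies once and stops
  secretStoreRef:
    kind: ClusterSecretStore
    name: source-ns-secrets
  target:
    name: db-credentials             # name of the Secret created in target-ns
    creationPolicy: Owner            # ESO owns and garbage-collects the copy
  dataFrom:
    # copy every key of source-ns/db-credentials into the target Secret as-is
    - extract:
        key: db-credentials
```

To replicate into several namespaces, add each one to conditions.namespaces and create the same ExternalSecret in each; the reader ServiceAccount's Role is what bounds which secrets in source-ns can ever be mirrored, so keep it scoped to that namespace.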