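---
# CronJob that copies TLS-related secrets from the "networking" namespace into
# "kasten-io". A copy is created when missing and replaced when its content
# differs from the source.
#
# NOTE(review): batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1
# has served CronJob since 1.21. Switch once the target cluster serves it.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: secret-reflector
  namespace: networking
spec:
  # Midnight, on every second day of the month.
  schedule: "0 0 */2 * *"
  jobTemplate:
    spec:
      template:
        spec:
          # This account reads TLS private keys and writes them into another
          # namespace. Its RBAC is not part of this manifest.
          # NOTE(review): confirm it is bound through namespaced Roles only
          # (read secrets in the source namespace, write secrets in the
          # destination) rather than a cluster-wide secrets grant.
          serviceAccountName: sa-secret-reflector
          containers:
            - name: secret-reflector
              # NOTE(review): the image is referenced by mutable tag; pinning
              # it by digest would fix what runs with the token above.
              image: bitnami/kubectl:1.21.0
              # The script only talks to the API server, so the container
              # needs no added privileges or Linux capabilities.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              command:
                - "/bin/sh"
                - "-ec"
                - |
                  set -o nounset
                  set -o errexit

                  # source namespace to reflect secrets from
                  NAMESPACE_SOURCE="networking"
                  # space delimited namespaces to reflect the secrets to
                  NAMESPACE_DEST="kasten-io"

                  # List in a plain assignment so errexit stops the job when
                  # kubectl fails (for example on an RBAC denial). Inside the
                  # pipeline below only awk's exit status is seen, which would
                  # turn a failed listing into a silent no-op run.
                  secret_list="$(kubectl get secrets -n "${NAMESPACE_SOURCE}")"

                  # space delimited secrets to copy: every listed row that
                  # contains "tls" (case-insensitive) in its name or type.
                  # NOTE(review): this also selects secrets that are merely
                  # named *tls*; every match is copied with its key material.
                  SECRETS="$(printf '%s\n' "${secret_list}" | grep -i tls | awk '{print $1}')"

                  # printf is used instead of echo throughout: some sh
                  # implementations expand backslash escapes in echo arguments,
                  # which would corrupt JSON string values.
                  for secret in ${SECRETS}; do
                    # Strip server-populated metadata so the object can be
                    # compared and re-submitted in another namespace.
                    secret_source_content="$(kubectl get secret "${secret}" -n "${NAMESPACE_SOURCE}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
                    # md5sum is change detection only, not an integrity check.
                    secret_source_checksum="$(printf '%s\n' "${secret_source_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"

                    for namespace in ${NAMESPACE_DEST}; do
                      if kubectl get secret "${secret}" -n "${namespace}" >/dev/null 2>&1; then
                        # Copy exists: replace it only when it differs.
                        secret_dest_content="$(kubectl get secret "${secret}" -n "${namespace}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
                        secret_dest_checksum="$(printf '%s\n' "${secret_dest_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"

                        if [ "${secret_source_checksum}" != "${secret_dest_checksum}" ]; then
                          printf '%s\n' "${secret_source_content}" | \
                            jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
                            kubectl replace -n "${namespace}" -f -
                        fi
                      else
                        # No copy yet: create it in the destination namespace.
                        printf '%s\n' "${secret_source_content}" | \
                          jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
                          kubectl apply -n "${namespace}" -f -
                      fi
                    done
                  done
          restartPolicy: OnFailure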