The annotations added by kubernetes-replicator to copied secrets are insufficient to reliably identify the origin they were copied from.
e.g.
annotations:
replicator.v1.mittwald.de/replicated-at: "2025-05-06T01:24:17Z"
replicator.v1.mittwald.de/replicated-from-version: "677124"
replicator.v1.mittwald.de/replicated-keys: queries
Describe the solution you'd like
It would be very helpful if kubernetes-replicator could annotate the copied secrets with the origin resource's:
- namespace
- name
uid (the resourceVersion is already there as replicator.v1.mittwald.de/replicated-from-version)
It might look like this:
annotations:
replicator.v1.mittwald.de/replicated-at: "2025-05-06T01:24:17Z"
replicator.v1.mittwald.de/replicated-from-name: "my-secret"
replicator.v1.mittwald.de/replicated-from-namespace: "some-namespace"
replicator.v1.mittwald.de/replicated-from-uid: "5200dabf-3945-4917-8edc-42b5d8593567"
replicator.v1.mittwald.de/replicated-from-version: "677124"
replicator.v1.mittwald.de/replicated-keys: queries
This would make understanding systems that use the replicator significantly easier, as there would be breadcrumbs from the destination copies back to the source resource.
Describe alternatives you've considered
Pull-based replication inherently provides this, and solves other issues like the inability to change the name on the destination.
But pull secrets interact poorly with gitops-style continuous deployment tools like fluxcd because flux tends to fight for control over the secret. Telling the tool to only create the pull secret once then ignore it means that it tends to be orphaned when deleted, and updates to its annotations etc get ignored. It's also not always very practical in cases where a secret must be replicated to a lot of namespaces owned and managed by different components (e.g. TLS resources or image registry credentials), since each one must contain the pull secret stub.
Proposed implementation
Something like:
- Add a
config.go option for addSourceAnnotations
- Add a flag in
main.go to set the option on the CLI
- add constants in
replicate/common/consts.go for the annotation names
- Move the maintenance of replicated-from annotations etc from individual replicators into the common helper base
- inject the new annotations in the common helper when the feature is enabled
The annotations added by
kubernetes-replicatorto copied secrets are insufficient to reliably identify the origin they were copied from.e.g.
Describe the solution you'd like
It would be very helpful if
kubernetes-replicatorcould annotate the copied secrets with the origin resource's:uid(theresourceVersionis already there asreplicator.v1.mittwald.de/replicated-from-version)It might look like this:
This would make understanding systems that use the replicator significantly easier, as there would be breadcrumbs from the destination copies back to the source resource.
Describe alternatives you've considered
Pull-based replication inherently provides this, and solves other issues like the inability to change the name on the destination.
But pull secrets interact poorly with gitops-style continuous deployment tools like fluxcd because flux tends to fight for control over the secret. Telling the tool to only create the pull secret once then ignore it means that it tends to be orphaned when deleted, and updates to its annotations etc get ignored. It's also not always very practical in cases where a secret must be replicated to a lot of namespaces owned and managed by different components (e.g. TLS resources or image registry credentials), since each one must contain the pull secret stub.
Proposed implementation
Something like:
config.gooption foraddSourceAnnotationsmain.goto set the option on the CLIreplicate/common/consts.gofor the annotation names