I'm working on an infrastructure project where I'm configuring KEDA through YAML files. Here's a brief overview of my setup. I'm creating a KEDA scale object named `kafka-message-lag-audit`, which uses a cluster-wide trigger authentication that can potentially access secrets across namespaces. The configuration includes various parameters pointing to secrets that I want to pull from a namespace called `kafka`. However, I discovered that by default, the secrets referenced through `secretTargetRef` need to be in the same namespace as KEDA (usually `keda`).
While it's possible to set the `KEDA_CLUSTER_OBJECT_NAMESPACE` environment variable for the KEDA operator container to change the namespace, it only allows for a single input. I believe I should be able to set up the `ClusterTriggerAuthentication` to reference secrets from any namespace, including `kafka` or `nats`. How can I do this effectively, given these constraints?
3 Answers
I faced a similar issue in my setup too! Instead of using the reflector, we opted for secret-sync operators. They're pretty lightweight and allow you to configure which secrets you want to sync without having to replicate everything. Plus, creating service accounts with the right RBAC permissions can give you better control over cross-namespace secret access.
You might also want to check out the External Secrets Operator. With `kind: ClusterExternalSecret`, you can specify the namespace from which to reflect the secret.
One option could be using a tool like a reflector to replicate the secrets to the namespaces you need. It might seem a bit cumbersome for your case, but it's a solution worth considering.
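
The secret-sync approach from the answers above, sketched as an added example that is not from the original posters or the KEDA project. The names `kafka-credentials`, `secret-sync`, `read-kafka-credentials` and `kafka-credentials-auth` are assumptions; it also assumes the sync tool runs under a service account in `keda` and fetches the secret by name.

```yaml
# 1) Source namespace: allow the sync tool to read ONE named secret, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-kafka-credentials          # hypothetical
  namespace: kafka
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kafka-credentials"]  # hypothetical secret name
    # get only: list/watch are limited by resourceNames only when the
    # client filters on metadata.name, so they are not granted here.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-sync-reads-kafka-credentials  # hypothetical
  namespace: kafka
subjects:
  - kind: ServiceAccount
    name: secret-sync                   # hypothetical sync-tool service account
    namespace: keda
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-kafka-credentials
---
# 2) KEDA looks up secretTargetRef secrets for cluster-scoped authentication
#    in its own namespace (keda by default), so this points at the synced
#    copy of the secret there, not at the original in kafka.
apiVersion: keda.sh/v1alpha1
kind: ClusterTriggerAuthentication
metadata:
  name: kafka-credentials-auth          # hypothetical
spec:
  secretTargetRef:
    - parameter: sasl
      name: kafka-credentials
      key: sasl
    - parameter: username
      name: kafka-credentials
      key: username
    - parameter: password
      name: kafka-credentials
      key: password
```

The Kafka trigger in `kafka-message-lag-audit` would then reference this object through `authenticationRef` with `kind: ClusterTriggerAuthentication`. Using a namespaced Role with `resourceNames` instead of a ClusterRole on `secrets` keeps the sync tool from reading any other secret in `kafka` or elsewhere.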
