I'm working on an infrastructure setup where KEDA is configured using YAML files. The config I've outlined includes a cluster-wide trigger authentication, allowing access across namespaces, but I ran into an issue. By default, KEDA requires secrets referenced in `secretTargetRef` to be in the same namespace as KEDA itself (commonly deployed as 'keda'). While I create ClusterTriggerAuthentications for different services, I'm not sure how to reference secrets from other namespaces like 'kafka' directly. I've come across the `KEDA_CLUSTER_OBJECT_NAMESPACE` environment variable, but it only accepts a single namespace. Is there a way to effectively manage this?
2 Answers
One solution could be to use a reflector to replicate the secrets into the desired namespaces. While it might seem a bit heavy-handed, it's a straightforward way to ensure that secrets are accessible where needed. However, if you'd prefer something lighter, secret-sync operators could be a great alternative. They allow for more precise control over which secrets you want to sync without duplicating everything.
But isn't it possible to just create service accounts with proper RBAC permissions to access those secrets cross-namespace? I found that gave us better control.
Have you tried using the ExternalSecrets Operator? It allows you to define a `ClusterExternalSecret` and specify the namespace where you want the secret to be reflected. This could be an easier workaround for your issue!
I think that could be a good approach! I'll look into setting that up to see if it fits our requirements.

That makes sense! We ran into a similar situation, and using secret-sync operators worked out better for us due to their flexibility.
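The ExternalSecrets route suggested in this thread, written out as manifests. This is an added example, not something a participant posted: it assumes KEDA runs in the `keda` namespace and that a `ClusterSecretStore` already exposes the Kafka credentials. Every object and key name (`kafka-store`, `kafka-credentials`, `sasl-password`, `kafka-auth`) is hypothetical, and the `external-secrets.io` apiVersion should match the operator version installed.

```yaml
# Added example. All names below are hypothetical placeholders.
# Step 1: materialise only the needed key in the namespace KEDA reads
# cluster-scoped secrets from (the one KEDA_CLUSTER_OBJECT_NAMESPACE points at).
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: kafka-credentials-for-keda
spec:
  externalSecretName: kafka-credentials
  # Restrict the copy to the keda namespace; this label is set
  # automatically on every namespace by Kubernetes.
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: keda
  refreshTime: 1m
  externalSecretSpec:
    refreshInterval: 1h
    secretStoreRef:
      kind: ClusterSecretStore
      name: kafka-store            # assumed to exist already
    target:
      name: kafka-credentials      # Secret created in the keda namespace
    data:
      # Copy a single key rather than the whole source secret, so the
      # keda namespace holds no more credential material than the scaler needs.
      - secretKey: sasl-password
        remoteRef:
          key: kafka-credentials
          property: sasl-password
---
# Step 2: the cluster-wide auth object resolves the secret name inside the
# keda namespace, so ScaledObjects in any namespace can reference it.
apiVersion: keda.sh/v1alpha1
kind: ClusterTriggerAuthentication
metadata:
  name: kafka-auth
spec:
  secretTargetRef:
    - parameter: password          # Kafka scaler auth parameter
      name: kafka-credentials
      key: sasl-password
```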