weaveworks
diff --git a/‎README.md‎
Lines changed: 38 additions & 2 deletions b/‎README.md‎
Lines changed: 38 additions & 2 deletions
diff --git a/‎api/v1alpha2/secretsync_types.go‎
Lines changed: 66 additions & 0 deletions b/‎api/v1alpha2/secretsync_types.go‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎api/v1alpha2/zz_generated.deepcopy.go‎
Lines changed: 98 additions & 0 deletions b/‎api/v1alpha2/zz_generated.deepcopy.go‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎config/crd/bases/capi.weave.works_secretsyncs.yaml‎
Lines changed: 120 additions & 0 deletions b/‎config/crd/bases/capi.weave.works_secretsyncs.yaml‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎config/rbac/role.yaml‎
Lines changed: 26 additions & 0 deletions b/‎config/rbac/role.yaml‎
Lines changed: 26 additions & 0 deletions
@@ -2,7 +2,14 @@
 
 This is a controller that tracks [GitopsCluster] objects.
 
-It provides a CR for a `ClusterBootstrapConfig` which provides a [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/) template.
+It provides the following CRs:
+
+- [ClusterBootstrapConfig](#clusterBootstrapConfig)
+- [SecretSync](#secretsync)
+
+## ClusterBootstrapConfig
+
+`ClusterBootstrapConfig` CR provides a [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/) template.
 
 When a GitopsCluster is "Ready" a Job is created from the template, the template can access multiple fields.
 
@@ -36,7 +43,7 @@ spec:
 
 This is using Go [templating](https://pkg.go.dev/text/template) and the `GitopsCluster` object is provided as the context, this means that expressions like `{{ .ObjectMeta.Name }}` will get the _name_ of the GitopsCluster that has transitioned to "Ready".
 
-## Annotations
+### Annotations
 
 Go templating doesn't easily support access to strings that have "/" in them,
 which is a common annotation [naming strategy](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set).
@@ -53,6 +60,35 @@ e.g.
 
 ```
 
+## SecretSync
+
+`SecretSync` provides a way to sync secrets from management cluster to leaf cluster.
+
+The CR references the secret on management cluster to be synced to matched leaf clusters.
+
+SecretSync has a selector to select group of clusters based on their labels
+
+Secrets will be re-synced to leaf clusters when updated
+
+### Example
+
+```yaml
+apiVersion: capi.weave.works/v1alpha2
+kind: SecretSync
+metadata:
+  name: my-dev-secret-syncer
+  namespace: default
+spec:
+  clusterSelector:
+    matchLabels:
+      environment: dev
+  secretRef:
+    name: my-dev-secret
+  targetNamespace: my-namespace
+```
+
+
+
 ## Installation
 
 Release files are available https://github.com/weaveworks/cluster-bootstrap-controller/releases
 
@@ -0,0 +1,66 @@
+package v1alpha2
+
+import (
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretSyncSpec
+type SecretSyncSpec struct {
+	// Label selector for Clusters. The Clusters that are
+	// selected by this will be the ones affected by this SecretSync.
+	// It must match the Cluster labels. This field is immutable.
+	// Label selector cannot be empty.
+	ClusterSelector metav1.LabelSelector `json:"clusterSelector"`
+	// SecretRef specifies the Secret to be bootstrapped to the matched clusters
+	// Secret must be in the same namespace of the SecretSync object
+	SecretRef v1.LocalObjectReference `json:"secretRef"`
+	// TargetNamespace specifies the namespace which the secret should be bootstrapped in
+	// The default value is the namespace of the referenced secret
+	//+optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+}
+
+// SecretSyncStatus secretsync object status
+type SecretSyncStatus struct {
+	// SecretVersions a map contains the ResourceVersion of the secret of each cluster
+	// Cluster name is the key and secret's ResourceVersion is the value
+	SecretVersions map[string]string `json:"versions"`
+}
+
+// SetClusterSecretVersion sets the latest secret version of the given cluster
+func (s *SecretSyncStatus) SetClusterSecretVersion(cluster, version string) {
+	if s.SecretVersions == nil {
+		s.SecretVersions = make(map[string]string)
+	}
+	s.SecretVersions[cluster] = version
+}
+
+// GetClusterSecretVersion returns secret's ResourceVersion of the given cluster
+func (s *SecretSyncStatus) GetClusterSecretVersion(cluster string) string {
+	return s.SecretVersions[cluster]
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:storageversion
+//+kubebuilder:scope:namespaced
+
+type SecretSync struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              SecretSyncSpec   `json:"spec,omitempty"`
+	Status            SecretSyncStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+type SecretSyncList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecretSync `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&SecretSync{}, &SecretSyncList{})
+}
@@ -0,0 +1,120 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
+  name: secretsyncs.capi.weave.works
+spec:
+  group: capi.weave.works
+  names:
+    kind: SecretSync
+    listKind: SecretSyncList
+    plural: secretsyncs
+    singular: secretsync
+  scope: Namespaced
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SecretSyncSpec
+            properties:
+              clusterSelector:
+                description: ClusterSelector specifies the label selector to match
+                  clusters with
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              secretRef:
+                description: SecretRef specifies the Secret to be bootstrapped to
+                  the matched clusters Secret must be in the same namespace of the
+                  SecretSync object
+                properties:
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              targetNamespace:
+                description: TargetNamespace specifies the namespace which the secret
+                  should be bootstrapped in The default value is the namespace of
+                  the referenced secret
+                type: string
+            required:
+            - clusterSelector
+            - secretRef
+            type: object
+          status:
+            description: SecretSyncStatus secretsync object status
+            properties:
+              versions:
+                additionalProperties:
+                  type: string
+                description: SecretVersions a map contains the ResourceVersion of
+                  the secret of each cluster Cluster name is the key and secret's
+                  ResourceVersion is the value
+                type: object
+            required:
+            - versions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
@@ -51,6 +51,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - capi.weave.works
+  resources:
+  - secretsyncs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - capi.weave.works
+  resources:
+  - secretsyncs/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - capi.weave.works
+  resources:
+  - secretsyncs/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - cluster.x-k8s.io
   resources: