Support kind: Service as resource

Dockerfile.buildx

@@ -1,17 +1,16 @@
-FROM --platform=$BUILDPLATFORM golang:1.18 AS deps
+FROM --platform=$BUILDPLATFORM golang:1.22 AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 
 COPY . /src
 WORKDIR /src
-RUN go get -v ./...
 RUN go vet -v ./...
 RUN CGO_ENABLED=0 GO111MODULE=on go build
 
 FROM --platform=$TARGETPLATFORM scratch
 ARG TARGETPLATFORM
 LABEL MAINTAINER="Martin Helmich <[email protected]>"
 
-COPY --from=build /src/ /kubernetes-replicator
+COPY --from=build /src/kubernetes-replicator /replicator
 
-CMD ["/kubernetes-replicator"]
+CMD ["/replicator"]

README.md

@@ -17,6 +17,8 @@ secrets and config maps available in multiple namespaces.
         1. [1. Create the source secret](#step-1-create-the-source-secret)
         1. [2. Create empty secret](#step-2-create-an-empty-destination-secret)
         1. [Special case: TLS secrets](#special-case-tls-secrets)
+   1. [Special case: Service replication](#special-case-service-replication) 
+1. [Local development/testing](#local-developmenttesting-with-minikube) 
 
 ## Deployment
 
@@ -111,6 +113,11 @@ When the labels of a namespace are changed, any resources that were replicated b
 
 It is possible to use both methods of push-based replication together in a single resource, by specifying both annotations.
 
+#### :warning: "push-based" is dangerous
+:warning: "push-based" setup is dangerous as it allows an actor to influence (read: overwrite) sensitive resources in a cluster.
+
+Please consider to only enable the features you actually need - see `values.yaml:replicationEnabled[]`.
+
 ### "Pull-based" replication
 
 Pull-based replication makes it possible to create a secret/configmap/role/rolebindings and select a "source" resource
@@ -241,3 +248,69 @@ data:
 ```
 
 See also: https://github.com/mittwald/kubernetes-replicator/issues/120
+
+### Special case: Service replication
+
+An annotated `kind: Service` will be replicated to another namespace as `type: ExternalName`. This feature allows to cover 2 use cases
+
+1) common DNS domain for services or a very lightweight service mesh
+2) migration of services into own namespaces while keeping their known DNS names
+
+
+This service
+ ```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: source-service
+  namespace: default
+  annotations:
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-path: /version
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    replicator.v1.mittwald.de/replicate-to: some-namespace
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+  selector:
+    app: foo
+    application: foo
+```
+
+will be replicated to this
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: source-service
+  namespace: some-namespace
+  annotations:
+    replicator.v1.mittwald.de/replicated-at: "2024-08-21T09:07:45Z"
+    replicator.v1.mittwald.de/replicated-from-version: "680"
+spec:
+  type: ExternalName
+  externalName: source-service.default.svc.cluster.local.
+  sessionAffinity: None
+```
+
+Please note:
+- `metadata.annotations` are **not replicated** by default as on a `kind: service` they usually drive load-balancer operators. You can explicitly set `replicator.v1.mittwald.de/strip-annotations: "false"` to keep them.
+- there is only the `replicator.v1.mittwald.de/replicate-to` option implemented
+- pre-existing target `kind: Service` will happily be patched/overwritten ;-)
+
+## Local development/testing with minikube
+- start a minikube cluster
+  - `minikube start --kubernetes-version=latest`
+- build the image (adjust your platform)
+  - `minikube image build -t quay.io/mittwald/kubernetes-replicator:latest -f Dockerfile.buildx --build-env=TARGETPLATFORM=linux/amd64 --build-env=BUILDPLATFORM=linux/amd64 .`
+  - `minikube image ls`
+- deploy replicator
+  - `kubectl apply -f deploy/rbac.yaml`
+  - `kubectl apply -f deploy/deployment.yaml`
+  - `kubectl get pods -n kube-system`
+- deploy test sources
+  - `kubectl apply --kustomize test` 
+- happy replication!

config.go

@@ -14,5 +14,6 @@ type flags struct {
 	ReplicateConfigMaps      bool
 	ReplicateRoles           bool
 	ReplicateRoleBindings    bool
+	ReplicateServices        bool
 	ReplicateServiceAccounts bool
 }

deploy/deployment.yaml

@@ -24,7 +24,7 @@ spec:
       - name: kubernetes-replicator
         securityContext: {}
         image: quay.io/mittwald/kubernetes-replicator:latest
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
         args: []
         ports:
         - name: health

deploy/helm-chart/kubernetes-replicator/templates/deployment.yaml

@@ -48,6 +48,7 @@ spec:
             - -replicate-roles={{ .Values.replicationEnabled.roles }}
             - -replicate-role-bindings={{ .Values.replicationEnabled.roleBindings }}
             - -replicate-service-accounts={{ .Values.replicationEnabled.serviceAccounts }}
+            - -replicate-services={{ .Values.replicationEnabled.services }}
             {{- with .Values.args }}
             {{- toYaml . | nindent 12 }}
             {{- end }}

deploy/helm-chart/kubernetes-replicator/templates/rbac.yaml

@@ -27,7 +27,7 @@ rules:
     - watch
     - list
 {{ with .Values.replicationEnabled }}
-{{- if or .secrets .configMaps .serviceAccounts }}
+{{- if or .secrets .configMaps .serviceAccounts .services }}
   - apiGroups:
     - ""
     resources:
@@ -39,6 +39,9 @@ rules:
 {{- end }}
 {{- if .serviceAccounts }}
     - serviceaccounts
+{{- end }}
+{{- if .services }}
+    - services
 {{- end }}
     verbs:
     - get

deploy/helm-chart/kubernetes-replicator/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: quay.io/mittwald/kubernetes-replicator
   #tag: stable # if no tag is given, the chart's appVersion is used
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -16,6 +16,7 @@ replicationEnabled:
   roles: true
   roleBindings: true
   serviceAccounts: true
+  services: true
 
 ## Deployment strategy / DaemonSet updateStrategy
 ##

deploy/rbac.yaml

@@ -13,7 +13,7 @@ rules:
   resources: [ "namespaces" ]
   verbs: [ "get", "watch", "list" ]
 - apiGroups: [""] # "" indicates the core API group
-  resources: ["secrets", "configmaps", "serviceaccounts"]
+  resources: ["secrets", "configmaps", "serviceaccounts", "services"]
   verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["roles", "rolebindings"]

main.go

@@ -11,6 +11,7 @@ import (
 	"github.com/mittwald/kubernetes-replicator/replicate/role"
 	"github.com/mittwald/kubernetes-replicator/replicate/rolebinding"
 	"github.com/mittwald/kubernetes-replicator/replicate/secret"
+	"github.com/mittwald/kubernetes-replicator/replicate/service"
 	"github.com/mittwald/kubernetes-replicator/replicate/serviceaccount"
 
 	log "github.com/sirupsen/logrus"
@@ -36,6 +37,7 @@ func init() {
 	flag.BoolVar(&f.ReplicateRoles, "replicate-roles", true, "Enable replication of roles")
 	flag.BoolVar(&f.ReplicateRoleBindings, "replicate-role-bindings", true, "Enable replication of role bindings")
 	flag.BoolVar(&f.ReplicateServiceAccounts, "replicate-service-accounts", true, "Enable replication of service accounts")
+	flag.BoolVar(&f.ReplicateServices, "replicate-services", true, "Enable replication of services")
 	flag.Parse()
 
 	switch strings.ToUpper(strings.TrimSpace(f.LogLevel)) {
@@ -117,6 +119,12 @@ func main() {
 		enabledReplicators = append(enabledReplicators, serviceAccountRepl)
 	}
 
+	if f.ReplicateServices {
+		serviceRepl := service.NewReplicator(client, f.ResyncPeriod, f.AllowAll)
+		go serviceRepl.Run()
+		enabledReplicators = append(enabledReplicators, serviceRepl)
+	}
+
 	h := liveness.Handler{
 		Replicators: enabledReplicators,
 	}

replicate/common/consts.go

@@ -12,4 +12,5 @@ const (
 	ReplicateToMatching             = "replicator.v1.mittwald.de/replicate-to-matching"
 	KeepOwnerReferences             = "replicator.v1.mittwald.de/keep-owner-references"
 	StripLabels                     = "replicator.v1.mittwald.de/strip-labels"
+	StripAnnotations                = "replicator.v1.mittwald.de/strip-annotations"
 )