Sync Secrets Across Clusters

Store a secret in the vault and sync it to one or more clusters. The sync block fully replaces the existing sync targets each time you run terraform apply, so the list must always contain every target you want to keep.

    resource "kupe_secret" "db_password" {
      name        = "db-password"
      secret_path = "shared/db-password"
      sync = [
        {
          cluster   = kupe_cluster.production.name
          namespace = "backend"
        },
        {
          cluster   = kupe_cluster.staging.name
          namespace = "backend"
        },
      ]
    }

You can override the Kubernetes Secret name in the target cluster with secret_name:

    resource "kupe_secret" "api_token" {
      name        = "stripe-api-token"
      secret_path = "integrations/stripe"
      sync = [
        {
          cluster     = kupe_cluster.production.name
          namespace   = "payments"
          secret_name = "stripe-credentials"
        },
      ]
    }

The actual secret values are stored in the vault, not in Terraform state — set them via the console or the API. See Manage Secrets via the API for the underlying model.
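
Because the sync list is replaced as a whole on every apply, a CI step can compare the sync targets before and after in the plan and flag any that would disappear. The script below is an added example, not part of the provider or its documentation; it assumes the plan has been exported with terraform show -json and that sync appears there as a list of objects with the attribute names used on this page. The sample plan is constructed.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Attribute names (sync, cluster, namespace, secret_name) come from the page;
# the concrete values are made up for this example.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "kupe_secret.db_password", "type": "kupe_secret",
   "change": {"actions": ["update"],
     "before": {"name": "db-password", "sync": [
        {"cluster": "production", "namespace": "backend", "secret_name": null},
        {"cluster": "staging", "namespace": "backend", "secret_name": null}]},
     "after": {"name": "db-password", "sync": [
        {"cluster": "production", "namespace": "backend", "secret_name": null}]}}},
  {"address": "kupe_secret.api_token", "type": "kupe_secret",
   "change": {"actions": ["no-op"],
     "before": {"name": "stripe-api-token", "sync": [
        {"cluster": "production", "namespace": "payments", "secret_name": "stripe-credentials"}]},
     "after": {"name": "stripe-api-token", "sync": [
        {"cluster": "production", "namespace": "payments", "secret_name": "stripe-credentials"}]}}}
]}
""")


def _targets(state):
    """Return the set of (cluster, namespace, secret_name) sync targets."""
    if not state:  # "before" is null on create, "after" is null on delete
        return set()
    return {(t.get("cluster"), t.get("namespace"), t.get("secret_name"))
            for t in state.get("sync") or []}


def dropped_sync_targets(plan):
    """Map resource address -> sync targets present before but absent after."""
    dropped = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "kupe_secret":
            continue
        change = rc["change"]
        gone = _targets(change.get("before")) - _targets(change.get("after"))
        if gone:
            dropped[rc["address"]] = sorted(gone, key=str)
    return dropped


if __name__ == "__main__":
    for address, targets in dropped_sync_targets(SAMPLE_PLAN).items():
        for cluster, namespace, secret_name in targets:
            print(f"{address}: plan removes sync target {cluster}/{namespace}"
                  f" (secret_name={secret_name})")
```

A target whose cluster name is not known until apply will not match its earlier entry and is reported as dropped, so the check errs toward asking for a review.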