KubeMirror - Copy Kubernetes Resources Across Namespaces

The Problem

Kubernetes doesn't let you share resources across namespaces. You need the same Secret or ConfigMap in 10 namespaces? You have to duplicate it manually and keep them all in sync.

Manual Duplication

Copy-paste the same TLS certificate Secret into 20 namespaces. Update it manually in all 20 when it expires.

Environment Hardcoding

Same ConfigMap but with different API URLs for dev, staging, prod? Create 3 separate versions and maintain them.

Limited Tools

Existing tools only support Secrets/ConfigMaps. Want to share Traefik Middleware? Out of luck.

KubeMirror's Solution

Define your resource once in a source namespace. KubeMirror automatically copies it to all target namespaces and keeps them synchronized. Transform values per environment (e.g., preprod-* namespaces get preprod API URLs, prod-* get production URLs). Works with any Kubernetes resource type.

Key Features

Everything you need for resource mirroring and synchronization

Mirror Any Resource Type

Not just Secrets and ConfigMaps. Mirror any namespaced Kubernetes resource:

Secrets & ConfigMaps (obviously)
Traefik Middleware, IngressRoute
Cert-Manager Certificates
Any Custom Resource Definition (CRD)

How: KubeMirror discovers all available resource types automatically. No manual configuration needed.

Transform Per Environment

Change values automatically based on target namespace:

# Preprod namespaces get preprod API

- path: data.API_URL
  value: "https://preprod.api.com"
  namespacePattern: "preprod-*"

# Production gets production API
- path: data.API_URL
  value: "https://api.com"
  namespacePattern: "prod-*"

Why: One source ConfigMap, different values per environment. No manual maintenance.

Automatic Synchronization

Update the source once. All copies update automatically:

Update source Secret → All 50 copies update
Delete source → All copies get deleted
Someone deletes a copy → Recreated automatically
New namespace created → Copy appears automatically

How: Uses SHA256 content hashing + Kubernetes generation tracking. Only updates when content actually changes.

Flexible Targeting

Choose which namespaces receive the copy:

namespace-1,namespace-2 Specific namespaces

app-*,prod-* Pattern matching

all-labeled All labeled namespaces

Safety: Source namespace never receives a copy. Max 100 targets per resource (configurable).

Real-World Examples

See how easy it is to get started with KubeMirror

1

Basic: Mirror a TLS Secret

Share your TLS certificate across multiple application namespaces

apiVersion: v1
kind: Secret
metadata:
  name: tls-cert
  namespace: default
  labels:
    kubemirror.raczylo.com/enabled: "true"
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "app-1,app-2,app-3"
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...

2

Pattern Matching: Mirror to All App Namespaces

Use wildcards to mirror to all namespaces matching a pattern

apiVersion: v1
kind: ConfigMap
metadata:
  name: common-config
  namespace: default
  labels:
    kubemirror.raczylo.com/enabled: "true"
  annotations:
    kubemirror.raczylo.com/sync: "true"
    # Mirror to ALL namespaces starting with "app-"
    kubemirror.raczylo.com/target-namespaces: "app-*"
data:
  log_level: "info"
  api_url: "https://api.example.com"

Result: This ConfigMap will be automatically copied to app-frontend, app-backend, app-worker, and any other namespace starting with "app-"

3

Custom Resource: Share Traefik Middleware

Mirror any CRD like Traefik Middleware across your cluster

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: compression
  namespace: infrastructure
  labels:
    kubemirror.raczylo.com/enabled: "true"
  annotations:
    kubemirror.raczylo.com/sync: "true"
    # Share with all application namespaces
    kubemirror.raczylo.com/target-namespaces: "app-*,prod-*"
spec:
  compress:
    excludedContentTypes:
      - text/event-stream

Works with any CRD: Cert-Manager Certificates, Gateway API resources, or your own custom resources!

How KubeMirror Compares

We built KubeMirror to replace emberstack/reflector

Capability	KubeMirror	Reflector
Supported Resources What resource types can be mirrored	Secrets, ConfigMaps, CRDs, etc.	Secrets, ConfigMaps only
Auto-Discovery Finds all resource types automatically	Yes	Hardcoded
Value Transformation Change values per target namespace	Full support	Not available
Active Development Regular updates and bug fixes	Active	Recently resumed (2025)

Why We Built KubeMirror

We needed to share Traefik Middleware across 200+ namespaces with environment-specific configurations. Reflector couldn't do it (Secrets/ConfigMaps only, no transformations). So we built KubeMirror with modern Kubernetes best practices and all the features we wished Reflector had.

Installation

Get started in under 2 minutes

Helm (Recommended)

helm repo add kubemirror \
  https://lukaszraczylo.github.io/helm-charts

helm install kubemirror \
  kubemirror/kubemirror \
  --namespace kubemirror-system \
  --create-namespace

kubectl

kubectl apply -k \
  github.com/lukaszraczylo/kubemirror/deploy

# Or with specific version
kubectl apply -k \
  github.com/lukaszraczylo/kubemirror/deploy?ref=v1.0.0

Quick Start: Mirror a Secret in 30 Seconds

1

Create your source Secret

apiVersion: v1
kind: Secret
metadata:
  name: tls-cert
  namespace: default
  labels:
    kubemirror.raczylo.com/enabled: "true"
  annotations:
    kubemirror.raczylo.com/sync: "true"
    kubemirror.raczylo.com/target-namespaces: "app-1,app-2"
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...

2

That's it!

KubeMirror automatically:

Creates copies in app-1 and app-2
Keeps them synchronized when you update the source
Recreates them if someone deletes a copy
Cleans up all copies when you delete the source

Required: Both the label kubemirror.raczylo.com/enabled and annotation kubemirror.raczylo.com/sync are needed.