replicate Kubernetes Secrets and ConfigMaps across namespaces via annotations
```bash
# replace 0.2.5 with your target release
helm install spillway oci://ghcr.io/kroy-the-rabbit/charts/spillway \
  --version 0.2.5 \
  --namespace spillway-system \
  --create-namespace
```
Requires Kubernetes 1.25+ and Helm 3.10+. The chart is published to GHCR as an OCI artifact — no helm repo add needed.
You have a Secret in platform and every one of your tenant namespaces needs a copy. Copy-pasting YAML doesn't scale, and writing a script to keep them in sync is exactly as fun as it sounds.
Spillway watches your cluster. Add one annotation to a source object, and it handles creation, updates, and cleanup across whatever namespaces you target — by name, glob, or label selector.
Annotate a source object:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: shared-api-token
  namespace: platform
  annotations:
    spillway.kroy.io/replicate-to: "team-*,prod"
type: Opaque
stringData:
  token: hunter2
```
Spillway reconciles `shared-api-token` into every `team-*` namespace and into `prod`. It keeps them up to date as the source changes, and deletes them if the annotation is removed or the source is deleted.
ConfigMaps work exactly the same way.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-settings
  namespace: platform
  annotations:
    spillway.kroy.io/replicate-to: "team-*"
    spillway.kroy.io/exclude-namespaces: "team-dev"
data:
  LOG_LEVEL: info
```
You can also target by namespace label rather than name:
```yaml
annotations:
  spillway.kroy.io/replicate-to-matching: "env=prod"
```
| Annotation | Description |
|---|---|
| `spillway.kroy.io/replicate-to` | Comma-separated targets. Accepts `all`, glob patterns like `team-*`, or explicit namespace names. Mix freely. |
| `spillway.kroy.io/replicate-to-matching` | Label selector targeting. E.g. `env=prod` or `tier=frontend,region=us`. Resolved at reconcile time. |
| `spillway.kroy.io/exclude-namespaces` | Comma-separated exclusions, same syntax as `replicate-to`. Always wins over includes. |
| `spillway.kroy.io/force-adopt` | Set to `"true"` to take ownership of a pre-existing unmanaged object with the same name instead of skipping it. |
`kube-system` is excluded by default when using `all` or wildcards. Explicitly naming it overrides that.
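To preview which namespaces a `replicate-to` value would reach before annotating a Secret, the name-based targeting rules above can be modelled offline. This is an added example, not Spillway's own code: `ResolveTargets` and `matches` are hypothetical names, glob matching through Go's `path.Match` is an assumption, and so is leaving the source namespace out of the result. Label-selector targeting is not modelled.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matches reports whether ns is selected by a comma-separated list of
// "all", globs, or names; explicit is true only for a literal name match.
func matches(list, ns string) (hit, explicit bool) {
	for _, p := range strings.Split(list, ",") {
		p = strings.TrimSpace(p)
		if p != "" && p == ns {
			return true, true
		}
		if ok, _ := path.Match(p, ns); ok || p == "all" {
			hit = true
		}
	}
	return hit, false
}

// ResolveTargets models the documented rules: excludes always win, and
// kube-system is skipped unless replicate-to names it explicitly.
// Assumption (not from the page): the source namespace is never a target.
func ResolveTargets(replicateTo, exclude, source string, cluster []string) []string {
	out := []string{}
	for _, ns := range cluster {
		hit, explicit := matches(replicateTo, ns)
		excluded, _ := matches(exclude, ns)
		skipSystem := ns == "kube-system" && !explicit
		if hit && !excluded && !skipSystem && ns != source {
			out = append(out, ns)
		}
	}
	return out
}

func main() {
	// Constructed namespace list, not taken from a real cluster.
	cluster := []string{"default", "kube-system", "platform", "prod", "team-a", "team-dev"}
	fmt.Println(ResolveTargets("team-*,prod", "", "platform", cluster))    // shared-api-token
	fmt.Println(ResolveTargets("team-*", "team-dev", "platform", cluster)) // app-settings
	fmt.Println(ResolveTargets("all", "", "platform", cluster))
	fmt.Println(ResolveTargets("all,kube-system", "", "platform", cluster))
}
```

The third and fourth calls show how far `all` reaches for a Secret and that `kube-system` only receives a copy when it is named outright.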
```bash
# replace 0.2.5 with your target release
helm upgrade spillway oci://ghcr.io/kroy-the-rabbit/charts/spillway \
  --version 0.2.5 \
  --namespace spillway-system \
  --reuse-values
```