I've recently been trying to deploy a single ApmServer for several namespaces. Unfortunately, it means that I have to manually copy the apm-token to other namespaces that might need it.
It makes token rotations time-consuming and a bit risky (for instance, what if I forgot one token secret?).
I thought about tasking the operator to create the secrets for me; however, this would lead to invalid ownerReferences, as it is only possible to reference cluster-scoped resources or resources in the same namespace.
Which is why I thought it was a good idea to have one ApmServer per namespace. Unfortunately, this is currently not supported by the operator, as the current documentation indicates:
Deploying the APM Server and Elasticsearch in two different namespaces is currently not supported.
How do you guys handle having agents in all namespaces? Do you manually copy the secret? Do you manually specify a secret to the operator so that you can handle rotations yourself? Do you disable authentication altogether?