feat: secret copying

Author: loks0n

README.md

@@ -29,7 +29,7 @@ Choose how the controller should access the API token:
     --wait
   ```
 
-  Swap `--set-file` for `--set credentials.secret.value=$TOKEN` if you prefer piping the token directly from an environment variable or secret store.
+  Swap `--set-file` for `--set credentials.secret.value=$TOKEN` if you prefer piping the token directly from an environment variable or secret store. Add tenant copies with `--set-json credentials.secret.additionalNamespaces='["edge","storefront"]'`.
 
 - **Bring-your-own secret** – pre-create it and point the chart at it:
 
@@ -46,7 +46,7 @@ Choose how the controller should access the API token:
     --wait
   ```
 
-The chart-generated secret defaults to `betterstack-operator-credentials`. Whichever path you choose, the secret must exist in every namespace where you define `BetterStackMonitor` objects.
+The chart-generated secret defaults to `betterstack-operator-credentials` in the release namespace. Use `credentials.secret.namespace` to move the primary secret and `credentials.secret.additionalNamespaces` to duplicate it; whichever path you choose, ensure the secret exists in every namespace where you create `BetterStackMonitor` objects.
 
 ### 2. Create monitors
 
@@ -67,12 +67,13 @@ kubectl describe betterstackmonitor demo-monitor
 
 Deleting a `BetterStackMonitor` automatically deletes the remote Better Stack monitor thanks to controller finalizers.
 
-### Configuration highlights
+### Configuration
 
 See `helm/betterstack-operator/values.yaml` for the full list. Frequently tuned values include:
 
 - `credentials.existingSecret` – reference a pre-created secret instead of letting the chart manage one.
 - `credentials.secret.*` – control chart-managed secret creation (name override, key, annotations, inline value).
+  Use `credentials.secret.namespace` to move the primary secret and `credentials.secret.additionalNamespaces` to fan it out to tenant namespaces.
 - `imagePullSecrets` – add registry credentials when pulling the operator image.
 - `podAnnotations`, `podLabels`, `podSecurityContext`, `containerSecurityContext` – attach metadata or adjust pod/container security posture.
 - `nodeSelector`, `tolerations`, `affinity` – steer the operator onto matching nodes.

helm/betterstack-operator/templates/monitors.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.monitors }}
+{{- range $index, $monitor := .Values.monitors }}
+{{- $name := required (printf "monitors[%d].name is required" $index) $monitor.name }}
+{{- $spec := required (printf "monitors[%d].spec is required" $index) $monitor.spec }}
+---
+apiVersion: monitoring.betterstack.io/v1alpha1
+kind: BetterStackMonitor
+metadata:
+  name: {{ $name }}
+  namespace: {{ default $.Release.Namespace $monitor.namespace }}
+{{- with $monitor.labels }}
+  labels:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with $monitor.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{ toYaml $spec | indent 2 }}
+{{- end }}
+{{- end }}

helm/betterstack-operator/templates/secret.yaml

@@ -1,22 +1,35 @@
 {{- $existing := .Values.credentials.existingSecret -}}
 {{- if and (not $existing) .Values.credentials.secret.create }}
-{{- $name := default (printf "%s-credentials" (include "betterstack-operator.fullname" .)) .Values.credentials.secret.name -}}
+{{- $root := . -}}
+{{- $name := default (printf "%s-credentials" (include "betterstack-operator.fullname" $root)) .Values.credentials.secret.name -}}
 {{- $key := default "api-key" .Values.credentials.secret.key -}}
 {{- $value := required "credentials.secret.value must be set when credentials.secret.create is true" .Values.credentials.secret.value -}}
+{{- $primaryNamespace := default (include "betterstack-operator.namespace" $root) .Values.credentials.secret.namespace -}}
+{{- $namespaces := list $primaryNamespace -}}
+{{- range $ns := .Values.credentials.secret.additionalNamespaces }}
+{{- if $ns }}
+{{- $namespaces = append $namespaces $ns }}
+{{- end }}
+{{- end }}
+{{- range $i, $ns := $namespaces }}
+{{- if $ns }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $name }}
-  namespace: {{ include "betterstack-operator.namespace" . }}
+  namespace: {{ $ns }}
   labels:
-    app.kubernetes.io/name: {{ include "betterstack-operator.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- with .Values.credentials.secret.annotations }}
+    app.kubernetes.io/name: {{ include "betterstack-operator.name" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+{{- with $root.Values.credentials.secret.annotations }}
   annotations:
 {{ toYaml . | nindent 4 }}
 {{- end }}
 type: Opaque
 stringData:
   {{ $key }}: {{ $value | quote }}
 {{- end }}
+{{- end }}
+{{- end }}

helm/betterstack-operator/values.yaml

@@ -61,3 +61,5 @@ credentials:
     key: api-key
     value: ""
     annotations: {}
+    namespace: ""
+    additionalNamespaces: []