Since Kubernetes v1.14, `kubectl` supports managing objects using Kustomize. Kustomize provides resource Generators to create Secrets and ConfigMaps. The Kustomize generators should be specified in a `kustomization.yaml` file inside a directory. After generating the Secret, you can create the Secret on the API server with `kubectl apply`.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
You can generate a Secret by defining a `secretGenerator` in a `kustomization.yaml` file that references other existing files. For example, the following kustomization file references the `./username.txt` and the `./password.txt` files:

```yaml
secretGenerator:
- name: db-user-pass
  files:
  - username.txt
  - password.txt
```
You can also define the `secretGenerator` in the `kustomization.yaml` file by providing some literals. For example, the following `kustomization.yaml` file contains two literals for `username` and `password` respectively:

```yaml
secretGenerator:
- name: db-user-pass
  literals:
  - username=admin
  - password=1f2d1e2e67df
```
You can also define the `secretGenerator` in the `kustomization.yaml` file by providing `.env` files. For example, the following `kustomization.yaml` file pulls in data from the `.env.secret` file:

```yaml
secretGenerator:
- name: db-user-pass
  envs:
  - .env.secret
```

Note that in all cases, you don't need to base64 encode the values.
Apply the directory containing the `kustomization.yaml` to create the Secret.

```shell
kubectl apply -k .
```

The output is similar to:

```
secret/db-user-pass-96mffmfh4k created
```

Note that when a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
You can check that the secret was created:

```shell
kubectl get secrets
```

The output is similar to:

```
NAME                      TYPE      DATA   AGE
db-user-pass-96mffmfh4k   Opaque    2      51s
```
You can view a description of the secret:

```shell
kubectl describe secrets/db-user-pass-96mffmfh4k
```

The output is similar to:

```
Name:         db-user-pass-96mffmfh4k
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:    12 bytes
username.txt:    5 bytes
```
The commands `kubectl get` and `kubectl describe` avoid showing the contents of a `Secret` by default. This is to protect the `Secret` from being exposed accidentally to an onlooker, or from being stored in a terminal log. To check the actual content of the encoded data, please refer to decoding secret.
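The following added example (not code from the Kubernetes documentation or from kustomize itself) models what the three generator forms above produce and why the page says no base64 encoding is needed: plain values from `files`, `literals` or `envs` are base64-encoded into `data` by the generator, and a content-hash suffix is appended to the name so that changed data yields a new Secret name. The file contents, the `.env.secret` text and the suffix computation are constructed assumptions; the suffix shown is not kustomize's exact hash, so it will not match `96mffmfh4k`.

```python
import base64
import hashlib
import json

# Constructed sample inputs standing in for ./username.txt, ./password.txt and .env.secret.
SAMPLE_FILES = {"username.txt": "admin", "password.txt": "1f2d1e2e67df"}
SAMPLE_ENV = "# constructed .env.secret\nusername=admin\npassword=1f2d1e2e67df\n"


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file; blank lines and # comments are skipped."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        data[key.strip()] = value.strip()
    return data


def generate_secret(spec, fs):
    """Build a Secret manifest from one secretGenerator entry.

    spec: one item of the kustomization's secretGenerator list (name plus files/literals/envs).
    fs: dict mapping file names to their text, standing in for the kustomization directory.
    """
    plain = {}
    for name in spec.get("files", []):
        plain[name] = fs[name]              # key is the file name, as in the describe output
    for literal in spec.get("literals", []):
        key, _, value = literal.partition("=")
        plain[key] = value
    for env_file in spec.get("envs", []):
        plain.update(parse_env(fs[env_file]))
    # Plain values go in; base64 is applied here, which is why the kustomization never needs it.
    data = {k: base64.b64encode(v.encode()).decode() for k, v in sorted(plain.items())}
    # Illustrative content hash (assumption: not kustomize's exact suffix algorithm); any change
    # in name, type or data changes the suffix, so a modified Secret gets a new name.
    canonical = json.dumps({"name": spec["name"], "type": "Opaque", "data": data}, sort_keys=True)
    suffix = hashlib.sha256(canonical.encode()).hexdigest()[:10]
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": f"{spec['name']}-{suffix}"}, "data": data}


def decode_secret(secret):
    """Recover the plain values by base64-decoding each data entry, as when decoding a Secret."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
```

Regenerating with unchanged inputs reproduces the same name, while the same plain data supplied via `literals` and via `envs` produces identical `data` and therefore an identical name.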
To delete the Secret you have created:

```shell
kubectl delete secret db-user-pass-96mffmfh4k
```
© 2022 The Kubernetes Authors
Documentation Distributed under CC BY 4.0.
https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/