---
title: Managing Secrets using Kustomize
content_type: task
weight: 30
description: Creating Secret objects using kustomization.yaml file.
---
`kubectl` supports using the Kustomize object management tool to manage Secrets and ConfigMaps. You create a resource generator using Kustomize, which generates a Secret that you can apply to the API server using `kubectl`.
{{% heading "prerequisites" %}}
{{< include "task-tutorial-prereqs.md" >}}
## Create a Secret

You can generate a Secret by defining a `secretGenerator` in a `kustomization.yaml` file that references other existing files, `.env` files, or literal values. For example, the following instructions create a Kustomization file for the username `admin` and the password `1f2d1e2e67df`.

{{< note >}}
The `stringData` field for a Secret does not work well with server-side apply.
{{< /note >}}
### Create the Kustomization file

{{< tabs name="Secret data" >}}
{{< tab name="Literals" codelang="yaml" >}}
secretGenerator:
- name: database-creds
  literals:
  - username=admin
  - password=1f2d1e2e67df
{{< /tab >}}
{{% tab name="Files" %}}
1. Store the credentials in files. The filenames are the keys of the secret:

   ```shell
   echo -n 'admin' > ./username.txt
   echo -n '1f2d1e2e67df' > ./password.txt
   ```

   The `-n` flag ensures that there's no newline character at the end of your files.

1. Create the `kustomization.yaml` file:

   ```yaml
   secretGenerator:
   - name: database-creds
     files:
     - username.txt
     - password.txt
   ```
{{% /tab %}}
{{% tab name=".env files" %}}
You can also define the `secretGenerator` in the `kustomization.yaml` file by providing `.env` files. For example, the following `kustomization.yaml` file pulls in data from an `.env.secret` file:

```yaml
secretGenerator:
- name: db-user-pass
  envs:
  - .env.secret
```
{{% /tab %}}
{{< /tabs >}}
In all cases, you don't need to base64 encode the values. The name of the YAML file must be `kustomization.yaml` or `kustomization.yml`.
## Apply the kustomization file

To create the Secret, apply the directory that contains the kustomization file:

```shell
kubectl apply -k <directory-path>
```

The output is similar to:

```
secret/database-creds-5hdh7hhgfk created
```

When a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
To verify that the Secret was created and to decode the Secret data, run:

```shell
kubectl get -k <directory-path> -o jsonpath='{.data}'
```

The output is similar to:

```
{ "password": "UyFCXCpkJHpEc2I9", "username": "YWRtaW4=" }
```

```shell
echo 'UyFCXCpkJHpEc2I9' | base64 --decode
```

The output is similar to:

```
S!B\*d$zDsb=
```

For more information, refer to Managing Secrets using kubectl and Declarative Management of Kubernetes Objects Using Kustomize.
## Edit a Secret

1. In your `kustomization.yaml` file, modify the data, such as the `password`.
1. Apply the directory that contains the kustomization file:

   ```shell
   kubectl apply -k <directory-path>
   ```

   The output is similar to:

   ```
   secret/db-user-pass-6f24b56cc8 created
   ```

The edited Secret is created as a new `Secret` object, instead of updating the existing `Secret` object. You might need to update references to the Secret in your Pods.
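To make the generator, hash-suffix and decode steps above concrete, here is an added example written for this page; it is not code from the Kubernetes project or from kustomize. It re-implements the three `secretGenerator` sources (`literals`, `files`, `envs`), base64-encodes the values the way the generator does so you never encode them by hand, appends a suffix derived from the data so that editing the password yields a differently named Secret object, and decodes a `.data` map back to plaintext. The function names `parse_env_file`, `collect_plain_data`, `name_suffix`, `generate_secret` and `decode_secret_data` are this example's own; the canonical JSON that is hashed is an assumption, so the suffix is deterministic but not byte-identical to the one kustomize prints, while the character remapping of the hex digest follows kustomize's hasher.

```python
# Added example, not part of the Kubernetes documentation page: a small
# re-implementation of what a Kustomize secretGenerator does, to show
# (1) plain values are base64-encoded for you, (2) a data-derived suffix is
# appended to the Secret name, so an edit creates a new Secret object, and
# (3) how to decode the `.data` field back to plaintext.
import base64
import hashlib
import json
import os


def parse_env_file(text):
    """Parse KEY=VALUE lines as the `envs:` source does.

    Blank lines and '#' comment lines are ignored; a line without '=' is
    skipped (an assumption made for this example)."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            data[key.strip()] = value.strip()
    return data


def collect_plain_data(literals=(), files=(), envs=()):
    """Merge the three secretGenerator sources into one key -> plaintext map.

    literals: "key=value" strings; files: paths whose basename becomes the
    key; envs: paths to .env files. Later sources overwrite earlier keys."""
    plain = {}
    for item in literals:
        key, _, value = item.partition("=")
        plain[key] = value
    for path in files:
        with open(path, "rb") as fh:
            plain[os.path.basename(path)] = fh.read().decode("utf-8")
    for path in envs:
        with open(path, encoding="utf-8") as fh:
            plain.update(parse_env_file(fh.read()))
    return plain


def name_suffix(name, encoded_data):
    """Derive the hash suffix appended to the Secret name.

    Assumption: the JSON layout hashed here is this example's own, so the
    suffix differs from what kustomize prints, but like kustomize's it
    changes whenever the data changes. The remapping 0->g, 1->h, 3->k,
    a->m, e->t mirrors kustomize's hasher, which avoids those characters."""
    canonical = json.dumps(
        {"kind": "Secret", "name": name, "type": "Opaque", "data": encoded_data},
        sort_keys=True, separators=(",", ":"))
    hexdigest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:10]
    return hexdigest.translate(str.maketrans("013ae", "ghkmt"))


def generate_secret(name, literals=(), files=(), envs=()):
    """Return the Secret manifest a secretGenerator entry would produce."""
    plain = collect_plain_data(literals, files, envs)
    # The caller never base64-encodes; the generator does it here.
    encoded = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
               for k, v in sorted(plain.items())}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": f"{name}-{name_suffix(name, encoded)}"},
        "data": encoded,
    }


def decode_secret_data(data):
    """Reverse the encoding, as `base64 --decode` does for one field."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}


if __name__ == "__main__":
    # Constructed sample input mirroring the "Literals" tab of the page.
    first = generate_secret("database-creds",
                            literals=["username=admin", "password=1f2d1e2e67df"])
    # Editing the password yields a different name, hence a new Secret object.
    edited = generate_secret("database-creds",
                             literals=["username=admin", "password=changed"])
    print(json.dumps(first, indent=2))
    print("name after edit:", edited["metadata"]["name"])
    print("decoded:", decode_secret_data(first["data"]))
```

Running the file prints the manifest for the page's literals; the `edited` call shows the renamed Secret that `kubectl apply -k` would create after a password change, which is why references in Pods need updating rather than the old object being modified in place.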
## Clean up

To delete a Secret, use `kubectl`:

```shell
kubectl delete secret db-user-pass
```
{{% heading "whatsnext" %}}
- Read more about the Secret concept
- Learn how to manage Secrets using kubectl
- Learn how to manage Secrets using config file