Managing Secrets using Kustomize
kubectl
supports using the Kustomize object management tool to manage Secrets
and ConfigMaps. You create a resource generator using Kustomize, which
generates a Secret that you can apply to the API server using kubectl
.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Create a Secret
You can generate a Secret by defining a secretGenerator
in a
kustomization.yaml
file that references other existing files, .env
files, or
literal values. For example, the following instructions create a kustomization
file for the username admin
and the password 1f2d1e2e67df
.
Note:
ThestringData
field for a Secret does not work well with server-side apply.Create the kustomization file
secretGenerator:
- name: database-creds
literals:
- username=admin
- password=1f2d1e2e67df
-
Store the credentials in files. The filenames are the keys of the secret:
echo -n 'admin' > ./username.txt echo -n '1f2d1e2e67df' > ./password.txt
The
-n
flag ensures that there's no newline character at the end of your files. -
Create the
kustomization.yaml
file:secretGenerator: - name: database-creds files: - username.txt - password.txt
You can also define the secretGenerator in the kustomization.yaml
file by
providing .env
files. For example, the following kustomization.yaml
file
pulls in data from an .env.secret
file:
secretGenerator:
- name: db-user-pass
envs:
- .env.secret
In all cases, you don't need to encode the values in base64. The name of the YAML
file must be kustomization.yaml
or kustomization.yml
.
Apply the kustomization file
To create the Secret, apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/database-creds-5hdh7hhgfk created
When a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
To verify that the Secret was created and to decode the Secret data,
kubectl get -k <directory-path> -o jsonpath='{.data}'
The output is similar to:
{ "password": "MWYyZDFlMmU2N2Rm", "username": "YWRtaW4=" }
echo 'MWYyZDFlMmU2N2Rm' | base64 --decode
The output is similar to:
1f2d1e2e67df
For more information, refer to Managing Secrets using kubectl and Declarative Management of Kubernetes Objects Using Kustomize.
Edit a Secret
-
In your
kustomization.yaml
file, modify the data, such as thepassword
. -
Apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/db-user-pass-6f24b56cc8 created
The edited Secret is created as a new Secret
object, instead of updating the
existing Secret
object. You might need to update references to the Secret in
your Pods.
Clean up
To delete a Secret, use kubectl
:
kubectl delete secret db-user-pass
What's next
- Read more about the Secret concept
- Learn how to manage Secrets using kubectl
- Learn how to manage Secrets using config file
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.