Managing Secrets using Kustomize
Creating Secret objects using kustomization.yaml file.
Since Kubernetes v1.14, kubectl supports managing objects using Kustomize. Kustomize provides resource Generators to create Secrets and ConfigMaps. The Kustomize generators should be specified in a kustomization.yaml file inside a directory. After generating the Secret, you can create the Secret on the API server with kubectl apply.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Create the Kustomization file
You can generate a Secret by defining a secretGenerator in a kustomization.yaml file that references other existing files. For example, the following kustomization file references the ./username.txt and the ./password.txt files:
secretGenerator:
- name: db-user-pass
  files:
  - username.txt
  - password.txt
You can also define the secretGenerator in the kustomization.yaml file by providing some literals. For example, the following kustomization.yaml file contains two literals for username and password respectively:
secretGenerator:
- name: db-user-pass
  literals:
  - username=admin
  - password=1f2d1e2e67df
You can also define the secretGenerator in the kustomization.yaml file by providing .env files. For example, the following kustomization.yaml file pulls in data from the .env.secret file:
secretGenerator:
- name: db-user-pass
  envs:
  - .env.secret
Note that in all cases, you don’t need to base64 encode the values.
Create the Secret
Apply the directory containing the kustomization.yaml to create the Secret.
kubectl apply -k .
The output is similar to:
secret/db-user-pass-96mffmfh4k created
Note that when a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
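To make the three generator forms above and the hash-suffixed naming concrete, here is an added Python example (not the page's or kustomize's own code) that reimplements the secretGenerator semantics for files, literals and envs over constructed in-memory inputs. The suffix scheme (10 hex characters of a sha256 over the encoded data) is an assumption chosen to show the behaviour; it is not byte-for-byte compatible with kustomize's own hasher.

```python
import base64
import hashlib
import json

# Constructed stand-in for files on disk, matching the page's examples.
FILES = {
    "username.txt": "admin",
    "password.txt": "1f2d1e2e67df",
    ".env.secret": "# db credentials (constructed)\nusername=admin\npassword=1f2d1e2e67df\n",
}

def parse_env(text):
    """One KEY=VALUE per line; blank lines and '#' comments are skipped."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            pairs[key.strip()] = value
    return pairs

def generate_secret(gen, files=FILES):
    """gen is one secretGenerator entry (name plus files/literals/envs)."""
    raw = {}
    for path in gen.get("files", []):          # key is the file's base name
        raw[path.rsplit("/", 1)[-1]] = files[path]
    for literal in gen.get("literals", []):    # key=value
        key, _, value = literal.partition("=")
        raw[key] = value
    for path in gen.get("envs", []):           # each line is one key=value
        raw.update(parse_env(files[path]))
    # Plain values go in; the generator base64-encodes them for the manifest.
    data = {k: base64.b64encode(v.encode()).decode() for k, v in sorted(raw.items())}
    # Assumed suffix scheme: 10 hex chars of sha256 over the encoded data. It
    # shows the behaviour (new data => new name) but is not kustomize's hasher.
    suffix = hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()[:10]
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": f"{gen['name']}-{suffix}"}, "data": data}

def name_changes_with_data(gen, files=FILES):
    """True if rotating password.txt produces a differently named Secret."""
    before = generate_secret(gen, files)["metadata"]["name"]
    rotated = {**files, "password.txt": "rotated-0000"}
    after = generate_secret(gen, rotated)["metadata"]["name"]
    return before != after

if __name__ == "__main__":
    gen = {"name": "db-user-pass", "files": ["username.txt", "password.txt"]}
    print(json.dumps(generate_secret(gen), indent=2))
```

Because the files form keys the data by file name while literals and envs key it by the given name, the first yields password.txt/username.txt entries and the other two yield identical password/username entries and therefore the same suffixed name.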
Check the Secret created
You can check that the secret was created:
kubectl get secrets
The output is similar to:
NAME                      TYPE     DATA   AGE
db-user-pass-96mffmfh4k   Opaque   2      51s
You can view a description of the secret:
kubectl describe secrets/db-user-pass-96mffmfh4k
The output is similar to:
Name:         db-user-pass-96mffmfh4k
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password.txt:    12 bytes
username.txt:    5 bytes
The commands kubectl get and kubectl describe avoid showing the contents of a Secret by default. This is to protect the Secret from being exposed accidentally to an onlooker, or from being stored in a terminal log. To check the actual content of the encoded data, refer to decoding secret.
Clean Up
To delete the Secret you have created:
kubectl delete secret db-user-pass-96mffmfh4k
What’s next
- Read more about the Secret concept
- Learn how to manage Secrets with the kubectl command
- Learn how to manage Secrets using config file