Managing Secrets using Kustomize

Creating Secret objects using kustomization.yaml file.

Since Kubernetes v1.14, kubectl supports managing objects using Kustomize. Kustomize provides resource Generators to create Secrets and ConfigMaps. The Kustomize generators should be specified in a kustomization.yaml file inside a directory. After generating the Secret, you can create the Secret on the API server with kubectl apply.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:

Create the Kustomization file

You can generate a Secret by defining a secretGenerator in a kustomization.yaml file that references other existing files. For example, the following kustomization file references the ./username.txt and the ./password.txt files:

- name: db-user-pass
  - username.txt
  - password.txt

You can also define the secretGenerator in the kustomization.yaml file by providing some literals. For example, the following kustomization.yaml file contains two literals for username and password respectively:

- name: db-user-pass
  - username=admin
  - password=1f2d1e2e67df

You can also define the secretGenerator in the kustomization.yaml file by providing .env files. For example, the following kustomization.yaml file pulls in data from .env.secret file:

- name: db-user-pass
  - .env.secret

Note that in all cases, you don't need to base64 encode the values.

Create the Secret

Apply the directory containing the kustomization.yaml to create the Secret.

kubectl apply -k .

The output is similar to:

secret/db-user-pass-96mffmfh4k created

Note that when a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.

Check the Secret created

You can check that the secret was created:

kubectl get secrets

The output is similar to:

NAME                             TYPE                                  DATA      AGE
db-user-pass-96mffmfh4k          Opaque                                2         51s

You can view a description of the secret:

kubectl describe secrets/db-user-pass-96mffmfh4k

The output is similar to:

Name:            db-user-pass-96mffmfh4k
Namespace:       default
Labels:          <none>
Annotations:     <none>

Type:            Opaque

password.txt:    12 bytes
username.txt:    5 bytes

The commands kubectl get and kubectl describe avoid showing the contents of a Secret by default. This is to protect the Secret from being exposed accidentally to an onlooker, or from being stored in a terminal log. To check the actual content of the encoded data, please refer to decoding secret.

Clean Up

To delete the Secret you have created:

kubectl delete secret db-user-pass-96mffmfh4k

What's next

Last modified May 12, 2021 at 5:29 PM PST: Add envs example for secretGenerator. (eb0fbf236b)