Managing Secrets using Kustomize

    Since Kubernetes v1.14, kubectl supports managing objects using Kustomize. Kustomize provides resource generators to create Secrets and ConfigMaps. The Kustomize generators are specified in a kustomization.yaml file inside a directory. After generating the Secret, you create it on the API server with kubectl apply.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using or you can use one of these Kubernetes playgrounds:

    Create the Kustomization file

    You can generate a Secret by defining a secretGenerator in a kustomization.yaml file that references other existing files. For example, the following kustomization file references the ./username.txt and the ./password.txt files:
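    The file-referencing kustomization.yaml described above, written out as an added example (the snippet itself is not reproduced on this page; the generator name db-user-pass and the two file names are taken from the page's own examples):

```yaml
# kustomization.yaml (added example): generate a Secret from two existing files.
# Kustomize reads each file's bytes verbatim and stores them under a data key
# named after the file (username.txt, password.txt), which is why the
# kubectl describe output further down lists those two keys.
secretGenerator:
- name: db-user-pass
  files:
  - username.txt
  - password.txt
```

    Create the two files with raw values first (for example echo -n 'admin' > ./username.txt), then apply the directory with kubectl apply -k . from inside it. Two practical points: the file contents are stored exactly as read, so a trailing newline left behind by echo without -n becomes part of the password; and because username.txt, password.txt or an .env.secret file hold the secret in plain text, the kustomize directory needs the same access controls as the Secret itself and should be excluded from version control.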

    You can also define the secretGenerator in the kustomization.yaml file by providing literals. For example, the following kustomization.yaml file contains two literals, for username and password respectively:

    secretGenerator:
    - name: db-user-pass
      literals:
      - username=admin
      - password=1f2d1e2e67df

    You can also define the secretGenerator by pointing it at an env file, where each line holds one key=value pair. For example, the following kustomization.yaml file pulls in data from a .env.secret file:

    secretGenerator:
    - name: db-user-pass
      envs:
      - .env.secret

    Note that in all cases, you don’t need to base64 encode the values.

    Apply the directory containing the kustomization.yaml to create the Secret.

    The output is similar to:

    secret/db-user-pass-96mffmfh4k created

    Note that when a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret with a new name is generated each time the data is modified, and Kustomize rewrites references to the Secret in the other resources it manages to match, so workloads pick up the change through a rollout instead of silently reading modified values.
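    What the generator actually produces for the literals example, as an added illustration rendered in the shape kubectl kustomize emits (not output captured on this page; the name suffix is a placeholder, since the real value is derived from the Secret's content):

```yaml
# Rendered Secret for the literals example (added illustration).
# "<hash>" stands in for the content hash Kustomize appends to the name.
apiVersion: v1
kind: Secret
metadata:
  name: db-user-pass-<hash>
type: Opaque
data:
  # base64 of "admin" and "1f2d1e2e67df". base64 is an encoding, not
  # encryption: this rendered manifest is exactly as sensitive as the
  # source files and must not be committed or pasted into tickets.
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
```

    Running kubectl kustomize . before kubectl apply -k . is a useful check that the right keys were picked up, but treat its output like the Secret itself: anyone who can read the rendered manifest can decode the values.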

    Check the Secret created

    kubectl get secrets

    The output is similar to:

    You can view a description of the secret:

    kubectl describe secrets/db-user-pass-96mffmfh4k

    The output is similar to:

    Labels:       <none>
    Annotations:  <none>
    Type:         Opaque
    Data
    ====
    password.txt: 12 bytes
    username.txt: 5 bytes

    The commands kubectl get and kubectl describe avoid showing the contents of a Secret by default. This protects the Secret from being exposed accidentally to an onlooker, or from being recorded in a terminal log. To check the actual content of the encoded data, see the section on decoding a Secret.

    What’s next