Managing Secrets using Kustomize
kubectl supports using the Kustomize object management tool to manage Secrets and ConfigMaps. You create a resource generator using Kustomize, which generates a Secret that you can apply to the API server using kubectl.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
You can generate a Secret by defining a secretGenerator in a kustomization.yaml file that references other existing files, .env files, or literal values. For example, the following instructions create a Kustomization file for the username admin and the password 1f2d1e2e67df.
Store the credentials in plain-text files. Do not base64 encode them yourself; the generator encodes the file contents when it builds the Secret:
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt
The -n flag ensures that there's no newline character at the end of your files. Without it the stored value is "admin" followed by a newline, which the generator encodes as-is and a consuming Pod receives as-is, so logins fail in a way that is hard to spot from the encoded value. Treat these files as sensitive: they hold the credentials in the clear, so keep them out of version control.
Create the kustomization.yaml file, listing each file as a key of the Secret (the key is the file name):
secretGenerator:
- name: database-creds
  files:
  - username.txt
  - password.txt
You can also define the secretGenerator in the kustomization.yaml file by providing .env files (one KEY=VALUE pair per line, each pair becoming a key of the Secret). For example, the following kustomization.yaml file pulls in data from an .env.secret file:
In all cases, you don't need to base64 encode the values; the generator does that for you. Base64 is an encoding, not encryption, so the generated Secret is protected only by the cluster's RBAC and, where enabled, encryption of Secrets at rest. The name of the YAML file must be kustomization.yaml or kustomization.yml.
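The generator inputs described above, as an added shell example that is not part of the Kubernetes documentation: it writes username.txt and password.txt, an .env.secret file and a kustomization.yaml that uses both the files: and envs: forms into a scratch directory, then computes what the generator will store under .data, including the value you get when the trailing newline is not suppressed. The scratch directory (mktemp -d), the second generator name database-creds-env and the .gitignore are this example's own assumptions; the render step calls kubectl kustomize, which needs kubectl on PATH but no cluster.

```shell
#!/bin/sh
# Added example; not code from the Kubernetes documentation. It prepares the
# generator inputs from the page (username.txt, password.txt, an .env.secret
# file and a kustomization.yaml using both the files: and envs: forms) in a
# scratch directory and computes what the generator will store under .data,
# including the trailing-newline mistake the -n flag prevents.
set -eu

# Scratch directory; assumption: mktemp -d is available (Linux and macOS).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a value with no trailing newline. printf '%s' behaves the same in
# every POSIX shell, whereas echo -n is not portable.
write_value() {  # write_value <file> <value>
  printf '%s' "$2" > "$1"
}

# What the generator stores under .data.<key> for a file: plain base64 of the
# file's bytes. tr removes the line wrapping GNU base64 inserts.
b64_of_file() {  # b64_of_file <file>
  base64 < "$1" | tr -d '\n'
}

# The same value written with a plain echo, i.e. with the newline included.
b64_of_echo_value() {  # b64_of_echo_value <value>
  echo "$1" | base64 | tr -d '\n'
}

# Create the generator inputs and print the directory path.
build_workdir() {
  write_value "$WORKDIR/username.txt" 'admin'
  write_value "$WORKDIR/password.txt" '1f2d1e2e67df'
  # envs: form, one KEY=VALUE per line; the key becomes the Secret key.
  printf 'username=admin\npassword=1f2d1e2e67df\n' > "$WORKDIR/.env.secret"
  cat > "$WORKDIR/kustomization.yaml" <<'EOF'
secretGenerator:
- name: database-creds
  files:
  - username.txt
  - password.txt
- name: database-creds-env
  envs:
  - .env.secret
EOF
  # The inputs are plaintext credentials: keep them out of version control
  # (assumption: the directory lives in a git checkout).
  printf 'username.txt\npassword.txt\n.env.secret\n' > "$WORKDIR/.gitignore"
  printf '%s\n' "$WORKDIR"
}

# Render the generated Secrets without a cluster, when kubectl is on PATH.
render() {
  if command -v kubectl >/dev/null 2>&1; then
    kubectl kustomize "$WORKDIR"
  else
    echo "kubectl not on PATH; skipping kubectl kustomize" >&2
  fi
}

dir=$(build_workdir)
echo "inputs written to $dir"
echo "username as stored: $(b64_of_file "$dir/username.txt")"    # YWRtaW4=
echo "password as stored: $(b64_of_file "$dir/password.txt")"    # MWYyZDFlMmU2N2Rm
echo "username written with echo: $(b64_of_echo_value admin)"    # YWRtaW4K (admin + newline)
render
```

The two base64 strings for username show the pitfall: YWRtaW4= decodes to admin, YWRtaW4K to admin plus a newline. If a consumer reports a bad password, decode the stored value with base64 --decode and pipe it through od -c before suspecting anything else.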
Apply the kustomization file
To create the Secret, apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/database-creds-5hdh7hhgfk created
When a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
In your kustomization.yaml file, modify the data, such as the password. Apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/db-user-pass-6f24b56cc8 created
The edited Secret is created as a new Secret object, instead of updating the existing Secret object. Kustomize rewrites references to the Secret (secretKeyRef, secretRef and volume secretName fields, among others) in resources that belong to the same kustomization, so a Deployment declared there picks up the new name and rolls out its Pods. References from objects outside the kustomization are not touched and must be updated by hand. The previous Secret, with the old hash suffix, is not removed by kubectl apply -k and keeps the old credential readable until you delete it. Setting generatorOptions.disableNameSuffixHash: true drops the suffix, but then the Secret is updated in place: Pods already consuming it are not restarted, and environment variables they read at start keep the old value.
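The edit step above, as an added shell example that is not part of the Kubernetes documentation: it renders a kustomization with kubectl kustomize (no cluster needed), changes the password, renders again, and compares the generated Secret names and the name that a Deployment in the same kustomization now references. The Deployment db-client, its busybox image, the replacement password and the scratch directory are this example's own choices; kubectl must be on PATH for the rendering part.

```shell
#!/bin/sh
# Added example; not code from the Kubernetes documentation. It renders a
# kustomization twice with kubectl kustomize (no cluster needed), changing the
# password in between, to show the hash suffix changing and the Deployment in
# the same kustomization being rewritten to the new Secret name. The Deployment,
# the busybox image and the password values are this example's own choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the generator inputs, the kustomization and a Deployment that refers to
# the Secret by its un-suffixed name, database-creds.
write_kustomization() {  # write_kustomization <password>
  printf '%s' 'admin' > "$WORKDIR/username.txt"
  printf '%s' "$1" > "$WORKDIR/password.txt"
  cat > "$WORKDIR/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db-client
spec:
  selector:
    matchLabels:
      app: db-client
  template:
    metadata:
      labels:
        app: db-client
    spec:
      containers:
      - name: client
        image: busybox
        envFrom:
        - secretRef:
            name: database-creds
EOF
  cat > "$WORKDIR/kustomization.yaml" <<'EOF'
resources:
- deployment.yaml
secretGenerator:
- name: database-creds
  files:
  - username.txt
  - password.txt
EOF
}

# Name of the generated Secret in the rendered output (database-creds-<hash>).
generated_secret_name() {
  kubectl kustomize "$WORKDIR" | awk '
    /^---$/          { in_secret = 0 }
    /^kind: Secret$/ { in_secret = 1 }
    in_secret && /^  name: / { print $2; exit }'
}

# Secret name the rendered Deployment's envFrom.secretRef points at.
deployment_secret_ref() {
  kubectl kustomize "$WORKDIR" | awk '/secretRef:/ { getline; print $2; exit }'
}

demo() {
  write_kustomization '1f2d1e2e67df'
  first=$(generated_secret_name)
  write_kustomization 'rotated-password'   # the "modify the data" step
  second=$(generated_secret_name)
  echo "before edit: $first"
  echo "after edit:  $second"
  echo "Deployment now references: $(deployment_secret_ref)"
  if [ "$first" != "$second" ]; then
    echo "new object: $first would stay in the cluster after kubectl apply -k until deleted"
  fi
}

if command -v kubectl >/dev/null 2>&1; then
  demo
else
  echo "kubectl not on PATH; inputs can be written but rendering is skipped" >&2
fi
```

With kubectl installed the script prints two different names and shows the Deployment's secretRef carrying the second one. Against a real cluster the same edit followed by kubectl apply -k leaves both Secret objects present, which is the moment to delete the old one by name.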
To delete a Secret, use kubectl delete -k against the directory that contains the kustomization file. That removes the objects the current kustomization renders, i.e. the Secret with the current hash suffix; Secrets left over from earlier edits carry other suffixes and must be deleted by name.
- Read more about the
- Learn how to manage Secrets using kubectl