Kubernetes Secrets Operations: Difference between revisions
| Line 83: | Line 83: | ||
shape: c3F1YXJl | shape: c3F1YXJl | ||
size: bGFyZ2U= | size: bGFyZ2U= | ||
</syntaxhighlight> | |||
Alternatively, the values can be specified in clear as part of the "stringData" map; they will be encoded by Kubernetes when the secret is created: | |||
<syntaxhighlight lang='yaml'> | |||
apiVersion: v1 | |||
kind: Secret | |||
metadata: | |||
name: blue | |||
type: Opaque | |||
stringData: | |||
shape: square | |||
size: large | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 22:17, 23 August 2019
Internal
Inspecting Secrets
kubectl get secrets
kubectl get secret mysecret -o yaml
The value of the secret is base64-encoded and it can be retrieved with:
echo '....' | base64 --decode
kubectl describe secret secret-name
Create a Secret
With kubectl CLI
From File
Declare the secret content in one (or more) file(s) on the local filesystem. The file name will become a secret's data map key. Multiple files can be added to the same secret. When the secret is exposed to a pod, the content will be available as volume files with the same name.
echo -n "test-user" > ./username.txt echo -p "test-password" > ./password.txt
kubectl create secret generic username-and-password --from-file=./username.txt --from-file=./password.txt
This will create the following secret:
Name: username-and-password
Namespace: test
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password.txt: 17 bytes
username.txt: 9 bytes
From Literal
The secret's data map key followed by "=" followed by value can be specified on command line with --from-literal=.
kubectl create secret generic red --from-literal=key1=somevalue --from-literal=key2=someothervalue
From Env File
A key-value (env) file can be used as source for secrets with --from-env-file=. The keys in the key-value file become the keys in the secret's data map.
kubectl create secret generic green --from-env-file=./test.txt
where test.txt:
key1=value1
key2=value2
Special Character Handling
Special characters such as '$', '*' and '!' require escaping (\).
From a Manifest
TODO
The secret's data map key/value pairs can be specified in the manifest. The value must be base64-encoded before being written in the manifest.
apiVersion: v1
kind: Secret
metadata:
name: blue
type: Opaque
data:
shape: c3F1YXJl
size: bGFyZ2U=
Alternatively, the values can be specified in clear as part of the "stringData" map; they will be encoded by Kubernetes when the secret is created:
apiVersion: v1
kind: Secret
metadata:
name: blue
type: Opaque
stringData:
shape: square
size: large
Creating Secrets with a Generator
TODO