apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
kind: Secret
metadata:
  name: secretexample
type: Opaque

The manifest file of the Secret is pretty simple. It contains the fields apiVersion, kind, and metadata. It also contains the data field, which holds the key-value pairs of the Secret.
$ echo -n 'value1' | base64
dmFsdWUx

The -n flag ensures that the generated output doesn't have an extra newline character at the end of the text. Without it, the extra newline character would be encoded along with the text.
$ echo 'dmFsdWUx' | base64 --decode
value1

Note: If you update a Secret that was already posted to the Kubernetes API server, then Pods that were already created will be able to leverage the new data only if it was injected as files in a volume. Secret data injected as environment variables won't be updated in a running Pod unless you recreate it.
$ kubectl create secret generic secretfromliteral --from-literal="key1=value1" --from-literal=key2='value2'
secret/secretfromliteral created

Check the Secret:
$ kubectl get secret secretfromliteral
NAME                TYPE     DATA   AGE
secretfromliteral   Opaque   2      9m5s

Describe the Secret:
$ kubectl describe secret secretfromliteral
Name:         secretfromliteral
Labels:       <none>
Annotations:  <none>
Type:         Opaque
Data
====
key1:  6 bytes
key2:  6 bytes

View the YAML file of the Secret:
$ kubectl get secrets secretfromliteral -o yaml
apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
kind: Secret
metadata:
  name: secretfromliteral
type: Opaque

To decode the value of a specific key, you need to decode its base64 data:
$ kubectl get secrets secretfromliteral -o jsonpath='{.data.key1}' | base64 --decode -
value1
$ kubectl get secrets secretfromliteral -o jsonpath='{.data.key2}' | base64 --decode -
value2
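
The per-key decoding above extends to a whole manifest. The script below is an added example, not part of the original tutorial: it decodes entries of a Secret's data block offline and lists keys whose value ends in a newline, the symptom of encoding with echo but without -n. The function names and the key3 entry are constructed for illustration, and it assumes the flat layout that kubectl prints with -o yaml.

```shell
#!/usr/bin/env bash
# Added example: offline audit of a Secret manifest's data: block.
# The manifest below is constructed; key3 was encoded with `echo` WITHOUT -n.
sample_manifest() {
cat <<'EOF'
apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
  key3: dmFsdWUzCg==
kind: Secret
metadata:
  name: secretexample
type: Opaque
EOF
}

# Print "key<TAB>base64value" for every entry under the top-level data: map.
secret_entries() {
  awk '
    /^data:[ \t]*$/ { in_data = 1; next }
    /^[^ \t#]/      { in_data = 0 }          # next top-level field ends the map
    in_data && /^[ \t]+[^# \t]/ {
      sub(/^[ \t]+/, "")
      key = $0; sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/[ \t]+#.*$/, "", val)             # drop trailing YAML comment
      print key "\t" val
    }'
}

# Decode one key from a manifest on stdin: decode_key KEY < manifest
decode_key() {
  secret_entries | awk -F'\t' -v k="$1" '$1 == k { printf "%s", $2 }' | base64 --decode
}

# List keys whose decoded value ends in a newline byte (0x0a). The value is
# piped, never stored in a variable, because $(...) strips trailing newlines.
keys_with_trailing_newline() {
  tab=$(printf '\t')
  secret_entries | while IFS="$tab" read -r key val; do
    last=$(printf '%s' "$val" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then printf '%s\n' "$key"; fi
  done
}

sample_manifest | keys_with_trailing_newline   # prints the offending key(s)
```

Values created with --from-file from a multi-line text file end in a newline legitimately, so treat a reported key as something to check rather than as an error.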
$ mkdir ./secrets/

Create a sample file "file1.txt" (single line text):
$ echo -n 'value1' > "./secrets/file1.txt"

Create a sample file "file2.txt" (multiple lines text):
$ echo 'value2-1' > "./secrets/file2.txt"
$ echo 'value2-2' >> "./secrets/file2.txt"
$ kubectl create secret generic secret1fromfile --from-file="./secrets/file1.txt" --from-file="./secrets/file2.txt"
secret/secret1fromfile created

View the Secrets (notice that the content of the file is indented properly):
$ kubectl get secret secret1fromfile -o yaml
apiVersion: v1
data:
  file1.txt: dmFsdWUx # note that the name of the key is file1.txt
  file2.txt: dmFsdWUyLTEKdmFsdWUyLTIK # note that the name of the key is file2.txt
kind: Secret
metadata:
  name: secret1fromfile
type: Opaque
$ kubectl create secret generic secret2fromfile --from-file="mykey1=./secrets/file1.txt" --from-file="mykey2=./secrets/file2.txt"
secret/secret2fromfile created

View the Secrets (notice that the content of the file is indented properly):
$ kubectl get secret secret2fromfile -o yaml
apiVersion: v1
data:
  mykey1: dmFsdWUx # note that the name of the key is mykey1
  mykey2: dmFsdWUyLTEKdmFsdWUyLTIK # note that the name of the key is mykey2
kind: Secret
metadata:
  name: secret2fromfile
type: Opaque
$ kubectl create secret generic secretfromdirectory --from-file="./secrets/"
secret/secretfromdirectory created

View the Secrets (notice that the content of the file is indented properly):
$ kubectl get secret secretfromdirectory -o yaml
apiVersion: v1
data:
  file1.txt: dmFsdWUx # note that the name of the key is file1.txt
  file2.txt: dmFsdWUyLTEKdmFsdWUyLTIK # note that the name of the key is file2.txt
kind: Secret
metadata:
  name: secretfromdirectory
type: Opaque
$ vi "./secrets/file1.properties"
key1=value1
key2=value2

Create the Secret:
$ kubectl create secret generic secretfromenvfile --from-env-file="./secrets/file1.properties"
secret/secretfromenvfile created

View the Secret (notice that each entry in the property file is represented by a key:value pair in the Secret):
$ kubectl get secret secretfromenvfile -o yaml
apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
kind: Secret
metadata:
  name: secretfromenvfile
type: Opaque
$ vi secretkeyvalue.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secretkeyvalue
data:
  key1: dmFsdWUx
  key2: dmFsdWUy

To apply the file:
$ kubectl apply -f secretkeyvalue.yaml
secret/secretkeyvalue created
$ kubectl edit secret secretkeyvalue
# Please edit the object below.
# Lines beginning with a '#' will be ignored, and an empty file will abort the edit.
# If an error occurs while saving this file will be reopened with the relevant failures.
#
apiVersion: v1
data:
  key1: dmFsdWUx
  key2: dmFsdWUy
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"key1":"dmFsdWUx","key2":"dmFsdWUy"},"kind":"Secret","metadata":{"annotations":{},"name":"secretkeyvalue"}}
  name: secretkeyvalue
type: Opaque
secret/secretkeyvalue edited
$ vi hello-busybox-secret-keyref.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-busybox-secret-keyref
spec:
  containers:
  - name: hello-busybox-secret-keyref
    image: busybox:latest
    tty: true # (TeleTYpewriter) allocates a TTY / terminal console on the container
    stdin: true # Keeps stdin open on the container
    env:
    - name: mykey1
      valueFrom:
        secretKeyRef:
          name: secretkeyvalue
          key: key1
    - name: mykey2
      valueFrom:
        secretKeyRef:
          name: secretkeyvalue
          key: key2

Note: You can give the environment variable a different name than the Secret's key name (e.g. name: mykey1).
$ kubectl apply -f hello-busybox-secret-keyref.yaml
pod/hello-busybox-secret-keyref created

Check the environment variables:
$ kubectl exec hello-busybox-secret-keyref -- env | grep key
mykey1=value1
mykey2=value2

Note that the secrets are in clear text!
$ vi hello-busybox-secret-ref.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-busybox-secret-ref
spec:
  containers:
  - name: hello-busybox-secret-ref
    image: busybox:latest
    tty: true
    stdin: true
    envFrom:
    - secretRef:
        name: secretkeyvalue

Apply the Pod:
$ kubectl apply -f hello-busybox-secret-ref.yaml
pod/hello-busybox-secret-ref created

Check the environment variables:
$ kubectl exec hello-busybox-secret-ref -- env | grep key
key1=value1
key2=value2
$ vi hello-busybox-secret-volume.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-busybox-secret-volume
spec:
  containers:
  - name: hello-busybox-secret-volume
    image: busybox:latest
    tty: true
    stdin: true
    volumeMounts:
    - name: secretkeyvalue
      mountPath: /tmp/secretkeyvalue
  volumes:
  - name: secretkeyvalue
    secret:
      secretName: secretkeyvalue

Apply the Pod:
$ kubectl apply -f hello-busybox-secret-volume.yaml
pod/hello-busybox-secret-volume created

Check the files in the volume (notice two files are created: key1, key2):
$ kubectl exec hello-busybox-secret-volume -- ls -l /tmp/secretkeyvalue
lrwxrwxrwx 1 root root key1 -> ..data/key1
lrwxrwxrwx 1 root root key2 -> ..data/key2

Check the content of the files:
$ kubectl exec hello-busybox-secret-volume -- cat /tmp/secretkeyvalue/key1
value1
$ vi hello-busybox-secret-volume-item.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-busybox-secret-volume-item
spec:
  containers:
  - name: hello-busybox-secret-volume-item
    image: busybox:latest
    tty: true
    stdin: true
    volumeMounts:
    - name: secretkeyvalue
      mountPath: /tmp/secretkeyvalue
  volumes:
  - name: secretkeyvalue
    secret:
      secretName: secretkeyvalue
      items:
      - key: key1
        path: key1path

Apply the Pod:
$ kubectl apply -f hello-busybox-secret-volume-item.yaml
pod/hello-busybox-secret-volume-item created

Check the files in the volume (notice the "key1path" file was created):
$ kubectl exec hello-busybox-secret-volume-item -- ls -l /tmp/secretkeyvalue
lrwxrwxrwx 1 root root key1path -> ..data/key1path

Check the content of the files:
$ kubectl exec hello-busybox-secret-volume-item -- cat /tmp/secretkeyvalue/key1path
value1
$ vi hello-busybox-secret-keyref-arg.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-busybox-secret-keyref-arg
spec:
  containers:
  - name: hello-busybox-secret-keyref-arg
    image: busybox:latest
    command: ['sh', '-c', 'echo "mykey1:$(mykey1) | mykey2:$(mykey2)"; sleep 300;']
    env:
    - name: mykey1
      valueFrom:
        secretKeyRef:
          name: secretkeyvalue
          key: key1
    - name: mykey2
      valueFrom:
        secretKeyRef:
          name: secretkeyvalue
          key: key2

Apply the Pod:
$ kubectl apply -f hello-busybox-secret-keyref-arg.yaml
pod/hello-busybox-secret-keyref-arg created

Check the logs of the Pod:
$ kubectl logs hello-busybox-secret-keyref-arg
mykey1:value1 | mykey2:value2
$ kubectl delete -f secretkeyvalue.yaml
secret "secretkeyvalue" deleted

To delete a Secret using its name:
$ kubectl delete secret secretkeyvalue
secret "secretkeyvalue" deleted