ContextQMD
Back to Kustomize

Generating Secrets

site/content/en/docs/Tasks/secret_generator.md

3.3.13.4 KB
Original Source

Secret objects can be generated by adding a secretGenerator entry to the kustomization.yaml file. This is similar to the configMapGenerator. Secret Resources may be generated from files and literals. It is important to note that the secrets are base64 encoded.

Create Secret from a file

To generate a Secret Resource from a file, add an entry to secretGenerator with the filename.

The Secret will have data values populated from the file contents. The contents of each file will appear as a single data item in the Secret keyed by the filename.

The following example generates a Secret with a data item containing the contents of a file.

  1. Create a Kustomization file.
yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: db-user-pass
  files:
  - credentials.txt
  1. Create a credentials.txt file.
yaml
# credentials.txt
username=admin
password=S!B\*d$zDsb=
  1. Create the Secret using kustomize build.
bash
kustomize build .

The Secret manifest is generated.

yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: db-user-pass-gf9bgh225c
data:
  credentials.txt: dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9UyFCXCpkJHpEc2I9Cg==

The credentials key value is base64 encoded.

bash
echo "dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9UyFCXCpkJHpEc2I9Cg==" | base64 -d
username=admin
password=S!B\*d$zDsb=

Create Secret from literals

To generate a Secret Resource from literal key-value pairs, add an entry to secretGenerator with a list of literals.

{{< alert color="success" title="Literal Syntax" >}}

  • The key/value are separated by a = sign (left side is the key).
  • The value of each literal will appear as a data item in the Secret keyed by its key. {{< /alert >}}

The following example generates a Secret with two data items generated from literals.

  1. Create a Kustomization file.
yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: db-user-pass
  literals:
    - username=admin
    - password=S!B\*d$zDsb=
  1. Create the Secret using kustomize build.
bash
kustomize build .

The Secret manifest is generated.

yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: db-user-pass-t8d2d65755
data:
  password: UyFCXCpkJHpEc2I9
  username: YWRtaW4=

The credential key values are base64 encoded.

bash
echo "UyFCXCpkJHpEc2I9" | base64 -d
S!B\*d$zDsb=

echo "YWRtaW4=" | base64 -d
admin

Create a TLS Secret

The following example generates a TLS Secret with certificate and private key data files.

  1. Create a Kustomization file.
yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: app-tls
  files:
    - "tls.crt"
    - "tls.key"
  type: "kubernetes.io/tls"
  1. Create a certificate file.
yaml
# tls.crt
LS0tLS1CRUd...tCg==
  1. Create a private key file.
yaml
# tls.key
LS0tLS1CRUd...0tLQo=
  1. Create the Secret using kustomize build.
bash
kustomize build .

The Secret manifest is generated. The data key values are base64 encoded.

yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: app-tls-c888dfbhf8
data:
  tls.crt: TFMwdExTMUNSVWQuLi50Q2c9PQ==
  tls.key: TFMwdExTMUNSVWQuLi4wdExRbz0=