Generating Secrets

Working with the Secret Generator

Secret objects can be generated by adding a secretGenerator entry to the kustomization.yaml file. This is similar to the configMapGenerator. Secret Resources may be generated from files and literals. It is important to note that the secrets are base64 encoded.

Create Secret from a file

To generate a Secret Resource from a file, add an entry to secretGenerator with the filename.

The Secret will have data values populated from the file contents. The contents of each file will appear as a single data item in the Secret keyed by the filename.

The following example generates a Secret with a data item containing the contents of a file.

Create a Kustomization file.

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: db-user-pass
  files:
  - credentials.txt

Create a credentials.txt file.

# credentials.txt
username=admin
password=S!B\*d$zDsb=

Create the Secret using kustomize build.

kustomize build .

The Secret manifest is generated.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: db-user-pass-gf9bgh225c
data:
  credentials.txt: dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9UyFCXCpkJHpEc2I9Cg==

The credentials key value is base64 encoded.

echo "dXNlcm5hbWU9YWRtaW4KcGFzc3dvcmQ9UyFCXCpkJHpEc2I9Cg==" | base64 -d
username=admin
password=S!B\*d$zDsb=

Create Secret from literals

To generate a Secret Resource from literal key-value pairs, add an entry to secretGenerator with a list of literals.

Literal Syntax

The key/value are separated by a = sign (left side is the key).
The value of each literal will appear as a data item in the Secret keyed by its key.

The following example generates a Secret with two data items generated from literals.

Create a Kustomization file.

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: db-user-pass
  literals:
    - username=admin
    - password=S!B\*d$zDsb=

Create the Secret using kustomize build.

kustomize build .

The Secret manifest is generated.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: db-user-pass-t8d2d65755
data:
  password: UyFCXCpkJHpEc2I9
  username: YWRtaW4=

The credential key values are base64 encoded.

echo "UyFCXCpkJHpEc2I9" | base64 -d
S!B\*d$zDsb=

echo "YWRtaW4=" | base64 -d
admin

Create a TLS Secret

The following example generates a TLS Secret with certificate and private key data files.

Create a Kustomization file.

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: app-tls
  files:
    - "tls.crt"
    - "tls.key"
  type: "kubernetes.io/tls"

Create a certificate file.

# tls.crt
LS0tLS1CRUd...tCg==

Create a private key file.

# tls.key
LS0tLS1CRUd...0tLQo=

Create the Secret using kustomize build.

kustomize build .

The Secret manifest is generated. The data key values are base64 encoded.

apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: app-tls-c888dfbhf8
data:
  tls.crt: TFMwdExTMUNSVWQuLi50Q2c9PQ==
  tls.key: TFMwdExTMUNSVWQuLi4wdExRbz0=

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified October 27, 2023: Add Generator Tasks to Documentation (#5368) (bd435d41)