secretGenerator

Generate Secret resources.

Each entry in the argument list results in the creation of one Secret resource (it’s a generator of N secrets).

This works like the configMapGenerator.

  1. apiVersion: kustomize.config.k8s.io/v1beta1
  2. kind: Kustomization
  4. secretGenerator:
  5. - name: app-tls
  6.   files:
  7.   - secret/tls.cert
  8.   - secret/tls.key
  9.   type: "kubernetes.io/tls"
  10. - name: app-tls-namespaced
  11.   # you can define a namespace to generate
  12.   # a secret in, defaults to: "default"
  13.   namespace: apps
  14.   files:
  15.   - tls.crt=catsecret/tls.cert
  16.   - tls.key=secret/tls.key
  17.   type: "kubernetes.io/tls"
  18. - name: env_file_secret
  19.   envs:
  20.   - env.txt
  21.   type: Opaque
  22. - name: secret-with-annotation
  23.   files:
  24.   - app-config.yaml
  25.   type: Opaque
  26.   options:
  27.     annotations:
  28.       app_config: "true"
  29.     labels:
  30.       app.kubernetes.io/name: "app2"

Secret Resources may be generated much like ConfigMaps can. This includes generating them from literals, files or environment files.

Secret Syntax

Secret type is set using the type field.

Example

File Input

  1. # kustomization.yaml
  2. apiVersion: kustomize.config.k8s.io/v1beta1
  3. kind: Kustomization
  4. secretGenerator:
  5. - name: app-tls
  6.   files:
  7.     - "tls.cert"
  8.     - "tls.key"
  9.   type: "kubernetes.io/tls"
  1. # tls.cert
  2. LS0tLS1CRUd...tCg==
  1. # tls.key
  2. LS0tLS1CRUd...0tLQo=

Build Output

  1. apiVersion: v1
  2. data:
  3.   tls.cert: TFMwdExTMUNSVWQuLi50Q2c9PQ==
  4.   tls.key: TFMwdExTMUNSVWQuLi4wdExRbz0=
  5. kind: Secret
  6. metadata:
  7.   name: app-tls-c888dfbhf8
  8. type: kubernetes.io/tls

Important

It is important to note that the secrets are base64 encoded