Kubernetes: modify a secret using kubectl?

Question

How can I modify the values in a Kubernetes secret using kubectl?

I created the secret with kubernetes create secret generic, but t

Answer 1

Deriving from 'Skeeves' answer:

Base64 encode your value:
echo -n 'encode_My_Password' | base64
Open the secret in edit mode:
kubectl edit secret my-secret

The default editor will open, replace the value of an exiting key or add a new line and a new key with the encoded value. Save and close the file. The updated value or new key-value pair has now been added to the secret.

Answer 2

The most direct (and interactive) way should be to execute kubectl edit secret <my secret>. Run kubectl get secrets if you'd like to see the list of secrets managed by Kubernetes.

Answer 3

As I found myself in the need of modifying a secret, I landed up here.

Here is the most convenient way I found for editing a (one-line) secret.

This elaborates on kubectl edit secret <my secret> of Timo Reimann above.

kubectl edit secret <my secret> will (in my case) invoke vi.

Now I move the cursor to the space after the colon of the secret I want to edit.

Then I press r and [enter] which will put the base64 encoded value onto a line of its own.

Now I enter :. ! base64 -D which will decode the current line.

After making my changes to the value, I enter :. ! base64 which will encode the changed value.

Pressing k [shift]J will rejoin the secret name and its new value.

:wq will write the new secretfile and quit vi.

P.S. If the secret has a multi-line value, switch on line numbers (:set nu) and, after changing the decoded value, use A,B ! base64 where A and B are the line numbers of the first and last line of the value.

P.P.S I just learned the hard way that base64 will receive the text to encode with an appended newline :( If this is no issue for your values - fine. Otherwise my current solution is to filter this out with: .!perl -pe chomp | base64

Answer 4

The Easy Way : Delete and recreate the secret

After looking at all these answers, for my needs the best solution was to delete and recreate :

kubectl delete secret generic
kubectl create secret generic # or whatever .. 

---

If you want to do it the hard way :

Using edit to change a docker-registry secret

I came to this question looking to modify a "docker-registry" style secret.
Simply editing it using kubectl edit secret seemed fraught as I didn't know what the secret value looked like.

I had created it with a command like kubectl create secret docker-registry generic-registry-secret --docker-server=docker.server --docker-username='my-cloud-usernname' --docker-password='my-auth-token' --docker-email='my@email.com'

I could have edited it, I figured out after looking at the other various answers here how that could be done - I'm including my notes here in case they help others.

List secrets : kubectl get secrets
Details of specific secret : kubectl describe secrets/generic-registry-secret
Get value of secret : kubectl get secret generic-registry-secret -o jsonpath={.data}
Decode secret value : First get everything between "map[.dockerconfigjson:" and "]" and then do :
echo "x9ey_the_secret_encoded_value_here_X0b3=" | base64 --decode

I could then take from that the specific auth token value I was seeking, and replace it with a new one. And then run that new full entire string through a | base 64 to get the base 64 encoding, and now I could finally, confidently, change the value by using kubectl edit secret generic-registry-secret and put in the new correct value.

But a delete and recreate is the simpler option.

---

References :

• https://kubernetes.io/docs/concepts/configuration/secret/
• https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/

Answer 5

In case you prefer a non-interactive update, this is one way of doing it:

kubectl get secret mysecret -o json | jq '.data["foo"]="YmFy"' | kubectl apply -f -

Note that YmFy is a base64-encoded bar string. If you want to pass the value as an argument, jq allows you to do that:

kubectl get secret mysecret -o json | jq --arg foo "$(echo bar | base64)" '.data["foo"]=$foo' | kubectl apply -f -

I'm more comfortable using jq but yq should also do the job if you prefer yaml format.

Answer 6

The easiest way from the command line:

echo "This is my secret" | base64 | read output;kubectl patch secret my_secret_name -p="{\"data\":{\"secret_key\": \"$output\"}}" -v=1

It will encode value This is my secret and update your my_secret_name secret by adding secret_key key and encoded values as a last key-value pair in that secret.