Secrets | Notion

Let's create a generic secret using kubectl:

$ kubectl create secret generic service-auth --from-literal=username=ricky --from-literal=password=ILOVEPIZZA2
secret/service-auth created

You can now use the describe command to describe the Secret:

$ kubectl describe secret service-auth
Name:         service-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  11 bytes
username:  5 bytes

Let's also look at the YAML representation of the Secret to see how the values are stored:

$ kubectl get secret service-auth -o yaml
apiVersion: v1
data:
  password: SUxPVkVQSVpaQTI=
  username: cmlja3k=
....

Kubernetes stores the values as a Base64-encoded string. Encoding the values like that allows you to store not just plain text, but also binary data. If you are creating a secret through YAML, you will have to Base64-encode all binary values. However, if you have any secrets that don't need to be Base64-encoded (i.e., non-binary values), you can provide them in plain text using the stringData field.

Here's the same Secret as before, but in this case, we are providing the username in plain text, while the password is still provided as Base64-encoded string:

apiVersion: v1
kind: Secret
metadata:
  name: service-auth-2
  namespace: default
stringData:
  username: ricky
data:
  password: SUxPVkVQSVpaQTI=

Save the above YAML in svc-auth-2.yaml file and create it using this command: kubectl apply -f svc-auth-2.yaml.

If you get the YAML representation, you will see that both values still end up being Base64-encoded and the field stringData is omitted (Kubernetes uses it to create the Base64-encode entries under the data field):

$ kubectl get secret service-auth-2 -o yaml
apiVersion: v1
data:
  password: SUxPVkVQSVpaQTI=
  username: cmlja3k=
kind: Secret
metadata:
....

Just like with ConfigMaps, Pods can consume Secrets through environment variables and volumes. When you use the Secret is a Pod, the values are stored as plain text. You don't have to Base64-decode the values in your containers.

Secrets as environment variables

Let's look at how you can consume the values from a Secret we created earlier as environment variables: