1. Overview
Secrets in Kubernetes enable us to store sensitive information like passwords, OAuth tokens, and SSH keys. In this tutorial, we’ll learn how to update a Kubernetes secret using kubectl in various ways.
2. Setup
We need Kubernetes installed and running on our machine. We must also install kubectl to interact with the Kubernetes cluster.
3. Update a Kubernetes Secret
There are two ways to interact with Kubernetes:
- Imperative: we tell Kubernetes what to do (e.g., kubectl create, kubectl edit, kubectl patch, kubectl replace)
- Declarative: we tell Kubernetes what we want, and Kubernetes figures out how to do it (e.g., kubectl apply)
There are several ways to update a secret: editing, patching, or replacing it, as well as applying a YAML manifest. Let’s see how we can update a secret using these methods.
Before we start, let’s understand the difference between editing, patching, and replacing at a conceptual level:
- Edit: we have to open an editor to modify the resource
- Patch: we can update specific fields from a resource
- Replace: we replace the entire resource with a new one
3.1. Create a Secret
First, let’s create a secret named application-configuration with the following data:
apiVersion: v1
kind: Secret
metadata:
  name: application-configuration
type: Opaque
data:
  # values under data must be base64-encoded
  database-username: dXNlcg==   # base64 of "user"
  database-password: cGFzcw==   # base64 of "pass"
We can create the secret using the kubectl create command:
$ kubectl create -f application-configuration.yaml
For more advanced examples, let’s better understand ConfigMaps and Secrets in Kubernetes.
3.2. Edit a Secret
The kubectl edit command allows us to edit the secret directly. It opens the secret in our default text editor, where we can make the necessary changes. After editing, we save and exit the editor, and the changes are applied automatically.
To edit a secret, we use the kubectl edit command:
$ kubectl edit secret application-configuration
This command will open the secret in an editor, where the values under data appear base64-encoded. We modify the data and save the changes.
We can also change the editor used by kubectl by setting the KUBE_EDITOR environment variable:
$ export KUBE_EDITOR="nano"
3.3. Patch a Secret
The kubectl patch command updates a specific part of a resource without replacing the entire resource. This command helps make incremental changes, such as updating a single field or adding a new value, without affecting the rest of the secret.
To patch a secret, we use the following kubectl patch command. The value must be base64-encoded; here it is the encoding of newpass:
$ kubectl patch secret application-configuration -p '{"data": {"database-password": "bmV3cGFzcw=="}}'
This command will update the database-password field in the application-configuration secret.
3.4. Replace a Secret
The kubectl replace command in Kubernetes is used to update an existing resource with a new configuration specified in a file; this command will overwrite the existing resource with the latest definition provided. Any fields not specified in the new configuration will be removed from the secret.
When replacing a secret, the new definition file must include the same secret name as the existing one.
Let’s create a new secret file called application-configuration-new.yaml to replace the old one (the values are the base64 encodings of newuser and newpass):
{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "application-configuration"
  },
  "type": "Opaque",
  "data": {
    "username": "bmV3dXNlcg==",
    "password": "bmV3cGFzcw=="
  }
}
To replace the secret, we use the kubectl replace command:
$ kubectl replace -f application-configuration-new.yaml
This command will replace the application-configuration secret with the definition in application-configuration-new.yaml.
3.5. Apply a YAML Manifest
The kubectl apply command manages and updates resources in Kubernetes. It is designed for a declarative approach, meaning we define the desired state of the secret in the YAML file, and Kubernetes ensures that the actual state matches the desired state.
We edit our file application-configuration.yaml, then use kubectl apply to apply the changes:
$ kubectl apply -f application-configuration.yaml
3.6. JSON Merge Patch
There is another way to use kubectl patch: with --type='json', we send a list of operations, each with the operation, the path to the value, and the value (base64-encoded, as before):
$ kubectl patch secret application-configuration --type='json' -p='[{"op": "replace", "path": "/data/database-password", "value": "bmV3cGFzcw=="}]'
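The patch bodies from sections 3.3 and 3.6 can be generated instead of typed by hand. The following shell functions are an added example, not part of the original tutorial; the names b64, valid_key, merge_patch and json_patch and the DB_PASSWORD variable are hypothetical. They read the plaintext from stdin and base64-encode it without a trailing newline:

```shell
#!/bin/sh
# Added example: build kubectl patch bodies for a Secret from a plaintext value.
# Function names are hypothetical; "newpass" is the tutorial's sample value.

# Encode stdin as a single base64 line (GNU base64 wraps long output at 76 columns).
b64() { base64 | tr -d '\n'; }

# Secret data keys may contain only alphanumerics, '-', '_' and '.'.
# Rejecting anything else also keeps the key safe to embed in JSON and in a
# JSON Patch path without escaping.
valid_key() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: $1" >&2; return 1 ;;
    esac
}

# merge_patch KEY < plaintext : body for the default patch type (section 3.3).
merge_patch() {
    valid_key "$1" || return 1
    printf '{"data": {"%s": "%s"}}\n' "$1" "$(b64)"
}

# json_patch KEY < plaintext : body for --type='json' (section 3.6).
json_patch() {
    valid_key "$1" || return 1
    printf '[{"op": "replace", "path": "/data/%s", "value": "%s"}]\n' "$1" "$(b64)"
}

# printf '%s' adds no newline, so the stored value is exactly "newpass".
printf '%s' 'newpass' | merge_patch database-password
printf '%s' 'newpass' | json_patch database-password

# echo appends a newline that becomes part of the stored secret:
# the encoding is bmV3cGFzcwo= instead of bmV3cGFzcw==.
echo 'newpass' | b64; echo

# Usage against a cluster (not run here; DB_PASSWORD is a hypothetical variable):
#   kubectl patch secret application-configuration \
#     -p "$(printf '%s' "$DB_PASSWORD" | merge_patch database-password)"
```

A value encoded with the stray newline is accepted by the API server, and the application then reads a password that ends in a line break.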
3.7. Update Using Plugins
First, we need to install Krew, the package manager for kubectl plugins, then the kubectl-modify-secret plugin. This plugin allows us to modify the secret without worrying about doing base64 encoding/decoding.
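Base64 encoding is a simple way to ensure that sensitive data, including binary values, can be stored and transmitted as text without corruption. It is an encoding, not encryption, so it does not hide the value from anyone who can read the secret.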
We can edit the secret using this command:
$ kubectl modify-secret application-configuration
The editor will open with all the secrets displayed in plain text.
4. Conclusion
In this article, we examined different ways to update a secret and explored how to use different commands to do so; following these approaches is essential for keeping our applications secure and efficient.