1. Overview

Secrets in Kubernetes enable us to store sensitive information like passwords, OAuth tokens, and SSH keys. In this tutorial, we’ll learn how to update a Kubernetes secret using kubectl in various ways.

2. Setup

We need Kubernetes installed and running on our machine. We must also install kubectl to interact with the Kubernetes cluster.

3. Update a Kubernetes Secret

There are two ways to interact with Kubernetes:

  • Imperative: we tell Kubernetes what to do (e.g., kubectl create, kubectl edit, kubectl patch, kubectl replace)
  • Declarative: we tell Kubernetes what we want, and Kubernetes figures out how to do it (e.g., kubectl apply)

There are several ways to update a secret: editing, patching, or replacing it, as well as applying a YAML manifest. Let’s see how we can update a secret using these methods.

Before we start, let’s understand the difference between editing, patching, and replacing at a conceptual level:

  • Edit: we have to open an editor to modify the resource
  • Patch: we can update specific fields from a resource
  • Replace: we replace the entire resource with a new one

3.1. Create a Secret

First, let’s create a secret named application-configuration with the following data:

apiVersion: v1
kind: Secret
metadata:
  name: application-configuration
type: Opaque
data:
  # values under data must be base64-encoded
  database-username: dXNlcg==   # "user"
  database-password: cGFzcw==   # "pass"

We can create the secret using the kubectl create command:

$ kubectl create -f application-configuration.yaml

For more advanced examples, let’s better understand ConfigMaps and Secrets in Kubernetes.

3.2. Edit a Secret

The kubectl edit command allows us to edit the secret directly. It opens the secret in our default text editor, where we can make the necessary changes. After editing, we save and exit the editor, and the changes are applied automatically.

To edit a secret, we use the kubectl edit command:

$ kubectl edit secret application-configuration

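This command will open the secret in an editor. The values under data are shown base64-encoded, so any value we change must be entered base64-encoded as well. We modify the data and save the changes.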

We can also change the editor used by kubectl by setting the KUBE_EDITOR environment variable:

$ export KUBE_EDITOR="nano"

3.3. Patch a Secret

The kubectl patch command updates a specific part of a resource without replacing the entire resource. This command helps make incremental changes, such as updating a single field or adding a new value, without affecting the rest of the secret.

To patch a secret, we use the following kubectl patch command:

$ kubectl patch secret application-configuration -p '{"data": {"database-password": "bmV3cGFzcw=="}}'

This command will update the database-password field in the application-configuration secret. The value is the base64 encoding of newpass, because fields under data must be base64-encoded.

3.4. Replace a Secret

The kubectl replace command in Kubernetes is used to update an existing resource with a new configuration specified in a file; this command will overwrite the existing resource with the latest definition provided. Any fields not specified in the new configuration will be removed from the secret.

When replacing a secret, the new definition file must include the same secret name as the existing one.

Let’s create a new secret file called application-configuration-new.yaml to replace the old one:

{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "application-configuration"
  },
  "type": "Opaque",
  "data": {
    "username": "bmV3dXNlcg==",
    "password": "bmV3cGFzcw=="
  }
}

To replace the secret, we use the kubectl replace command:

$ kubectl replace -f application-configuration-new.yaml

This command will replace the application-configuration secret with the definition in application-configuration-new.yaml.

3.5. Apply a YAML Manifest

The kubectl apply command manages and updates resources in Kubernetes. It is designed for a declarative approach, meaning we define the desired state of the secret in the YAML file, and Kubernetes ensures that the actual state matches the desired state.

We edit our file application-configuration.yaml, then use kubectl apply to apply the changes:

$ kubectl apply -f application-configuration.yaml

3.6. JSON Merge Patch

There is another way to use kubectl patch: with --type='json', we send a list of operations, each with the operation, the path to the value, and the value itself (base64-encoded, as everywhere under data):

$ kubectl patch secret application-configuration --type='json' -p='[{"op": "replace", "path": "/data/database-password", "value": "bmV3cGFzcw=="}]'
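
The payloads from sections 3.3 and 3.6, built with correctly encoded values. This is an added example, not part of the original tutorial; the helper names (b64, valid_key, merge_patch, json_patch, has_trailing_newline) are hypothetical, the sample values are constructed, and kubectl is only printed, not run.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; kubectl is only printed, not run.

# Encode a value for a Secret's data field. printf '%s' avoids the trailing
# newline that echo would append (it would become part of the password);
# tr removes the line wrapping GNU base64 inserts every 76 characters.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Secret keys may contain only alphanumerics, '-', '_' and '.'. Rejecting
# anything else also keeps quotes and slashes out of the JSON we assemble.
valid_key() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: $1" >&2; return 1 ;;
  esac
}

# Payload for: kubectl patch secret NAME -p '...'
merge_patch() {
  valid_key "$1" || return 1
  printf '{"data":{"%s":"%s"}}' "$1" "$(b64 "$2")"
}

# Payload for: kubectl patch secret NAME --type='json' -p='...'
json_patch() {
  valid_key "$1" || return 1
  printf '[{"op":"replace","path":"/data/%s","value":"%s"}]' "$1" "$(b64 "$2")"
}

# True when a stored (base64) value decodes to something ending in a newline,
# the usual sign that it was encoded with echo instead of printf.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Constructed sample values, matching the tutorial's secret.
echo "kubectl patch secret application-configuration -p '$(merge_patch database-password newpass)'"
echo "kubectl patch secret application-configuration --type='json' -p='$(json_patch database-password newpass)'"
has_trailing_newline "cGFzcwo=" && echo "cGFzcwo= decodes to 'pass' plus a newline"
```

A value that has_trailing_newline flags will fail authentication even though it looks right when decoded in a terminal, so it is worth checking before rotating a credential.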

3.7. Update Using Plugins

First, we need to install Krew, the package manager for kubectl plugins, then the kubectl-modify-secret plugin. This plugin allows us to modify the secret without worrying about doing base64 encoding/decoding.

Base64 is an encoding, not encryption: it lets arbitrary data be stored and transmitted as text, but anyone who can read the secret can decode it.

We can edit the secret using this command:

$ kubectl modify-secret application-configuration

The editor will open with all the secrets displayed in plain text.

4. Conclusion

In this article, we examined different ways to update a secret and explored how to use different commands to do so; following these approaches is essential for keeping our applications secure and efficient.