Kustomize’s secret generator can embed secrets directly into your Kubernetes manifests, but it only works if you understand how it expects your secret data to be formatted.

Here’s how you can create Kubernetes secrets from files using Kustomize’s secret generator.

Let’s say you have a file named my-api-key.txt with your API key inside:

my-super-secret-api-key-12345

You want this to become a Kubernetes Secret. You’d create a kustomization.yaml file like this:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- deployment.yaml # Your existing deployment manifest

secretGenerator:
- name: my-api-secret
  files:
  - api-key.txt=my-api-key.txt

When you run kustomize build ., Kustomize will generate a Secret object. The name field becomes the name of the Kubernetes Secret resource. The files field is a list where each item maps a key within the Secret’s data field to a file on your local filesystem. In this case, the key inside the Secret will be api-key.txt, and its value will be the content of your my-api-key.txt file.

The generated Secret will look something like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-api-secret
type: Opaque
data:
  api-key.txt: bXktc3VwZXItc2VjcmV0LWFwaS1rZXktMTIzNDU= # Base64 encoded content of my-api-key.txt

Notice that the value is base64 encoded. This is standard for Kubernetes Secrets. The key api-key.txt is what your application will use to access the secret data within the mounted volume or environment variable.

You can then reference this secret in your deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: app-container
        image: my-app-image
        volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secrets"
          readOnly: true
      volumes:
      - name: secret-volume
        secret:
          secretName: my-api-secret

When this deployment is applied, Kubernetes will create a volume from the my-api-secret and mount it into the container at /etc/secrets. Inside this directory, you’ll find a file named api-key.txt containing your actual API key.

You can also use the secret generator to create multiple secrets, each from its own file, or to build a single secret from multiple files. For multiple files within one secret:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

secretGenerator:
- name: db-credentials
  files:
  - user=./db/user.txt
  - password=./db/password.txt

This will create a secret named db-credentials with two keys, user and password, whose values are read from the respective files.

If you need to inject multiple secrets, each from its own file, you simply add more entries to the secretGenerator list:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

secretGenerator:
- name: api-keys
  files:
  - google.com.key=./keys/google.txt
- name: jwt-secrets
  files:
  - jwt.key=./keys/jwt.txt

This will produce two separate Secret resources, api-keys and jwt-secrets.

A common pitfall is an incorrect file path, or a file that doesn’t exist. Kustomize will error out with a message like Error: open ./my-api-key.txt: no such file or directory. Always double-check that relative paths are resolved from the directory containing your kustomization.yaml file.

Another point of confusion can be the exact naming of the key within the secret. If you omit the part before the equals sign, like files: - my-api-key.txt, Kustomize will use the filename itself as the key. So files: - api-key.txt=my-api-key.txt results in a key named api-key.txt, while files: - my-api-key.txt would result in a key named my-api-key.txt. Be explicit with the key=file format to ensure predictable key names within your secret data.
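To make the key=file rule and the path handling concrete, here is a small Python simulation of what the generator does with each files entry; it is an added example, not Kustomize’s own code, and the file it reads is constructed in a temporary directory. The function names are my own; it applies the explicit-key versus bare-filename rule from above, resolves paths relative to the kustomization directory, fails on a missing file, and base64-encodes the content.

```python
import base64
import os
import tempfile


def parse_file_source(source):
    """Split a 'files' entry into (key, path).
    'api-key.txt=my-api-key.txt' -> ('api-key.txt', 'my-api-key.txt');
    a bare path uses the file's base name as the key, so './db/user.txt'
    yields 'user.txt', not 'user'."""
    key, sep, path = source.partition("=")
    if not sep:
        return os.path.basename(source), source
    if not key or not path:
        raise ValueError(f"malformed files entry: {source!r}")
    return key, path


def generate_secret(name, file_sources, base_dir, secret_type="Opaque"):
    """Build the Secret that one secretGenerator entry produces.
    Paths resolve relative to base_dir (the kustomization.yaml directory);
    a missing file aborts the build like the real tool. The content-hash
    name suffix kustomize appends by default is not simulated here."""
    data = {}
    for source in file_sources:
        key, rel_path = parse_file_source(source)
        path = os.path.join(base_dir, rel_path)
        if not os.path.isfile(path):
            raise FileNotFoundError(f"open {rel_path}: no such file or directory")
        if key in data:
            raise ValueError(f"duplicate key {key!r} in secret {name!r}")
        with open(path, "rb") as fh:
            # base64 is an encoding, not encryption: anyone who can read
            # the Secret object can decode it.
            data[key] = base64.b64encode(fh.read()).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": secret_type, "data": data}


def demo():
    """Constructed sample: the page's my-api-key.txt written to a temp dir.
    No trailing newline, since one would change the encoded value."""
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "my-api-key.txt"), "w") as fh:
            fh.write("my-super-secret-api-key-12345")
        explicit = generate_secret("my-api-secret", ["api-key.txt=my-api-key.txt"], base_dir)
        implicit = generate_secret("my-api-secret", ["my-api-key.txt"], base_dir)
    return explicit, implicit
```

Running demo() reproduces the data value shown earlier for the explicit form, while the bare-path form yields a key named my-api-key.txt instead.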

Kustomize also allows you to specify the type of the secret. By default, it’s Opaque. You can explicitly set it if needed, for example, for kubernetes.io/tls secrets, although this typically involves generating the secret from a certificate and key file rather than plain text.

The secretGenerator is a powerful way to manage sensitive configuration data, keeping it out of your main application manifests and allowing for easier updates. The next step is often understanding how to reference these secrets as environment variables in your containers.
