How can I copy a Kubernetes secret from one namespace to a different namespace?
A Secret is a Kubernetes object that stores sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image, but for sharing across Pods and services it is better stored as a Kubernetes object. Kubernetes cluster users can create secrets, and the system also creates some secrets.
In this guide we will copy a secret that already exists in one namespace (or project, if using OpenShift) and apply it to a different namespace. This is often useful for secrets such as registry secrets, shared git credentials, SSL certificates and keys, shared API credentials, etc. We will create a test secret and show you how to copy it from one project to another.
Creating Kubernetes Secrets
We will create a secret with a username and password from files.
echo -n 'admin' > ./username.txt
echo -n 'Password' > ./password.txt
Run the kubectl create secret command to package these files into a Secret and create the object on the API server.
$ kubectl create secret generic my-user-pass --from-file=./username.txt --from-file=./password.txt
secret/my-user-pass created
You can also create a Secret directly with kubectl, without files.
kubectl create secret generic my-user-pass --from-literal='username=admin' --from-literal='password=Password'
The name of a Secret object must be a valid DNS subdomain name.
List secrets:
$ kubectl get secrets
Converting your secret data to base-64
This is how you manually convert secret data to its base64 representation:
$ echo -n 'admin' | base64
YWRtaW4=
$ echo -n 'Password' | base64
UGFzc3dvcmQ=
Your YAML manifest file will look like the one below.
apiVersion: v1
kind: Secret
metadata:
  name: my-user-pass
data:
  username: YWRtaW4=
  password: UGFzc3dvcmQ=
Copy Kubernetes Secrets Between Namespaces
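Use the following command syntax to copy a secret from one namespace to a different namespace. The --export flag was deprecated in kubectl 1.14 and removed in 1.18; on newer clients, drop the flag and remove the metadata.namespace field from the output before applying it, otherwise kubectl apply rejects the namespace mismatch.
kubectl get secret <secret-name> \
--namespace=<source-namespace> \
--export -o yaml | \
kubectl apply --namespace=<new-namespace> -f -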
In my example I’ll run:
kubectl get secret my-user-pass \
--namespace=namespace1 \
--export -o yaml | \
kubectl apply --namespace=namespace2 -f -
Command execution output:
secret/my-user-pass created
Confirm secret creation in the namespace.
$ kubectl get secret -n namespace2 my-user-pass
NAME           TYPE     DATA   AGE
my-user-pass   Opaque   2      38s
Decode the secret to confirm the data is correct (Secret values are base64-encoded, not encrypted):
secret_name="my-user-pass"
namespace="namespace2"
kubectl get secret -n $namespace $secret_name -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
Command output:
password.txt: Password
username.txt: admin
If you have jq you can use the following command to decode the values.
$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'
{
"password.txt": "Password",
"username.txt": "admin"
}
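An added example, not part of the original guide: a Python filter that makes `kubectl get secret -o json` output safe to apply in another namespace by stripping server-populated metadata and checking that every value is valid base64. The names portable_secret, SERVER_FIELDS and SAMPLE, and the sample manifest, are constructed for this illustration.

```python
"""Added example: make `kubectl get secret -o json` output namespace-neutral."""
import base64
import json
import sys

# Server-populated metadata that ties the object to its source namespace/cluster.
SERVER_FIELDS = ("namespace", "resourceVersion", "uid", "creationTimestamp",
                 "selfLink", "generation", "managedFields", "ownerReferences")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def portable_secret(manifest_json: str) -> dict:
    """Return a Secret manifest that can be applied to any namespace."""
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        raise ValueError(f"expected kind Secret, got {obj.get('kind')!r}")
    meta = obj.setdefault("metadata", {})
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    annotations = meta.get("annotations") or {}
    annotations.pop(LAST_APPLIED, None)  # holds a copy of the old manifest
    if annotations:
        meta["annotations"] = annotations
    else:
        meta.pop("annotations", None)
    # Fail early on corrupt values instead of creating a broken Secret.
    for value in (obj.get("data") or {}).values():
        base64.b64decode(value, validate=True)
    return obj


# Constructed sample, shaped like:
#   kubectl get secret my-user-pass --namespace=namespace1 -o json
SAMPLE = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {
        "name": "my-user-pass", "namespace": "namespace1",
        "uid": "00000000-0000-0000-0000-000000000000",  # constructed value
        "resourceVersion": "12345",                      # constructed value
        "creationTimestamp": "2020-01-01T00:00:00Z",     # constructed value
        "annotations": {LAST_APPLIED: "{}"},
    },
    "data": {"username.txt": "YWRtaW4=", "password.txt": "UGFzc3dvcmQ="},
})

if __name__ == "__main__":
    # Reads a manifest from a pipe, or falls back to the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(portable_secret(source), indent=2))
```

Saved under a file name of your choice, the script sits between `kubectl get secret ... -o json` and `kubectl apply --namespace=<new-namespace> -f -` in the pipeline.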
Copy Secret between Kubernetes Clusters
For separate clusters you need to save the secret to a file. The file holds the values base64-encoded only, so treat it as sensitive.
$ kubectl get secret <secret-name> --export -o yaml > secret-name.yaml
Then copy the secret to where you’re authenticated on the other cluster and apply.
$ kubectl apply -f secret-name.yaml
Confirm the secret has been created.
$ kubectl get secret
If you’ve configured kubectl with multiple contexts then you can use the following approach:
$ kubectl get secret <secret-name> --context <source-context> --export -o yaml \
| kubectl apply --context <destination-context> -f -
That is how you can easily copy a secret between namespaces in Kubernetes and OpenShift clusters.